Show Your Support: Did you know that you can get Phoronix Premium for under $4 per month? Try it today to view our site ad-free, multi-page articles on a single page, and more while the proceeds allow us to write more Linux hardware reviews. At the very least, please disable your ad-blocker.
Intel Key Locker Support For The Linux Kernel Being Prepared
Intel Key Locker is for Tiger Lake and beyond to allow encrypting/decrypting data without the raw AES key but instead relying on a key handle that is in place until revoked by the system. The key when loaded is effectively sealed and then accessed by new Intel Key Locker instructions (AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL) to reference the handle to that key. Intel Key Locker aims to protect AES keys by keeping the raw keys exposed for a minimal amount of time to reduce the chances they are compromised by rogue attackers.
The Linux kernel patches now out for review are wiring up Key Locker support as a new "aeskl-intel" driver for the kernel's crypto subsystem. This new Intel Key Locker implementation for the crypto subsystem was found by Intel to be comparable to the existing AES-NI implementation.
There have already been some initial critiques to the code -- in particular, the Intel AES-NI driver is basically being replicated to make this new Intel AES-KL driver with minimal code changes besides the new instructions, but thereby increasing the maintenance burden. So restructuring of the patches to either extend AES-NI or better handle the differences will likely be pursued before being accepted for mainline. Some other technical questions/concerns were also raised over this initial code.
For those interested in the Intel Key Locker support, the preliminary Linux kernel patches can be found on the kernel mailing list. Those curious about the technical design of Key Locker can find the specification via software.intel.com.