Intel Key Locker Support For The Linux Kernel Being Prepared

Written by Michael Larabel in Intel on 17 December 2020 at 06:24 PM EST. 1 Comment
For the past several months we've seen Intel Key Locker support being worked on for Linux as a new feature coming to future processors for better securing AES keys. That initial Key Locker support was initially focused on the open-source compilers with the new instructions while now the Linux kernel patches have been published in preliminary form.

Intel Key Locker is for Tiger Lake and beyond to allow encrypting/decrypting data without the raw AES key but instead relying on a key handle that is in place until revoked by the system. The key when loaded is effectively sealed and then accessed by new Intel Key Locker instructions (AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL) to reference the handle to that key. Intel Key Locker aims to protect AES keys by keeping the raw keys exposed for a minimal amount of time to reduce the chances they are compromised by rogue attackers.

The Linux kernel patches now out for review are wiring up Key Locker support as a new "aeskl-intel" driver for the kernel's crypto subsystem. This new Intel Key Locker implementation for the crypto subsystem was found by Intel to be comparable to the existing AES-NI implementation.

There have already been some initial critiques to the code -- in particular, the Intel AES-NI driver is basically being replicated to make this new Intel AES-KL driver with minimal code changes besides the new instructions, but thereby increasing the maintenance burden. So restructuring of the patches to either extend AES-NI or better handle the differences will likely be pursued before being accepted for mainline. Some other technical questions/concerns were also raised over this initial code.

For those interested in the Intel Key Locker support, the preliminary Linux kernel patches can be found on the kernel mailing list. Those curious about the technical design of Key Locker can find the specification via
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week