Intel Key Locker Support For The Linux Kernel Being Prepared

Written by Michael Larabel in Intel on 17 December 2020 at 06:24 PM EST. 1 Comment
INTEL
For the past several months we've seen Intel Key Locker support being worked on for Linux as a new feature coming to future processors for better securing AES keys. That initial Key Locker support was initially focused on the open-source compilers with the new instructions while now the Linux kernel patches have been published in preliminary form.

Intel Key Locker is for Tiger Lake and beyond to allow encrypting/decrypting data without the raw AES key but instead relying on a key handle that is in place until revoked by the system. The key when loaded is effectively sealed and then accessed by new Intel Key Locker instructions (AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL) to reference the handle to that key. Intel Key Locker aims to protect AES keys by keeping the raw keys exposed for a minimal amount of time to reduce the chances they are compromised by rogue attackers.

The Linux kernel patches now out for review are wiring up Key Locker support as a new "aeskl-intel" driver for the kernel's crypto subsystem. This new Intel Key Locker implementation for the crypto subsystem was found by Intel to be comparable to the existing AES-NI implementation.

There have already been some initial critiques to the code -- in particular, the Intel AES-NI driver is basically being replicated to make this new Intel AES-KL driver with minimal code changes besides the new instructions, but thereby increasing the maintenance burden. So restructuring of the patches to either extend AES-NI or better handle the differences will likely be pursued before being accepted for mainline. Some other technical questions/concerns were also raised over this initial code.

For those interested in the Intel Key Locker support, the preliminary Linux kernel patches can be found on the kernel mailing list. Those curious about the technical design of Key Locker can find the specification via software.intel.com.
1 Comment
Related News
Intel Data Center & AI Update 2023: Sierra Forest & Granite Rapids On Track
Intel Releases GPGMM v0.1 GPU Memory Management Library
Intel XeSS SDK 1.1 Released
Intel Prepares More Meteor Lake Graphics Code For Linux 6.4
Intel LAM Will Try Again For Linux 6.4
Raja Koduri Departing Intel To Start New Software Company
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OBS Studio Lands AV1 & HEVC RTMP Streaming Support
Valve Officially Announces Counter-Strike 2
GNOME 44 Released With Many Desktop Enhancements
Framework Laptop Launches AMD Ryzen Upgradeable Laptop, Intel Raptor Lake Models Too
Mozilla Announces Mozilla.ai For "Trustworthy AI"
Proxmox VE 7.4 Released With Linux 5.15 LTS + Linux 6.2 Support, New Dark Theme
AMD FidelityFX Super Resolution 3 "FSR 3" Will Be Open-Source
Ubuntu 20.04.6 LTS Released With Restored UEFI Secure Boot Support