Intel Key Locker Support For The Linux Kernel Being Prepared

Written by Michael Larabel in Intel on 17 December 2020 at 06:24 PM EST.
For the past several months we've seen Intel Key Locker support being worked on for Linux, as a new feature coming to future processors for better securing AES keys. That early work focused on supporting the new instructions in the open-source compilers, while the Linux kernel patches have now been published in preliminary form.

Intel Key Locker is for Tiger Lake and beyond and allows encrypting/decrypting data without the raw AES key, relying instead on a key handle that stays in place until revoked by the system. Once loaded, the key is effectively sealed and is then used through the new Intel Key Locker instructions (AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL), which reference the handle to that key. Intel Key Locker aims to protect AES keys by keeping the raw keys exposed for a minimal amount of time, reducing the chances that they are compromised by rogue attackers.
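Whether a given system exposes Key Locker can be read from CPUID. The following is an added example, not code from the article or from Intel's kernel patches; the bit positions follow Intel's published Key Locker CPUID enumeration, and the struct and function names are this example's own.

```c
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Key Locker capability bits; struct and field names are this example's own. */
struct kl_caps {
    int supported;    /* CPUID.(EAX=07H,ECX=0):ECX[23], CPU implements Key Locker */
    int enabled;      /* CPUID.19H:EBX[0] (AESKLE), AES*KL instructions usable now */
    int wide;         /* CPUID.19H:EBX[2], AES*WIDE*KL instructions supported */
    int iwkey_backup; /* CPUID.19H:EBX[4], wrapping-key backup/restore supported */
    int cpl0_only;    /* CPUID.19H:EAX[0], handles can be limited to ring 0 */
    int no_encrypt;   /* CPUID.19H:EAX[1], handles can be made decrypt-only */
    int no_decrypt;   /* CPUID.19H:EAX[2], handles can be made encrypt-only */
};

/* Decode raw register values; leaf 19H is ignored unless leaf 7 reports KL. */
struct kl_caps kl_decode(unsigned leaf7_ecx, unsigned leaf19_eax, unsigned leaf19_ebx)
{
    struct kl_caps c = {0};
    c.supported = (leaf7_ecx >> 23) & 1;
    if (!c.supported)
        return c;
    c.enabled      = (leaf19_ebx >> 0) & 1;
    c.wide         = (leaf19_ebx >> 2) & 1;
    c.iwkey_backup = (leaf19_ebx >> 4) & 1;
    c.cpl0_only    = (leaf19_eax >> 0) & 1;
    c.no_encrypt   = (leaf19_eax >> 1) & 1;
    c.no_decrypt   = (leaf19_eax >> 2) & 1;
    return c;
}

int main(void)
{
    unsigned c7 = 0, a19 = 0, b19 = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c19, d;
    __get_cpuid_count(7, 0, &a, &b, &c7, &d);             /* structured extended features */
    if ((c7 >> 23) & 1)
        __get_cpuid_count(0x19, 0, &a19, &b19, &c19, &d); /* Key Locker leaf */
#endif
    struct kl_caps k = kl_decode(c7, a19, b19);
    printf("Key Locker: supported=%d enabled=%d wide=%d iwkey_backup=%d\n",
           k.supported, k.enabled, k.wide, k.iwkey_backup);
    printf("Handle restrictions: cpl0_only=%d no_encrypt=%d no_decrypt=%d\n",
           k.cpl0_only, k.no_encrypt, k.no_decrypt);
    return 0;
}
```

A result of `supported=1 enabled=0` means the CPU has the feature but the operating system or firmware has not turned the instructions on.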

The Linux kernel patches now out for review are wiring up Key Locker support as a new "aeskl-intel" driver for the kernel's crypto subsystem. This new Intel Key Locker implementation for the crypto subsystem was found by Intel to be comparable to the existing AES-NI implementation.

There has already been some initial criticism of the code. In particular, the new Intel AES-KL driver is basically a copy of the Intel AES-NI driver with minimal code changes besides the new instructions, which increases the maintenance burden. Restructuring the patches to either extend AES-NI or better handle the differences will therefore likely be pursued before they are accepted for mainline. Some other technical questions/concerns were also raised over this initial code.

For those interested in the Intel Key Locker support, the preliminary Linux kernel patches can be found on the kernel mailing list. Those curious about the technical design of Key Locker can find the specification via software.intel.com.