Add hardware-backed crypto support

[dpkristensen]

Add build-time support for platforms that support hardware-backed
crypto keys using a non-standard extension found in some Android
kernels. To enable this, set HW_CRYPTO_SUPPORT prior to building:

HW_CRYPTO_SUPPORT=1 make

Signed-off-by: Daniel Kristensen dpk5081@gmail.com
Change-Id: Idc17d90d0c3aafccf6e6620514e699fe1143f88e

[dpkristensen]

I tested this in both configurations on an Android-based Kernel (5.4) with hardware crypto engine support (CONFIG_BLK_INLINE_ENCRYPTION=y and CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y).

[ebiggers]

I don't think we should add this to fscryptctl, as this feature (hardware-wrapped keys) is not yet part of the upstream Linux kernel. And when it does get upstreamed it will use a slightly different interface.

Also, there is no upstream-ready development platform that actually supports this feature yet (which is why it hasn't been upstreamed yet), so it currently isn't usable outside of the context of Android anyway. So there should be no need to support this feature in fscryptctl yet. Or if you are using fscryptctl on Android for some reason, you can just carry this change locally...

I would be happy to add support for this once the upstream Linux kernel supports it.

[josephlr]

Agreed w/ @ebiggers here, I'd love to see a fscryptctl add_key --hw-backed option, but would want to make sure we were using a UAPI compatible with the eventual upstream kernel.

We would likely also want to have this be built w/ fscryptctl unconditionally, and have the tool fail if --hw-backed is requested but unsupported by the kernel.

[dpkristensen]

Yes, I agree it would be best to have it as a consistently available feature. Since the format of the ioctl is incompatible with the upstream implementation, I had made it a compile-time only flag. I guess it'll have to wait until Android fixes its implementation.

[ebiggers]

This feature is finally on its way to the upstream kernel. #48 adds support for it to fscryptctl.