1 mlx5dv_crypto_login_create / mlx5dv_crypto_login_query / mlx5dv_crypto_login_destroy(3)
6 mlx5dv_crypto_login_create - Creates a crypto login object
7
8 mlx5dv_crypto_login_query - Queries the given crypto login object
9
10 mlx5dv_crypto_login_destroy - Destroys the given crypto login object
11
13 #include <infiniband/mlx5dv.h>
14
15 struct mlx5dv_crypto_login_obj *
16 mlx5dv_crypto_login_create(struct ibv_context *context,
17 struct mlx5dv_crypto_login_attr_ex *login_attr);
18
19 int mlx5dv_crypto_login_query(struct mlx5dv_crypto_login_obj *crypto_login,
20 struct mlx5dv_crypto_login_query_attr *query_attr);
21
22 int mlx5dv_crypto_login_destroy(struct mlx5dv_crypto_login_obj *crypto_login);
23
25 When using a crypto engine that is in wrapped import method, a valid
26 crypto login object must be provided in order to create and query
27 wrapped Data Encryption Keys (DEKs).
28
29 A valid crypto login object is necessary only to create and query
30 wrapped DEKs. DEKs that were previously created don’t need a valid
31 crypto login object in order to be used (in an MKey or during traffic),
32 so destroying or invalidating the login object does not stop their use.
33
34 mlx5dv_crypto_login_create() creates and returns a crypto login object
35 with the credential given in login_attr. Only one crypto login object
36 can be created per device context. The created crypto login object
37 must be provided to mlx5dv_dek_create() in order to create wrapped
38 DEKs.
39
40 mlx5dv_crypto_login_query() queries the crypto login object
41 crypto_login and returns the queried attributes in query_attr.
42
43 mlx5dv_crypto_login_destroy() destroys the given crypto login object.
44
46 context
47 The device context that will be associated with the crypto login ob‐
48 ject.
49
50 login_attr
51 Crypto extended login attributes specify the credential to login with
52 and the import KEK to be used for secured communications done with the
53 crypto login object.
54
55 struct mlx5dv_crypto_login_attr_ex {
56 uint32_t credential_id;
57 uint32_t import_kek_id;
58 const void *credential;
59 size_t credential_len;
60 uint64_t comp_mask;
61 };
62
63 credential_id
64 An ID of a credential, from the credentials stored on the de‐
65 vice, that indicates the credential that should be validated
66 against the credential provided in credential.
67
68 import_kek_id
69 An ID of an import KEK, from the import KEKs stored on the de‐
70 vice, that indicates the import KEK that will be used for un‐
71 wrapping the credential provided in credential and also for all
72 other secured communications done with the crypto login object.
73
74 credential
75 The credential to log in with. A credential is a piece of data
76 used to authenticate the user for crypto login. The value in
77 credential is validated against the credential indicated by
78 credential_id, which is stored on the device; the two must match
79 for the crypto login to succeed. credential must be provided
80 wrapped (not in plaintext) by the AES key wrap algorithm using the
81 import KEK indicated by import_kek_id. Its format is
82 ENC(iv_64b + plaintext_credential), where ENC() is the AES key wrap
83 algorithm, iv_64b is the initial value 0xA6A6A6A6A6A6A6A6 given by
84 the NIST SP 800-38F AES key wrap spec, and plaintext_credential is
85 the credential value stored on the device.
86
87 credential_len
88 The length of the provided credential value in bytes.
89
90 comp_mask
91 Reserved for future extension, must be 0 now.
92
93 query_attr
94 Crypto login attributes to be populated when querying a crypto login
95 object.
96
97 struct mlx5dv_crypto_login_query_attr {
98 enum mlx5dv_crypto_login_state state;
99 uint64_t comp_mask;
100 };
101
102 state The state of the crypto login object; it can be one of the
103 following:
104
105 MLX5DV_CRYPTO_LOGIN_STATE_VALID
106 The crypto login object is valid and can be used.
107
108 MLX5DV_CRYPTO_LOGIN_STATE_INVALID
109 The crypto login object is invalid and cannot be used. A
110 valid crypto login object can become invalid if the
111 credential or the import KEK used by the crypto login object
112 was deleted while in use (for example, by a crypto officer).
113 In this case, mlx5dv_crypto_login_destroy() should be called
114 to destroy the invalid crypto login object and, if still
115 necessary, mlx5dv_crypto_login_create() should be called to
116 create a new crypto login object with a valid credential and
117 import KEK.
118
119 comp_mask
120 Reserved for future extension, must be 0 now.
121
123 mlx5dv_crypto_login_create() returns a pointer to a new valid struct
124 mlx5dv_crypto_login_obj on success. On error, NULL is returned and
125 errno is set.
126
127 mlx5dv_crypto_login_query() returns 0 on success and fills query_attr
128 with the queried attributes. On error, the errno value is returned.
129
130 mlx5dv_crypto_login_destroy() returns 0 on success and errno on error.
131
133 mlx5dv_dek_create(3), mlx5dv_query_device(3)
134
136 Avihai Horon <avihaih@nvidia.com>
140mlx5dv_crypto_login_create / mlx5dv_crypto_login_query / mlx5dv_crypto_login_destroy(3)