Intel Seeks More Comments From Developers On Key Locker Implementation For Linux

Written by Michael Larabel in Intel on 14 May 2021 at 05:50 PM EDT.

One of the features already found in new Intel "Tiger Lake" CPUs but not yet supported by the Linux kernel is Key Locker for securing AES keys on the system. Going back months, there have been various patch series working toward Key Locker support, and the patch series that actually gets things ready for use was just sent out again under a "request for comments" flag.

The Key Locker kernel patch series was initially sent out last December as a request for comments. Intel Key Locker allows encrypting and decrypting data without the raw AES key, instead making use of a key handle that stays in place until revoked by the system. Once loaded, the key is effectively sealed and is then accessed through the new Intel Key Locker instructions (AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL), which reference the handle to a particular AES key. Intel Key Locker aims to protect AES keys by keeping the raw keys exposed for a minimal amount of time, reducing the chances that they are compromised by attackers. The Linux support for Key Locker is being implemented as a new "aeskl-intel" driver for the kernel's crypto subsystem.
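Since the hardware ships the feature before the kernel enables it, a useful check is whether a given machine's CPU implements Key Locker and whether system software has turned the handle instructions on. The following is an added example, not code from this article or from Intel's patches; the CPUID bit positions are those documented in Intel's Key Locker specification, and the names `kl_state`, `kl_decode` and `kl_query` are hypothetical.

```c
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Key Locker state decoded from raw CPUID register values.
 * Struct and function names are hypothetical, chosen for this example. */
struct kl_state {
    int cpu_has_kl;   /* CPUID.(EAX=07H,ECX=0):ECX[23]: CPU implements it */
    int os_enabled;   /* CPUID.19H:EBX[0] (AESKLE): handle instructions usable */
    int wide_insns;   /* CPUID.19H:EBX[2]: AES*WIDE*KL variants available */
    int iwkey_backup; /* CPUID.19H:EBX[4]: wrapping-key backup supported */
};

/* Pure decoder, so the logic can be checked against constructed values. */
static struct kl_state kl_decode(unsigned int leaf7_ecx, unsigned int leaf19_ebx)
{
    struct kl_state s = {0, 0, 0, 0};
    s.cpu_has_kl = (leaf7_ecx >> 23) & 1;
    if (!s.cpu_has_kl)
        return s;                 /* leaf 19H means nothing without KL */
    s.os_enabled   = leaf19_ebx & 1;
    s.wide_insns   = (leaf19_ebx >> 2) & 1;
    s.iwkey_backup = (leaf19_ebx >> 4) & 1;
    return s;
}

/* Query the running CPU; reports "not present" on non-x86 builds. */
static struct kl_state kl_query(void)
{
    unsigned int a = 0, b = 0, c = 0, d = 0, ebx19 = 0;
#if defined(__x86_64__) || defined(__i386__)
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && ((c >> 23) & 1))
        __get_cpuid_count(0x19, 0, &a, &ebx19, &b, &d);
#endif
    (void)a; (void)b; (void)d;
    return kl_decode(c, ebx19);
}

int main(void)
{
    struct kl_state s = kl_query();
    printf("Key Locker in CPU: %d, enabled by OS: %d, wide: %d, backup: %d\n",
           s.cpu_has_kl, s.os_enabled, s.wide_insns, s.iwkey_backup);
    return 0;
}
```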

A half-year has passed since the first RFC patch series, and this Friday a second revision was sent out that is still marked as RFC. It remains a request for comments, with the Intel developers hoping for more feedback from other developers on the implementation. The updated patches refactor the AES-NI implementation and have other low-level code improvements.

Those interested in Key Locker can learn more via these latest patches.