Linux May Get A New Subsystem For RPMB: Replay Protected Memory Block
Patches surfaced this morning on the Linux Kernel Mailing List for implementing a new kernel subsystem.
The new subsystem proposal with patches by Tomas Winkler of Intel is for RPMB, the Replay Protected Memory Block specification for eMMC, NVMe, etc. Replay Protected Memory Block (RPMB) is a several year old specification for having a portion of memory be more secure and accessed via a hidden security key. The RPMB block in eMMC can be used for matters like storing DRM protection keys, OEM security keys, and other information that can't -- for whatever legal or security reasons -- can't be stored via normal storage.
Winkler explained, "The RPMB partition cannot be accessed via standard block layer, but by a set of specific commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a partition provides authenticated and replay protected access, hence suitable as a secure storage...The RPMB layer aims to provide in-kernel API for Trusted Execution Environment (TEE) devices that are capable to securely compute block frame signature."
If you are interested in learning more about the proposed Linux kernel implementation for securely supporting Replay Protected Memory Block, you can see this patch series that introduces the new subsystem, provides a simulation device, and also a small user-space utility for demonstration purposes.
The new subsystem proposal with patches by Tomas Winkler of Intel is for RPMB, the Replay Protected Memory Block specification for eMMC, NVMe, etc. Replay Protected Memory Block (RPMB) is a several year old specification for having a portion of memory be more secure and accessed via a hidden security key. The RPMB block in eMMC can be used for matters like storing DRM protection keys, OEM security keys, and other information that can't -- for whatever legal or security reasons -- can't be stored via normal storage.
Winkler explained, "The RPMB partition cannot be accessed via standard block layer, but by a set of specific commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a partition provides authenticated and replay protected access, hence suitable as a secure storage...The RPMB layer aims to provide in-kernel API for Trusted Execution Environment (TEE) devices that are capable to securely compute block frame signature."
If you are interested in learning more about the proposed Linux kernel implementation for securely supporting Replay Protected Memory Block, you can see this patch series that introduces the new subsystem, provides a simulation device, and also a small user-space utility for demonstration purposes.
10 Comments