| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFA6WYOREs37p0TF4=E0=Z66DLGFJi92FfJo9VyAD67cLpALGA@mail.gmail.com>
Date: Fri, 16 Aug 2019 10:28:20 +0530
From: Sumit Garg <sumit.garg@...aro.org>
To: Mimi Zohar <zohar@...nel.org>
Cc: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@...r.kernel.org>,
linux-security-module@...r.kernel.org, dhowells@...hat.com,
Herbert Xu <herbert@...dor.apana.org.au>, davem@...emloft.net,
peterhuewe@....de, jgg@...pe.ca, jejb@...ux.ibm.com,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Daniel Thompson <daniel.thompson@...aro.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
"tee-dev @ lists . linaro . org" <tee-dev@...ts.linaro.org>
Subject: Re: [RFC/RFT v4 0/5] Add generic trusted keys framework/subsystem
On Thu, 15 Aug 2019 at 20:36, Mimi Zohar <zohar@...nel.org> wrote:
>
> On Thu, 2019-08-15 at 18:33 +0530, Sumit Garg wrote:
> > Hi Mimi,
> >
> > On Wed, 14 Aug 2019 at 18:54, Mimi Zohar <zohar@...nel.org> wrote:
> > >
> > > Hi Sumit,
> > >
> > > On Tue, 2019-08-13 at 13:22 +0530, Sumit Garg wrote:
> > > > This patch-set is an outcome of discussion here [1]. It has evolved very
> > > > much since v1 to create, consolidate and generalize trusted keys
> > > > subsystem.
> > > >
> > > > This framework has been tested with trusted keys support provided via TEE
> > > > but I wasn't able to test it with a TPM device as I don't possess one. It
> > > > would be really helpful if others could test this patch-set using a TPM
> > > > device.
> > >
> > > With the "CONFIG_HEADER_TEST" and "CONFIG_KERNEL_HEADER_TEST" config
> > > options enabled, which is required for linux-next, it fails to build.
> > >
> >
> > TBH, I wasn't aware about this test feature for headers.
>
> It's new to me too.
>
> > It looks like
> > the header which fails this test is "include/keys/trusted_tpm.h" which
> > is basically a rename of "include/keys/trusted.h" plus changes in this
> > patch-set.
> >
> > And "include/keys/trusted.h" header is already put under blacklist
> > here: "include/Kbuild +68" as it fails to build. So its that rename
> > due to which build failure is observed now.
> >
> > It seems to be an easy fix for this build failure via following changes:
> >
> > diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h
> > index 7b593447920b..ca1bec0ef65d 100644
> > --- a/include/keys/trusted_tpm.h
> > +++ b/include/keys/trusted_tpm.h
> > @@ -2,6 +2,9 @@
> > #ifndef __TRUSTED_TPM_H
> > #define __TRUSTED_TPM_H
> >
> > +#include <keys/trusted-type.h>
> > +#include <linux/tpm_command.h>
> > +
> > /* implementation specific TPM constants */
> > #define MAX_BUF_SIZE 1024
> > #define TPM_GETRANDOM_SIZE 14
> >
> > So I will include above changes in this patch-set and also remove
> > "include/keys/trusted.h" header from the blacklist.
>
> That works, thanks. With this patch set, at least the EVM trusted key
> is properly being decrypted by the encrypted key with both a TPM 1.2
> and PTT TPM 2.0. My laptop still boots properly. Over the weekend
> I'll try to actually review the patches.
>
Thanks Mimi for testing this patch-set.
-Sumit
> Mimi
Powered by blists - more mailing lists