| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Mar 2024 21:18:47 +0200 From: "Jarkko Sakkinen" <jarkko@...nel.org> To: "David Gstir" <david@...ma-star.at>, "Mimi Zohar" <zohar@...ux.ibm.com>, "James Bottomley" <jejb@...ux.ibm.com>, "Herbert Xu" <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net> Cc: "Shawn Guo" <shawnguo@...nel.org>, "Jonathan Corbet" <corbet@....net>, "Sascha Hauer" <s.hauer@...gutronix.de>, "Pengutronix Kernel Team" <kernel@...gutronix.de>, "Fabio Estevam" <festevam@...il.com>, "NXP Linux Team" <linux-imx@....com>, "Ahmad Fatoum" <a.fatoum@...gutronix.de>, "sigma star Kernel Team" <upstream+dcp@...ma-star.at>, "David Howells" <dhowells@...hat.com>, "Li Yang" <leoyang.li@....com>, "Paul Moore" <paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, "Paul E. McKenney" <paulmck@...nel.org>, "Randy Dunlap" <rdunlap@...radead.org>, "Catalin Marinas" <catalin.marinas@....com>, "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>, "Tejun Heo" <tj@...nel.org>, "Steven Rostedt (Google)" <rostedt@...dmis.org>, <linux-doc@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linux-integrity@...r.kernel.org>, <keyrings@...r.kernel.org>, <linux-crypto@...r.kernel.org>, <linux-arm-kernel@...ts.infradead.org>, <linuxppc-dev@...ts.ozlabs.org>, <linux-security-module@...r.kernel.org> Subject: Re: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config On Thu Mar 7, 2024 at 5:38 PM EET, David Gstir wrote: > Enabling trusted keys requires at least one trust source implementation > (currently TPM, TEE or CAAM) to be enabled. Currently, this is > done by checking each trust source's config option individually. > This does not scale when more trust sources like the one for DCP > are added. nit: just to complete sentence and tie up the story "added because ..." > > Add config HAVE_TRUSTED_KEYS which is set to true by each trust source > once its enabled and adapt the check for having at least one active trust > source to use this option. Whenever a new trust source is added, it now > needs to select HAVE_TRUSTED_KEYS. > > Signed-off-by: David Gstir <david@...ma-star.at> > --- > security/keys/trusted-keys/Kconfig | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig > index dbfdd8536468..553dc117f385 100644 > --- a/security/keys/trusted-keys/Kconfig > +++ b/security/keys/trusted-keys/Kconfig > @@ -1,3 +1,6 @@ > +config HAVE_TRUSTED_KEYS > + bool > + > config TRUSTED_KEYS_TPM > bool "TPM-based trusted keys" > depends on TCG_TPM >= TRUSTED_KEYS > @@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM > select ASN1_ENCODER > select OID_REGISTRY > select ASN1 > + select HAVE_TRUSTED_KEYS > help > Enable use of the Trusted Platform Module (TPM) as trusted key > backend. Trusted keys are random number symmetric keys, > @@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE > bool "TEE-based trusted keys" > depends on TEE >= TRUSTED_KEYS > default y > + select HAVE_TRUSTED_KEYS > help > Enable use of the Trusted Execution Environment (TEE) as trusted > key backend. > @@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM > depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS > select CRYPTO_DEV_FSL_CAAM_BLOB_GEN > default y > + select HAVE_TRUSTED_KEYS > help > Enable use of NXP's Cryptographic Accelerator and Assurance Module > (CAAM) as trusted key backend. > > -if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM > -comment "No trust source selected!" > +if !HAVE_TRUSTED_KEYS > + comment "No trust source selected!" > endif otherwise, it is in reasonable shape and form. BR, Jarkko
Powered by blists - more mailing lists