[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <CZNRDVE0QD88.TXELW2XQC0XF@kernel.org>
Date: Thu, 07 Mar 2024 21:18:47 +0200
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "David Gstir" <david@...ma-star.at>, "Mimi Zohar" <zohar@...ux.ibm.com>,
"James Bottomley" <jejb@...ux.ibm.com>, "Herbert Xu"
<herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>
Cc: "Shawn Guo" <shawnguo@...nel.org>, "Jonathan Corbet" <corbet@....net>,
"Sascha Hauer" <s.hauer@...gutronix.de>, "Pengutronix Kernel Team"
<kernel@...gutronix.de>, "Fabio Estevam" <festevam@...il.com>, "NXP Linux
Team" <linux-imx@....com>, "Ahmad Fatoum" <a.fatoum@...gutronix.de>, "sigma
star Kernel Team" <upstream+dcp@...ma-star.at>, "David Howells"
<dhowells@...hat.com>, "Li Yang" <leoyang.li@....com>, "Paul Moore"
<paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, "Serge E.
Hallyn" <serge@...lyn.com>, "Paul E. McKenney" <paulmck@...nel.org>, "Randy
Dunlap" <rdunlap@...radead.org>, "Catalin Marinas"
<catalin.marinas@....com>, "Rafael J. Wysocki"
<rafael.j.wysocki@...el.com>, "Tejun Heo" <tj@...nel.org>, "Steven Rostedt
(Google)" <rostedt@...dmis.org>, <linux-doc@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <linux-integrity@...r.kernel.org>,
<keyrings@...r.kernel.org>, <linux-crypto@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>, <linuxppc-dev@...ts.ozlabs.org>,
<linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust
source config
On Thu Mar 7, 2024 at 5:38 PM EET, David Gstir wrote:
> Enabling trusted keys requires at least one trust source implementation
> (currently TPM, TEE or CAAM) to be enabled. Currently, this is
> done by checking each trust source's config option individually.
> This does not scale when more trust sources like the one for DCP
> are added.
nit: just to complete sentence and tie up the story "added because ..."
>
> Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
> once its enabled and adapt the check for having at least one active trust
> source to use this option. Whenever a new trust source is added, it now
> needs to select HAVE_TRUSTED_KEYS.
>
> Signed-off-by: David Gstir <david@...ma-star.at>
> ---
> security/keys/trusted-keys/Kconfig | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
> index dbfdd8536468..553dc117f385 100644
> --- a/security/keys/trusted-keys/Kconfig
> +++ b/security/keys/trusted-keys/Kconfig
> @@ -1,3 +1,6 @@
> +config HAVE_TRUSTED_KEYS
> + bool
> +
> config TRUSTED_KEYS_TPM
> bool "TPM-based trusted keys"
> depends on TCG_TPM >= TRUSTED_KEYS
> @@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
> select ASN1_ENCODER
> select OID_REGISTRY
> select ASN1
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of the Trusted Platform Module (TPM) as trusted key
> backend. Trusted keys are random number symmetric keys,
> @@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
> bool "TEE-based trusted keys"
> depends on TEE >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of the Trusted Execution Environment (TEE) as trusted
> key backend.
> @@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
> depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
> select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> default y
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of NXP's Cryptographic Accelerator and Assurance Module
> (CAAM) as trusted key backend.
>
> -if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
> -comment "No trust source selected!"
> +if !HAVE_TRUSTED_KEYS
> + comment "No trust source selected!"
> endif
otherwise, it is in reasonable shape and form.
BR, Jarkko
Powered by blists - more mailing lists