| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <D1FE58VX0KL4.70F6U9Y6HPQC@kernel.org> Date: Tue, 21 May 2024 17:26:54 +0300 From: "Jarkko Sakkinen" <jarkko@...nel.org> To: "James Bottomley" <James.Bottomley@...senPartnership.com>, <linux-integrity@...r.kernel.org> Cc: <keyrings@...r.kernel.org>, "Peter Huewe" <peterhuewe@....de>, "Jason Gunthorpe" <jgg@...pe.ca>, "Mimi Zohar" <zohar@...ux.ibm.com>, "David Howells" <dhowells@...hat.com>, "Paul Moore" <paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, <linux-kernel@...r.kernel.org>, <linux-security-module@...r.kernel.org> Subject: Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64 On Tue May 21, 2024 at 5:13 PM EEST, James Bottomley wrote: > On Tue, 2024-05-21 at 17:02 +0300, Jarkko Sakkinen wrote: > > Secondly, it also roots to the null key if a parent is not given. So > > it covers all the basic features of the HMAC patch set. > > I don't think that can work. The key file would be wrapped to the > parent and the null seed (and hence the wrapping) changes with every > reboot. If you want a permanent key, it has to be in one of the > accessible permanent hierarchies (storage ideally or endorsement). I'm fully aware that null seed is randomized per power cycle. The fallback was inherited from James Prestwood's original code and I decided to keep it as a testing feature, and also to test HMAC changes. If you look at the testing transcript in the cover letter, it should be obvious that a primary key is created in my basic test. BR, Jarkko
Powered by blists - more mailing lists