lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250210114606.1593650-1-kshitiz.varshney@nxp.com>
Date: Mon, 10 Feb 2025 12:46:06 +0100
From: Kshitiz Varshney <kshitiz.varshney@....com>
To: David Gstir <david@...ma-star.at>,
	sigma star Kernel Team <upstream+dcp@...ma-star.at>,
	James Bottomley <James.Bottomley@...senPartnership.com>,
	Jarkko Sakkinen <jarkko@...nel.org>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	David Howells <dhowells@...hat.com>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <jmorris@...ei.org>,
	"Serge E . Hallyn" <serge@...lyn.com>,
	SCE_Linux_Security_team@...eams.nxp.com
Cc: linux-integrity@...r.kernel.org,
	keyrings@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Kshitiz Varshney <kshitiz.varshney@....com>
Subject: [PATCH v1] trusted_dcp.c: Do not return in case of non-secure mode

There are multiple type of keys in different worlds, like
test key in case of non-secure world and OTP, unique key
in case of secure world.
So, instead of returning with an error, in case of test key, we
should display warning to the user and allow the user to run the
trusted key functionality with test key.

Signed-off-by: Kshitiz Varshney <kshitiz.varshney@....com>
---
 security/keys/trusted-keys/trusted_dcp.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
index e908c53a803c..99c9f9619f4f 100644
--- a/security/keys/trusted-keys/trusted_dcp.c
+++ b/security/keys/trusted-keys/trusted_dcp.c
@@ -319,11 +319,8 @@ static int trusted_dcp_init(void)
 		pr_info("Using DCP OTP key\n");
 
 	ret = test_for_zero_key();
-	if (ret) {
-		pr_warn("Test for zero'ed keys failed: %i\n", ret);
-
-		return -EINVAL;
-	}
+	if (ret)
+		pr_warn("Using insecure test key, enable HAB to use unique device key!\n");
 
 	return register_key_type(&key_type_trusted);
 }
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ