From: Mimi Zohar <zohar@kernel.org>
To: Sumit Garg <sumit.garg@linaro.org>
Cc: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
	<linux-crypto@vger.kernel.org>,
	linux-security-module@vger.kernel.org, dhowells@redhat.com,
	Herbert Xu <herbert@gondor.apana.org.au>,
	davem@davemloft.net, peterhuewe@gmx.de, jgg@ziepe.ca,
	jejb@linux.ibm.com,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Daniel Thompson <daniel.thompson@linaro.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"tee-dev @ lists . linaro . org" <tee-dev@lists.linaro.org>
Subject: Re: [RFC/RFT v4 0/5] Add generic trusted keys framework/subsystem
Date: Thu, 15 Aug 2019 15:06:49 +0000
Message-ID: <1565881609.9424.7.camel@kernel.org>
In-Reply-To: <CAFA6WYPU0oREaHROhhRsEXJTijvER8G4riBk4e4=Bd5XgGFqtQ@mail.gmail.com>

On Thu, 2019-08-15 at 18:33 +0530, Sumit Garg wrote:
> Hi Mimi,
> 
> On Wed, 14 Aug 2019 at 18:54, Mimi Zohar <zohar@kernel.org> wrote:
> >
> > Hi Sumit,
> >
> > On Tue, 2019-08-13 at 13:22 +0530, Sumit Garg wrote:
> > > This patch-set is an outcome of discussion here [1]. It has evolved very
> > > much since v1 to create, consolidate and generalize trusted keys
> > > subsystem.
> > >
> > > This framework has been tested with trusted keys support provided via TEE
> > > but I wasn't able to test it with a TPM device as I don't possess one. It
> > > would be really helpful if others could test this patch-set using a TPM
> > > device.
> >
> > With the "CONFIG_HEADER_TEST" and "CONFIG_KERNEL_HEADER_TEST" config
> > options enabled, which is required for linux-next, it fails to build.
> >
> 
> TBH, I wasn't aware of this test feature for headers.

It's new to me too.

> It looks like
> the header which fails this test is "include/keys/trusted_tpm.h" which
> is basically a rename of "include/keys/trusted.h" plus changes in this
> patch-set.
> 
> And "include/keys/trusted.h" header is already put under blacklist
> here: "include/Kbuild +68" as it fails to build. So it's that rename
> due to which build failure is observed now.
> 
> It seems to be an easy fix for this build failure via following changes:
> 
> diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h
> index 7b593447920b..ca1bec0ef65d 100644
> --- a/include/keys/trusted_tpm.h
> +++ b/include/keys/trusted_tpm.h
> @@ -2,6 +2,9 @@
>  #ifndef __TRUSTED_TPM_H
>  #define __TRUSTED_TPM_H
> 
> +#include <keys/trusted-type.h>
> +#include <linux/tpm_command.h>
> +
>  /* implementation specific TPM constants */
>  #define MAX_BUF_SIZE                   1024
>  #define TPM_GETRANDOM_SIZE             14
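
Review bot: the hunk stops at the two new includes and leaves include/Kbuild alone, so the header-test exclusion still names include/keys/trusted.h, which the series renames to this file; drop that entry in the same patch so include/keys/trusted_tpm.h is compiled standalone by the test from then on. Separately, the context lines `#define MAX_BUF_SIZE 1024` and `#define TPM_GETRANDOM_SIZE 14` are unprefixed names in a header under include/keys/; now that the header pulls in two more headers, a TPM-specific prefix on MAX_BUF_SIZE would lower the chance of a macro clash.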
> 
> So I will include above changes in this patch-set and also remove
> "include/keys/trusted.h" header from the blacklist.

That works, thanks.  With this patch set, at least the EVM trusted key
is properly being decrypted by the encrypted key with both a TPM 1.2
and PTT TPM 2.0.  My laptop still boots properly.  Over the weekend
I'll try to actually review the patches.

Mimi
