From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
<linux-integrity@vger.kernel.org>
Cc: <keyrings@vger.kernel.org>,
"David Woodhouse" <dwmw2@infradead.org>,
"Eric Biggers" <ebiggers@kernel.org>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"David Howells" <dhowells@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"open list:CRYPTO API" <linux-crypto@vger.kernel.org>,
"open list" <linux-kernel@vger.kernel.org>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH RESEND] KEYS: trusted: Use ASN.1 encoded OID
Date: Thu, 23 May 2024 16:54:02 +0300 [thread overview]
Message-ID: <D1H2P674GFY0.3O8WYK2P1GZ2K@kernel.org> (raw)
In-Reply-To: <9c96f39ed2161dd7f0c3a7964cba2de3169fae3b.camel@HansenPartnership.com>
On Thu May 23, 2024 at 4:38 PM EEST, James Bottomley wrote:
> On Thu, 2024-05-23 at 16:19 +0300, Jarkko Sakkinen wrote:
> > There's no reason to encode OID_TPMSealedData at run-time, as it
> > never changes.
> >
> > Replace it with the encoded version, which has exactly the same size:
> >
> > 67 81 05 0A 01 05
> >
> > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so
> > that the OID can be simply copied to the blob.
>
> This is true, but if we're going to do this, we should expand the OID
> registry functions (in lib/oid_registry.c) to do something like
> encode_OID. The registry already contains the hex above minus the two
> prefixes (which are easy to add).
Yes, I do agree with this idea, and I named variable the I named
it to make it obvious that generation is possible.
It would be best to have a single source, which could be just
a CSV file with entries like:
<Name>,<OID number>
And then in scripts/ there should be a script that takes this
source and generates oid_registry.gen.{h,c}. The existing
oid_registry.h should really just include oid_registry.gen.h
then to make this transparent change.
And then in the series where OID's are encoded per-subsystem
patch that takes pre-encoded OID into use.
Happy to review such patch set if it is pushed forward.
> > @ -51,8 +52,8 @@ static int tpm2_key_encode(struct
> > trusted_key_payload *payload,
> > if (!scratch)
> > return -ENOMEM;
> >
> > - work = asn1_encode_oid(work, end_work, tpm2key_oid,
> > - asn1_oid_len(tpm2key_oid));
> > + work = memcpy(work, OID_TPMSealedData_ASN1,
> > sizeof(OID_TPMSealedData_ASN1));
> > + work += sizeof(OID_TPMSealedData_ASN1);
>
> You lost the actually fits check. This is somewhat irrelevant for TPM
> keys because the OID is first in the structure and thus will never
> overflow, but it might matter for other uses.
Yep, it is irrelevant IMHO, there is 8 bytes, and also its location
never changes.
> James
BR, Jarkko
next prev parent reply other threads:[~2024-05-23 13:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-23 13:19 [PATCH RESEND] KEYS: trusted: Use ASN.1 encoded OID Jarkko Sakkinen
2024-05-23 13:38 ` James Bottomley
2024-05-23 13:54 ` Jarkko Sakkinen [this message]
2024-05-23 15:30 ` James Bottomley
2024-05-23 15:37 ` Jarkko Sakkinen
2024-05-23 15:43 ` James Bottomley
2024-05-23 15:55 ` Jarkko Sakkinen
2024-05-23 17:03 ` Jarkko Sakkinen
2024-05-23 17:08 ` James Bottomley
2024-05-23 17:24 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D1H2P674GFY0.3O8WYK2P1GZ2K@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.