From: Jarkko Sakkinen <jarkko@kernel.org>
To: linux-integrity@vger.kernel.org
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Mimi Zohar <zohar@linux.ibm.com>,
keyrings@vger.kernel.org (open list:KEYS/KEYRINGS),
linux-security-module@vger.kernel.org (open list:SECURITY
SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] KEYS: trusted: Use get_random-fallback for TPM
Date: Sun, 14 Dec 2025 23:32:36 +0200 [thread overview]
Message-ID: <20251214213236.339586-1-jarkko@kernel.org> (raw)
1. tpm2_get_random() is costly when TCG_TPM2_HMAC is enabled and thus its
use should be pooled rather than directly used. This both reduces
latency and improves its predictability.
2. Linux is better off overall if every subsystem uses the same source for
the random bistream as the de-facto choice, unless *force majeure*
reasons point to some other direction.
In the case, of TPM there is no reason for trusted keys to invoke TPM
directly.
Thus, unset '.get_random', which causes fallback to kernel_get_random().
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
security/keys/trusted-keys/trusted_tpm1.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index 636acb66a4f6..33b7739741c3 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -936,11 +936,6 @@ static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob)
return ret;
}
-static int trusted_tpm_get_random(unsigned char *key, size_t key_len)
-{
- return tpm_get_random(chip, key, key_len);
-}
-
static int __init init_digests(void)
{
int i;
@@ -992,6 +987,5 @@ struct trusted_key_ops trusted_key_tpm_ops = {
.init = trusted_tpm_init,
.seal = trusted_tpm_seal,
.unseal = trusted_tpm_unseal,
- .get_random = trusted_tpm_get_random,
.exit = trusted_tpm_exit,
};
--
2.39.5
next reply other threads:[~2025-12-14 21:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-14 21:32 Jarkko Sakkinen [this message]
2025-12-14 21:35 ` [PATCH] KEYS: trusted: Use get_random-fallback for TPM Jarkko Sakkinen
2025-12-14 22:18 ` James Bottomley
2025-12-15 6:43 ` Jarkko Sakkinen
2025-12-15 7:55 ` James Bottomley
2025-12-15 8:49 ` Jarkko Sakkinen
2025-12-15 19:43 ` Jarkko Sakkinen
2025-12-15 20:01 ` James Bottomley
2025-12-15 20:25 ` Jarkko Sakkinen
2025-12-15 20:09 ` Eric Biggers
2025-12-15 20:35 ` Jarkko Sakkinen
2025-12-15 21:09 ` Jarkko Sakkinen
2025-12-16 6:48 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251214213236.339586-1-jarkko@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).