* [PATCH v1] trusted_dcp.c: Do not return in case of non-secure mode
@ 2025-02-10 11:46 Kshitiz Varshney
2025-02-10 11:58 ` Richard Weinberger
0 siblings, 1 reply; 2+ messages in thread
From: Kshitiz Varshney @ 2025-02-10 11:46 UTC (permalink / raw)
To: David Gstir, sigma star Kernel Team, James Bottomley,
Jarkko Sakkinen, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E . Hallyn, SCE_Linux_Security_team
Cc: linux-integrity, keyrings, linux-security-module, linux-kernel,
Kshitiz Varshney
There are multiple type of keys in different worlds, like
test key in case of non-secure world and OTP, unique key
in case of secure world.
So, instead of returning with an error, in case of test key, we
should display warning to the user and allow the user to run the
trusted key functionality with test key.
Signed-off-by: Kshitiz Varshney <kshitiz.varshney@nxp.com>
---
security/keys/trusted-keys/trusted_dcp.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
index e908c53a803c..99c9f9619f4f 100644
--- a/security/keys/trusted-keys/trusted_dcp.c
+++ b/security/keys/trusted-keys/trusted_dcp.c
@@ -319,11 +319,8 @@ static int trusted_dcp_init(void)
pr_info("Using DCP OTP key\n");
ret = test_for_zero_key();
- if (ret) {
- pr_warn("Test for zero'ed keys failed: %i\n", ret);
-
- return -EINVAL;
- }
+ if (ret)
+ pr_warn("Using insecure test key, enable HAB to use unique device key!\n");
return register_key_type(&key_type_trusted);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v1] trusted_dcp.c: Do not return in case of non-secure mode
2025-02-10 11:46 [PATCH v1] trusted_dcp.c: Do not return in case of non-secure mode Kshitiz Varshney
@ 2025-02-10 11:58 ` Richard Weinberger
0 siblings, 0 replies; 2+ messages in thread
From: Richard Weinberger @ 2025-02-10 11:58 UTC (permalink / raw)
To: David Gstir, sigma star Kernel Team, James Bottomley,
Jarkko Sakkinen, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E . Hallyn, SCE_Linux_Security_team, upstream
Cc: linux-integrity, keyrings, linux-security-module, linux-kernel,
Kshitiz Varshney, Kshitiz Varshney
On Montag, 10. Februar 2025 12:46 Kshitiz Varshney wrote:
> There are multiple type of keys in different worlds, like
> test key in case of non-secure world and OTP, unique key
> in case of secure world.
> So, instead of returning with an error, in case of test key, we
> should display warning to the user and allow the user to run the
> trusted key functionality with test key.
We have the dcp_skip_zk_test module parameter to allow such cases.
Why can't you use it?
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-02-10 11:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-10 11:46 [PATCH v1] trusted_dcp.c: Do not return in case of non-secure mode Kshitiz Varshney
2025-02-10 11:58 ` Richard Weinberger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).