Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2022-05-13 at 16:57 +0200, Ahmad Fatoum wrote:
>  static int __init init_trusted(void)
>  {
> +       int (*get_random)(unsigned char *key, size_t key_len);
>         int i, ret = 0;
>  
>         for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {
> @@ -322,6 +333,28 @@ static int __init init_trusted(void)
>                             strlen(trusted_key_sources[i].name)))
>                         continue;
>  
> +               /*
> +                * We always support trusted.rng="kernel" and "default" as
> +                * well as trusted.rng=$trusted.source if the trust source
> +                * defines its own get_random callback.
> +                */
 
While TEE trusted keys support was upstreamed, there was a lot of
discussion about using kernel RNG.  One of the concerns was lack of or
insuffiencent entropy during early boot on embedded devices.  This
concern needs to be clearly documented in both Documentation/admin-
guide/kernel-parameters.txt and Documentation/security/keys/trusted-
encrypted.rst.

thanks,

Mimi

> +               get_random = trusted_key_sources[i].ops->get_random;
> +               if (trusted_rng && strcmp(trusted_rng, "default")) {
> +                       if (!strcmp(trusted_rng, "kernel")) {
> +                               get_random = kernel_get_random;
> +                       } else if (strcmp(trusted_rng, trusted_key_sources[i].name) ||
> +                                  !get_random) {
> +                               pr_warn("Unsupported RNG. Supported: kernel");
> +                               if (get_random)
> +                                       pr_cont(", %s", trusted_key_sources[i].name);
> +                               pr_cont(", default\n");
> +                               return -EINVAL;
> +                       }
> +               }
> +
> +               if (!get_random)
> +                       get_random = kernel_get_random;
> +
>                 static_call_update(trusted_key_init,
>                                    trusted_key_sources[i].ops->init);




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux