Allow search for TEE based trusted keys to act as master keys in case TPM device is not present. Signed-off-by: Sumit Garg <sumit.garg@xxxxxxxxxx> --- security/keys/encrypted-keys/masterkey_trusted.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c index c68528a..cfac27f 100644 --- a/security/keys/encrypted-keys/masterkey_trusted.c +++ b/security/keys/encrypted-keys/masterkey_trusted.c @@ -23,6 +23,9 @@ * Trusted keys are sealed to PCRs and other metadata. Although userspace * manages both trusted/encrypted key-types, like the encrypted key type * data, trusted key type data is not visible decrypted from userspace. + * + * Also, check for alternate trusted keys provided via TEE in case there + * is no TPM available. */ struct key *request_trusted_key(const char *trusted_desc, const u8 **master_key, size_t *master_keylen) @@ -31,8 +34,11 @@ struct key *request_trusted_key(const char *trusted_desc, struct key *tkey; tkey = request_key(&key_type_trusted, trusted_desc, NULL); - if (IS_ERR(tkey)) - goto error; + if (IS_ERR(tkey)) { + tkey = request_key(&key_type_tee_trusted, trusted_desc, NULL); + if (IS_ERR(tkey)) + goto error; + } down_read(&tkey->sem); tpayload = tkey->payload.data[0]; -- 2.7.4