On Tue, 2 Jun 2020 at 20:14, James Bottomley <jejb@xxxxxxxxxxxxx> wrote: > > On Tue, 2020-06-02 at 19:48 +0530, Sumit Garg wrote: > > Add support for TEE based trusted keys where TEE provides the > > functionality to seal and unseal trusted keys using hardware unique > > key. Also, this is an alternative in case platform doesn't possess a > > TPM device. > > So here's a meta problem: in the case when the platform possesses both > TEE and TPM what should it do? IMO, trust source (either a TPM or a TEE) should be unique and carefully chosen as per platform security policy corresponding to a particular threat model. And moreover TEEs have been mostly used in the embedded world where having a hardware TPM is cumbersome given constraints regarding BoM cost and hardware resources. > Things like this: > > > --- a/security/keys/trusted-keys/trusted_core.c > > +++ b/security/keys/trusted-keys/trusted_core.c > > @@ -25,6 +25,8 @@ > > > > #if defined(CONFIG_TRUSTED_TPM) > > static struct trusted_key_ops *trusted_key_ops = > > &tpm_trusted_key_ops; > > +#elif defined(CONFIG_TRUSTED_TEE) > > +static struct trusted_key_ops *trusted_key_ops = > > &tee_trusted_key_ops; > > #else > > Say it's either/or at a Kconfig level: so if you select both TEE and > TPM based trusted keys at compile time, we intall the TPM ops and > ignore the TEE ops, is that right? Surely this should be runtime > selectable based on what the platform has ... This dynamic selection was already part of v4 patch-set but after objection from Jarrko here [1], I switched to compile time mode instead. [1] https://lkml.org/lkml/2020/6/2/139 > perhaps it should even be > selectable per key? > > Once it is runtime selectable, what should be selected in the both > case? Or should we allow the user to decide, if so, how? > > when you pipe a trusted key, I think the subtype (TEE or TPM) should be > part of the piped information, so it loads again seamlessly. This > would actually be fixed by something like the ASN.1 scheme I'm trying > to upstream, at least for TPM keys, but do TEE keys have a recognized > ASN.1 format? > I guess this is something which we can refine later if there are real platforms that have a particular security requirement to support both TPM and a TEE. -Sumit > James >
