James, ----- Ursprüngliche Mail ----- > Von: "James Bottomley" <jejb@xxxxxxxxxxxxx> > Well, yes. For the TPM, there's a defined ASN.1 format for the keys: > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h > > and part of the design of the file is that it's distinguishable either > in DER or PEM (by the guards) format so any crypto application can know > it's dealing with a TPM key simply by inspecting the file. I think you > need the same thing for CAAM and any other format. > > We're encouraging new ASN.1 formats to be of the form > > SEQUENCE { > type OBJECT IDENTIFIER > ... key specific fields ... > } > > Where you choose a defined OID to represent the key and that means > every key even in DER form begins with a unique binary signature. I like this idea. Ahmad, what do you think? That way we could also get rid off the kernel parameter and all the fall back logic, given that we find a way to reliable detect TEE blobs too... Thanks, //richard
