Hi Richard,

On Wed, 31 Mar 2021 at 03:34, Richard Weinberger <richard.weinberger@xxxxxxxxx> wrote:
>
> Ahmad,
>
> On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> wrote:
> > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s
>
> Is there a reason why we can't pass the desired backend name in the
> trusted key parameters?
> e.g.
> keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" @s
>

IIUC, this would require support for multiple trusted keys backends at runtime, but currently the trusted keys subsystem only supports a single backend, which is selected via a kernel module parameter during boot. So the trusted keys framework needs to evolve to support multiple trust sources at runtime, but I would like to understand the use-cases first. IMO, selecting the best trust source available on a platform for trusted keys should be a one-time operation, so why do we need to have other backends available at runtime as well?

-Sumit

> --
> Thanks,
> //richard
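To make the two positions in the thread concrete, here is an added example (not kernel code and not from either poster) that parses the option string handed to `keyctl add trusted`. It follows the trusted-keys command syntax as documented for the TPM source ("new <keylen> [opts]", "load <hexblob> [opts]", "update [opts]", with options such as `keyhandle=` and `migratable=`) and adds the hypothetical `backendtype <name>` prefix Richard proposed. The backend names, the `active_backend` parameter and the rule that a requested backend must match the one selected at boot are assumptions that model the single-backend constraint Sumit describes; the real kernel has no `backendtype` keyword.

```python
"""Parser for the `keyctl add trusted` option string (added example, not kernel code).

Mirrors the documented trusted-key command forms:
    new <keylen> [opt=value ...]
    load <hexblob> [opt=value ...]
    update [opt=value ...]
and prepends the hypothetical "backendtype <name>" keyword from the thread, so the
reader can see that such a keyword would be handled entirely by the trusted-keys
frontend, while `active_backend` stands in for the single source chosen at boot.
"""
import re

# Assumption: backend names discussed in the thread (tpm, tee, caam).
KNOWN_BACKENDS = {"tpm", "tee", "caam"}
# Option keywords accepted by the trusted-keys frontend for the TPM source.
KNOWN_OPTIONS = {"keyhandle", "keyauth", "blobauth", "pcrinfo", "pcrlock",
                 "migratable", "hash", "policydigest", "policyhandle"}
MIN_KEY_SIZE, MAX_KEY_SIZE = 32, 128   # key length limits in bytes for "new"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_trusted_key_args(arg_string, active_backend="tpm"):
    """Return a dict describing the request, or raise ValueError on bad input.

    active_backend models the one trust source selected via module parameter at
    boot (assumption). A "backendtype" request for any other source is rejected,
    which is exactly the limitation the thread is about.
    """
    tokens = arg_string.split()
    if not tokens:
        raise ValueError("empty trusted-key argument string")

    result = {"backend": active_backend, "explicit_backend": False, "options": {}}

    # Hypothetical frontend keyword: "backendtype <name>" must come first.
    if tokens[0] == "backendtype":
        if len(tokens) < 2:
            raise ValueError("backendtype requires a backend name")
        name = tokens[1]
        if name not in KNOWN_BACKENDS:
            raise ValueError(f"unknown trusted-key backend {name!r}")
        if name != active_backend:
            raise ValueError(
                f"backend {name!r} requested but only {active_backend!r} is loaded")
        result["backend"], result["explicit_backend"] = name, True
        tokens = tokens[2:]
        if not tokens:
            raise ValueError("missing key command after backendtype")

    cmd = tokens[0]
    result["command"] = cmd
    if cmd == "new":
        if len(tokens) < 2 or not tokens[1].isdigit():
            raise ValueError("new requires a numeric key length")
        keylen = int(tokens[1])
        if not MIN_KEY_SIZE <= keylen <= MAX_KEY_SIZE:
            raise ValueError(f"key length {keylen} outside {MIN_KEY_SIZE}..{MAX_KEY_SIZE}")
        result["keylen"] = keylen
        rest = tokens[2:]
    elif cmd == "load":
        if len(tokens) < 2:
            raise ValueError("load requires a hex-encoded sealed blob")
        blob_hex = tokens[1]
        if not HEX_RE.match(blob_hex) or len(blob_hex) % 2:
            raise ValueError("sealed blob must be an even-length hex string")
        result["blob"] = bytes.fromhex(blob_hex)
        rest = tokens[2:]
    elif cmd == "update":
        rest = tokens[1:]
    else:
        raise ValueError(f"unknown key command {cmd!r}")

    # Remaining tokens are "name=value" options the frontend forwards to the source.
    for tok in rest:
        if "=" not in tok:
            raise ValueError(f"malformed option {tok!r}")
        name, value = tok.split("=", 1)
        if name not in KNOWN_OPTIONS:
            raise ValueError(f"unknown option {name!r}")
        result["options"][name] = value
    return result


def validate_trusted_key_args(arg_string, active_backend="tpm"):
    """Convenience wrapper: (True, parsed) on success, (False, reason) on error."""
    try:
        return True, parse_trusted_key_args(arg_string, active_backend)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: a tiny fake blob and the thread's proposed syntax.
    for args, backend in [("load 0a0b0c0d", "tpm"),
                          ("backendtype caam load 0a0b0c0d", "caam"),
                          ("backendtype caam load 0a0b0c0d", "tpm")]:
        print(args, "->", validate_trusted_key_args(args, backend))
```

The third sample in the `__main__` block is the interesting one: with `tpm` as the boot-selected source, a `backendtype caam` request fails at the frontend, which is why Sumit says the framework would first have to support several trust sources at runtime before Richard's syntax could mean anything.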