Re: [PATCH] KEYS: trusted: Fix trusted key backends when building as module
From: Sumit Garg <hidden>
Date: 2021-07-19 08:06:36
Also in:
keyrings, linux-security-module, lkml
On Mon, 19 Jul 2021 at 12:40, Ahmad Fatoum [off-list ref] wrote:
Hello Andreas, On 16.07.21 10:17, Andreas Rammhold wrote:quoted
Before this commit the kernel could end up with no trusted key sources even thought both of the currently supported backends (tpm & tee) were compoiled as modules. This manifested in the trusted key type not being registered at all.I assume (TPM) trusted key module use worked before the TEE rework? If so, an appropriate Fixes: Tag would then be in order.quoted
When checking if a CONFIG_… preprocessor variable is defined we only test for the builtin (=y) case and not the module (=m) case. By using the IS_ENABLE(…) macro we to test for both cases.It looks to me like you could now provoke a link error if TEE is a module and built-in trusted key core tries to link against trusted_key_tee_ops.
That's true.
One solution for that IS_REACHABLE(). Another is to address the root cause, which is the inflexible trusted keys Kconfig description: - Trusted keys despite TEE support can still only be built when TCG_TPM is enabled - There is no support to have TEE or TPM enabled without using those for enabled trusted keys as well - As you noticed, module build of the backend has issues I addressed these three issues in a patch[1], a month ago, but have yet to receive feedback.
That's an oversight on my part since this patch was part of the new CAAM trust source patch-set. Although I do admit that it was on my TODO list. So I have provided some feedback on that patch. Can you post the next version as an independent fix patch? -Sumit
[1]: https://lore.kernel.org/linux-integrity/f8285eb0135ba30c9d846cf9dd395d1f5f8b1efc.1624364386.git-series.a.fatoum@pengutronix.de/ (local) Cheers, Ahmadquoted
Signed-off-by: Andreas Rammhold <redacted> --- security/keys/trusted-keys/trusted_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c index d5c891d8d353..fd640614b168 100644 --- a/security/keys/trusted-keys/trusted_core.c +++ b/security/keys/trusted-keys/trusted_core.c@@ -27,10 +27,10 @@ module_param_named(source, trusted_key_source, charp, 0); MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)"); static const struct trusted_key_source trusted_key_sources[] = { -#if defined(CONFIG_TCG_TPM) +#if IS_ENABLED(CONFIG_TCG_TPM) { "tpm", &trusted_key_tpm_ops }, #endif -#if defined(CONFIG_TEE) +#if IS_ENABLED(CONFIG_TEE) { "tee", &trusted_key_tee_ops }, #endif };-- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |