Thread (26 messages), 3 authors, 2019-09-02

Re: [RFC/RFT v4 0/5] Add generic trusted keys framework/subsystem

From: Sumit Garg <hidden>
Date: 2019-08-16 04:58:37
Also in: keyrings, linux-crypto, linux-integrity, lkml

On Thu, 15 Aug 2019 at 20:36, Mimi Zohar [off-list ref] wrote:
On Thu, 2019-08-15 at 18:33 +0530, Sumit Garg wrote:
quoted
Hi Mimi,

On Wed, 14 Aug 2019 at 18:54, Mimi Zohar [off-list ref] wrote:
quoted
Hi Sumit,

On Tue, 2019-08-13 at 13:22 +0530, Sumit Garg wrote:
quoted
This patch-set is an outcome of discussion here [1]. It has evolved very
much since v1 to create, consolidate and generalize trusted keys
subsystem.

This framework has been tested with trusted keys support provided via TEE
but I wasn't able to test it with a TPM device as I don't possess one. It
would be really helpful if others could test this patch-set using a TPM
device.
With the "CONFIG_HEADER_TEST" and "CONFIG_KERNEL_HEADER_TEST" config
options enabled, which is required for linux-next, it fails to build.
TBH, I wasn't aware of this test feature for headers.
It's new to me too.
quoted
It looks like
the header which fails this test is "include/keys/trusted_tpm.h" which
is basically a rename of "include/keys/trusted.h" plus changes in this
patch-set.

And "include/keys/trusted.h" header is already put under blacklist
here: "include/Kbuild +68" as it fails to build. So it's that rename
due to which build failure is observed now.

It seems to be an easy fix for this build failure via the following changes:
diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h
index 7b593447920b..ca1bec0ef65d 100644
--- a/include/keys/trusted_tpm.h
+++ b/include/keys/trusted_tpm.h
@@ -2,6 +2,9 @@
 #ifndef __TRUSTED_TPM_H
 #define __TRUSTED_TPM_H

+#include <keys/trusted-type.h>
+#include <linux/tpm_command.h>
+
 /* implementation specific TPM constants */
 #define MAX_BUF_SIZE                   1024
 #define TPM_GETRANDOM_SIZE             14
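Review bot: the include/Kbuild blacklist entry for "include/keys/trusted.h" is not touched in this diff, even though the two #include lines added after the __TRUSTED_TPM_H guard are what is meant to let the renamed header pass CONFIG_HEADER_TEST. Please fold the blacklist removal into the same patch as this hunk so the header test covers trusted_tpm.h from the commit that makes it self-contained, and say in the commit message that <keys/trusted-type.h> and <linux/tpm_command.h> are added for standalone compilation, so a later cleanup does not drop them as unused.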
So I will include the above changes in this patch-set and also remove
"include/keys/trusted.h" header from the blacklist.
That works, thanks.  With this patch set, at least the EVM trusted key
is properly being decrypted by the encrypted key with both a TPM 1.2
and PTT TPM 2.0.  My laptop still boots properly.  Over the weekend
I'll try to actually review the patches.
Thanks Mimi for testing this patch-set.

-Sumit
Mimi