Re: [RFC/RFT v4 0/5] Add generic trusted keys framework/subsystem
From: Sumit Garg <hidden>
Date: 2019-08-16 04:58:37
Also in:
keyrings, linux-crypto, linux-integrity, lkml
On Thu, 15 Aug 2019 at 20:36, Mimi Zohar [off-list ref] wrote:
On Thu, 2019-08-15 at 18:33 +0530, Sumit Garg wrote:quoted
Hi Mimi, On Wed, 14 Aug 2019 at 18:54, Mimi Zohar [off-list ref] wrote:quoted
Hi Sumit, On Tue, 2019-08-13 at 13:22 +0530, Sumit Garg wrote:quoted
This patch-set is an outcome of discussion here [1]. It has evolved very much since v1 to create, consolidate and generalize trusted keys subsystem. This framework has been tested with trusted keys support provided via TEE but I wasn't able to test it with a TPM device as I don't possess one. It would be really helpful if others could test this patch-set using a TPM device.With the "CONFIG_HEADER_TEST" and "CONFIG_KERNEL_HEADER_TEST" config options enabled, which is required for linux-next, it fails to build.TBH, I wasn't aware about this test feature for headers.It's new to me too.quoted
It looks like the header which fails this test is "include/keys/trusted_tpm.h" which is basically a rename of "include/keys/trusted.h" plus changes in this patch-set. And "include/keys/trusted.h" header is already put under blacklist here: "include/Kbuild +68" as it fails to build. So its that rename due to which build failure is observed now. It seems to be an easy fix for this build failure via following changes:diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h index 7b593447920b..ca1bec0ef65d 100644 --- a/include/keys/trusted_tpm.h +++ b/include/keys/trusted_tpm.h@@ -2,6 +2,9 @@ #ifndef __TRUSTED_TPM_H #define __TRUSTED_TPM_H +#include <keys/trusted-type.h> +#include <linux/tpm_command.h> + /* implementation specific TPM constants */ #define MAX_BUF_SIZE 1024 #define TPM_GETRANDOM_SIZE 14So I will include above changes in this patch-set and also remove "include/keys/trusted.h" header from the blacklist.That works, thanks. With this patch set, at least the EVM trusted key is properly being decrypted by the encrypted key with both a TPM 1.2 and PTT TPM 2.0. My laptop still boots properly. Over the weekend I'll try to actually review the patches.
Thanks Mimi for testing this patch-set. -Sumit
Mimi