Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material

[PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 6/7] doc: trusted-encrypted: describe new CAAM trust source · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 3/7] crypto: caam - determine whether CAAM supports blob encap/decap · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
RE: [EXT] [PATCH v10 3/7] crypto: caam - determine whether CAAM supports blob encap/decap · Pankaj Gupta <pankaj.gupta@nxp.com> · 2022-05-17
[PATCH v10 4/7] crypto: caam - add in-kernel interface for blob generator · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 7/7] MAINTAINERS: add KEYS-TRUSTED-CAAM · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 5/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 1/7] KEYS: trusted: allow use of TEE as backend without TCG_TPM support · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
[PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-13
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Mimi Zohar <zohar@linux.ibm.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Mimi Zohar <zohar@linux.ibm.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Mimi Zohar <zohar@linux.ibm.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-18
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Jarkko Sakkinen <jarkko@kernel.org> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · "Jason A. Donenfeld" <Jason@zx2c4.com> · 2022-05-17
Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-17
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Jarkko Sakkinen <jarkko@kernel.org> · 2022-05-16
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-17
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Jarkko Sakkinen <jarkko@kernel.org> · 2022-05-18
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Ahmad Fatoum <a.fatoum@pengutronix.de> · 2022-05-18
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Jarkko Sakkinen <jarkko@kernel.org> · 2022-05-18
Re: [PATCH v10 0/7] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys · Jarkko Sakkinen <jarkko@kernel.org> · 2022-05-19

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: 2022-05-17 17:38:35
Also in: keyrings, linux-crypto, linux-integrity, lkml

On Tue, May 17, 2022 at 11:52:55AM -0400, Mimi Zohar wrote:

On Fri, 2022-05-13 at 16:57 +0200, Ahmad Fatoum wrote:

quoted

 static int __init init_trusted(void)
 {
+       int (*get_random)(unsigned char *key, size_t key_len);
        int i, ret = 0;
 
        for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {

@@ -322,6 +333,28 @@ static int __init init_trusted(void)
                            strlen(trusted_key_sources[i].name)))
                        continue;
 
+               /*
+                * We always support trusted.rng="kernel" and "default" as
+                * well as trusted.rng=$trusted.source if the trust source
+                * defines its own get_random callback.
+                */

 
While TEE trusted keys support was upstreamed, there was a lot of
discussion about using kernel RNG.  One of the concerns was lack of or
insuffiencent entropy during early boot on embedded devices.  This
concern needs to be clearly documented in both Documentation/admin-
guide/kernel-parameters.txt and Documentation/security/keys/trusted-
encrypted.rst.

Sounds like FUD. Use `get_random_bytes_wait()`, and you'll be fine.

Jason

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help