Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

[PATCH v5 0/6] DCP as trusted keys backend · David Gstir <david@sigma-star.at> · 2024-03-07
[PATCH v6 1/6] crypto: mxs-dcp: Add support for hardware-bound keys · David Gstir <david@sigma-star.at> · 2024-03-07
Re: [PATCH v6 1/6] crypto: mxs-dcp: Add support for hardware-bound keys · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-07
[PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config · David Gstir <david@sigma-star.at> · 2024-03-07
Re: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-07
[PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys · David Gstir <david@sigma-star.at> · 2024-03-07
Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-07
Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-07
Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys · David Gstir <david@sigma-star.at> · 2024-03-08
Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-11
[PATCH v6 4/6] MAINTAINERS: add entry for DCP-based trusted keys · David Gstir <david@sigma-star.at> · 2024-03-07
[PATCH v6 5/6] docs: document DCP-backed trusted keys kernel params · David Gstir <david@sigma-star.at> · 2024-03-07
Re: [PATCH v6 5/6] docs: document DCP-backed trusted keys kernel params · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-03-07
[PATCH v6 6/6] docs: trusted-encrypted: add DCP as new trust source · David Gstir <david@sigma-star.at> · 2024-03-07

From: David Gstir <david@sigma-star.at>
Date: 2024-03-08 07:17:48
Also in: keyrings, linux-arm-kernel, linux-crypto, linux-doc, linux-integrity, linuxppc-dev, lkml

Hi Jarkko,

On 07.03.2024, at 20:30, Jarkko Sakkinen [off-list ref] wrote:

[...]

quoted

+
+static int trusted_dcp_init(void)
+{
+ int ret;
+
+ if (use_otp_key)
+ pr_info("Using DCP OTP key\n");
+
+ ret = test_for_zero_key();
+ if (ret) {
+ pr_err("Test for zero'ed keys failed: %i\n", ret);

I'm not sure whether this should err or warn.

What sort of situations can cause the test the fail (e.g.
adversary/interposer, bad configuration etc.).

This occurs when the hardware is not in "secure mode". I.e. it’s a bad configuration issue.
Once the board is properly configured, this will never trigger again.
Do you think a warning is better for this then?

Thanks,
- David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help