From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "David Gstir" <david@sigma-star.at>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"James Bottomley" <jejb@linux.ibm.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Cc: "Shawn Guo" <shawnguo@kernel.org>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Sascha Hauer" <s.hauer@pengutronix.de>,
	"Pengutronix Kernel Team" <kernel@pengutronix.de>,
	"Fabio Estevam" <festevam@gmail.com>,
	"NXP Linux Team" <linux-imx@nxp.com>,
	"Ahmad Fatoum" <a.fatoum@pengutronix.de>,
	"sigma star Kernel Team" <upstream+dcp@sigma-star.at>,
	"David Howells" <dhowells@redhat.com>,
	"Li Yang" <leoyang.li@nxp.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Paul E. McKenney" <paulmck@kernel.org>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Catalin Marinas" <catalin.marinas@arm.com>,
	"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
	"Tejun Heo" <tj@kernel.org>,
	"Steven Rostedt (Google)" <rostedt@goodmis.org>,
	<linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<linux-integrity@vger.kernel.org>, <keyrings@vger.kernel.org>,
	<linux-crypto@vger.kernel.org>,
	<linux-arm-kernel@lists.infradead.org>,
	<linuxppc-dev@lists.ozlabs.org>,
	<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v7 2/6] KEYS: trusted: improve scalability of trust source config
Date: Wed, 27 Mar 2024 17:30:28 +0200	[thread overview]
Message-ID: <D04N1YLIAJQT.1WM3WVEU7R60G@kernel.org> (raw)
In-Reply-To: <20240327082454.13729-3-david@sigma-star.at>

On Wed Mar 27, 2024 at 10:24 AM EET, David Gstir wrote:
> Enabling trusted keys requires at least one trust source implementation
> (currently TPM, TEE or CAAM) to be enabled. Currently, this is
> done by checking each trust source's config option individually.
> This does not scale when more trust sources like the one for DCP
> are added, because the condition will get long and hard to read.
>
> Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
> once it's enabled and adapt the check for having at least one active trust
> source to use this option. Whenever a new trust source is added, it now
> needs to select HAVE_TRUSTED_KEYS.
>
> Signed-off-by: David Gstir <david@sigma-star.at>
> ---
>  security/keys/trusted-keys/Kconfig | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
> index dbfdd8536468..553dc117f385 100644
> --- a/security/keys/trusted-keys/Kconfig
> +++ b/security/keys/trusted-keys/Kconfig
> @@ -1,3 +1,6 @@
> +config HAVE_TRUSTED_KEYS
> +	bool
> +
>  config TRUSTED_KEYS_TPM
>  	bool "TPM-based trusted keys"
>  	depends on TCG_TPM >= TRUSTED_KEYS
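Review bot: the new `config HAVE_TRUSTED_KEYS` at the top of this hunk is a bare `bool` with no comment or help text, so the rule stated in the commit message (every new trust source must `select HAVE_TRUSTED_KEYS`) is recorded only in git history, not where the next backend author will look. Suggest a one-line comment above it, for example `# Selected by every trust source backend; drives the "No trust source selected!" check below`, so the Kconfig is self-describing.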
> @@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
>  	select ASN1_ENCODER
>  	select OID_REGISTRY
>  	select ASN1
> +	select HAVE_TRUSTED_KEYS
>  	help
>  	  Enable use of the Trusted Platform Module (TPM) as trusted key
>  	  backend. Trusted keys are random number symmetric keys,
> @@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
>  	bool "TEE-based trusted keys"
>  	depends on TEE >= TRUSTED_KEYS
>  	default y
> +	select HAVE_TRUSTED_KEYS
>  	help
>  	  Enable use of the Trusted Execution Environment (TEE) as trusted
>  	  key backend.
> @@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
>  	depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
>  	select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
>  	default y
> +	select HAVE_TRUSTED_KEYS
>  	help
>  	  Enable use of NXP's Cryptographic Accelerator and Assurance Module
>  	  (CAAM) as trusted key backend.
>  
> -if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
> -comment "No trust source selected!"
> +if !HAVE_TRUSTED_KEYS
> +	comment "No trust source selected!"
>  endif
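Review bot: the `+	comment "No trust source selected!"` line re-indents the comment with a tab although the removed `-comment "No trust source selected!"` line was flush-left, so a whitespace-only change is mixed into the one functional change in this hunk (`-if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM` to `+if !HAVE_TRUSTED_KEYS`). Suggest keeping the `comment` line unindented so the hunk touches only the condition; the `if !HAVE_TRUSTED_KEYS` check itself is correct given that each of the three backends now selects the symbol.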

Tested-by: Jarkko Sakkinen <jarkko@kernel.org> # for TRUSTED_KEYS_TPM
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko
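The Kconfig change above encodes one invariant: when trusted keys are enabled, at least one trust source (TPM, TEE or CAAM) must be enabled too, and HAVE_TRUSTED_KEYS must reflect that. As an added example, not part of the patch or the kernel tree, the POSIX shell check below applies the same invariant to a built `.config`, which is useful when auditing a kernel configuration after the fact rather than in the menuconfig UI. The `CONFIG_*` symbol names are the ones from the Kconfig in the patch; the sample `.config` files are constructed here for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the patch or the kernel tree): check a built .config
# for the invariant the Kconfig change encodes. If CONFIG_TRUSTED_KEYS is on,
# at least one trust source must be on and CONFIG_HAVE_TRUSTED_KEYS must agree.

# Trust source symbols, taken from the Kconfig file in the patch.
TRUST_SOURCES="CONFIG_TRUSTED_KEYS_TPM CONFIG_TRUSTED_KEYS_TEE CONFIG_TRUSTED_KEYS_CAAM"

# is_set FILE SYMBOL: succeed if FILE contains "SYMBOL=y" or "SYMBOL=m".
# "# SYMBOL is not set" lines therefore count as disabled.
is_set() {
    grep -q "^$2=[ym]$" "$1"
}

# check_trusted_keys FILE: print one of
#   disabled          CONFIG_TRUSTED_KEYS is off, nothing to check
#   no-trust-source   trusted keys on, but no backend enabled
#   have-mismatch     a backend is on, but CONFIG_HAVE_TRUSTED_KEYS is not
#   ok                invariant holds
# and return 0 for disabled/ok, 1 otherwise.
check_trusted_keys() {
    cfg=$1
    if ! is_set "$cfg" CONFIG_TRUSTED_KEYS; then
        echo disabled
        return 0
    fi
    n=0
    for sym in $TRUST_SOURCES; do
        if is_set "$cfg" "$sym"; then
            n=$((n + 1))
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo no-trust-source
        return 1
    fi
    if ! is_set "$cfg" CONFIG_HAVE_TRUSTED_KEYS; then
        echo have-mismatch
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample configs (not real build output) covering each outcome.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

GOOD_CFG="$tmp/good.config"
cat > "$GOOD_CFG" <<'EOF'
CONFIG_TRUSTED_KEYS=y
CONFIG_TRUSTED_KEYS_TPM=y
CONFIG_HAVE_TRUSTED_KEYS=y
EOF

NO_SOURCE_CFG="$tmp/no-source.config"
cat > "$NO_SOURCE_CFG" <<'EOF'
CONFIG_TRUSTED_KEYS=y
# CONFIG_TRUSTED_KEYS_TPM is not set
# CONFIG_TRUSTED_KEYS_TEE is not set
# CONFIG_TRUSTED_KEYS_CAAM is not set
EOF

MISMATCH_CFG="$tmp/mismatch.config"
cat > "$MISMATCH_CFG" <<'EOF'
CONFIG_TRUSTED_KEYS=m
CONFIG_TRUSTED_KEYS_CAAM=y
EOF

DISABLED_CFG="$tmp/disabled.config"
cat > "$DISABLED_CFG" <<'EOF'
# CONFIG_TRUSTED_KEYS is not set
CONFIG_TRUSTED_KEYS_TEE=y
EOF

for f in "$GOOD_CFG" "$NO_SOURCE_CFG" "$MISMATCH_CFG" "$DISABLED_CFG"; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_trusted_keys "$f")"
done
```

Point `check_trusted_keys` at a real `.config` (or `/boot/config-$(uname -r)`) to audit an installed kernel; a `have-mismatch` result on a tree that carries this patch would indicate a backend that forgot to `select HAVE_TRUSTED_KEYS`, which is exactly the omission the new symbol is meant to make visible.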

