From: Jarkko Sakkinen <jarkko@kernel.org>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: david.safford@gmail.com, linux-integrity@vger.kernel.org,
Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <jejb@linux.ibm.com>
Subject: Re: [PATCH] trusted-keys-fix-migratable-logic
Date: Tue, 7 Jun 2022 12:48:01 +0300 [thread overview]
Message-ID: <Yp8e0X+jkg3HWSA0@iki.fi> (raw)
In-Reply-To: <1eda7b47-1f9f-9188-efbe-e135326d7585@pengutronix.de>
On Tue, Jun 07, 2022 at 08:15:49AM +0200, Ahmad Fatoum wrote:
> Hello David,
>
> On 03.06.22 15:28, david.safford@gmail.com wrote:
> > When creating (sealing) a new trusted key, migratable
> > trusted keys have the FIXED_TPM and FIXED_PERM attributes
> > set, and non-migratable keys don't. This is backwards, and
> > also causes creation to fail when creating a migratable key
> > under a migratable parent. (The TPM thinks you are trying to
> > seal a non-migratable blob under a migratable parent.)
> >
> > The following simple patch fixes the logic, and has been
> > tested for all four combinations of migratable and non-migratable
> > trusted keys and parent storage keys. With this logic, you will
> > get a proper failure if you try to create a non-migratable
> > trusted key under a migratable parent storage key, and all other
> > combinations work correctly.
> >
> > david safford
>
> Thanks for your patch. It looks sensible, but needs some work to
> be aligned to the kernel patch guidelines, documented here:
> Documentation/process/submitting-patches.rst
>
> What I noticed in particular:
>
> - Your Signed-off-by is missing
> - Your patch title needs alignment to others in the revision history,
> you could change it e.g. "KEYS: trusted: tpm2: Fix migratable logic"
> - The To:/Cc: list is incomplete. Patches to this file are normally
> merged via Jarkko's tree. get_maintainers.pl will produce a full list
> of people and mailing lists to copy.
>
> Looking forward to your v2.
The code change looks legit but it also needs to have this:
Fixes: e5fb5d2c5a03 ("security: keys: trusted: Make sealed key properly interoperable")
> Cheers,
> Ahmad
BR, Jarkko
prev parent reply other threads:[~2022-06-07 9:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-03 13:28 [PATCH] trusted-keys-fix-migratable-logic david.safford
2022-06-07 6:15 ` Ahmad Fatoum
2022-06-07 9:48 ` Jarkko Sakkinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yp8e0X+jkg3HWSA0@iki.fi \
--to=jarkko@kernel.org \
--cc=a.fatoum@pengutronix.de \
--cc=david.safford@gmail.com \
--cc=jejb@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.