From: David Gstir <david@sigma-star.at>
To: Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>
Cc: David Gstir <david@sigma-star.at>,
Shawn Guo <shawnguo@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
Sascha Hauer <s.hauer@pengutronix.de>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Fabio Estevam <festevam@gmail.com>,
NXP Linux Team <linux-imx@nxp.com>,
Ahmad Fatoum <a.fatoum@pengutronix.de>,
sigma star Kernel Team <upstream+dcp@sigma-star.at>,
David Howells <dhowells@redhat.com>, Li Yang <leoyang.li@nxp.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Tejun Heo <tj@kernel.org>,
"Steven Rostedt (Google)" <rostedt@goodmis.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config
Date: Thu, 7 Mar 2024 16:38:29 +0100 [thread overview]
Message-ID: <20240307153842.80033-3-david@sigma-star.at> (raw)
In-Reply-To: <20240307153842.80033-1-david@sigma-star.at>
Enabling trusted keys requires at least one trust source implementation
(currently TPM, TEE or CAAM) to be enabled. Currently, this is
done by checking each trust source's config option individually.
This does not scale when more trust sources like the one for DCP
are added.
Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
once its enabled and adapt the check for having at least one active trust
source to use this option. Whenever a new trust source is added, it now
needs to select HAVE_TRUSTED_KEYS.
Signed-off-by: David Gstir <david@sigma-star.at>
---
security/keys/trusted-keys/Kconfig | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index dbfdd8536468..553dc117f385 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,3 +1,6 @@
+config HAVE_TRUSTED_KEYS
+ bool
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
@@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
select ASN1_ENCODER
select OID_REGISTRY
select ASN1
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Platform Module (TPM) as trusted key
backend. Trusted keys are random number symmetric keys,
@@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
key backend.
@@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
(CAAM) as trusted key backend.
-if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
-comment "No trust source selected!"
+if !HAVE_TRUSTED_KEYS
+ comment "No trust source selected!"
endif
--
2.35.3
WARNING: multiple messages have this Message-ID (diff)
From: David Gstir <david@sigma-star.at>
To: Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>
Cc: David Gstir <david@sigma-star.at>,
Shawn Guo <shawnguo@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
Sascha Hauer <s.hauer@pengutronix.de>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Fabio Estevam <festevam@gmail.com>,
NXP Linux Team <linux-imx@nxp.com>,
Ahmad Fatoum <a.fatoum@pengutronix.de>,
sigma star Kernel Team <upstream+dcp@sigma-star.at>,
David Howells <dhowells@redhat.com>, Li Yang <leoyang.li@nxp.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Tejun Heo <tj@kernel.org>,
"Steven Rostedt (Google)" <rostedt@goodmis.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config
Date: Thu, 7 Mar 2024 16:38:29 +0100 [thread overview]
Message-ID: <20240307153842.80033-3-david@sigma-star.at> (raw)
In-Reply-To: <20240307153842.80033-1-david@sigma-star.at>
Enabling trusted keys requires at least one trust source implementation
(currently TPM, TEE or CAAM) to be enabled. Currently, this is
done by checking each trust source's config option individually.
This does not scale when more trust sources like the one for DCP
are added.
Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
once its enabled and adapt the check for having at least one active trust
source to use this option. Whenever a new trust source is added, it now
needs to select HAVE_TRUSTED_KEYS.
Signed-off-by: David Gstir <david@sigma-star.at>
---
security/keys/trusted-keys/Kconfig | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index dbfdd8536468..553dc117f385 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,3 +1,6 @@
+config HAVE_TRUSTED_KEYS
+ bool
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
@@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
select ASN1_ENCODER
select OID_REGISTRY
select ASN1
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Platform Module (TPM) as trusted key
backend. Trusted keys are random number symmetric keys,
@@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
key backend.
@@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
(CAAM) as trusted key backend.
-if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
-comment "No trust source selected!"
+if !HAVE_TRUSTED_KEYS
+ comment "No trust source selected!"
endif
--
2.35.3
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: David Gstir <david@sigma-star.at>
To: Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>
Cc: David Gstir <david@sigma-star.at>,
linux-doc@vger.kernel.org,
Catalin Marinas <catalin.marinas@arm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, Fabio Estevam <festevam@gmail.com>,
Ahmad Fatoum <a.fatoum@pengutronix.de>,
Paul Moore <paul@paul-moore.com>,
Jonathan Corbet <corbet@lwn.net>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
James Morris <jmorris@namei.org>,
NXP Linux Team <linux-imx@nxp.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Sascha Hauer <s.hauer@pengutronix.de>,
sigma star Kernel Team <upstream+dcp@sigma-star.at>,
"Steven Rostedt \(Google\)" <rostedt@goodmis.org>,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org,
Randy Dunlap <rdunlap@infradead.org>,
linux-kernel@vger.kernel.org, Li Yang <leoyang.li@nxp.com>,
linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Tejun Heo <tj@kernel.org>,
linux-integrity@vger.kernel. org, Shawn Guo <shawnguo@kernel.org>
Subject: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config
Date: Thu, 7 Mar 2024 16:38:29 +0100 [thread overview]
Message-ID: <20240307153842.80033-3-david@sigma-star.at> (raw)
In-Reply-To: <20240307153842.80033-1-david@sigma-star.at>
Enabling trusted keys requires at least one trust source implementation
(currently TPM, TEE or CAAM) to be enabled. Currently, this is
done by checking each trust source's config option individually.
This does not scale when more trust sources like the one for DCP
are added.
Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
once its enabled and adapt the check for having at least one active trust
source to use this option. Whenever a new trust source is added, it now
needs to select HAVE_TRUSTED_KEYS.
Signed-off-by: David Gstir <david@sigma-star.at>
---
security/keys/trusted-keys/Kconfig | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index dbfdd8536468..553dc117f385 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,3 +1,6 @@
+config HAVE_TRUSTED_KEYS
+ bool
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
@@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
select ASN1_ENCODER
select OID_REGISTRY
select ASN1
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Platform Module (TPM) as trusted key
backend. Trusted keys are random number symmetric keys,
@@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
key backend.
@@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
(CAAM) as trusted key backend.
-if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
-comment "No trust source selected!"
+if !HAVE_TRUSTED_KEYS
+ comment "No trust source selected!"
endif
--
2.35.3
next prev parent reply other threads:[~2024-03-07 15:39 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 15:38 [PATCH v5 0/6] DCP as trusted keys backend David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` [PATCH v6 1/6] crypto: mxs-dcp: Add support for hardware-bound keys David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 19:17 ` Jarkko Sakkinen
2024-03-07 19:17 ` Jarkko Sakkinen
2024-03-07 19:17 ` Jarkko Sakkinen
2024-03-07 15:38 ` David Gstir [this message]
2024-03-07 15:38 ` [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 19:18 ` Jarkko Sakkinen
2024-03-07 19:18 ` Jarkko Sakkinen
2024-03-07 19:18 ` Jarkko Sakkinen
2024-03-07 15:38 ` [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 19:23 ` Jarkko Sakkinen
2024-03-07 19:23 ` Jarkko Sakkinen
2024-03-07 19:23 ` Jarkko Sakkinen
2024-03-07 19:30 ` Jarkko Sakkinen
2024-03-07 19:30 ` Jarkko Sakkinen
2024-03-07 19:30 ` Jarkko Sakkinen
2024-03-08 7:17 ` David Gstir
2024-03-08 7:17 ` David Gstir
2024-03-08 7:17 ` David Gstir
2024-03-11 20:07 ` Jarkko Sakkinen
2024-03-11 20:07 ` Jarkko Sakkinen
2024-03-11 20:07 ` Jarkko Sakkinen
2024-03-07 15:38 ` [PATCH v6 4/6] MAINTAINERS: add entry for DCP-based " David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` [PATCH v6 5/6] docs: document DCP-backed trusted keys kernel params David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 19:32 ` Jarkko Sakkinen
2024-03-07 19:32 ` Jarkko Sakkinen
2024-03-07 19:32 ` Jarkko Sakkinen
2024-03-07 15:38 ` [PATCH v6 6/6] docs: trusted-encrypted: add DCP as new trust source David Gstir
2024-03-07 15:38 ` David Gstir
2024-03-07 15:38 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240307153842.80033-3-david@sigma-star.at \
--to=david@sigma-star.at \
--cc=a.fatoum@pengutronix.de \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=festevam@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=kernel@pengutronix.de \
--cc=keyrings@vger.kernel.org \
--cc=leoyang.li@nxp.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-imx@nxp.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paul@paul-moore.com \
--cc=paulmck@kernel.org \
--cc=rafael.j.wysocki@intel.com \
--cc=rdunlap@infradead.org \
--cc=rostedt@goodmis.org \
--cc=s.hauer@pengutronix.de \
--cc=serge@hallyn.com \
--cc=shawnguo@kernel.org \
--cc=tj@kernel.org \
--cc=upstream+dcp@sigma-star.at \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.