Hello Mimi, On 23.03.21 19:07, Mimi Zohar wrote: > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote: >> On 21.03.21 21:48, Horia Geantă wrote: >>> caam has random number generation capabilities, so it's worth using that >>> by implementing .get_random. >> >> If the CAAM HWRNG is already seeding the kernel RNG, why not use the >> kernel's? >> >> Makes for less code duplication IMO. > > Using kernel RNG, in general, for trusted keys has been discussed > before. Please refer to Dave Safford's detailed explanation for not > using it [1].
The argument seems to boil down to: - TPM RNG are known to be of good quality - Trusted keys always used it so far Both are fine by me for TPMs, but the CAAM backend is new code and neither point really applies. get_random_bytes_wait is already used for generating key material elsewhere. Why shouldn't new trusted key backends be able to do the same thing? Cheers, Ahmad > > thanks, > > Mimi > > [1] > https://lore.kernel.org/linux-integrity/bca04d5d9a3b764c9b7405bba4d4a3c035f2a...@alpmbapa12.e2k.ad.ge.com/ > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
