On Sun, Apr 12, 2026 at 02:47:20PM -0400, Nayna Jain wrote:
>
> On 4/9/26 12:07 PM, Jarkko Sakkinen wrote:
> > From: Jarkko Sakkinen <[email protected]>
> >
> > TPM_DEBUG, and other similar flags, are a non-standard way to specify a
> > feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted
> > keys, and use it to replace these ad-hoc feature flags.
> >
> > Given that trusted keys debug dumps can contain sensitive data, harden the
> > feature as follows:
> >
> > 1. In the Kconfig description postulate that pr_debug() statements must be
> >    used.
> > 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
> > 3. Require trusted.debug=1 on the kernel command line (default: 0) to
> >    activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y.
> >
> > Traces, when actually needed, can be easily enabled by providing
> > trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line.
>
> Thanks Jarkko. Additional changes look good to me. I just realized that the
> kernel command-line parameters document may need to be updated to include
> these parameters.

Good point. I will bake that to my PR version of patch. It's low risk as per
collateral damage. Thanks for pointing this out.

>
> Apart from that, feel free to add my
>
> Reviewed-by: Nayna Jain <[email protected]>

Thank you! These defines have been a huge itch for me for a while :-)

>
> Thanks & Regards,
>
>      - Nayna
>

BR, Jarkko

