On Wed, Mar 24, 2021 at 09:14:02AM -0700, James Bottomley wrote:
> On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote:
> > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> > > Hello Horia,
> > >
> > > On 21.03.21 21:48, Horia Geantă wrote:
> > > > On 3/16/2021 7:02 PM, Ahmad Fatoum
Ahmad,
- Ursprüngliche Mail -
> Von: "Ahmad Fatoum"
>> That way existing blobs can also be used with this implementation.
>> IIRC the NXP vendor tree uses "SECURE_KEY" as default modifier.
>
> Being binary compatible with other implementations is not an objective
> for this patch set.
Hello Richard,
On 31.03.21 20:35, Richard Weinberger wrote:
> Ahmad,
>
> On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum wrote:
>> +#define KEYMOD "kernel:trusted"
>
> why is the CAAM key modifier hard coded?
> I'd love to have way to pass my own modifier.
>
> That way existing blobs can also be
Hello Jarkko,
On 01.04.21 01:30, Jarkko Sakkinen wrote:
>> Option (C) sounds reasonable to me but I would rather prefer an info
>> message rather than warning as otherwise it would reflect that we are
>> enforcing kernel RNG choice for a user to trust upon.
>
> I gave some though on this.
>
> I
On Thu, Apr 01, 2021 at 08:50:05AM +0300, Jarkko Sakkinen wrote:
> On Thu, Apr 01, 2021 at 12:11:32PM +1100, Herbert Xu wrote:
> > On Wed, Mar 31, 2021 at 04:34:29PM -0700, Eric Biggers wrote:
> > > On Thu, Apr 01, 2021 at 02:31:46AM +0300, Jarkko Sakkinen wrote:
> > > >
> > > > It's a bummer but
On Thu, Apr 01, 2021 at 12:11:32PM +1100, Herbert Xu wrote:
> On Wed, Mar 31, 2021 at 04:34:29PM -0700, Eric Biggers wrote:
> > On Thu, Apr 01, 2021 at 02:31:46AM +0300, Jarkko Sakkinen wrote:
> > >
> > > It's a bummer but uapi is the god in the end. Since TPM does not do it
> > > today, that
On Wed, Mar 31, 2021 at 04:34:29PM -0700, Eric Biggers wrote:
> On Thu, Apr 01, 2021 at 02:31:46AM +0300, Jarkko Sakkinen wrote:
> >
> > It's a bummer but uapi is the god in the end. Since TPM does not do it
> > today, that behaviour must be supported forever. That's why a boot option
> > AND a
On Wed, Mar 31, 2021 at 04:34:29PM -0700, Eric Biggers wrote:
> On Thu, Apr 01, 2021 at 02:31:46AM +0300, Jarkko Sakkinen wrote:
> >
> > It's a bummer but uapi is the god in the end. Since TPM does not do it
> > today, that behaviour must be supported forever. That's why a boot option
> > AND a
On Thu, Apr 01, 2021 at 02:31:46AM +0300, Jarkko Sakkinen wrote:
>
> It's a bummer but uapi is the god in the end. Since TPM does not do it
> today, that behaviour must be supported forever. That's why a boot option
> AND a warning would be the best compromise.
>
It's not UAPI if there is no
On Tue, Mar 30, 2021 at 02:47:18PM -0700, Eric Biggers wrote:
> On Sun, Mar 28, 2021 at 11:37:23PM +0300, Jarkko Sakkinen wrote:
> >
> > Unfortunately, TPM trusted keys started this bad security practice, and
> > obviously it cannot be fixed without breaking uapi backwards compatibility.
> >
>
On Tue, Mar 30, 2021 at 12:56:41PM +0530, Sumit Garg wrote:
> On Mon, 29 Mar 2021 at 01:07, Jarkko Sakkinen wrote:
> >
> > On Sat, Mar 27, 2021 at 01:41:24PM +0100, David Gstir wrote:
> > > Hi!
> > >
> > > > On 25.03.2021, at 06:26, Sumit Garg wrote:
> > > >
> > > > On Wed, 24 Mar 2021 at 19:37,
On Mon, Mar 29, 2021 at 12:11:24PM +0200, Ahmad Fatoum wrote:
> Hello Jarkko,
>
> On 28.03.21 22:37, Jarkko Sakkinen wrote:
> > On Sat, Mar 27, 2021 at 01:41:24PM +0100, David Gstir wrote:
> >> Generally speaking, I’d say trusting the CAAM RNG and trusting in it’s
> >> other features are two
Ahmad,
On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum wrote:
> +#define KEYMOD "kernel:trusted"
why is the CAAM key modifier hard coded?
I'd love to have way to pass my own modifier.
That way existing blobs can also be used with this implementation.
IIRC the NXP vendor tree uses "SECURE_KEY" as
On Sun, Mar 28, 2021 at 11:37:23PM +0300, Jarkko Sakkinen wrote:
>
> Unfortunately, TPM trusted keys started this bad security practice, and
> obviously it cannot be fixed without breaking uapi backwards compatibility.
>
The whole point of a randomness source is that it is random. So userspace
Ahmad,
On Wed, Mar 17, 2021 at 3:03 PM Ahmad Fatoum wrote:
> > I didn't closely follow the previous discussions, but is a module
> > parameter really the right approach?
> > Is there also a way to set it via something like device tree?
>
> Compiled-on sources are considered in the order: tpm,
On Mon, 29 Mar 2021 at 01:07, Jarkko Sakkinen wrote:
>
> On Sat, Mar 27, 2021 at 01:41:24PM +0100, David Gstir wrote:
> > Hi!
> >
> > > On 25.03.2021, at 06:26, Sumit Garg wrote:
> > >
> > > On Wed, 24 Mar 2021 at 19:37, Ahmad Fatoum
> > > wrote:
> > >>
> > >> Hello Sumit,
> > >>
> > >> On
Hello Jarkko,
On 28.03.21 22:37, Jarkko Sakkinen wrote:
> On Sat, Mar 27, 2021 at 01:41:24PM +0100, David Gstir wrote:
>> Generally speaking, I’d say trusting the CAAM RNG and trusting in it’s
>> other features are two separate things. However, reading through the CAAM
>> key blob spec I’ve got
On Sat, Mar 27, 2021 at 01:41:24PM +0100, David Gstir wrote:
> Hi!
>
> > On 25.03.2021, at 06:26, Sumit Garg wrote:
> >
> > On Wed, 24 Mar 2021 at 19:37, Ahmad Fatoum wrote:
> >>
> >> Hello Sumit,
> >>
> >> On 24.03.21 11:47, Sumit Garg wrote:
> >>> On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum
Hi!
> On 25.03.2021, at 06:26, Sumit Garg wrote:
>
> On Wed, 24 Mar 2021 at 19:37, Ahmad Fatoum wrote:
>>
>> Hello Sumit,
>>
>> On 24.03.21 11:47, Sumit Garg wrote:
>>> On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum wrote:
Hello Mimi,
On 23.03.21 19:07, Mimi Zohar wrote:
On Wed, 24 Mar 2021 at 19:37, Ahmad Fatoum wrote:
>
> Hello Sumit,
>
> On 24.03.21 11:47, Sumit Garg wrote:
> > On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum wrote:
> >>
> >> Hello Mimi,
> >>
> >> On 23.03.21 19:07, Mimi Zohar wrote:
> >>> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
>
On Wed, 2021-03-24 at 16:49 -0400, Mimi Zohar wrote:
> On Wed, 2021-03-24 at 09:14 -0700, James Bottomley wrote:
> > On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote:
> > > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> > > > Hello Horia,
> > > >
> > > > On 21.03.21 21:48, Horia
On Wed, 2021-03-24 at 09:14 -0700, James Bottomley wrote:
> On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote:
> > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> > > Hello Horia,
> > >
> > > On 21.03.21 21:48, Horia Geantă wrote:
> > > > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote:
> > >
On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote:
> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> > Hello Horia,
> >
> > On 21.03.21 21:48, Horia Geantă wrote:
> > > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote:
> > > [...]
> > > > +struct trusted_key_ops caam_trusted_key_ops = {
> > >
Hello Sumit,
On 24.03.21 11:47, Sumit Garg wrote:
> On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum wrote:
>>
>> Hello Mimi,
>>
>> On 23.03.21 19:07, Mimi Zohar wrote:
>>> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
On 21.03.21 21:48, Horia Geantă wrote:
> caam has random number
On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum wrote:
>
> Hello Mimi,
>
> On 23.03.21 19:07, Mimi Zohar wrote:
> > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> >> On 21.03.21 21:48, Horia Geantă wrote:
> >>> caam has random number generation capabilities, so it's worth using that
> >>> by
Hello Mimi,
On 23.03.21 19:07, Mimi Zohar wrote:
> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
>> On 21.03.21 21:48, Horia Geantă wrote:
>>> caam has random number generation capabilities, so it's worth using that
>>> by implementing .get_random.
>>
>> If the CAAM HWRNG is already
On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
> Hello Horia,
>
> On 21.03.21 21:48, Horia Geantă wrote:
> > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote:
> > [...]
> >> +struct trusted_key_ops caam_trusted_key_ops = {
> >> + .migratable = 0, /* non-migratable */
> >> + .init =
Hello Horia,
On 21.03.21 21:48, Horia Geantă wrote:
> On 3/16/2021 7:02 PM, Ahmad Fatoum wrote:
> [...]
>> +struct trusted_key_ops caam_trusted_key_ops = {
>> +.migratable = 0, /* non-migratable */
>> +.init = trusted_caam_init,
>> +.seal = trusted_caam_seal,
>> +.unseal =
On 3/16/2021 7:02 PM, Ahmad Fatoum wrote:
[...]
> +struct trusted_key_ops caam_trusted_key_ops = {
> + .migratable = 0, /* non-migratable */
> + .init = trusted_caam_init,
> + .seal = trusted_caam_seal,
> + .unseal = trusted_caam_unseal,
> + .exit = trusted_caam_exit,
> +};
Hello Richard,
On 17.03.21 00:14, Richard Weinberger wrote:
> Ahmad,
>
> On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum wrote:
>> +#include
>> +#include
>> +#include
>> +#include
>> +#include
>> +
>> +struct caam_blob_priv *blobifier;
>
> Who is using this pointer too?
> Otherwise I'd
Hello Jarkko,
On 16.03.21 20:22, Jarkko Sakkinen wrote:
> On Tue, Mar 16, 2021 at 06:01:18PM +0100, Ahmad Fatoum wrote:
>> The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
>> built into many newer i.MX and QorIQ SoCs by NXP.
>>
>> The CAAM does crypto acceleration,
Sumit,
- Ursprüngliche Mail -
>> > module_param_named(source, trusted_key_source, charp, 0);
>> > -MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)");
>> > +MODULE_PARM_DESC(source, "Select trusted keys source (tpm, tee or caam)");
>>
>> I didn't closely follow the
Hi Richard,
On Wed, 17 Mar 2021 at 04:45, Richard Weinberger
wrote:
>
> Ahmad,
>
> On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum wrote:
> > +#include
> > +#include
> > +#include
> > +#include
> > +#include
> > +
> > +struct caam_blob_priv *blobifier;
>
> Who is using this pointer too?
>
Ahmad,
On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum wrote:
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +struct caam_blob_priv *blobifier;
Who is using this pointer too?
Otherwise I'd suggest marking it static.
> module_param_named(source, trusted_key_source, charp,
On Tue, Mar 16, 2021 at 06:01:18PM +0100, Ahmad Fatoum wrote:
> The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
> built into many newer i.MX and QorIQ SoCs by NXP.
>
> The CAAM does crypto acceleration, hardware number generation and
> has a blob mechanism for
The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
built into many newer i.MX and QorIQ SoCs by NXP.
The CAAM does crypto acceleration, hardware number generation and
has a blob mechanism for encapsulation/decapsulation of sensitive material.
This blob mechanism depends on
36 matches
Mail list logo
