[PATCH v6 5/6] docs: document DCP-backed trusted keys kernel params
Jarkko Sakkinen
jarkko at kernel.org
Thu Mar 7 19:32:08 UTC 2024
On Thu Mar 7, 2024 at 5:38 PM EET, David Gstir wrote:
> Document the kernel parameters trusted.dcp_use_otp_key
> and trusted.dcp_skip_zk_test for DCP-backed trusted keys.
>
> Co-developed-by: Richard Weinberger <richard at nod.at>
> Signed-off-by: Richard Weinberger <richard at nod.at>
> Co-developed-by: David Oberhollenzer <david.oberhollenzer at sigma-star.at>
> Signed-off-by: David Oberhollenzer <david.oberhollenzer at sigma-star.at>
> Signed-off-by: David Gstir <david at sigma-star.at>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 24c02c704049..b6944e57768a 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -6698,6 +6698,7 @@
> - "tpm"
> - "tee"
> - "caam"
> + - "dcp"
> If not specified then it defaults to iterating through
> the trust source list starting with TPM and assigns the
> first trust source as a backend which is initialized
> @@ -6713,6 +6714,18 @@
> If not specified, "default" is used. In this case,
> the RNG's choice is left to each individual trust source.
>
> + trusted.dcp_use_otp_key
> + This is intended to be used in combination with
> + trusted.source=dcp and will select the DCP OTP key
> + instead of the DCP UNIQUE key blob encryption.
> +
> + trusted.dcp_skip_zk_test
> + This is intended to be used in combination with
> + trusted.source=dcp and will disable the check if all
> + the blob key is zero'ed. This is helpful for situations where
> + having this key zero'ed is acceptable. E.g. in testing
> + scenarios.
> +
> tsc= Disable clocksource stability checks for TSC.
> Format: <string>
> [x86] reliable: mark tsc clocksource as reliable, this
I don't disagree with the API part.
Mimi?
BR, Jarkko
More information about the Linux-security-module-archive
mailing list