[PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

Jarkko Sakkinen jarkko at kernel.org
Mon Mar 11 20:07:19 UTC 2024


On Fri Mar 8, 2024 at 9:17 AM EET, David Gstir wrote:
> Hi Jarkko,
>
> > On 07.03.2024, at 20:30, Jarkko Sakkinen <jarkko at kernel.org> wrote:
>
> [...]
>
> >> +
> >> +static int trusted_dcp_init(void)
> >> +{
> >> + int ret;
> >> +
> >> + if (use_otp_key)
> >> + pr_info("Using DCP OTP key\n");
> >> +
> >> + ret = test_for_zero_key();
> >> + if (ret) {
> >> + pr_err("Test for zero'ed keys failed: %i\n", ret);
> > 
> > I'm not sure whether this should err or warn.
> > 
> > What sort of situations can cause the test the fail (e.g.
> > adversary/interposer, bad configuration etc.).
>
> This occurs when the hardware is not in "secure mode". I.e. it’s a bad configuration issue.
> Once the board is properly configured, this will never trigger again.
> Do you think a warning is better for this then?

Bad configuration is not unexpected configuration so it cannot possibly
be an error situation as far as Linux is considered. So warning is 
appropriate here I'd figure.

BR, Jarkko



More information about the Linux-security-module-archive mailing list