[PATCH] KEYS: trusted: Use get_random-fallback for TPM
Jarkko Sakkinen
jarkko at kernel.org
Sun Dec 14 21:32:36 UTC 2025
1. tpm2_get_random() is costly when TCG_TPM2_HMAC is enabled and thus its
use should be pooled rather than directly used. This both reduces
latency and improves its predictability.
2. Linux is better off overall if every subsystem uses the same source for
the random bistream as the de-facto choice, unless *force majeure*
reasons point to some other direction.
In the case, of TPM there is no reason for trusted keys to invoke TPM
directly.
Thus, unset '.get_random', which causes fallback to kernel_get_random().
Signed-off-by: Jarkko Sakkinen <jarkko at kernel.org>
---
security/keys/trusted-keys/trusted_tpm1.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index 636acb66a4f6..33b7739741c3 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -936,11 +936,6 @@ static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob)
return ret;
}
-static int trusted_tpm_get_random(unsigned char *key, size_t key_len)
-{
- return tpm_get_random(chip, key, key_len);
-}
-
static int __init init_digests(void)
{
int i;
@@ -992,6 +987,5 @@ struct trusted_key_ops trusted_key_tpm_ops = {
.init = trusted_tpm_init,
.seal = trusted_tpm_seal,
.unseal = trusted_tpm_unseal,
- .get_random = trusted_tpm_get_random,
.exit = trusted_tpm_exit,
};
--
2.39.5
More information about the Linux-security-module-archive
mailing list