[PATCH v8 02/12] KEYS: trusted: Use get_random_bytes_wait() instead of tpm_get_random()

Fri Dec 19 09:21:46 UTC 2025

On Tue, Dec 16, 2025 at 11:21:36AM +0200, Jarkko Sakkinen wrote:
>Substitute remaining tpm_get_random() calls in trusted_tpm1.c with
>get_random_bytes_wait() thus aligning random number generation for TPM 1.2
>with the removal of '.get_random' callback.

Had to double check we wouldn't end up not getting all the randomness we 
ask for, but get_random_bytes_wait does indeed DTRT.

Reviewed-by: Jonathan McDowell <noodles at meta.com>

>Cc: Eric Biggers <ebiggers at kernel.org>
>Signed-off-by: Jarkko Sakkinen <jarkko at kernel.org>
>---
> security/keys/trusted-keys/trusted_tpm1.c | 18 +++---------------
> 1 file changed, 3 insertions(+), 15 deletions(-)
>
>diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
>index 7ce7e31bcdfb..3d75bb6f9689 100644
>--- a/security/keys/trusted-keys/trusted_tpm1.c
>+++ b/security/keys/trusted-keys/trusted_tpm1.c
>@@ -371,13 +371,10 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
> 	unsigned char ononce[TPM_NONCE_SIZE];
> 	int ret;
>
>-	ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
>+	ret = get_random_bytes_wait(ononce, TPM_NONCE_SIZE);
> 	if (ret < 0)
> 		return ret;
>
>-	if (ret != TPM_NONCE_SIZE)
>-		return -EIO;
>-
> 	tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP);
> 	tpm_buf_append_u16(tb, type);
> 	tpm_buf_append_u32(tb, handle);
>@@ -464,15 +461,10 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
> 	memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
> 	sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
>
>-	ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
>+	ret = get_random_bytes_wait(td->nonceodd, TPM_NONCE_SIZE);
> 	if (ret < 0)
> 		goto out;
>
>-	if (ret != TPM_NONCE_SIZE) {
>-		ret = -EIO;
>-		goto out;
>-	}
>-
> 	ordinal = htonl(TPM_ORD_SEAL);
> 	datsize = htonl(datalen);
> 	pcrsize = htonl(pcrinfosize);
>@@ -575,14 +567,10 @@ static int tpm_unseal(struct tpm_buf *tb,
> 	}
>
> 	ordinal = htonl(TPM_ORD_UNSEAL);
>-	ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
>+	ret = get_random_bytes_wait(nonceodd, TPM_NONCE_SIZE);
> 	if (ret < 0)
> 		return ret;
>
>-	if (ret != TPM_NONCE_SIZE) {
>-		pr_info("tpm_get_random failed (%d)\n", ret);
>-		return -EIO;
>-	}
> 	ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
> 			   enonce1, nonceodd, cont, sizeof(uint32_t),
> 			   &ordinal, bloblen, blob, 0, 0);
>-- 
>2.39.5
>
>

J.

-- 
Web [         Avoid temporary variables and strange women.         ]
site: https:// [                                          ]      Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24