[PATCH v3] KEYS: trusted: Debugging as a feature
Nayna Jain
nayna at linux.ibm.com
Sun Apr 12 18:47:20 UTC 2026
On 4/9/26 12:07 PM, Jarkko Sakkinen wrote:
> From: Jarkko Sakkinen <jarkko at kernel.org>
>
> TPM_DEBUG, and other similar flags, are a non-standard way to specify a
> feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted
> keys, and use it to replace these ad-hoc feature flags.
>
> Given that trusted keys debug dumps can contain sensitive data, harden the
> feature as follows:
>
> 1. In the Kconfig description postulate that pr_debug() statements must be
> used.
> 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
> 3. Require trusted.debug=1 on the kernel command line (default: 0) to
> activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y.
>
> Traces, when actually needed, can be easily enabled by providing
> trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line.
Thanks Jarkko. Additional changes look good to me. I just realized that
the kernel command-line parameters document may need to be updated to
include these parameters.
Apart from that, feel free to add my
Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
Thanks & Regards,
- Nayna