[PATCH v3] KEYS: trusted: Debugging as a feature

Jarkko Sakkinen jarkko at kernel.org
Wed Apr 15 00:05:23 UTC 2026


On Sun, Apr 12, 2026 at 02:47:20PM -0400, Nayna Jain wrote:
> 
> On 4/9/26 12:07 PM, Jarkko Sakkinen wrote:
> > From: Jarkko Sakkinen <jarkko at kernel.org>
> > 
> > TPM_DEBUG, and other similar flags, are a non-standard way to specify a
> > feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted
> > keys, and use it to replace these ad-hoc feature flags.
> > 
> > Given that trusted keys debug dumps can contain sensitive data, harden the
> > feature as follows:
> > 
> > 1. In the Kconfig description postulate that pr_debug() statements must be
> >     used.
> > 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
> > 3. Require trusted.debug=1 on the kernel command line (default: 0) to
> >     activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y.
> > 
> > Traces, when actually needed, can be easily enabled by providing
> > trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line.
> 
> Thanks Jarkko. Additional changes look good to me. I just realized that the
> kernel command-line parameters document may need to be updated to include
> these parameters.

Good point. I will bake that into my PR version of the patch. It's low risk as
per collateral damage. Thanks for pointing this out.

> 
> Apart from that, feel free to add my
> 
> Reviewed-by: Nayna Jain <nayna at linux.ibm.com>

Thank you! These defines have been a huge itch for me for a while :-)


> 
> Thanks & Regards,
> 
>     - Nayna
> 
> 

BR, Jarkko
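As an added illustration of the two-level gate the commit message describes (compile-time CONFIG_TRUSTED_KEYS_DEBUG plus the runtime trusted.debug=1 switch), here is a small user-space model written for this page. It is not the kernel's trusted keys code: the function names, the command-line parser, the hex formatter and the sample TPM command bytes are constructed stand-ins. It shows why a build with debugging compiled in still emits no protocol dump until the administrator opts in on the kernel command line.

```c
/* User-space model of the trusted keys debug gate (example, not kernel code).
 * Two gates must both be open before a protocol dump is produced:
 *   1. CONFIG_TRUSTED_KEYS_DEBUG (compile time, stand-in macro below)
 *   2. trusted.debug=1 on the kernel command line (runtime, default 0)
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for the Kconfig symbol; build with -DCONFIG_TRUSTED_KEYS_DEBUG=0 to compile dumps out. */
#ifndef CONFIG_TRUSTED_KEYS_DEBUG
#define CONFIG_TRUSTED_KEYS_DEBUG 1
#endif

/* Stand-in for the trusted.debug module parameter; the default is off. */
static bool trusted_debug;

/* Constructed sample: a TPM 1.2 request header (tag 0x00c1, length 10, ordinal 0x65).
 * Only used as an opaque byte string to dump. */
static const unsigned char sample_cmd[] = {
	0x00, 0xc1, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x65
};

/* Find trusted.debug=<0|1> as a whole parameter on the command line.
 * Returns true only for trusted.debug=1; absent or 0 means off. */
static bool parse_trusted_debug(const char *cmdline)
{
	const char *key = "trusted.debug=";
	const char *p = cmdline;

	while ((p = strstr(p, key)) != NULL) {
		/* Must start a token so that e.g. "untrusted.debug=1" does not match. */
		if (p == cmdline || p[-1] == ' ')
			return p[strlen(key)] == '1';
		p += strlen(key);
	}
	return false;
}

/* Model of the boot-time parameter parsing. */
static void trusted_set_cmdline(const char *cmdline)
{
	trusted_debug = parse_trusted_debug(cmdline);
}

/* Write buf as "xx xx ... " into out when both gates are open.
 * Returns the number of bytes dumped; 0 means the dump was suppressed
 * (not compiled in, not enabled at runtime, or out too small). */
static size_t trusted_dump(const unsigned char *buf, size_t len,
			   char *out, size_t outsz)
{
#if CONFIG_TRUSTED_KEYS_DEBUG
	size_t i, pos = 0;

	if (!trusted_debug)
		return 0;		/* compiled in, but trusted.debug=1 was not given */
	if (outsz < len * 3 + 1)
		return 0;		/* refuse a truncated dump */
	for (i = 0; i < len; i++)
		pos += (size_t)snprintf(out + pos, outsz - pos, "%02x ", buf[i]);
	return len;
#else
	(void)buf; (void)len; (void)out; (void)outsz;
	return 0;			/* debug support compiled out entirely */
#endif
}

/* Convenience wrapper used by the demo and by the checks below. */
static char demo_out[64];

static size_t demo_dump(const char *cmdline)
{
	memset(demo_out, 0, sizeof(demo_out));
	trusted_set_cmdline(cmdline);
	return trusted_dump(sample_cmd, sizeof(sample_cmd), demo_out, sizeof(demo_out));
}

int main(void)
{
	const char *quiet = "root=/dev/sda1 quiet";
	const char *debug = "root=/dev/sda1 trusted.dyndbg=+p trusted.debug=1";

	printf("%-50s -> %zu bytes dumped\n", quiet, demo_dump(quiet));
	printf("%-50s -> %zu bytes dumped: %s\n", debug, demo_dump(debug), demo_out);
	return 0;
}
```

The point the model makes is that the compile-time option only makes the dump code present; with the default command line the same binary behaves as if debugging were off, and the dynamic debug selector (trusted.dyndbg='+p') is a third, independent switch for the pr_debug() sites that this model does not emulate.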


