[PATCH v1 3/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

Ahmad Fatoum a.fatoum at pengutronix.de
Wed Mar 24 09:26:14 UTC 2021


Hello Mimi,

On 23.03.21 19:07, Mimi Zohar wrote:
> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
>> On 21.03.21 21:48, Horia Geantă wrote:
>>> caam has random number generation capabilities, so it's worth using that
>>> by implementing .get_random.
>>
>> If the CAAM HWRNG is already seeding the kernel RNG, why not use the kernel's?
>>
>> Makes for less code duplication IMO.
> 
> Using kernel RNG, in general, for trusted keys has been discussed
> before.   Please refer to Dave Safford's detailed explanation for not
> using it [1].

The argument seems to boil down to:

 - TPM RNG are known to be of good quality
 - Trusted keys always used it so far

Both are fine by me for TPMs, but the CAAM backend is new code and neither point
really applies.

get_random_bytes_wait is already used for generating key material elsewhere.
Why shouldn't new trusted key backends be able to do the same thing?

Cheers,
Ahmad

> 
> thanks,
> 
> Mimi
> 
> [1] 
> https://lore.kernel.org/linux-integrity/BCA04D5D9A3B764C9B7405BBA4D4A3C035F2A38B@ALPMBAPA12.e2k.ad.ge.com/
>  
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



More information about the Linux-security-module-archive mailing list