Re: [PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config

From: Jarkko Sakkinen
Date: Thu Mar 07 2024 - 14:19:06 EST

Next message: Frank Li: "[PATCH v5 0/4] arm64: dts: imx8qxp add asrc and sai"
Previous message: Len Brown: "[PATCH] nvme: Re-word D3 Entry Latency message"
In reply to: David Gstir: "[PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config"
Next in thread: David Gstir: "[PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu Mar 7, 2024 at 5:38 PM EET, David Gstir wrote:
> Enabling trusted keys requires at least one trust source implementation
> (currently TPM, TEE or CAAM) to be enabled. Currently, this is
> done by checking each trust source's config option individually.
> This does not scale when more trust sources like the one for DCP
> are added.

nit: just to complete sentence and tie up the story "added because ..."

>
> Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
> once its enabled and adapt the check for having at least one active trust
> source to use this option. Whenever a new trust source is added, it now
> needs to select HAVE_TRUSTED_KEYS.
>
> Signed-off-by: David Gstir <david@xxxxxxxxxxxxx>
> ---
> security/keys/trusted-keys/Kconfig | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
> index dbfdd8536468..553dc117f385 100644
> --- a/security/keys/trusted-keys/Kconfig
> +++ b/security/keys/trusted-keys/Kconfig
> @@ -1,3 +1,6 @@
> +config HAVE_TRUSTED_KEYS
> + bool
> +
> config TRUSTED_KEYS_TPM
> bool "TPM-based trusted keys"
> depends on TCG_TPM >= TRUSTED_KEYS
> @@ -9,6 +12,7 @@ config TRUSTED_KEYS_TPM
> select ASN1_ENCODER
> select OID_REGISTRY
> select ASN1
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of the Trusted Platform Module (TPM) as trusted key
> backend. Trusted keys are random number symmetric keys,
> @@ -20,6 +24,7 @@ config TRUSTED_KEYS_TEE
> bool "TEE-based trusted keys"
> depends on TEE >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of the Trusted Execution Environment (TEE) as trusted
> key backend.
> @@ -29,10 +34,11 @@ config TRUSTED_KEYS_CAAM
> depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
> select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> default y
> + select HAVE_TRUSTED_KEYS
> help
> Enable use of NXP's Cryptographic Accelerator and Assurance Module
> (CAAM) as trusted key backend.
>
> -if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM
> -comment "No trust source selected!"
> +if !HAVE_TRUSTED_KEYS
> + comment "No trust source selected!"
> endif

otherwise, it is in reasonable shape and form.

BR, Jarkko

Next message: Frank Li: "[PATCH v5 0/4] arm64: dts: imx8qxp add asrc and sai"
Previous message: Len Brown: "[PATCH] nvme: Re-word D3 Entry Latency message"
In reply to: David Gstir: "[PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config"
Next in thread: David Gstir: "[PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]