Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

From: David Gstir
Date: Fri Mar 08 2024 - 02:18:03 EST

Next message: Ojaswin Mujoo: "Re: [RFC 2/8] fs: Reserve inode flag FS_ATOMICWRITES_FL for atomic writes"
Previous message: Tian, Kevin: "RE: [PATCH 2/7] vfio/pci: Lock external INTx masking ops"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Jarkko,

> On 07.03.2024, at 20:30, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:

[...]

>> +
>> +static int trusted_dcp_init(void)
>> +{
>> + int ret;
>> +
>> + if (use_otp_key)
>> + pr_info("Using DCP OTP key\n");
>> +
>> + ret = test_for_zero_key();
>> + if (ret) {
>> + pr_err("Test for zero'ed keys failed: %i\n", ret);
>
> I'm not sure whether this should err or warn.
>
> What sort of situations can cause the test the fail (e.g.
> adversary/interposer, bad configuration etc.).

This occurs when the hardware is not in "secure mode". I.e. it’s a bad configuration issue.
Once the board is properly configured, this will never trigger again.
Do you think a warning is better for this then?

Thanks,
- David

Next message: Ojaswin Mujoo: "Re: [RFC 2/8] fs: Reserve inode flag FS_ATOMICWRITES_FL for atomic writes"
Previous message: Tian, Kevin: "RE: [PATCH 2/7] vfio/pci: Lock external INTx masking ops"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]