Subject: Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
From: Marcel Holtmann
To: David Howells, David Woodhouse
Cc: Denis Kenzior, James Morris, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Linux Kernel Mailing List
Date: Thu, 20 Sep 2018 09:26:18 +0200
Message-Id: <58F37819-78E2-45C8-8F04-4F21DDFB640E@holtmann.org>
In-Reply-To: <20622.1537291117@warthog.procyon.org.uk>
References: <14f91823-474e-1b46-d305-12229dac8967@gmail.com> <0d51fca9a29458a40121df0c5380af91e3429c08.camel@infradead.org> <153618445730.7946.10001472635835806478.stgit@warthog.procyon.org.uk> <1537253993.20009.62.camel@infradead.org> <14067.1537285833@warthog.procyon.org.uk> <745318a0-51bd-be8f-2251-44701ad75830@gmail.com> <19247.1537288419@warthog.procyon.org.uk> <23698.1537289705@warthog.procyon.org.uk> <20622.1537291117@warthog.procyon.org.uk>

Hi David,

>>> Yes. It shouldn't be much code, either. You still have to check for X.509
>>> DER since the kernel currently supports that.
>>
>> For reasons of backward compatibility, correct? The kernel also has
>> mscode.asn1 which we would need to support as well. Since we can't break
>> compatibility then perhaps this doesn't buy us a whole lot in the end.
>
> Don't worry about mscode - that's not an asymmetric key parser. That's only
> ever used directly from verify_pefile_signature().
>
> Currently, we have to retain support for DER-encoded X.509.
>
> But there's no reason we can't have a PEM parser that decodes the PEM and
> selects X.509, PKCS#8 or TPM based on the ascii header in that. PKCS#8 and
> TPM don't need to take DER directly.

Since we have to support DER-encoded anyway, can we get the current patches merged (with fixes to the commit messages for the openssl examples if needed) and then work on PEM support inside the kernel? For me these seem to be two independent features. And in the current form the patches have been tested and used.

Or let me ask this differently: are there any objections to merging these patches with just DER support?

For example, in ELL we have implemented the PEM to DER conversion before calling keyctl. This can surely be added to keyutils (if calling openssl is too much to ask) or even the kernel itself. However, this doesn't change the actual functionality of handling asymmetric key operations. And I would rather see that merged and established instead of worrying too much about the multitudes of possible encoding forms of keys.

Regards

Marcel
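The user-space PEM-to-DER step Marcel mentions (done in ELL before calling keyctl), combined with the label-based selection David proposes, written out as an added example in C. This is not ELL, keyutils or kernel code: it decodes one PEM block, picks X.509, PKCS#8 or TPM from the "-----BEGIN ...-----" label, and checks that the END label and the DER payload agree with that choice. The CERTIFICATE and PRIVATE KEY labels are the standard RFC 7468 ones; the "TSS2 PRIVATE KEY" label for a TPM-wrapped key, the function names and the sample input are assumptions of the example.

```c
/* Added example, not code from ELL, keyutils or the kernel: decode one PEM
 * block to DER in user space and select the kernel asymmetric parser from
 * the ASCII label. CERTIFICATE / PRIVATE KEY are RFC 7468 labels; the
 * "TSS2 PRIVATE KEY" label for a TPM-wrapped key is an assumption. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>

enum pem_kind { PEM_UNKNOWN = 0, PEM_X509, PEM_PKCS8, PEM_TPM };

/* Map the PEM label to the parser the kernel would need for the DER payload. */
enum pem_kind pem_kind_from_label(const char *label)
{
    if (strcmp(label, "CERTIFICATE") == 0)      return PEM_X509;
    if (strcmp(label, "PRIVATE KEY") == 0)      return PEM_PKCS8;
    if (strcmp(label, "TSS2 PRIVATE KEY") == 0) return PEM_TPM;  /* assumed label */
    return PEM_UNKNOWN;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Base64-decode the text between the BEGIN and END lines. Whitespace is
 * skipped, '=' ends the data, any other non-alphabet byte is an error.
 * Returns the number of bytes written, or -1. */
static long b64_decode(const char *in, size_t inlen, uint8_t *out, size_t outcap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (size_t i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i], v;
        if (isspace(c)) continue;
        if (c == '=') break;
        if ((v = b64val(c)) < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (acc >> bits) & 0xff;
        }
    }
    return (long)n;
}

/* Convert one PEM block to DER: returns the kind selected from the label
 * (PEM_UNKNOWN on any error) and stores the DER length in *outlen. */
enum pem_kind pem_to_der(const char *pem, uint8_t *out, size_t outcap, size_t *outlen)
{
    static const char begin[] = "-----BEGIN ", end[] = "-----END ";
    char label[64];

    const char *b = strstr(pem, begin);
    if (!b) return PEM_UNKNOWN;
    b += sizeof(begin) - 1;
    const char *be = strstr(b, "-----");
    if (!be || (size_t)(be - b) >= sizeof(label)) return PEM_UNKNOWN;
    size_t ll = (size_t)(be - b);
    memcpy(label, b, ll);
    label[ll] = '\0';

    enum pem_kind kind = pem_kind_from_label(label);
    if (kind == PEM_UNKNOWN) return PEM_UNKNOWN;

    /* The END label must match the BEGIN label exactly, or the block is malformed. */
    const char *body = be + 5, *e = strstr(body, end);
    if (!e || strncmp(e + sizeof(end) - 1, label, ll) != 0 || e[sizeof(end) - 1 + ll] != '-')
        return PEM_UNKNOWN;

    long n = b64_decode(body, (size_t)(e - body), out, outcap);
    /* X.509, PKCS#8 and the TPM blob are all ASN.1 SEQUENCEs: DER must start with 0x30. */
    if (n < 2 || out[0] != 0x30) return PEM_UNKNOWN;
    *outlen = (size_t)n;
    return kind;
}

/* Constructed sample, not a real certificate: a CERTIFICATE wrapper around
 * the 5-byte DER encoding of SEQUENCE { INTEGER 5 } (30 03 02 01 05). */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
static const uint8_t SAMPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };

/* Kind selected for a PEM string (PEM_UNKNOWN when the block is rejected). */
enum pem_kind decode_kind(const char *pem)
{
    uint8_t der[256];
    size_t n = 0;
    return pem_to_der(pem, der, sizeof(der), &n);
}

/* 1 when SAMPLE_PEM decodes, as X.509, to exactly SAMPLE_DER; else 0. */
int sample_roundtrips(void)
{
    uint8_t der[256];
    size_t n = 0;
    if (pem_to_der(SAMPLE_PEM, der, sizeof(der), &n) != PEM_X509) return 0;
    return n == sizeof(SAMPLE_DER) && memcmp(der, SAMPLE_DER, n) == 0;
}
```

The DER bytes that come out are what user space would hand to the kernel (for example with `keyctl padd asymmetric <desc> <keyring> < key.der`), and the label selected is what a kernel-side PEM parser would use to dispatch to the X.509, PKCS#8 or TPM parser. The END/BEGIN label comparison and the leading SEQUENCE tag check reject a block whose label and payload disagree before anything reaches the parser, which is the kind of consistency check a decoder placed in front of the kernel should do.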