References: <20190926171601.30404-1-jarkko.sakkinen@linux.intel.com> <1570024819.4999.119.camel@linux.ibm.com> <20191003114119.GF8933@linux.intel.com>
In-Reply-To: <20191003114119.GF8933@linux.intel.com>
From: Janne Karhunen
Date: Mon, 7 Oct 2019 13:33:11 +0300
Subject: Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes()
To: Jarkko Sakkinen
Cc: Mimi Zohar, linux-integrity@vger.kernel.org, stable@vger.kernel.org, David Howells, Herbert Xu, "David S. Miller", "open list:ASYMMETRIC KEYS", "open list:CRYPTO API", open list
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 3, 2019 at 2:41 PM Jarkko Sakkinen wrote:
>
> > At what point during boot is the kernel random pool available? Does
> > this imply that you're planning on changing trusted keys as well?
>
> Well trusted keys *must* be changed to use it. It is not a choice
> because using a proprietary random number generator instead of the de facto
> one in the kernel can be categorized as a *regression*.
>
> Also, TEE trusted keys cannot use the TPM option.
>
> If it was not initialized early enough we would need to fix that too.

Note that especially IMA and fs encryption are pretty annoying in this
sense. You probably want to keep your keys device specific and you
really need the keys around the time when the filesystems mount for the
first time. This is very early on.

--
Janne
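The question raised above, at what point the kernel's random pool is usable, is observable from userspace through getrandom(2), which blocks until the same seeding condition that in-kernel callers wait on with wait_for_random_bytes() or test with rng_is_initialized(). The following is an added example, not code from the thread or the patch under discussion: it probes readiness with GRND_NONBLOCK and then draws a key only through the blocking path, so an unseeded pool delays key generation rather than silently weakening it. The names pool_ready, generate_key and KEY_LEN are my own.

```c
/* Added example, not from the thread: probe whether the kernel random pool is
 * initialized before drawing key material. getrandom(2) blocks until the CRNG
 * is seeded; with GRND_NONBLOCK it fails with EAGAIN instead of blocking. */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>

#define KEY_LEN 32 /* 256-bit secret, e.g. an fscrypt- or IMA-style key */
/* 1 if the pool is initialized, 0 if not yet, -1 on any other error. */
int pool_ready(void)
{
    unsigned char probe;
    ssize_t n = getrandom(&probe, 1, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Fill key with len bytes, blocking until the pool is seeded. Returns len or
 * -1. It never degrades to a weaker source: an unseeded pool must block. */
int generate_key(unsigned char *key, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(key + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue; /* woken by a signal while waiting; retry */
            return -1;
        }
        got += (size_t)n;
    }
    return (int)got;
}
int main(void)
{
    unsigned char key[KEY_LEN];
    int ready = pool_ready();
    printf("random pool ready: %s\n", ready == 1 ? "yes" : ready == 0 ? "not yet" : "unknown");
    if (generate_key(key, KEY_LEN) != KEY_LEN) {
        perror("getrandom");
        return 1;
    }
    printf("generated %d key bytes\n", KEY_LEN);
    return 0;
}
```

On a system that has finished booting, pool_ready() returns 1 immediately; the interesting case is an early-boot caller, where it returns 0 and generate_key() waits instead of producing a guessable key.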