Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem
From: James Bottomley
To: Linus Walleij, Sumit Garg
Cc: Hector Martin, Arnd Bergmann, "open list:ASYMMETRIC KEYS", David Howells, Jarkko Sakkinen, Joakim Bech, Alex Bennée, linux-kernel@vger.kernel.org, Maxim Uvarov, Ilias Apalodimas, Ruchika Gupta, "Winkler, Tomas", yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc, linux-scsi, linux-nvme@vger.kernel.org, Ulf Hansson, Arnd Bergmann
Date: Wed, 10 Mar 2021 17:07:34 -0800
References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st>

On Thu, 2021-03-11 at 01:49 +0100, Linus Walleij wrote:
> The use case for TPM on laptops is similar: it can be used by a
> provider to lock down a machine, but it can also be used by the
> random user to store keys. Very few users besides James
> Bottomley are capable of doing that (I am not)

Yes, that's the problem with the TPM: pretty much no-one other than
someone prepared to become an expert in the subject can use it. This
means that enabling RPMB is unlikely to be useful ... you have to
develop easy use cases for it as well.

> but they exist.
> https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/

It's the difficulty of actually *using* the thing as a keystore which
causes the problem. The trick to expanding use is to make it simple.

Not to derail the thread, but this should hopefully become a whole lot
easier soon. Gnupg-2.3 will release with easy-to-use TPM support for
all your gpg keys:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=log;h=6720f1343aef9342127380b155c19e12c92d65ac

It's not the end of the road by any means, but hopefully it will become
a beach head of sorts for more uses.

James