Message-ID: <6e326fa73968839199378694d4e7cc2544326fa6.camel@HansenPartnership.com>
Subject: Re: [PATCH 1/3] tpm: Disable TCG_TPM2_HMAC by default
From: James Bottomley
To: Jarkko Sakkinen, Vitor Soares, linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org, Peter Huewe, Jason Gunthorpe, Mimi Zohar, David Howells, Paul Moore, James Morris, "Serge E. Hallyn", linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Mon, 27 May 2024 17:36:09 -0400
In-Reply-To:
References: <20240519235122.3380-1-jarkko@kernel.org> <20240519235122.3380-2-jarkko@kernel.org> <850862655008f84ef0b6ecd99750e8dc395304d1.camel@gmail.com> <17dc838120b56ce342c34611596c7b46dcd9ab5a.camel@HansenPartnership.com> <2dd8d49516ec9c7cb8c1182b5b8537b1e82d7067.camel@gmail.com> <17a5dcd7aceb356587ef7c8f45b0f6359b2d2a91.camel@HansenPartnership.com> <0c12c9ea10aa97e246230fc33e6b35c571102b48.camel@gmail.com> <3e4bbd0f0fe9f57fd7555a3775e8d71031c0d6c5.camel@gmail.com>

On Mon, 2024-05-27 at 22:53 +0300, Jarkko Sakkinen wrote:
> On Mon May 27, 2024 at 8:57 PM EEST, James Bottomley wrote:
> > On Mon, 2024-05-27 at 18:34 +0300, Jarkko Sakkinen wrote:
[...]
> > > While looking at code I started to wonder what was the reasoning
> > > for adding *undocumented* "TPM2_OA_TMPL" in include/linux/tpm.h.
> > > It should really be in tpm2-sessions.c and named something like
> > > TPM2_NULL_KEY_OA or similar.
> >
> > Well, because you asked for it. I originally had all the flags
> > spelled out and I'm not a fan of this obscurity, but you have to do
> > stuff like this to get patches accepted:
> >
> > https://lore.kernel.org/linux-integrity/CZCKTWU6ZCC9.2UTEQPEVICYHL@suppilovahvero/
>
> I still think the constant does make sense.

I'm not so sure. The TCG simply defines it as a collection of flags and
every TPM tool set I've seen simply uses a list of flags as well.

The original design was that the template would be in this one place and
everything else would call into it. I think the reason all template
construction looks similar is for ease of auditing (it's easy to get
things, particularly the flags, wrong). If it only has one use case, it
should be spelled out but if someone else would use it then it should be
in the tpm.h shared header.

> The current constant does not really imply that it is for the null
> key,

Well, it isn't exactly: it's the required flag set for all primaries.

James

> it is defined in the wrong file and has no actual legit
> documentation to go with it.
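As an added illustration of the auditing point made above (example code, not from the kernel tree or from anyone in this thread): a TPMA_OBJECT attribute word decoded flag by flag so a reviewer checks the combination by name rather than as a hex constant. The bit positions follow the TCG TPMA_OBJECT layout; the required set PRIMARY_REQUIRED_OA is an assumption made for this example and is not the kernel's TPM2_OA_TMPL definition.

```c
#include <stdint.h>
#include <string.h>
/* TCG TPMA_OBJECT bit positions (TPM 2.0 Library spec, Part 2). */
#define OA_FIXED_TPM              (1u << 1)
#define OA_ST_CLEAR               (1u << 2)
#define OA_FIXED_PARENT           (1u << 4)
#define OA_SENSITIVE_DATA_ORIGIN  (1u << 5)
#define OA_USER_WITH_AUTH         (1u << 6)
#define OA_ADMIN_WITH_POLICY      (1u << 7)
#define OA_NO_DA                  (1u << 10)
#define OA_ENCRYPTED_DUPLICATION  (1u << 11)
#define OA_RESTRICTED             (1u << 16)
#define OA_DECRYPT                (1u << 17)
#define OA_SIGN                   (1u << 18)

/* Assumed flag set for a restricted-decryption (storage) primary; an
 * illustration for this example, not the kernel's TPM2_OA_TMPL. */
#define PRIMARY_REQUIRED_OA (OA_FIXED_TPM | OA_FIXED_PARENT | \
        OA_SENSITIVE_DATA_ORIGIN | OA_USER_WITH_AUTH | OA_NO_DA | \
        OA_RESTRICTED | OA_DECRYPT)

static const struct { uint32_t bit; const char *name; } oa_names[] = {
    { OA_FIXED_TPM, "fixedTPM" }, { OA_ST_CLEAR, "stClear" },
    { OA_FIXED_PARENT, "fixedParent" },
    { OA_SENSITIVE_DATA_ORIGIN, "sensitiveDataOrigin" },
    { OA_USER_WITH_AUTH, "userWithAuth" },
    { OA_ADMIN_WITH_POLICY, "adminWithPolicy" }, { OA_NO_DA, "noDA" },
    { OA_ENCRYPTED_DUPLICATION, "encryptedDuplication" },
    { OA_RESTRICTED, "restricted" }, { OA_DECRYPT, "decrypt" }, { OA_SIGN, "sign" },
};

/* Spell an attribute word out as "flag|flag|..." so a reviewer reads names
 * rather than a hex constant; returns the number of flags rendered. */
int oa_describe(uint32_t attrs, char *buf, size_t len)
{
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(oa_names) / sizeof(oa_names[0]); i++) {
        if (!(attrs & oa_names[i].bit))
            continue;
        if (n++)
            strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, oa_names[i].name, len - strlen(buf) - 1);
    }
    return n;
}

/* Required-primary bits that attrs lacks (0 means the set is complete). */
uint32_t oa_missing_for_primary(uint32_t attrs) { return PRIMARY_REQUIRED_OA & ~attrs; }
```

Running oa_describe over a proposed template before it is sent to the TPM makes a dropped or mistyped flag visible in review as a missing name rather than a changed hex digit.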