From: Sumit Garg
Date: Thu, 1 Apr 2021 18:50:02 +0530
Subject: Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys
To: Ahmad Fatoum, James Bottomley
Cc: Richard Weinberger, Jarkko Sakkinen, horia geanta, Mimi Zohar, aymen sghaier, Herbert Xu, davem, kernel, David Howells, James Morris, "Serge E. Hallyn", Steffen Trumtrar, Udit Agarwal, Jan Luebbe, david, Franck Lenormand, linux-integrity, "open list, ASYMMETRIC KEYS", Linux Crypto Mailing List, linux-kernel, LSM
References: <1777909690.136833.1617215767704.JavaMail.zimbra@nod.at> <2034693332.137003.1617219379831.JavaMail.zimbra@nod.at>
List-ID: linux-crypto@vger.kernel.org

On Thu, 1 Apr 2021 at 15:36, Ahmad Fatoum wrote:
>
> Hello Richard,
>
> On 31.03.21 21:36, Richard Weinberger wrote:
> > James,
> >
> > ----- Original Mail -----
> >> From: "James Bottomley"
> >> Well, yes. For the TPM, there's a defined ASN.1 format for the keys:
> >>
> >> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h
> >>
> >> and part of the design of the file is that it's distinguishable either
> >> in DER or PEM (by the guards) format so any crypto application can know
> >> it's dealing with a TPM key simply by inspecting the file. I think you
> >> need the same thing for CAAM and any other format.
> >>
> >> We're encouraging new ASN.1 formats to be of the form
> >>
> >> SEQUENCE {
> >>     type OBJECT IDENTIFIER
> >>     ... key specific fields ...
> >> }
> >>
> >> Where you choose a defined OID to represent the key and that means
> >> every key even in DER form begins with a unique binary signature.
> >
> > I like this idea.
> > Ahmad, what do you think?
> >
> > That way we could also get rid of the kernel parameter and all the fallback logic,
> > given that we find a way to reliably detect TEE blobs too...
>
> Sounds good to me. Sumit, your thoughts on doing this for TEE as well?
>

AFAIU, ASN.1 formatting should be independent of trusted keys backends, which could be abstracted to the trusted keys core layer so that every backend could be plugged in seamlessly.

James, would it be possible to achieve this?

-Sumit

> >
> > Thanks,
> > //richard
> >
>
> --
> Pengutronix e.K.                 |                             |
> Steuerwalder Str. 21             | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
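The layout James describes above (an outer SEQUENCE whose first element is a type OID, readable either as raw DER or from inside PEM guards) as an added worked example. This is not code from the thread, from the kernel's trusted keys code or from openssl_tpm2_engine; the OIDs, the `TRUSTED KEY` PEM label and the backend names are placeholders constructed for the demonstration, not assigned identifiers. It shows why an OID-first SEQUENCE lets a loader pick the backend after reading a handful of bytes, and what a reader has to check (long-form lengths, truncation, wrong first element) to do that safely.

```python
"""Minimal DER encoder/reader for SEQUENCE { type OID, key-specific fields }.
Added example; all OIDs and labels below are constructed placeholders."""
import base64

# Hypothetical OIDs for the demonstration only (not assigned identifiers).
OID_TPM_KEY = "1.2.3.4.5.1"
OID_CAAM_KEY = "1.2.3.4.5.2"
OID_TEE_KEY = "1.2.3.4.5.3"
BACKENDS = {OID_TPM_KEY: "tpm", OID_CAAM_KEY: "caam", OID_TEE_KEY: "tee"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one subidentifier
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, continuation bit on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + der_len(len(out)) + bytes(out)


def der_octets(data: bytes) -> bytes:
    return b"\x04" + der_len(len(data)) + data


def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); rejects truncated or malformed lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    subids, acc, pending = [], 0, False
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(acc)
            acc = 0
    if pending or not subids:
        raise ValueError("malformed OID")
    first = subids[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, lead + subids[1:]))


def make_key_file(oid: str, blob: bytes) -> bytes:
    """Backend-agnostic outer layer: SEQUENCE { type OID, blob OCTET STRING }."""
    return der_seq(der_oid(oid), der_octets(blob))


def to_pem(der: bytes, label: str = "TRUSTED KEY") -> str:
    """Wrap DER in PEM guards (label is a placeholder, not a defined one)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def detect_backend(data: bytes) -> str:
    """Pick the backend from the leading OID; PEM input is unwrapped first."""
    if data.startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    tag, seq, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element is not an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    if oid not in BACKENDS:
        raise ValueError(f"unknown key type OID {oid}")
    return BACKENDS[oid]


if __name__ == "__main__":
    blob = make_key_file(OID_CAAM_KEY, b"\x00" * 8)  # constructed sample payload
    print(blob.hex(), "->", detect_backend(blob))
    print(detect_backend(to_pem(blob).encode()))
```

The dispatch only ever touches the SEQUENCE header and the first inner TLV, so a loader can decide which backend owns a blob before handing any of it over, and a file whose first element is not an OID (or carries an OID nobody registered) is refused up front instead of being tried against each backend in turn. The places where hand-rolled DER readers usually go wrong are the ones `read_tlv` checks explicitly: long-form lengths past 127 bytes, a length that claims more bytes than the buffer holds, and a zero-byte length prefix.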