Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp947168pxf; Thu, 1 Apr 2021 19:00:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyjyJpQEcWdvmRzawdzBYk64W3cMbG6lI0Fh9yx11AGyTmsVNau7R+nBYDuG/DrcG+AclV4 X-Received: by 2002:a17:906:6d8e:: with SMTP id h14mr11933072ejt.410.1617328803916; Thu, 01 Apr 2021 19:00:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617328803; cv=none; d=google.com; s=arc-20160816; b=VdqfspgqoOyaMZHFWOikf6+w7wpyOpqfyDAPBOyde8sRzPCnGfWzcHwE3uHk3/Yv0d 9e93JuI093rdrrQTiCjMgeTR+CAaonXBKOZBTa3YKkHc8b+86fb7klEDa1qpUEPpr9VT aWBLC4dfEiqAGTYi7ISocr6qCdd6G1fI5qNZ6JRnJKOSp/jgDb7hIHYX5P4y5i6FJdmL Vl75naLU45MzZ3vUBZP123Dv9mmSB1qsNQ1XpfLxX+SGReqIZ1WEqQQiRXcYyARibkcB HJtVWo1o/VLfUXWnxr/3S7PSD8lE93dxqF6moLGwFY81Bbk+gSClsNgz+7zonJ+/7eoT 3ECQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=KvJ7Im6wZfvwaOa5qMa6o/OktMtjbr41F8v4esEL5qg=; b=QJv5vHDMGUGfPcb69YxMASq33LdG+nbAi15G2ohm/TrFuSvxJXdaHAwdC9iBYJGXz/ XXhAQgMrJMNXK1aEBE67owq+LsjLmqYeadEE4NuppRNf7LK8rfIv+U22j8JBJbPofhOb 1ZqH23FbCodea0QpHBhNVDVUY8BRcgNQJ1jPc8mEh5wXaihu4nQGlZdXwZPrYdLGfwdw WNpQK41nr39dA7Yr9ZCOY3hFvAyFBhy/vIIViVq9mvJBQv3FPoHC1+VB+hCIOquyPMCg RxOs8/LYb0KHUdddR9HA4MZGxnEdaDpWsJ2KBbgKFKnV/F3wWV6KkIgsWgvAGwQgLBnI 8rPg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h6si5696636edw.354.2021.04.01.18.59.25; Thu, 01 Apr 2021 19:00:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233665AbhDBB6V (ORCPT + 99 others); Thu, 1 Apr 2021 21:58:21 -0400 Received: from mail.hallyn.com ([178.63.66.53]:40296 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233258AbhDBB6U (ORCPT ); Thu, 1 Apr 2021 21:58:20 -0400 X-Greylist: delayed 505 seconds by postgrey-1.27 at vger.kernel.org; Thu, 01 Apr 2021 21:58:18 EDT Received: by mail.hallyn.com (Postfix, from userid 1001) id F246D774; Thu, 1 Apr 2021 20:49:50 -0500 (CDT) Date: Thu, 1 Apr 2021 20:49:50 -0500 From: "Serge E. Hallyn" To: James Bottomley Cc: Mimi Zohar , Ahmad Fatoum , Horia =?utf-8?Q?Geant=C4=83?= , Jonathan Corbet , David Howells , Jarkko Sakkinen , "kernel@pengutronix.de" , James Morris , "Serge E. Hallyn" , Aymen Sghaier , Herbert Xu , "David S. Miller" , Udit Agarwal , Jan Luebbe , David Gstir , Franck Lenormand , Sumit Garg , "keyrings@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-doc@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-security-module@vger.kernel.org" Subject: Re: [PATCH v1 3/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Message-ID: <20210402014950.GA6897@mail.hallyn.com> References: <319e558e1bd19b80ad6447c167a2c3942bdafea2.1615914058.git-series.a.fatoum@pengutronix.de> <01e6e13d-2968-0aa5-c4c8-7458b7bde462@nxp.com> <45a9e159-2dcb-85bf-02bd-2993d50b5748@pengutronix.de> <9ba89168d8c4f1e3d6797a0b3713e152ac6388fd.camel@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <9ba89168d8c4f1e3d6797a0b3713e152ac6388fd.camel@linux.ibm.com> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Mar 24, 2021 at 09:14:02AM -0700, James Bottomley wrote: > On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote: > > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote: > > > Hello Horia, > > > > > > On 21.03.21 21:48, Horia Geantă wrote: > > > > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote: > > > > [...] > > > > > +struct trusted_key_ops caam_trusted_key_ops = { > > > > > + .migratable = 0, /* non-migratable */ > > > > > + .init = trusted_caam_init, > > > > > + .seal = trusted_caam_seal, > > > > > + .unseal = trusted_caam_unseal, > > > > > + .exit = trusted_caam_exit, > > > > > +}; > > > > caam has random number generation capabilities, so it's worth > > > > using that > > > > by implementing .get_random. > > > > > > If the CAAM HWRNG is already seeding the kernel RNG, why not use > > > the kernel's? > > > > > > Makes for less code duplication IMO. > > > > Using kernel RNG, in general, for trusted keys has been discussed > > before. Please refer to Dave Safford's detailed explanation for not > > using it [1]. > > > > thanks, > > > > Mimi > > > > [1] > > https://lore.kernel.org/linux-integrity/BCA04D5D9A3B764C9B7405BBA4D4A3C035F2A38B@ALPMBAPA12.e2k.ad.ge.com/ > > I still don't think relying on one source of randomness to be > cryptographically secure is a good idea. The fear of bugs in the > kernel entropy pool is reasonable, but since it's widely used they're > unlikely to persist very long. I'm not sure I agree - remember https://www.schneier.com/blog/archives/2008/05/random_number_b.html ? You'd surely expect that to have been found quickly. > Studies have shown that some TPMs > (notably the chinese manufactured ones) have suspicious failures in > their RNGs: > > https://www.researchgate.net/publication/45934562_Benchmarking_the_True_Random_Number_Generator_of_TPM_Chips > > And most cryptograhpers recommend using a TPM for entropy mixing rather > than directly: > > https://blog.cryptographyengineering.com/category/rngs/ > > The TPMFail paper also shows that in spite of NIST certification > things can go wrong with a TPM: > > https://tpm.fail/ In this thread I've seen argument over "which is better" and "which is user api", but noone's mentioned fips. Unfortunately, so long as kernel rng refuses to be fips-friendly (cf https://lkml.org/lkml/2020/9/21/157), making CAAM based trusted keys depend on kernel rng would make them impossible to use in fips certified applications without a forked kernel. So I definitely am in favor of a config or kernel command line option to drive which rng to use.