Date: Fri, 2 Jul 2021 12:53:42 +0200 (CEST)
From: Richard Weinberger
To: Ahmad Fatoum
Cc: Jonathan Corbet, David Howells, Jarkko Sakkinen, James Bottomley, Mimi Zohar, kernel, James Morris, "Serge E. Hallyn", horia geanta, aymen sghaier, Herbert Xu, davem, Udit Agarwal, Eric Biggers, Jan Luebbe, david, Franck Lenormand, Sumit Garg, "open list, ASYMMETRIC KEYS", Linux Crypto Mailing List, Linux Doc Mailing List, linux-integrity, linux-kernel, LSM
Message-ID: <783613027.15909.1625223222889.JavaMail.zimbra@nod.at>
In-Reply-To: <2f608e5a-5a12-6db1-b9bd-a2cd9e3e3671@pengutronix.de>
References: <39e6d65ca5d2a0a35fb71d6c1f85add8ee489a19.1624364386.git-series.a.fatoum@pengutronix.de> <1850833581.13438.1625172175436.JavaMail.zimbra@nod.at> <2f608e5a-5a12-6db1-b9bd-a2cd9e3e3671@pengutronix.de>
Subject: Re: [PATCH v2 6/6] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys
List-ID: linux-crypto@vger.kernel.org

Ahmad,

----- Original Message -----
> From: "Ahmad Fatoum"
>> I still think that hard coding the key modifier is not wise.
>> As I said[0], there are folks out there that want to provide their own modifier,
>> so it is not only about being binary compatible with other CAAM blob patches in
>> the wild.
>
> I don't think the characterization as a salt is accurate. AFAIU it's more
> of a namespace, so blobs being loaded are "type-checked" against the modifier.

Well, the CAAM programmer's reference manual states that the blob key is a 128-bit modifier and has two purposes:

1. It can be used as a tag to provide separation between blobs, to detect accidental replacement of blobs.
2. But it can also be treated as a secret to provide additional protection, because the blob encryption key derivation includes the key modifier.

While you have case 1 in mind, I care about case 2. :-)

>> I'll happily implement that feature after your patches got merged but IMHO we
>> should first agree on an interface.
>> How about allowing another optional parameter to Opt_new and Opt_load
>
> Sounds good to me. pcrlock for TPM trusted keys has the same interface.
>
> I'd prefer the new option to accept strings, not hex though.

Both are possible. If the string starts with "0x" it needs to be decoded to a 128-bit key. Otherwise it has to be an up to 16-byte string.

Thanks,
//richard
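The parsing rule Richard proposes at the end of the thread (a "0x"-prefixed value is decoded as a 128-bit hex key, anything else is taken as a raw string of at most 16 bytes) is small enough to show in full. The following is an added example written for this page; it is not code from the CAAM trusted-keys patch series, and the option name "keymod=" and the zero-padding of short raw strings are assumptions of the example, not something the thread agreed on. It is plain userspace C so it can be compiled and run stand-alone, with the same fail-closed shape a kernel option parser would want: malformed input returns -EINVAL and the output buffer is left untouched.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYMOD_LEN 16 /* CAAM blob key modifier: 128 bits */

/* Decode one hex digit; return -1 if c is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Parse the value of a hypothetical "keymod=" trusted-key option into a
 * 128-bit CAAM blob key modifier (option name is an assumption of this
 * example, not the patch series' interface).
 *
 *  - "0x"/"0X" prefix: exactly 32 hex digits, decoded into out[0..15].
 *  - otherwise:        1..16 raw bytes, copied verbatim and zero-padded
 *                      on the right (padding rule assumed here).
 *
 * Returns 0 on success, -EINVAL on malformed input; out[] is written
 * only on success so a caller never ends up with a half-filled modifier.
 */
int parse_keymod(const char *opt, uint8_t out[KEYMOD_LEN])
{
    uint8_t buf[KEYMOD_LEN] = { 0 };
    size_t len;

    if (!opt || !out)
        return -EINVAL;
    len = strlen(opt);
    if (len == 0)
        return -EINVAL;

    if (len >= 2 && opt[0] == '0' && (opt[1] == 'x' || opt[1] == 'X')) {
        const char *hex = opt + 2;
        size_t i;

        /* A 128-bit modifier is exactly 32 hex digits; anything else is rejected,
         * including a bare "0x" (a value that starts with 0x is never treated as
         * a raw string). */
        if (len - 2 != 2 * KEYMOD_LEN)
            return -EINVAL;
        for (i = 0; i < KEYMOD_LEN; i++) {
            int hi = hex_nibble(hex[2 * i]);
            int lo = hex_nibble(hex[2 * i + 1]);

            if (hi < 0 || lo < 0)
                return -EINVAL;
            buf[i] = (uint8_t)((hi << 4) | lo);
        }
    } else {
        /* Raw string form: at most 16 bytes, remaining bytes stay zero. */
        if (len > KEYMOD_LEN)
            return -EINVAL;
        memcpy(buf, opt, len);
    }

    memcpy(out, buf, KEYMOD_LEN);
    return 0;
}

/* 1 if opt parses successfully, 0 otherwise (status-only convenience wrapper). */
int keymod_valid(const char *opt)
{
    uint8_t scratch[KEYMOD_LEN];

    return parse_keymod(opt, scratch) == 0;
}

/* 1 if opt parses to exactly the 16 bytes in expect[], 0 otherwise. */
int keymod_equals(const char *opt, const uint8_t expect[KEYMOD_LEN])
{
    uint8_t got[KEYMOD_LEN];

    if (parse_keymod(opt, got) != 0)
        return 0;
    return memcmp(got, expect, KEYMOD_LEN) == 0;
}

int main(void)
{
    /* Constructed sample option values covering the accepted and rejected shapes. */
    static const char *inputs[] = {
        "0x00112233445566778899aabbccddeeff", /* hex form, 32 digits */
        "kernel:dm-crypt",                    /* 15-byte raw tag, zero-padded */
        "0x0011",                             /* too short for 128 bits */
        "0xzz112233445566778899aabbccddeeff", /* non-hex digit */
        "this-string-is-way-too-long",        /* raw form longer than 16 bytes */
    };
    size_t n;

    for (n = 0; n < sizeof inputs / sizeof inputs[0]; n++) {
        uint8_t km[KEYMOD_LEN];
        int rc = parse_keymod(inputs[n], km);
        int i;

        printf("%-40s -> %s", inputs[n], rc ? "EINVAL" : "ok ");
        if (!rc)
            for (i = 0; i < KEYMOD_LEN; i++)
                printf("%02x", km[i]);
        putchar('\n');
    }
    return 0;
}
```

The hex branch insists on exactly 32 digits rather than accepting shorter values and padding them, because a modifier that is meant to serve as a secret (Richard's case 2) should not silently shrink to fewer than 128 bits when a user mistypes it; the raw-string branch is the only place where padding happens, and only because short human-readable tags (case 1) are the point of that form.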