Re: [PATCH v1 3/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys
From: Ahmad Fatoum
Date: Wed Mar 24 2021 - 05:27:09 EST
Hello Mimi,
On 23.03.21 19:07, Mimi Zohar wrote:
> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote:
>> On 21.03.21 21:48, Horia Geantă wrote:
>>> caam has random number generation capabilities, so it's worth using that
>>> by implementing .get_random.
>>
>> If the CAAM HWRNG is already seeding the kernel RNG, why not use the kernel's?
>>
>> Makes for less code duplication IMO.
>
> Using kernel RNG, in general, for trusted keys has been discussed
> before. Please refer to Dave Safford's detailed explanation for not
> using it [1].
The argument seems to boil down to:
- TPM RNG are known to be of good quality
- Trusted keys always used it so far
Both are fine by me for TPMs, but the CAAM backend is new code and neither point
really applies.
get_random_bytes_wait is already used for generating key material elsewhere.
Why shouldn't new trusted key backends be able to do the same thing?
Cheers,
Ahmad
>
> thanks,
>
> Mimi
>
> [1]
> https://lore.kernel.org/linux-integrity/BCA04D5D9A3B764C9B7405BBA4D4A3C035F2A38B@xxxxxxxxxxxxxxxxxxxxxxxx/
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |