Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64

From: James Bottomley
Date: Tue May 21 2024 - 10:14:04 EST

Next message: Björn Töpel: "Re: [PATCH v3 9/9] riscv: mm: Add support for ZONE_DEVICE"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 2/4] arm64: dts: mediatek: mt8365: use a specific SCPSYS compatible"
In reply to: Jarkko Sakkinen: "Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64"
Next in thread: Jarkko Sakkinen: "Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2024-05-21 at 17:02 +0300, Jarkko Sakkinen wrote:
> Secondly, it also roots to the null key if a parent is not given. So
> it covers all the basic features of the HMAC patch set.

I don't think that can work. The key file would be wrapped to the
parent and the null seed (and hence the wrapping) changes with every
reboot. If you want a permanent key, it has to be in one of the
accessible permanent hierarchies (storage ideally or endorsement).

The spec has a mechanism for deriving the key from a permanent handle
if the system doesn't have it in-place. I do have patches to use that
because that's the way most sealed objects and keys are generated
today. I'll post them (although there'll be a bit of fixing up to do).

Regards,

James

Next message: Björn Töpel: "Re: [PATCH v3 9/9] riscv: mm: Add support for ZONE_DEVICE"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 2/4] arm64: dts: mediatek: mt8365: use a specific SCPSYS compatible"
In reply to: Jarkko Sakkinen: "Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64"
Next in thread: Jarkko Sakkinen: "Re: [PATCH] tpm: enable HMAC encryption for only x86-64 and aarch64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]