Re: [PATCH v3] KEYS: trusted: Use ASN.1 encoded OID

From: Jarkko Sakkinen
Date: Thu May 23 2024 - 10:26:35 EST


On Thu May 23, 2024 at 5:20 PM EEST, Jarkko Sakkinen wrote:
> There's no reason to encode OID_TPMSealedData at run-time, as it never
> changes.
>
> Replace it with an encoded u8-array, which has the same number of
> elements:
>
> 67 81 05 0A 01 05
>
> Include OBJECT IDENTIFIER (0x06) tag and length as the prologue so that
> the OID can be simply copied to the blob leading to:
>
> 06 06 67 81 05 0A 01 05
>
> Since this in stationary place in the buffer it is guaranteed to always
> fit and not further checks are required.
>
> Reviewed-by: David Howells <dhowells@xxxxxxxxxx>
> Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

Does not really substitute distribution kernel testing, which is
IMHO essential for something like TPM2 boot in systemd but for
simple patches like this, the following does a trivial smoke
test:

export LINUX_OVERRIDE_SRCDIR=<path to a kernel tree with a trusted keys patch>
git clone https://gitlab.com/jarkkojs/linux-tpmdd-test.git
cd linux-tpmdd-test
cmake -Bbuild && make -Cbuild buildroot-prepare
make -Cbuild/buildroot/build
build/buildroot/build/images/run-tests.sh

I'm planning to migrate at some point to systemd and make it
appear more like distribution tho..

For recompiling just kernel only thing needed is:

rm -rf build/buildroot/build/build/linux-custom
make -Cbuild/buildroot/build

I've put this also to the MAINTAINERS entry of TPM driver although
I use it also for keyrings etc. Also it is open for contributions
via Gitlab merge requests (not requesting them per se but I'm open
to such possibility).

BR, Jarkko