Hello Sumit, On 24.03.21 11:47, Sumit Garg wrote: > On Wed, 24 Mar 2021 at 14:56, Ahmad Fatoum <a.fat...@pengutronix.de> wrote: >> >> Hello Mimi, >> >> On 23.03.21 19:07, Mimi Zohar wrote: >>> On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote: >>>> On 21.03.21 21:48, Horia Geantă wrote: >>>>> caam has random number generation capabilities, so it's worth using that >>>>> by implementing .get_random. >>>> >>>> If the CAAM HWRNG is already seeding the kernel RNG, why not use the >>>> kernel's? >>>> >>>> Makes for less code duplication IMO. >>> >>> Using kernel RNG, in general, for trusted keys has been discussed >>> before. Please refer to Dave Safford's detailed explanation for not >>> using it [1]. >> >> The argument seems to boil down to: >> >> - TPM RNG are known to be of good quality >> - Trusted keys always used it so far >> >> Both are fine by me for TPMs, but the CAAM backend is new code and neither >> point >> really applies. >> >> get_random_bytes_wait is already used for generating key material elsewhere. >> Why shouldn't new trusted key backends be able to do the same thing? >> > > Please refer to documented trusted keys behaviour here [1]. New > trusted key backends should align to this behaviour and in your case > CAAM offers HWRNG so we should be better using that.
Why is it better? Can you explain what benefit a CAAM user would have if the trusted key randomness comes directly out of the CAAM instead of indirectly from the kernel entropy pool that is seeded by it? > Also, do update documentation corresponding to CAAM as a trusted keys backend. Yes. The documentation should be updated for CAAM and it should describe how the key material is derived. Will do so for v2. Cheers, Ahmad > > [1] > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/tree/Documentation/security/keys/trusted-encrypted.rst#n87 > > -Sumit > >> Cheers, >> Ahmad >> >>> >>> thanks, >>> >>> Mimi >>> >>> [1] >>> https://lore.kernel.org/linux-integrity/bca04d5d9a3b764c9b7405bba4d4a3c035f2a...@alpmbapa12.e2k.ad.ge.com/ >>> >>> >>> >> >> -- >> Pengutronix e.K. | | >> Steuerwalder Str. 21 | http://www.pengutronix.de/ | >> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | >> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |