On Wed, 2021-03-24 at 09:14 -0700, James Bottomley wrote: > On Tue, 2021-03-23 at 14:07 -0400, Mimi Zohar wrote: > > On Tue, 2021-03-23 at 17:35 +0100, Ahmad Fatoum wrote: > > > Hello Horia, > > > > > > On 21.03.21 21:48, Horia Geantă wrote: > > > > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote: > > > > [...] > > > > > +struct trusted_key_ops caam_trusted_key_ops = { > > > > > + .migratable = 0, /* non-migratable */ > > > > > + .init = trusted_caam_init, > > > > > + .seal = trusted_caam_seal, > > > > > + .unseal = trusted_caam_unseal, > > > > > + .exit = trusted_caam_exit, > > > > > +}; > > > > caam has random number generation capabilities, so it's worth > > > > using that > > > > by implementing .get_random. > > > > > > If the CAAM HWRNG is already seeding the kernel RNG, why not use > > > the kernel's? > > > > > > Makes for less code duplication IMO. > > > > Using kernel RNG, in general, for trusted keys has been discussed > > before. Please refer to Dave Safford's detailed explanation for not > > using it [1]. > > > > [1] > > https://lore.kernel.org/linux-integrity/bca04d5d9a3b764c9b7405bba4d4a3c035f2a...@alpmbapa12.e2k.ad.ge.com/ > > I still don't think relying on one source of randomness to be > cryptographically secure is a good idea. The fear of bugs in the > kernel entropy pool is reasonable, but since it's widely used they're > unlikely to persist very long. Studies have shown that some TPMs > (notably the chinese manufactured ones) have suspicious failures in > their RNGs: > > https://www.researchgate.net/publication/45934562_Benchmarking_the_True_Random_Number_Generator_of_TPM_Chips > > And most cryptograhpers recommend using a TPM for entropy mixing rather > than directly: > > https://blog.cryptographyengineering.com/category/rngs/ > > The TPMFail paper also shows that in spite of NIST certification > things can go wrong with a TPM: > > https://tpm.fail/
We already had a lengthy discussion on replacing the TPM RNG with the kernel RNG for trusted keys, when TEE was being introduced [2,3]. I'm not interested in re-hashing that discussion here. The only difference now is that CAAM is a new trust source. I suspect the same concerns/issues persist, but at least in this case using the kernel RNG would not be a regression. [2] Pascal Van Leeuwen on mixing different sources of entropy and certification - https://lore.kernel.org/linux-integrity/mn2pr20mb29732a856a40131a671f949fca...@mn2pr20mb2973.namprd20.prod.outlook.com/ [3] Jarrko on "regression" and tpm_asym.c - https://lore.kernel.org/linux-integrity/20191014190033.ga15...@linux.intel.com/ Mimi