On Thu May 23, 2024 at 4:38 PM EEST, James Bottomley wrote: > On Thu, 2024-05-23 at 16:19 +0300, Jarkko Sakkinen wrote: > > There's no reason to encode OID_TPMSealedData at run-time, as it > > never changes. > > > > Replace it with the encoded version, which has exactly the same size: > > > > 67 81 05 0A 01 05 > > > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so > > that the OID can be simply copied to the blob. > > This is true, but if we're going to do this, we should expand the OID > registry functions (in lib/oid_registry.c) to do something like > encode_OID. The registry already contains the hex above minus the two > prefixes (which are easy to add).
Yes, I do agree with this idea, and I named variable the I named it to make it obvious that generation is possible. It would be best to have a single source, which could be just a CSV file with entries like: <Name>,<OID number> And then in scripts/ there should be a script that takes this source and generates oid_registry.gen.{h,c}. The existing oid_registry.h should really just include oid_registry.gen.h then to make this transparent change. And then in the series where OID's are encoded per-subsystem patch that takes pre-encoded OID into use. Happy to review such patch set if it is pushed forward. > > @ -51,8 +52,8 @@ static int tpm2_key_encode(struct > > trusted_key_payload *payload, > > if (!scratch) > > return -ENOMEM; > > > > - work = asn1_encode_oid(work, end_work, tpm2key_oid, > > - asn1_oid_len(tpm2key_oid)); > > + work = memcpy(work, OID_TPMSealedData_ASN1, > > sizeof(OID_TPMSealedData_ASN1)); > > + work += sizeof(OID_TPMSealedData_ASN1); > > You lost the actually fits check. This is somewhat irrelevant for TPM > keys because the OID is first in the structure and thus will never > overflow, but it might matter for other uses. Yep, it is irrelevant IMHO, there is 8 bytes, and also its location never changes. > James BR, Jarkko