Re: [PATCH v2 1/2] keys/trusted_keys: clean up debug message logging in the tpm backend

Mon, 09 Mar 2026 15:48:10 -0700 


On 2/20/26 1:34 PM, Srish Srinivasan wrote:

The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
for logging debug information.

Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump().
Remove TPM_DEBUG.

No functional change intended.

There is functional change here.  This change allows secret and nonce in 
the function dump_sess() to be logged to kernel logs when dynamic debug 
is enabled. Previously, it was possible only in the debug builds and not 
the production builds at runtime. With this change, it is always there 
in production build. This can result in possible attack.



Instead of doing this change, I think add a comment to prevent this sort 
of change in the future.


Thanks & Regards,

    - Nayna



Signed-off-by: Srish Srinivasan <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
---
  security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
  1 file changed, 12 insertions(+), 28 deletions(-)

diff --git a/security/keys/trusted-keys/trusted_tpm1.c 
b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..216caef97ffc 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,28 +46,25 @@ enum {
        SRK_keytype = 4
  };

  
-#define TPM_DEBUG 0

-
-#if TPM_DEBUG
  static inline void dump_options(struct trusted_key_options *o)
  {
-       pr_info("sealing key type %d\n", o->keytype);
-       pr_info("sealing key handle %0X\n", o->keyhandle);
-       pr_info("pcrlock %d\n", o->pcrlock);
-       pr_info("pcrinfo %d\n", o->pcrinfo_len);
-       print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
+       pr_debug("sealing key type %d\n", o->keytype);
+       pr_debug("sealing key handle %0X\n", o->keyhandle);
+       pr_debug("pcrlock %d\n", o->pcrlock);
+       pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+       print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
                       16, 1, o->pcrinfo, o->pcrinfo_len, 0);
  }

  
  static inline void dump_sess(struct osapsess *s)

  {
-       print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
+       print_hex_dump(KERN_DEBUG, "trusted-key: handle ", DUMP_PREFIX_NONE,
                       16, 1, &s->handle, 4, 0);
-       pr_info("secret:\n");
-       print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
+       pr_debug("secret:\n");
+       print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
                       16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
-       pr_info("trusted-key: enonce:\n");
-       print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
+       pr_debug("trusted-key: enonce:\n");
+       print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
                       16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
  }

  
@@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char *buf)

  {
        int len;

  
-	pr_info("\ntpm buffer\n");

+       pr_debug("\ntpm buffer\n");
        len = LOAD32(buf, TPM_SIZE_OFFSET);
-       print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
-}
-#else
-static inline void dump_options(struct trusted_key_options *o)
-{
-}
-
-static inline void dump_sess(struct osapsess *s)
-{
-}
-
-static inline void dump_tpm_buf(unsigned char *buf)
-{
+       print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
  }
-#endif

  
  static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,

                       unsigned int keylen, ...)
























					Reply via email to