Commit be07858f authored by Ahmad Fatoum's avatar Ahmad Fatoum Committed by Jarkko Sakkinen
Browse files

KEYS: trusted: allow use of TEE as backend without TCG_TPM support 



With recent rework, trusted keys are no longer limited to TPM as trust
source. The Kconfig symbol is unchanged however leading to a few issues:

  - TCG_TPM is required, even if only TEE is to be used
  - Enabling TCG_TPM, but excluding it from available trusted sources
    is not possible
  - TEE=m && TRUSTED_KEYS=y will lead to TEE support being silently
    dropped, which is not the best user experience

Remedy these issues by introducing two new boolean Kconfig symbols:
TRUSTED_KEYS_TPM and TRUSTED_KEYS_TEE with the appropriate
dependencies.

Any new code depending on the TPM trusted key backend in particular
or symbols exported by it will now need to explicitly state that it

  depends on TRUSTED_KEYS && TRUSTED_KEYS_TPM

The latter to ensure the dependency is built and the former to ensure
it's reachable for module builds. There are no such users yet.

Reviewed-by: default avatarSumit Garg <sumit.garg@linaro.org>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: default avatarPankaj Gupta <pankaj.gupta@nxp.com>
Tested-by: default avatarPankaj Gupta <pankaj.gupta@nxp.com>
Tested-by: default avatarAndreas Rammhold <andreas@rammhold.de>
Tested-by: default avatarTim Harvey <tharvey@gateworks.com>
Tested-by: Michael Walle <michael@walle.cc> # on ls1028a (non-E and E)
Tested-by: John Ernberg <john.ernberg@actia.se> # iMX8QXP
Signed-off-by: default avatarAhmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent af402ee3

security/keys/Kconfig

+7 −11
Original line number Diff line number Diff line
@@ -70,23 +70,19 @@ config BIG_KEYS 


config TRUSTED_KEYS

	tristate "TRUSTED KEYS"

	depends on KEYS && TCG_TPM

	select CRYPTO

	select CRYPTO_HMAC

	select CRYPTO_SHA1

	select CRYPTO_HASH_INFO

	select ASN1_ENCODER

	select OID_REGISTRY

	select ASN1

	depends on KEYS

	help

	  This option provides support for creating, sealing, and unsealing

	  keys in the kernel. Trusted keys are random number symmetric keys,

	  generated and RSA-sealed by the TPM. The TPM only unseals the keys,

	  if the boot PCRs and other criteria match.  Userspace will only ever

	  see encrypted blobs.

	  generated and sealed by a trust source selected at kernel boot-time.

	  Userspace will only ever see encrypted blobs.



	  If you are unsure as to whether this is required, answer N.



if TRUSTED_KEYS

source "security/keys/trusted-keys/Kconfig"

endif



config ENCRYPTED_KEYS

	tristate "ENCRYPTED KEYS"

	depends on KEYS

security/keys/trusted-keys/Kconfig

0 → 100644
+29 −0
Original line number Diff line number Diff line 
config TRUSTED_KEYS_TPM

	bool "TPM-based trusted keys"

	depends on TCG_TPM >= TRUSTED_KEYS

	default y

	select CRYPTO

	select CRYPTO_HMAC

	select CRYPTO_SHA1

	select CRYPTO_HASH_INFO

	select ASN1_ENCODER

	select OID_REGISTRY

	select ASN1

	help

	  Enable use of the Trusted Platform Module (TPM) as trusted key

	  backend. Trusted keys are random number symmetric keys,

	  which will be generated and RSA-sealed by the TPM.

	  The TPM only unseals the keys, if the boot PCRs and other

	  criteria match.



config TRUSTED_KEYS_TEE

	bool "TEE-based trusted keys"

	depends on TEE >= TRUSTED_KEYS

	default y

	help

	  Enable use of the Trusted Execution Environment (TEE) as trusted

	  key backend.



if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE

comment "No trust source selected!"

endif

security/keys/trusted-keys/Makefile

+4 −4
Original line number Diff line number Diff line
@@ -5,10 +5,10 @@ 


obj-$(CONFIG_TRUSTED_KEYS) += trusted.o

trusted-y += trusted_core.o

trusted-y += trusted_tpm1.o

trusted-$(CONFIG_TRUSTED_KEYS_TPM) += trusted_tpm1.o



$(obj)/trusted_tpm2.o: $(obj)/tpm2key.asn1.h

trusted-y += trusted_tpm2.o

trusted-y += tpm2key.asn1.o

trusted-$(CONFIG_TRUSTED_KEYS_TPM) += trusted_tpm2.o

trusted-$(CONFIG_TRUSTED_KEYS_TPM) += tpm2key.asn1.o



trusted-$(CONFIG_TEE) += trusted_tee.o
 
trusted-$(CONFIG_TRUSTED_KEYS_TEE) += trusted_tee.o

security/keys/trusted-keys/trusted_core.c

+2 −2
Original line number Diff line number Diff line
@@ -27,10 +27,10 @@ module_param_named(source, trusted_key_source, charp, 0); 
MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)");



static const struct trusted_key_source trusted_key_sources[] = {

#if IS_REACHABLE(CONFIG_TCG_TPM)

#if defined(CONFIG_TRUSTED_KEYS_TPM)

	{ "tpm", &trusted_key_tpm_ops },

#endif

#if IS_REACHABLE(CONFIG_TEE)

#if defined(CONFIG_TRUSTED_KEYS_TEE)

	{ "tee", &trusted_key_tee_ops },

#endif

};