For cases a trusted key source already sources the kernel RNG, we can use get_random_bytes_wait to get the random data for key material.
Make the get_random callback optional to allow sources to make use of this. Signed-off-by: Ahmad Fatoum <[email protected]> --- To: James Bottomley <[email protected]> To: Jarkko Sakkinen <[email protected]> To: Mimi Zohar <[email protected]> To: David Howells <[email protected]> Cc: James Morris <[email protected]> Cc: "Serge E. Hallyn" <[email protected]> Cc: "Horia Geantă" <[email protected]> Cc: Aymen Sghaier <[email protected]> Cc: Herbert Xu <[email protected]> Cc: "David S. Miller" <[email protected]> Cc: Udit Agarwal <[email protected]> Cc: Jan Luebbe <[email protected]> Cc: David Gstir <[email protected]> Cc: Franck LENORMAND <[email protected]> Cc: Sumit Garg <[email protected]> Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] --- include/keys/trusted-type.h | 2 +- security/keys/trusted-keys/trusted_core.c | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h index d89fa2579ac0..4eb64548a74f 100644 --- a/include/keys/trusted-type.h +++ b/include/keys/trusted-type.h @@ -64,7 +64,7 @@ struct trusted_key_ops { /* Unseal a key. */ int (*unseal)(struct trusted_key_payload *p, char *datablob); - /* Get a randomized key. */ + /* Optional: Get a randomized key. */ int (*get_random)(unsigned char *key, size_t key_len); /* Exit key interface. */ diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c index ec3a066a4b42..5f92323efedf 100644 --- a/security/keys/trusted-keys/trusted_core.c +++ b/security/keys/trusted-keys/trusted_core.c @@ -16,6 +16,7 @@ #include <linux/key-type.h> #include <linux/module.h> #include <linux/parser.h> +#include <linux/random.h> #include <linux/rcupdate.h> #include <linux/slab.h> #include <linux/static_call.h> @@ -310,8 +311,14 @@ struct key_type key_type_trusted = { }; EXPORT_SYMBOL_GPL(key_type_trusted); +static int kernel_get_random(unsigned char *key, size_t key_len) +{ + return get_random_bytes_wait(key, key_len) ?: key_len; +} + static int __init init_trusted(void) { + int (*get_random)(unsigned char *key, size_t key_len); int i, ret = 0; for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) { @@ -320,6 +327,8 @@ static int __init init_trusted(void) strlen(trusted_key_sources[i].name))) continue; + get_random = trusted_key_sources[i].ops->get_random ?: kernel_get_random; + static_call_update(trusted_key_init, trusted_key_sources[i].ops->init); static_call_update(trusted_key_seal, @@ -327,7 +336,7 @@ static int __init init_trusted(void) static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); static_call_update(trusted_key_get_random, - trusted_key_sources[i].ops->get_random); + get_random); static_call_update(trusted_key_exit, trusted_key_sources[i].ops->exit); migratable = trusted_key_sources[i].ops->migratable; -- git-series 0.9.1
