On Sun, Dec 14, 2025 at 11:32:36PM +0200, Jarkko Sakkinen wrote:
> 1. tpm2_get_random() is costly when TCG_TPM2_HMAC is enabled and thus its
> use should be pooled rather than directly used. This both reduces
> latency and improves its predictability.
>
> 2. Linux is better off overall if every subsystem uses the same source for
> the random bitstream as the de-facto choice, unless *force majeure*
> reasons point to some other direction.
>
> In the case of TPM there is no reason for trusted keys to invoke TPM
> directly.
>
> Thus, unset '.get_random', which causes fallback to kernel_get_random().
>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> security/keys/trusted-keys/trusted_tpm1.c | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/security/keys/trusted-keys/trusted_tpm1.c
> b/security/keys/trusted-keys/trusted_tpm1.c
> index 636acb66a4f6..33b7739741c3 100644
> --- a/security/keys/trusted-keys/trusted_tpm1.c
> +++ b/security/keys/trusted-keys/trusted_tpm1.c
> @@ -936,11 +936,6 @@ static int trusted_tpm_unseal(struct trusted_key_payload
> *p, char *datablob)
> return ret;
> }
>
> -static int trusted_tpm_get_random(unsigned char *key, size_t key_len)
> -{
> - return tpm_get_random(chip, key, key_len);
> -}
> -
> static int __init init_digests(void)
> {
> int i;
> @@ -992,6 +987,5 @@ struct trusted_key_ops trusted_key_tpm_ops = {
> .init = trusted_tpm_init,
> .seal = trusted_tpm_seal,
> .unseal = trusted_tpm_unseal,
> - .get_random = trusted_tpm_get_random,
> .exit = trusted_tpm_exit,
> };
> --
> 2.39.5
>
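Review bot: on the first hunk (removal of trusted_tpm_get_random() around line 936), the description's cost argument is about tpm2_get_random() under TCG_TPM2_HMAC, yet the function being removed only calls `return tpm_get_random(chip, key, key_len);` in a file named trusted_tpm1.c; it would help to state in the description that tpm_get_random() routes to tpm2_get_random() on TPM 2.0 chips, so the latency argument applies to this legacy trusted-key path too. More importantly for a key-management change, the consequence for key material should be spelled out: after this hunk, trusted key bytes for this backend are drawn from the kernel CRNG instead of being requested from the TPM, and the description should say so and note whether the TPM still feeds the kernel pool via hwrng (which the follow-up reply only hints at), so reviewers can judge the trade-off rather than infer it.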
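Review bot: on the second hunk (dropping `.get_random = trusted_tpm_get_random,` from trusted_key_tpm_ops around line 987), leaving the field unset relies on the trusted-keys core treating a NULL .get_random as "use kernel_get_random()", and that check is not visible in this diff; please cite in the description where that fallback is implemented, and confirm the trusted_key_ops definition documents .get_random as optional, otherwise a reader of this ops table cannot tell whether a NULL entry is a deliberate fallback or a missing callback.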
Additional cc's as this indirectly relates to hwrng.

BR, Jarkko
