On Tue, Dec 16, 2025 at 01:14:38AM +0200, Jarkko Sakkinen wrote: > 1. tpm2_get_random() is costly when TCG_TPM2_HMAC is enabled and thus its > use should be pooled rather than directly used. This both reduces > latency and improves its predictability. > > 2. Linux is better off overall if every subsystem uses the same source for > generating the random numbers required. > > Thus, unset '.get_random', which causes fallback to kernel_get_random(). > > One might argue that TPM RNG should be used so that generated trusted keys > have the matching entropy with the TPM internally generated objects. > > This argument does some weight into it but as far cryptography goes, FIPS > certification sets the exact bar, not which exact FIPS certified RNG will > be used. Thus, the rational choice is obviously to pick the lowest latency > path. > > Finally, there also some actual defence in depth benefits on using kernel > RNG. E.g., it helps to mitigate TPM firmware bugs concerning RNG > implementation, which do happen in the wild occasionally. > > Reviewed-by: Eric Biggers <[email protected]> > Signed-off-by: Jarkko Sakkinen <[email protected]> > --- > v2: > - Added Eric's reviewed-by tag. > - Addressed concerns from James by writing more details to the commit > message and documenting random number generation to the source > code. > --- > security/keys/trusted-keys/trusted_tpm1.c | 6 ------ > security/keys/trusted-keys/trusted_tpm2.c | 9 +++++++++ > 2 files changed, 9 insertions(+), 6 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm1.c > b/security/keys/trusted-keys/trusted_tpm1.c > index 636acb66a4f6..33b7739741c3 100644 > --- a/security/keys/trusted-keys/trusted_tpm1.c > +++ b/security/keys/trusted-keys/trusted_tpm1.c > @@ -936,11 +936,6 @@ static int trusted_tpm_unseal(struct trusted_key_payload > *p, char *datablob) > return ret; > } > > -static int trusted_tpm_get_random(unsigned char *key, size_t key_len) > -{ > - return tpm_get_random(chip, key, key_len); > -} > - > static int __init init_digests(void) > { > int i; > @@ -992,6 +987,5 @@ struct trusted_key_ops trusted_key_tpm_ops = { > .init = trusted_tpm_init, > .seal = trusted_tpm_seal, > .unseal = trusted_tpm_unseal, > - .get_random = trusted_tpm_get_random, > .exit = trusted_tpm_exit, > }; > diff --git a/security/keys/trusted-keys/trusted_tpm2.c > b/security/keys/trusted-keys/trusted_tpm2.c > index a7ea4a1c3bed..d16be47f1305 100644 > --- a/security/keys/trusted-keys/trusted_tpm2.c > +++ b/security/keys/trusted-keys/trusted_tpm2.c > @@ -2,6 +2,15 @@ > /* > * Copyright (C) 2004 IBM Corporation > * Copyright (C) 2014 Intel Corporation > + > +/** > + * DOC: Random Number Generation > + * > + * tpm_get_random() was previously used here as the RNG in order to have > equal > + * entropy with the objects fully inside the TPM. However, as far as goes, > + * kernel RNG is equally fine, as long as long as it is FIPS certified. Also, > + * using kernel RNG has the benefit of mitigating bugs in the TPM firmware > + * associated with the RNG. > */
Sorry, this should have gone to trusted_tpm1.c :-) > > #include <linux/asn1_encoder.h> > -- > 2.39.5 > BR, Jarkko
