[RFC 5/7] KEYS: encrypted: Allow TEE based trusted master keys

Sumit Garg Thu, 13 Jun 2019 08:34:52 -0700

Allow search for TEE based trusted keys to act as master keys in case
TPM device is not present.


Signed-off-by: Sumit Garg <sumit.g...@linaro.org>
---
 security/keys/encrypted-keys/masterkey_trusted.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/keys/encrypted-keys/masterkey_trusted.c 
b/security/keys/encrypted-keys/masterkey_trusted.c
index c68528a..cfac27f 100644
--- a/security/keys/encrypted-keys/masterkey_trusted.c
+++ b/security/keys/encrypted-keys/masterkey_trusted.c
@@ -23,6 +23,9 @@
  * Trusted keys are sealed to PCRs and other metadata. Although userspace
  * manages both trusted/encrypted key-types, like the encrypted key type
  * data, trusted key type data is not visible decrypted from userspace.
+ *
+ * Also, check for alternate trusted keys provided via TEE in case there
+ * is no TPM available.
  */
 struct key *request_trusted_key(const char *trusted_desc,
                                const u8 **master_key, size_t *master_keylen)
@@ -31,8 +34,11 @@ struct key *request_trusted_key(const char *trusted_desc,
        struct key *tkey;
 
        tkey = request_key(&key_type_trusted, trusted_desc, NULL);
-       if (IS_ERR(tkey))
-               goto error;
+       if (IS_ERR(tkey)) {
+               tkey = request_key(&key_type_tee_trusted, trusted_desc, NULL);
+               if (IS_ERR(tkey))
+                       goto error;
+       }
 
        down_read(&tkey->sem);
        tpayload = tkey->payload.data[0];
-- 
2.7.4

[RFC 5/7] KEYS: encrypted: Allow TEE based trusted master keys

Reply via email to