On Thu, 1 Aug 2019 at 14:00, Janne Karhunen janne.karhunen@gmail.com wrote:
On Thu, Aug 1, 2019 at 10:58 AM Sumit Garg sumit.garg@linaro.org wrote:
Anyway, just my .02c. I guess having any new support in the kernel for new trust sources is good and improvement from the current state. I can certainly make my stuff work with your setup as well, what ever people think is the best.
Yes your implementation can very well fit under trusted keys abstraction framework without creating a new keytype: "ext-trusted".
The fundamental problem with the 'standardized kernel tee' still exists - it will never be generic in real life. Getting all this in the kernel will solve your problem and sell this particular product, but it is quite unlikely to help that many users. If the security is truly important to you, would you really trust any of this code to someone else? In this day and age, I really doubt many do.
There are already multiple platforms supported by OP-TEE [1] which could benefit from this trusted keys interface.
Everyone does their own thing, so this is why I really see all that as a userspace problem.
IMO, we should try to use standardized interfaces which are well thought off rather than implementing your own.
[1] https://optee.readthedocs.io/general/platforms.html
-Sumit
-- Janne