git.ipfire.org Git - thirdparty/kernel/linux.git/commit
KEYS: trusted: Debugging as a feature
author Jarkko Sakkinen <jarkko@kernel.org>
Thu, 9 Apr 2026 16:07:51 +0000 (19:07 +0300)
committer Jarkko Sakkinen <jarkko@kernel.org>
Mon, 15 Jun 2026 12:19:12 +0000 (15:19 +0300)
commit 4d05e948cebe03974ab9927daee55273207fdc22
tree 0dffa192549b9b8f964abb96854c17483f2063b8
parent 3a1705d180b203a6764d2a142d602bbf522d339b
KEYS: trusted: Debugging as a feature

TPM_DEBUG, and other similar flags, are a non-standard way to specify a
feature in the Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted
keys, and use it to replace these ad-hoc feature flags.

Given that trusted keys debug dumps can contain sensitive data, harden the
feature as follows:

1. In the Kconfig description postulate that pr_debug() statements must be
   used.
2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
3. Require trusted.debug=1 on the kernel command line (default: 0) to
   activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y.

Traces, when actually needed, can be easily enabled by providing
trusted.dyndbg='+p' and trusted.debug=1 on the kernel command line.

Reported-by: Nayna Jain <nayna@linux.ibm.com>
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Srish Srinivasan <ssrish@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Documentation/admin-guide/kernel-parameters.txt
include/keys/trusted-type.h
security/keys/trusted-keys/Kconfig
security/keys/trusted-keys/trusted_caam.c
security/keys/trusted-keys/trusted_core.c
security/keys/trusted-keys/trusted_tpm1.c