The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
for logging debug information.
Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump().
Remove TPM_DEBUG.
No functional change intended.
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..216caef97ffc 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,28 +46,25 @@ enum {
SRK_keytype = 4
};
-#define TPM_DEBUG 0
-
-#if TPM_DEBUG
static inline void dump_options(struct trusted_key_options *o)
{
- pr_info("sealing key type %d\n", o->keytype);
- pr_info("sealing key handle %0X\n", o->keyhandle);
- pr_info("pcrlock %d\n", o->pcrlock);
- pr_info("pcrinfo %d\n", o->pcrinfo_len);
- print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
+ pr_debug("sealing key type %d\n", o->keytype);
+ pr_debug("sealing key handle %0X\n", o->keyhandle);
+ pr_debug("pcrlock %d\n", o->pcrlock);
+ pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+ print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
16, 1, o->pcrinfo, o->pcrinfo_len, 0);
}
static inline void dump_sess(struct osapsess *s)
{
- print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
+ print_hex_dump(KERN_DEBUG, "trusted-key: handle ", DUMP_PREFIX_NONE,
16, 1, &s->handle, 4, 0);
- pr_info("secret:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
+ pr_debug("secret:\n");
+ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
- pr_info("trusted-key: enonce:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
+ pr_debug("trusted-key: enonce:\n");
+ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
}
@@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char *buf)
{
int len;
- pr_info("\ntpm buffer\n");
+ pr_debug("\ntpm buffer\n");
len = LOAD32(buf, TPM_SIZE_OFFSET);
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
-}
-#else
-static inline void dump_options(struct trusted_key_options *o)
-{
-}
-
-static inline void dump_sess(struct osapsess *s)
-{
-}
-
-static inline void dump_tpm_buf(unsigned char *buf)
-{
+ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
}
-#endif
static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
unsigned int keylen, ...)
--
2.43.0
On 2/20/26 1:34 PM, Srish Srinivasan wrote:
> The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
> for logging debug information.
>
> Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump().
> Remove TPM_DEBUG.
>
> No functional change intended.
There is functional change here. This change allows secret and nonce in
the function dump_sess() to be logged to kernel logs when dynamic debug
is enabled. Previously, it was possible only in the debug builds and not
the production builds at runtime. With this change, it is always there
in production build. This can result in possible attack.
Instead of doing this change, I think add a comment to prevent this sort
of change in the future.
Thanks & Regards,
- Nayna
>
> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
> 1 file changed, 12 insertions(+), 28 deletions(-)
>
> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> index c865c97aa1b4..216caef97ffc 100644
> --- a/security/keys/trusted-keys/trusted_tpm1.c
> +++ b/security/keys/trusted-keys/trusted_tpm1.c
> @@ -46,28 +46,25 @@ enum {
> SRK_keytype = 4
> };
>
> -#define TPM_DEBUG 0
> -
> -#if TPM_DEBUG
> static inline void dump_options(struct trusted_key_options *o)
> {
> - pr_info("sealing key type %d\n", o->keytype);
> - pr_info("sealing key handle %0X\n", o->keyhandle);
> - pr_info("pcrlock %d\n", o->pcrlock);
> - pr_info("pcrinfo %d\n", o->pcrinfo_len);
> - print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
> + pr_debug("sealing key type %d\n", o->keytype);
> + pr_debug("sealing key handle %0X\n", o->keyhandle);
> + pr_debug("pcrlock %d\n", o->pcrlock);
> + pr_debug("pcrinfo %d\n", o->pcrinfo_len);
> + print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
> 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
> }
>
> static inline void dump_sess(struct osapsess *s)
> {
> - print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
> + print_hex_dump(KERN_DEBUG, "trusted-key: handle ", DUMP_PREFIX_NONE,
> 16, 1, &s->handle, 4, 0);
> - pr_info("secret:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> + pr_debug("secret:\n");
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
> - pr_info("trusted-key: enonce:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> + pr_debug("trusted-key: enonce:\n");
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
> }
>
> @@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char *buf)
> {
> int len;
>
> - pr_info("\ntpm buffer\n");
> + pr_debug("\ntpm buffer\n");
> len = LOAD32(buf, TPM_SIZE_OFFSET);
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> -}
> -#else
> -static inline void dump_options(struct trusted_key_options *o)
> -{
> -}
> -
> -static inline void dump_sess(struct osapsess *s)
> -{
> -}
> -
> -static inline void dump_tpm_buf(unsigned char *buf)
> -{
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> }
> -#endif
>
> static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
> unsigned int keylen, ...)
On Mon, Mar 09, 2026 at 06:45:23PM -0400, Nayna Jain wrote:
>
> On 2/20/26 1:34 PM, Srish Srinivasan wrote:
> > The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
> > for logging debug information.
> >
> > Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump().
> > Remove TPM_DEBUG.
> >
> > No functional change intended.
> There is functional change here. This change allows secret and nonce in the
> function dump_sess() to be logged to kernel logs when dynamic debug is
> enabled. Previously, it was possible only in the debug builds and not the
> production builds at runtime. With this change, it is always there in
> production build. This can result in possible attack.
Good catch, thank you. It's in my master branch still (not in -next).
TPM_DEBUG should be removed in all cases. If you really want to read
a secret, use tracing tools.
This only proves that the print should exist or should be a constant
value, or overwritten same length value.
> Instead of doing this change, I think add a comment to prevent this sort of
> change in the future.
>
> Thanks & Regards,
>
> - Nayna
>
> >
> > Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > ---
> > security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
> > 1 file changed, 12 insertions(+), 28 deletions(-)
> >
> > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> > index c865c97aa1b4..216caef97ffc 100644
> > --- a/security/keys/trusted-keys/trusted_tpm1.c
> > +++ b/security/keys/trusted-keys/trusted_tpm1.c
> > @@ -46,28 +46,25 @@ enum {
> > SRK_keytype = 4
> > };
> > -#define TPM_DEBUG 0
> > -
> > -#if TPM_DEBUG
> > static inline void dump_options(struct trusted_key_options *o)
> > {
> > - pr_info("sealing key type %d\n", o->keytype);
> > - pr_info("sealing key handle %0X\n", o->keyhandle);
> > - pr_info("pcrlock %d\n", o->pcrlock);
> > - pr_info("pcrinfo %d\n", o->pcrinfo_len);
> > - print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
> > + pr_debug("sealing key type %d\n", o->keytype);
> > + pr_debug("sealing key handle %0X\n", o->keyhandle);
> > + pr_debug("pcrlock %d\n", o->pcrlock);
> > + pr_debug("pcrinfo %d\n", o->pcrinfo_len);
> > + print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
> > 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
> > }
> > static inline void dump_sess(struct osapsess *s)
> > {
> > - print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
> > + print_hex_dump(KERN_DEBUG, "trusted-key: handle ", DUMP_PREFIX_NONE,
> > 16, 1, &s->handle, 4, 0);
> > - pr_info("secret:\n");
> > - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> > + pr_debug("secret:\n");
> > + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> > 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
> > - pr_info("trusted-key: enonce:\n");
> > - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> > + pr_debug("trusted-key: enonce:\n");
> > + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> > 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
> > }
> > @@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char *buf)
> > {
> > int len;
> > - pr_info("\ntpm buffer\n");
> > + pr_debug("\ntpm buffer\n");
> > len = LOAD32(buf, TPM_SIZE_OFFSET);
> > - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> > -}
> > -#else
> > -static inline void dump_options(struct trusted_key_options *o)
> > -{
> > -}
> > -
> > -static inline void dump_sess(struct osapsess *s)
> > -{
> > -}
> > -
> > -static inline void dump_tpm_buf(unsigned char *buf)
> > -{
> > + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> > }
> > -#endif
> > static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
> > unsigned int keylen, ...)
BR, Jarkko
On Mon, Mar 23, 2026 at 07:17:51AM +0200, Jarkko Sakkinen wrote: > On Mon, Mar 09, 2026 at 06:45:23PM -0400, Nayna Jain wrote: > > > > On 2/20/26 1:34 PM, Srish Srinivasan wrote: > > > The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info() > > > for logging debug information. > > > > > > Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump(). > > > Remove TPM_DEBUG. > > > > > > No functional change intended. > > There is functional change here. This change allows secret and nonce in the > > function dump_sess() to be logged to kernel logs when dynamic debug is > > enabled. Previously, it was possible only in the debug builds and not the > > production builds at runtime. With this change, it is always there in > > production build. This can result in possible attack. > > Good catch, thank you. It's in my master branch still (not in -next). > > TPM_DEBUG should be removed in all cases. If you really want to read > a secret, use tracing tools. > > This only proves that the print should exist or should be a constant > value, or overwritten same length value. I dropped the current patches but yeah, a comment "do not touch this, could be poisonous" won't be an acceptable way to address this. If you want "some" debug information you can always put F-string or 0-string of same length, so there's options. BR, Jarkko
On 3/10/26 4:15 AM, Nayna Jain wrote:
>
> On 2/20/26 1:34 PM, Srish Srinivasan wrote:
>> The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
>> for logging debug information.
>>
>> Replace pr_info() with pr_debug(), and use KERN_DEBUG for
>> print_hex_dump().
>> Remove TPM_DEBUG.
>>
>> No functional change intended.
> There is functional change here. This change allows secret and nonce
> in the function dump_sess() to be logged to kernel logs when dynamic
> debug is enabled. Previously, it was possible only in the debug builds
> and not the production builds at runtime. With this change, it is
> always there in production build. This can result in possible attack.
Hi Jarkko,
Could you please let us know your thoughts on this one?
And Nayna,
thanks for bringing this up.
thanks,
Srish.
>
> Instead of doing this change, I think add a comment to prevent this
> sort of change in the future.
>
> Thanks & Regards,
>
> - Nayna
>
>>
>> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
>> 1 file changed, 12 insertions(+), 28 deletions(-)
>>
>> diff --git a/security/keys/trusted-keys/trusted_tpm1.c
>> b/security/keys/trusted-keys/trusted_tpm1.c
>> index c865c97aa1b4..216caef97ffc 100644
>> --- a/security/keys/trusted-keys/trusted_tpm1.c
>> +++ b/security/keys/trusted-keys/trusted_tpm1.c
>> @@ -46,28 +46,25 @@ enum {
>> SRK_keytype = 4
>> };
>> -#define TPM_DEBUG 0
>> -
>> -#if TPM_DEBUG
>> static inline void dump_options(struct trusted_key_options *o)
>> {
>> - pr_info("sealing key type %d\n", o->keytype);
>> - pr_info("sealing key handle %0X\n", o->keyhandle);
>> - pr_info("pcrlock %d\n", o->pcrlock);
>> - pr_info("pcrinfo %d\n", o->pcrinfo_len);
>> - print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
>> + pr_debug("sealing key type %d\n", o->keytype);
>> + pr_debug("sealing key handle %0X\n", o->keyhandle);
>> + pr_debug("pcrlock %d\n", o->pcrlock);
>> + pr_debug("pcrinfo %d\n", o->pcrinfo_len);
>> + print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
>> 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
>> }
>> static inline void dump_sess(struct osapsess *s)
>> {
>> - print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
>> + print_hex_dump(KERN_DEBUG, "trusted-key: handle ",
>> DUMP_PREFIX_NONE,
>> 16, 1, &s->handle, 4, 0);
>> - pr_info("secret:\n");
>> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
>> + pr_debug("secret:\n");
>> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
>> 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
>> - pr_info("trusted-key: enonce:\n");
>> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
>> + pr_debug("trusted-key: enonce:\n");
>> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
>> 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
>> }
>> @@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char
>> *buf)
>> {
>> int len;
>> - pr_info("\ntpm buffer\n");
>> + pr_debug("\ntpm buffer\n");
>> len = LOAD32(buf, TPM_SIZE_OFFSET);
>> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len,
>> 0);
>> -}
>> -#else
>> -static inline void dump_options(struct trusted_key_options *o)
>> -{
>> -}
>> -
>> -static inline void dump_sess(struct osapsess *s)
>> -{
>> -}
>> -
>> -static inline void dump_tpm_buf(unsigned char *buf)
>> -{
>> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf,
>> len, 0);
>> }
>> -#endif
>> static int TSS_rawhmac(unsigned char *digest, const unsigned char
>> *key,
>> unsigned int keylen, ...)
On Tue, Mar 17, 2026 at 08:44:03AM +0530, Srish Srinivasan wrote: > > On 3/10/26 4:15 AM, Nayna Jain wrote: > > > > On 2/20/26 1:34 PM, Srish Srinivasan wrote: > > > The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info() > > > for logging debug information. > > > > > > Replace pr_info() with pr_debug(), and use KERN_DEBUG for > > > print_hex_dump(). > > > Remove TPM_DEBUG. > > > > > > No functional change intended. > > There is functional change here. This change allows secret and nonce in > > the function dump_sess() to be logged to kernel logs when dynamic debug > > is enabled. Previously, it was possible only in the debug builds and not > > the production builds at runtime. With this change, it is always there > > in production build. This can result in possible attack. > > > Hi Jarkko, > Could you please let us know your thoughts on this one? > > And Nayna, > thanks for bringing this up. Nayna is absolutely right so I dropped it. Solution is debatable. > > thanks, > Srish. BR, Jarkko
On Sat, Feb 21, 2026 at 12:04:25AM +0530, Srish Srinivasan wrote:
> The TPM trusted-keys backend uses a local TPM_DEBUG guard and pr_info()
> for logging debug information.
>
> Replace pr_info() with pr_debug(), and use KERN_DEBUG for print_hex_dump().
> Remove TPM_DEBUG.
>
> No functional change intended.
>
> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> security/keys/trusted-keys/trusted_tpm1.c | 40 +++++++----------------
> 1 file changed, 12 insertions(+), 28 deletions(-)
>
> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> index c865c97aa1b4..216caef97ffc 100644
> --- a/security/keys/trusted-keys/trusted_tpm1.c
> +++ b/security/keys/trusted-keys/trusted_tpm1.c
> @@ -46,28 +46,25 @@ enum {
> SRK_keytype = 4
> };
>
> -#define TPM_DEBUG 0
> -
> -#if TPM_DEBUG
> static inline void dump_options(struct trusted_key_options *o)
> {
> - pr_info("sealing key type %d\n", o->keytype);
> - pr_info("sealing key handle %0X\n", o->keyhandle);
> - pr_info("pcrlock %d\n", o->pcrlock);
> - pr_info("pcrinfo %d\n", o->pcrinfo_len);
> - print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
> + pr_debug("sealing key type %d\n", o->keytype);
> + pr_debug("sealing key handle %0X\n", o->keyhandle);
> + pr_debug("pcrlock %d\n", o->pcrlock);
> + pr_debug("pcrinfo %d\n", o->pcrinfo_len);
> + print_hex_dump(KERN_DEBUG, "pcrinfo ", DUMP_PREFIX_NONE,
> 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
> }
>
> static inline void dump_sess(struct osapsess *s)
> {
> - print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
> + print_hex_dump(KERN_DEBUG, "trusted-key: handle ", DUMP_PREFIX_NONE,
> 16, 1, &s->handle, 4, 0);
> - pr_info("secret:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> + pr_debug("secret:\n");
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
> - pr_info("trusted-key: enonce:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> + pr_debug("trusted-key: enonce:\n");
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE,
> 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
> }
>
> @@ -75,23 +72,10 @@ static inline void dump_tpm_buf(unsigned char *buf)
> {
> int len;
>
> - pr_info("\ntpm buffer\n");
> + pr_debug("\ntpm buffer\n");
> len = LOAD32(buf, TPM_SIZE_OFFSET);
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> -}
> -#else
> -static inline void dump_options(struct trusted_key_options *o)
> -{
> -}
> -
> -static inline void dump_sess(struct osapsess *s)
> -{
> -}
> -
> -static inline void dump_tpm_buf(unsigned char *buf)
> -{
> + print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> }
> -#endif
>
> static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
> unsigned int keylen, ...)
> --
> 2.43.0
>
Applied.
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
© 2016 - 2026 Red Hat, Inc.