Message ID | 20200616160229.8018-3-James.Bottomley@HansenPartnership.com (mailing list archive) |
---|---|
State | Rejected |
Headers | show |
Series | TPM 2.0 trusted keys with attached policy | expand |
On Tue Jun 16 20, James Bottomley wrote: >The TCG has defined an OID prefix "2.23.133.10.1" for the various TPM >key uses. We've defined three of the available numbers: > >2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key (Usually > RSA2048 or Elliptic Curve) which can be imported by a > TPM2_Load() operation. > >2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key (Usually > RSA2048 or Elliptic Curve) which can be imported by a > TPM2_Import() operation. > >Both loadable and importable keys are specific to a given TPM, the >difference is that a loadable key is wrapped with the symmetric >secret, so must have been created by the TPM itself. An importable >key is wrapped with a DH shared secret, and may be created without >access to the TPM provided you know the public part of the parent key. > >2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128 > bytes) which is sealed by the TPM. It usually > represents a symmetric key and must be unsealed before > use. > James, which document are these defined in? I was searching last night, and couldn't find it. >The ASN.1 binary key form starts of with this OID as the first element >of a sequence, giving the binary form a unique recognizable identity >marker regardless of encoding. > >Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> >Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> >Reviewed-by: David Howells <dhowells@redhat.com> > >--- > >v3: correct OID_TPMImportableKey name >v7: add ack >v9: add review >--- > include/linux/oid_registry.h | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h >index 657d6bf2c064..f6e2276e5f30 100644 >--- a/include/linux/oid_registry.h >+++ b/include/linux/oid_registry.h >@@ -107,6 +107,11 @@ enum OID { > OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */ > OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */ > >+ /* TCG defined OIDS for TPM based keys */ >+ OID_TPMLoadableKey, /* 2.23.133.10.1.3 */ >+ OID_TPMImportableKey, /* 2.23.133.10.1.4 */ >+ OID_TPMSealedData, /* 2.23.133.10.1.5 */ >+ > OID__NR > }; > >-- >2.26.2 >
On Wed, 2020-06-17 at 14:42 -0700, Jerry Snitselaar wrote: > On Tue Jun 16 20, James Bottomley wrote: > > The TCG has defined an OID prefix "2.23.133.10.1" for the various > > TPM > > key uses. We've defined three of the available numbers: > > > > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key > > (Usually > > RSA2048 or Elliptic Curve) which can be imported by a > > TPM2_Load() operation. > > > > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key > > (Usually > > RSA2048 or Elliptic Curve) which can be imported by a > > TPM2_Import() operation. > > > > Both loadable and importable keys are specific to a given TPM, the > > difference is that a loadable key is wrapped with the symmetric > > secret, so must have been created by the TPM itself. An importable > > key is wrapped with a DH shared secret, and may be created without > > access to the TPM provided you know the public part of the parent > > key. > > > > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128 > > bytes) which is sealed by the TPM. It usually > > represents a symmetric key and must be unsealed before > > use. > > > > James, which document are these defined in? I was searching last > night, and couldn't find it. It isn't. It's defined in a TCG spreadsheet that Monty Wiseman keeps, but that seems to be as "official" as it gets with the TCG OID registry. James
On Wed, Jun 17, 2020 at 05:25:40PM -0700, James Bottomley wrote: > On Wed, 2020-06-17 at 14:42 -0700, Jerry Snitselaar wrote: > > On Tue Jun 16 20, James Bottomley wrote: > > > The TCG has defined an OID prefix "2.23.133.10.1" for the various > > > TPM > > > key uses. We've defined three of the available numbers: > > > > > > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key > > > (Usually > > > RSA2048 or Elliptic Curve) which can be imported by a > > > TPM2_Load() operation. > > > > > > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key > > > (Usually > > > RSA2048 or Elliptic Curve) which can be imported by a > > > TPM2_Import() operation. > > > > > > Both loadable and importable keys are specific to a given TPM, the > > > difference is that a loadable key is wrapped with the symmetric > > > secret, so must have been created by the TPM itself. An importable > > > key is wrapped with a DH shared secret, and may be created without > > > access to the TPM provided you know the public part of the parent > > > key. > > > > > > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128 > > > bytes) which is sealed by the TPM. It usually > > > represents a symmetric key and must be unsealed before > > > use. > > > > > > > James, which document are these defined in? I was searching last > > night, and couldn't find it. > > It isn't. It's defined in a TCG spreadsheet that Monty Wiseman keeps, > but that seems to be as "official" as it gets with the TCG OID > registry. > > James "The TCG has defined an OID prefix "2.23.133.10.1" for the various TPM key uses." Should this sentence start just as "TCG ...", not sure if "the" is required? /Jarkko
On Thu, 2020-06-18 at 10:14 +0300, Jarkko Sakkinen wrote: > On Wed, Jun 17, 2020 at 05:25:40PM -0700, James Bottomley wrote: > > On Wed, 2020-06-17 at 14:42 -0700, Jerry Snitselaar wrote: > > > On Tue Jun 16 20, James Bottomley wrote: > > > > The TCG has defined an OID prefix "2.23.133.10.1" for the > > > > various > > > > TPM > > > > key uses. We've defined three of the available numbers: > > > > > > > > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key > > > > (Usually > > > > RSA2048 or Elliptic Curve) which can be > > > > imported by a > > > > TPM2_Load() operation. > > > > > > > > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key > > > > (Usually > > > > RSA2048 or Elliptic Curve) which can be > > > > imported by a > > > > TPM2_Import() operation. > > > > > > > > Both loadable and importable keys are specific to a given TPM, > > > > the > > > > difference is that a loadable key is wrapped with the symmetric > > > > secret, so must have been created by the TPM itself. An > > > > importable > > > > key is wrapped with a DH shared secret, and may be created > > > > without > > > > access to the TPM provided you know the public part of the > > > > parent > > > > key. > > > > > > > > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to > > > > 128 > > > > bytes) which is sealed by the TPM. It usually > > > > represents a symmetric key and must be unsealed > > > > before > > > > use. > > > > > > > > > > James, which document are these defined in? I was searching last > > > night, and couldn't find it. > > > > It isn't. It's defined in a TCG spreadsheet that Monty Wiseman > > keeps, but that seems to be as "official" as it gets with the TCG > > OID registry. > > > > James > > "The TCG has defined an OID prefix "2.23.133.10.1" for the various > TPM key uses." > > Should this sentence start just as "TCG ...", not sure if "the" is > required? I've always referred to it as The Trusted Computing Group (so the TCG) partly to show they're not just any old trusted computing group. But I think they mostly do refer to themselves in literature as TCG. James
On Thu, Jun 18, 2020 at 12:22:02PM -0700, James Bottomley wrote: > On Thu, 2020-06-18 at 10:14 +0300, Jarkko Sakkinen wrote: > > On Wed, Jun 17, 2020 at 05:25:40PM -0700, James Bottomley wrote: > > > On Wed, 2020-06-17 at 14:42 -0700, Jerry Snitselaar wrote: > > > > On Tue Jun 16 20, James Bottomley wrote: > > > > > The TCG has defined an OID prefix "2.23.133.10.1" for the > > > > > various > > > > > TPM > > > > > key uses. We've defined three of the available numbers: > > > > > > > > > > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key > > > > > (Usually > > > > > RSA2048 or Elliptic Curve) which can be > > > > > imported by a > > > > > TPM2_Load() operation. > > > > > > > > > > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key > > > > > (Usually > > > > > RSA2048 or Elliptic Curve) which can be > > > > > imported by a > > > > > TPM2_Import() operation. > > > > > > > > > > Both loadable and importable keys are specific to a given TPM, > > > > > the > > > > > difference is that a loadable key is wrapped with the symmetric > > > > > secret, so must have been created by the TPM itself. An > > > > > importable > > > > > key is wrapped with a DH shared secret, and may be created > > > > > without > > > > > access to the TPM provided you know the public part of the > > > > > parent > > > > > key. > > > > > > > > > > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to > > > > > 128 > > > > > bytes) which is sealed by the TPM. It usually > > > > > represents a symmetric key and must be unsealed > > > > > before > > > > > use. > > > > > > > > > > > > > James, which document are these defined in? I was searching last > > > > night, and couldn't find it. > > > > > > It isn't. It's defined in a TCG spreadsheet that Monty Wiseman > > > keeps, but that seems to be as "official" as it gets with the TCG > > > OID registry. > > > > > > James > > > > "The TCG has defined an OID prefix "2.23.133.10.1" for the various > > TPM key uses." > > > > Should this sentence start just as "TCG ...", not sure if "the" is > > required? > > I've always referred to it as The Trusted Computing Group (so the TCG) > partly to show they're not just any old trusted computing group. But I > think they mostly do refer to themselves in literature as TCG. ... not that this highly important, just asking for pure interest :-) /Jarkko
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 657d6bf2c064..f6e2276e5f30 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -107,6 +107,11 @@ enum OID { OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */ OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */ + /* TCG defined OIDS for TPM based keys */ + OID_TPMLoadableKey, /* 2.23.133.10.1.3 */ + OID_TPMImportableKey, /* 2.23.133.10.1.4 */ + OID_TPMSealedData, /* 2.23.133.10.1.5 */ + OID__NR };