| Message ID | cover.56fff82362af6228372ea82e6bd7e586e23f0966.1615914058.git-series.a.fatoum@pengutronix.de (mailing list archive) |
|---|---|
| Headers | show |
| Series | KEYS: trusted: Introduce support for NXP CAAM-based trusted keys | expand |
Ahmad, On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core > built into many newer i.MX and QorIQ SoCs by NXP. > > Its blob mechanism can AES encrypt/decrypt user data using a unique > never-disclosed device-specific key. There has been multiple > discussions on how to represent this within the kernel: > > - [RFC] crypto: caam - add red blobifier > Steffen implemented[1] a PoC sysfs driver to start a discussion on how to > best integrate the blob mechanism. > Mimi suggested that it could be used to implement trusted keys. > Trusted keys back then were a TPM-only feature. > > - security/keys/secure_key: Adds the secure key support based on CAAM. > Udit added[2] a new "secure" key type with the CAAM as backend. The key > material stays within the kernel only. > Mimi and James agreed that this needs a generic interface, not specific > to CAAM. Mimi suggested trusted keys. Jan noted that this could serve as > basis for TEE-backed keys. > > - [RFC] drivers: crypto: caam: key: Add caam_tk key type > Franck added[3] a new "caam_tk" key type based on Udit's work. The key > material stays within the kernel only, but can optionally be user-set > instead of coming from RNG. James voiced the opinion that there should > be just one user-facing generic wrap/unwrap key type with multiple > possible handlers. David suggested trusted keys. > > - Introduce TEE based Trusted Keys support > Sumit reworked[4] trusted keys to support multiple possible backends with > one chosen at boot time and added a new TEE backend along with TPM. > This now sits in Jarkko's master branch to be sent out for v5.13 > > This patch series builds on top of Sumit's rework to have the CAAM as yet another > trusted key backend. > > The CAAM bits are based on Steffen's initial patch from 2015. His work had been > used in the field for some years now, so I preferred not to deviate too much from it. > > This series has been tested with dmcrypt[5] on an i.MX6DL. Do have this series also in a git repo to pull from? I'd like to give it a test on various systems. > Looking forward to your feedback. Thanks for working on this! David and I will have a closer look these days.
Hello Richard, On 17.03.21 00:10, Richard Weinberger wrote: > On Tue, Mar 16, 2021 at 6:24 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: >> This series has been tested with dmcrypt[5] on an i.MX6DL. > > Do have this series also in a git repo to pull from? > I'd like to give it a test on various systems. Yes, please pull git://git.pengutronix.de/afa/linux Branch v5.12/topic/trusted-source-caam It includes these three patches on top of Jarkko's linux-tpmdd/master. >> Looking forward to your feedback. > > Thanks for working on this! David and I will have a closer look these days. Great. Here is a simple testing regiment that could help you getting started: # First boot DEV=/dev/loop0 ALGO=aes-cbc-essiv:sha256 KEYNAME=kmk BLOCKS=20 mount -o remount,rw / fallocate -l $((BLOCKS*512)) ~/loop0.img losetup -P $DEV ~/loop0.img KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)" keyctl pipe $KEY >~/kmk.blob TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" echo $TABLE | dmsetup create mydev echo $TABLE | dmsetup load mydev dd if=/dev/zero of=/dev/mapper/mydev || true echo "It works!" 1<> /dev/mapper/mydev cryptsetup close mydev # Second boot DEV=/dev/loop0 ALGO=aes-cbc-essiv:sha256 KEYNAME=kmk BLOCKS=20 losetup -P $DEV ~/loop0.img keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" echo $TABLE | dmsetup create mydev echo $TABLE | dmsetup load mydev # Should print that It works! hexdump -C /dev/mapper/mydev
On 3/16/2021 7:02 PM, Ahmad Fatoum wrote: > The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core > built into many newer i.MX and QorIQ SoCs by NXP. > > Its blob mechanism can AES encrypt/decrypt user data using a unique > never-disclosed device-specific key. There has been multiple > discussions on how to represent this within the kernel: > > - [RFC] crypto: caam - add red blobifier > Steffen implemented[1] a PoC sysfs driver to start a discussion on how to > best integrate the blob mechanism. > Mimi suggested that it could be used to implement trusted keys. > Trusted keys back then were a TPM-only feature. > > - security/keys/secure_key: Adds the secure key support based on CAAM. > Udit added[2] a new "secure" key type with the CAAM as backend. The key > material stays within the kernel only. > Mimi and James agreed that this needs a generic interface, not specific > to CAAM. Mimi suggested trusted keys. Jan noted that this could serve as > basis for TEE-backed keys. > > - [RFC] drivers: crypto: caam: key: Add caam_tk key type > Franck added[3] a new "caam_tk" key type based on Udit's work. The key > material stays within the kernel only, but can optionally be user-set > instead of coming from RNG. James voiced the opinion that there should > be just one user-facing generic wrap/unwrap key type with multiple > possible handlers. David suggested trusted keys. > The whole point was to use caam "black blobs", with the main advantage of keys being kept encrypted in memory after "unsealing" the blobs. (Keys in blobs are encrypted with a persistent BKEK - blob KEK, derived from fuse-based OTPMK. OTOH black keys are keys encrypted with an ephemeral, random KEK that is stored in an internal caam register. When a black blob is unsealed, the key is practically rekeyed, the random key replacing the BKEK; key is never exposed in plaintext, rekeying happens in caam). Current implementation uses "red blobs", which means keys are left unprotected in memory after blobs are unsealed. > - Introduce TEE based Trusted Keys support > Sumit reworked[4] trusted keys to support multiple possible backends with > one chosen at boot time and added a new TEE backend along with TPM. > This now sits in Jarkko's master branch to be sent out for v5.13 > > This patch series builds on top of Sumit's rework to have the CAAM as yet another > trusted key backend. > Shouldn't the description under TRUSTED_KEYS (in security/keys/Kconfig) be updated to reflect the availability of multiple backends? Thanks, Horia
Hello Horia, On 21.03.21 21:01, Horia Geantă wrote: > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote: >> This patch series builds on top of Sumit's rework to have the CAAM as yet another >> trusted key backend. >> > Shouldn't the description under TRUSTED_KEYS (in security/keys/Kconfig) > be updated to reflect the availability of multiple backends? This is indeed no longer correct. It also depends on TCG_TPM, which AFAIU is not really needed for the new TEE backend. @Sumit, can you confirm?
Hello Horia, On 21.03.21 21:01, Horia Geantă wrote: >> - [RFC] drivers: crypto: caam: key: Add caam_tk key type >> Franck added[3] a new "caam_tk" key type based on Udit's work. The key >> material stays within the kernel only, but can optionally be user-set >> instead of coming from RNG. James voiced the opinion that there should >> be just one user-facing generic wrap/unwrap key type with multiple >> possible handlers. David suggested trusted keys. >> > The whole point was to use caam "black blobs", with the main advantage of > keys being kept encrypted in memory after "unsealing" the blobs. > (Keys in blobs are encrypted with a persistent BKEK - blob KEK, derived from > fuse-based OTPMK. OTOH black keys are keys encrypted with an ephemeral, random > KEK that is stored in an internal caam register. When a black blob is unsealed, > the key is practically rekeyed, the random key replacing the BKEK; key is never > exposed in plaintext, rekeying happens in caam). > > Current implementation uses "red blobs", which means keys are left unprotected > in memory after blobs are unsealed. Oh. I will reread the series when sending the v2 cover letter. Thanks for spotting. (Sorry for the noise, missed this question first time) >> - Introduce TEE based Trusted Keys support >> Sumit reworked[4] trusted keys to support multiple possible backends with >> one chosen at boot time and added a new TEE backend along with TPM. >> This now sits in Jarkko's master branch to be sent out for v5.13 >> >> This patch series builds on top of Sumit's rework to have the CAAM as yet another >> trusted key backend. >> > Shouldn't the description under TRUSTED_KEYS (in security/keys/Kconfig) > be updated to reflect the availability of multiple backends? > > Thanks, > Horia >
On Tue, 23 Mar 2021 at 22:04, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > Hello Horia, > > On 21.03.21 21:01, Horia Geantă wrote: > > On 3/16/2021 7:02 PM, Ahmad Fatoum wrote: > >> This patch series builds on top of Sumit's rework to have the CAAM as yet another > >> trusted key backend. > >> > > Shouldn't the description under TRUSTED_KEYS (in security/keys/Kconfig) > > be updated to reflect the availability of multiple backends? > > This is indeed no longer correct. It also depends on TCG_TPM, which AFAIU > is not really needed for the new TEE backend. > > @Sumit, can you confirm? > Yes, that's correct. Let me share a separate patch to fix that. -Sumit > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Ahmad, On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" > echo $TABLE | dmsetup create mydev > echo $TABLE | dmsetup load mydev Do you also plan to add support for this to cryptsetup? David and I have added (rough) support for our CAAM/DCP based keyrings to cryptsetup: https://github.com/sigma-star/cryptsetup/tree/rw/plain I'm pretty sure with minimal changes it will work with your recent approach too.
Ahmad,
On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
> keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s
Is there a reason why we can't pass the desired backend name in the
trusted key parameters?
e.g.
keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" @s
On Wed, 2021-03-31 at 00:04 +0200, Richard Weinberger wrote: > Ahmad, > > On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de > > wrote: > > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s > > Is there a reason why we can't pass the desired backend name in the > trusted key parameters? > e.g. > keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" > @s Why would you want to in the load? The blob should be type specific, so a TPM key shouldn't load as a CAAM key and vice versa ... and if they're not they need to be made so before the patches go upstream. I could possibly see that you might want to be type specific in the create, but once you're simply loading an already created key, the trusted key subsystem should be able to figure what to do on its own. James
James, ----- Ursprüngliche Mail ----- > Von: "James Bottomley" <jejb@linux.ibm.com> >> On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de >> > wrote: >> > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s >> >> Is there a reason why we can't pass the desired backend name in the >> trusted key parameters? >> e.g. >> keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" >> @s > > Why would you want to in the load? The blob should be type specific, > so a TPM key shouldn't load as a CAAM key and vice versa ... and if > they're not they need to be made so before the patches go upstream. I fear right now there is no good way to detect whether a blob is desired for CAAM or TPM. > I could possibly see that you might want to be type specific in the > create, but once you're simply loading an already created key, the > trusted key subsystem should be able to figure what to do on its own. So you have some kind of container format in mind which denotes the type of the blob? Thanks, //richard
On Wed, 2021-03-31 at 20:36 +0200, Richard Weinberger wrote: > James, > > ----- Ursprüngliche Mail ----- > > Von: "James Bottomley" <jejb@linux.ibm.com> > > > On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum < > > > a.fatoum@pengutronix.de wrote: > > > > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s > > > > > > Is there a reason why we can't pass the desired backend name in > > > the > > > trusted key parameters? > > > e.g. > > > keyctl add trusted $KEYNAME "backendtype caam load $(cat > > > ~/kmk.blob)" > > > @s > > > > Why would you want to in the load? The blob should be type > > specific, so a TPM key shouldn't load as a CAAM key and vice versa > > ... and if they're not they need to be made so before the patches > > go upstream. > > I fear right now there is no good way to detect whether a blob is > desired for CAAM or TPM. At least for the TPM the old format is two TPM2B structures, and the new one is ASN.1 so either should be completely distinguishable over what CAAM does. > > I could possibly see that you might want to be type specific in the > > create, but once you're simply loading an already created key, the > > trusted key subsystem should be able to figure what to do on its > > own. > > So you have some kind of container format in mind which denotes the > type of the blob? Well, yes. For the TPM, there's a defined ASN.1 format for the keys: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h and part of the design of the file is that it's distinguishable either in DER or PEM (by the guards) format so any crypto application can know it's dealing with a TPM key simply by inspecting the file. I think you need the same thing for CAAM and any other format. We're encouraging new ASN.1 formats to be of the form SEQUENCE { type OBJECT IDENTIFIER ... key specific fields ... } Where you choose a defined OID to represent the key and that means every key even in DER form begins with a unique binary signature. James
James, ----- Ursprüngliche Mail ----- > Von: "James Bottomley" <jejb@linux.ibm.com> > Well, yes. For the TPM, there's a defined ASN.1 format for the keys: > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h > > and part of the design of the file is that it's distinguishable either > in DER or PEM (by the guards) format so any crypto application can know > it's dealing with a TPM key simply by inspecting the file. I think you > need the same thing for CAAM and any other format. > > We're encouraging new ASN.1 formats to be of the form > > SEQUENCE { > type OBJECT IDENTIFIER > ... key specific fields ... > } > > Where you choose a defined OID to represent the key and that means > every key even in DER form begins with a unique binary signature. I like this idea. Ahmad, what do you think? That way we could also get rid off the kernel parameter and all the fall back logic, given that we find a way to reliable detect TEE blobs too... Thanks, //richard
Hello Richard, On 30.03.21 23:50, Richard Weinberger wrote: > Ahmad, > > On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > >> TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" >> echo $TABLE | dmsetup create mydev >> echo $TABLE | dmsetup load mydev > > Do you also plan to add support for this to cryptsetup? > > David and I have added (rough) support for our CAAM/DCP based keyrings > to cryptsetup: > https://github.com/sigma-star/cryptsetup/tree/rw/plain > > I'm pretty sure with minimal changes it will work with your recent approach too. I am using dmsetup directly in my project. I am not familiar with cryptsetup plain. What benefits do you see with this over direct dmsetup? What I'd like to see eventually is support for this with LUKS. There is a RFE on trusted keys and cryptsetup on the project's repository[1]. The behavior I'd want it that the LUKS header would point at the trusted key blob to use and load it into the kernel. This of course means that you won't be able to have multiple keys for the encrypted partition. [1]: https://gitlab.com/cryptsetup/cryptsetup/-/issues/443 Cheers, Ahmad
Hello Richard, On 31.03.21 21:36, Richard Weinberger wrote: > James, > > ----- Ursprüngliche Mail ----- >> Von: "James Bottomley" <jejb@linux.ibm.com> >> Well, yes. For the TPM, there's a defined ASN.1 format for the keys: >> >> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h >> >> and part of the design of the file is that it's distinguishable either >> in DER or PEM (by the guards) format so any crypto application can know >> it's dealing with a TPM key simply by inspecting the file. I think you >> need the same thing for CAAM and any other format. >> >> We're encouraging new ASN.1 formats to be of the form >> >> SEQUENCE { >> type OBJECT IDENTIFIER >> ... key specific fields ... >> } >> >> Where you choose a defined OID to represent the key and that means >> every key even in DER form begins with a unique binary signature. > > I like this idea. > Ahmad, what do you think? > > That way we could also get rid off the kernel parameter and all the fall back logic, > given that we find a way to reliable detect TEE blobs too... Sounds good to me. Sumit, your thoughts on doing this for TEE as well? > > Thanks, > //richard >
Ahmad, ----- Ursprüngliche Mail ----- > Von: "Ahmad Fatoum" <a.fatoum@pengutronix.de> >> I'm pretty sure with minimal changes it will work with your recent approach too. > > I am using dmsetup directly in my project. I am not familiar with cryptsetup > plain. What benefits do you see with this over direct dmsetup? cryptsetup is the de-facto standard to setup encrypted block devices. There is a lot of existing tooling around cryptsetup already (systemd, etc..), so being able to use CAAM keys for dm-crypt with cryptsetup seems natural to me. Plain mode allows setting up dm-crypt without LUKS. Thanks, //richard
Hello, On 01.04.21 12:20, Richard Weinberger wrote: > Ahmad, > > ----- Ursprüngliche Mail ----- >> Von: "Ahmad Fatoum" <a.fatoum@pengutronix.de> >>> I'm pretty sure with minimal changes it will work with your recent approach too. >> >> I am using dmsetup directly in my project. I am not familiar with cryptsetup >> plain. What benefits do you see with this over direct dmsetup? > > cryptsetup is the de-facto standard to setup encrypted block devices. > There is a lot of existing tooling around cryptsetup already (systemd, etc..), Do you mean systemd-cryptsetup? It looks to me like it's just a way to supply the keyphrase. With trusted keys and a keyphrase unknown to userspace, this won't work. > so being able to use CAAM keys for dm-crypt with cryptsetup seems natural to me. > Plain mode allows setting up dm-crypt without LUKS. I don't (yet) see the utility of it without LUKS. Perhaps a command dump on how to do the same I did with dmsetup, but with cryptsetup plain instead could help me to see the benefits? Cheers, Ahmad > > Thanks, > //richard >
Ahmad, ----- Ursprüngliche Mail ----- > Do you mean systemd-cryptsetup? It looks to me like it's just a way to supply > the keyphrase. With trusted keys and a keyphrase unknown to userspace, this > won't work. Nah, I meant existing scripts/service Files. > I don't (yet) see the utility of it without LUKS. Perhaps a command dump on how > to do the same I did with dmsetup, but with cryptsetup plain instead could > help me to see the benefits? My reasoning is simple, why do I need a different tool when there is already one that could do the task too? Usually the systems I get my hands on use already dm-crypt with cryptsetup in some way. So I have the tooling already in my initramfs, etc.. and need to adopt the callers of cryptsetup a little. If I need all of a sudden different/additional tooling, it means more work, more docs to write, more hassle with crypto/system reviewers, etc... I don't want you to force to use cryptsetup. The only goal was pointing out that it can be done with cryptsetup and that there is already code such that no work is done twice. One the kernel side it does not matter. Thanks, //richard
Hello Richard, On 01.04.21 12:53, Richard Weinberger wrote: > Ahmad, > > ----- Ursprüngliche Mail ----- >> Do you mean systemd-cryptsetup? It looks to me like it's just a way to supply >> the keyphrase. With trusted keys and a keyphrase unknown to userspace, this >> won't work. > > Nah, I meant existing scripts/service Files. > >> I don't (yet) see the utility of it without LUKS. Perhaps a command dump on how >> to do the same I did with dmsetup, but with cryptsetup plain instead could >> help me to see the benefits? > > My reasoning is simple, why do I need a different tool when there is already one > that could do the task too? > Usually the systems I get my hands on use already dm-crypt with cryptsetup in some way. > So I have the tooling already in my initramfs, etc.. and need to adopt the callers of cryptsetup a little. > > If I need all of a sudden different/additional tooling, it means more work, more docs to write, > more hassle with crypto/system reviewers, etc... > > I don't want you to force to use cryptsetup. I'd love to use cryptsetup with LUKS and trusted keys eventually. I'll take a look and see if cryptsetup plain maybe a suitable stop-gap solution for us. > The only goal was pointing out that it can be done with cryptsetup and that there > is already code such that no work is done twice. > One the kernel side it does not matter. Thanks for the pointer, Ahmad > > Thanks, > //richard >
Ahmad, ----- Ursprüngliche Mail ----- > Von: "Ahmad Fatoum" <a.fatoum@pengutronix.de> >> I don't want you to force to use cryptsetup. > > I'd love to use cryptsetup with LUKS and trusted keys eventually. I'll take But using LUKS would mean that cryptsetup has access to the plain disc encryption key material? This would be a no-go for many systems out there, key material must not accessible to userspace. I know, distrusting userspace root is not easy, but doable. :) Thanks, //richard
Richard Weinberger <richard.weinberger@gmail.com> wrote: > On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s > > Is there a reason why we can't pass the desired backend name in the > trusted key parameters? > e.g. > keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" @s I wonder... Does it make sense to add a new variant of the add_key() and keyctl_instantiate() syscalls that takes an additional parameter string, separate from the payload blob? key_serial_t add_key2(const char *type, const char *description, const char *params, const void *payload, size_t plen, key_serial_t keyring); which could then by used, say: keyctl add --payload=~/kmk.blob trusted $KEYNAME "backendtype caam load" @s This would then appear in struct key_preparsed_payload { const char *orig_description; char *description; char *params; <--- union key_payload payload; const void *data; size_t datalen; size_t quotalen; time64_t expiry; }; params would then be NULL for add_key(). If add_key2() is not available, the --payload param gets concatenated to the parameters string. Might be too complicated, I guess. Though it might make sense just to do the concatenation inside the keyctl program. David
Hello Richard, On 01.04.21 13:05, Richard Weinberger wrote: > Ahmad, > > ----- Ursprüngliche Mail ----- >> Von: "Ahmad Fatoum" <a.fatoum@pengutronix.de> >>> I don't want you to force to use cryptsetup. >> >> I'd love to use cryptsetup with LUKS and trusted keys eventually. I'll take > > But using LUKS would mean that cryptsetup has access to the plain disc encryption key material? > This would be a no-go for many systems out there, key material must not accessible to userspace. > I know, distrusting userspace root is not easy, but doable. :) The LUKS2 format supports tokens. I see no reason why the encrypted blob couldn't be stored there along with the usual metadata. cryptsetup would then load it as kernel trusted key and use it for dmcrypt decryption. This will mean we have to part ways with features such as having multiple keys, but I think it's worth it to have a plug and play solution for trusted keys. Of course, someone needs to implement this first ^^. Cheers, Ahmad > > Thanks, > //richard >
Ahmad, ----- Ursprüngliche Mail ----- > Von: "Ahmad Fatoum" <a.fatoum@pengutronix.de> >> But using LUKS would mean that cryptsetup has access to the plain disc >> encryption key material? >> This would be a no-go for many systems out there, key material must not >> accessible to userspace. >> I know, distrusting userspace root is not easy, but doable. :) > > The LUKS2 format supports tokens. I see no reason why the encrypted blob > couldn't be stored there along with the usual metadata. cryptsetup would > then load it as kernel trusted key and use it for dmcrypt decryption. > > This will mean we have to part ways with features such as having multiple > keys, but I think it's worth it to have a plug and play solution for > trusted keys. Ah, now I can follow your thoughts! Yes, that would be nice to have. :) I kind of assumed you want to use LUKS with passphrases and CAAM blobs. Thanks, //richard
Hi Richard, On Wed, 31 Mar 2021 at 03:34, Richard Weinberger <richard.weinberger@gmail.com> wrote: > > Ahmad, > > On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > keyctl add trusted $KEYNAME "load $(cat ~/kmk.blob)" @s > > Is there a reason why we can't pass the desired backend name in the > trusted key parameters? > e.g. > keyctl add trusted $KEYNAME "backendtype caam load $(cat ~/kmk.blob)" @s > IIUC, this would require support for multiple trusted keys backends at runtime but currently the trusted keys subsystem only supports a single backend which is selected via kernel module parameter during boot. So the trusted keys framework needs to evolve to support multiple trust sources at runtime but I would like to understand the use-cases first. IMO, selecting the best trust source available on a platform for trusted keys should be a one time operation, so why do we need to have other backends available at runtime as well? -Sumit > -- > Thanks, > //richard
Sumit, ----- Ursprüngliche Mail ----- > Von: "Sumit Garg" <sumit.garg@linaro.org> > IIUC, this would require support for multiple trusted keys backends at > runtime but currently the trusted keys subsystem only supports a > single backend which is selected via kernel module parameter during > boot. > > So the trusted keys framework needs to evolve to support multiple > trust sources at runtime but I would like to understand the use-cases > first. IMO, selecting the best trust source available on a platform > for trusted keys should be a one time operation, so why do we need to > have other backends available at runtime as well? I thought about devices with a TPM-Chip and CAAM. IMHO allowing only one backend at the same time is a little over simplified. Thanks, //richard
On Thu, 1 Apr 2021 at 15:36, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > Hello Richard, > > On 31.03.21 21:36, Richard Weinberger wrote: > > James, > > > > ----- Ursprüngliche Mail ----- > >> Von: "James Bottomley" <jejb@linux.ibm.com> > >> Well, yes. For the TPM, there's a defined ASN.1 format for the keys: > >> > >> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h > >> > >> and part of the design of the file is that it's distinguishable either > >> in DER or PEM (by the guards) format so any crypto application can know > >> it's dealing with a TPM key simply by inspecting the file. I think you > >> need the same thing for CAAM and any other format. > >> > >> We're encouraging new ASN.1 formats to be of the form > >> > >> SEQUENCE { > >> type OBJECT IDENTIFIER > >> ... key specific fields ... > >> } > >> > >> Where you choose a defined OID to represent the key and that means > >> every key even in DER form begins with a unique binary signature. > > > > I like this idea. > > Ahmad, what do you think? > > > > That way we could also get rid off the kernel parameter and all the fall back logic, > > given that we find a way to reliable detect TEE blobs too... > > Sounds good to me. Sumit, your thoughts on doing this for TEE as well? > AFAIU, ASN.1 formating should be independent of trusted keys backends which could be abstracted to trusted keys core layer so that every backend could be plugged in seamlessly. James, Would it be possible to achieve this? -Sumit > > > > Thanks, > > //richard > > > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Hello Richard, Sumit, On 01.04.21 15:17, Richard Weinberger wrote: > Sumit, > > ----- Ursprüngliche Mail ----- >> Von: "Sumit Garg" <sumit.garg@linaro.org> >> IIUC, this would require support for multiple trusted keys backends at >> runtime but currently the trusted keys subsystem only supports a >> single backend which is selected via kernel module parameter during >> boot. >> >> So the trusted keys framework needs to evolve to support multiple >> trust sources at runtime but I would like to understand the use-cases >> first. IMO, selecting the best trust source available on a platform >> for trusted keys should be a one time operation, so why do we need to >> have other backends available at runtime as well? > > I thought about devices with a TPM-Chip and CAAM. > IMHO allowing only one backend at the same time is a little over simplified. It is, but I'd rather leave this until it's actually needed. What can be done now is adopting a format for the exported keys that would make this extension seamless in future. Cheers, Ahmad
On Thu, 1 Apr 2021 at 19:00, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > > Hello Richard, Sumit, > > On 01.04.21 15:17, Richard Weinberger wrote: > > Sumit, > > > > ----- Ursprüngliche Mail ----- > >> Von: "Sumit Garg" <sumit.garg@linaro.org> > >> IIUC, this would require support for multiple trusted keys backends at > >> runtime but currently the trusted keys subsystem only supports a > >> single backend which is selected via kernel module parameter during > >> boot. > >> > >> So the trusted keys framework needs to evolve to support multiple > >> trust sources at runtime but I would like to understand the use-cases > >> first. IMO, selecting the best trust source available on a platform > >> for trusted keys should be a one time operation, so why do we need to > >> have other backends available at runtime as well? > > > > I thought about devices with a TPM-Chip and CAAM. In this case why would one prefer to use CAAM when you have standards compliant TPM-Chip which additionally offers sealing to specific PCR (integrity measurement) values. > > IMHO allowing only one backend at the same time is a little over simplified. > > It is, but I'd rather leave this until it's actually needed. > What can be done now is adopting a format for the exported keys that would > make this extension seamless in future. > +1 -Sumit > Cheers, > Ahmad > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Sumit, ----- Ursprüngliche Mail ----- > Von: "Sumit Garg" <sumit.garg@linaro.org> > In this case why would one prefer to use CAAM when you have standards > compliant TPM-Chip which additionally offers sealing to specific PCR > (integrity measurement) values. I don't think we can dictate what good/sane solutions are and which are not. Both CAAM and TPM have pros and cons, I don't see why supporting both is a bad idea. >> > IMHO allowing only one backend at the same time is a little over simplified. >> >> It is, but I'd rather leave this until it's actually needed. >> What can be done now is adopting a format for the exported keys that would >> make this extension seamless in future. >> > > +1 As long we don't make multiple backends at runtime impossible I'm fine and will happily add support for it when needed. :-) Thanks, //richard
On Thu, 1 Apr 2021 at 19:29, Richard Weinberger <richard@nod.at> wrote: > > Sumit, > > ----- Ursprüngliche Mail ----- > > Von: "Sumit Garg" <sumit.garg@linaro.org> > > In this case why would one prefer to use CAAM when you have standards > > compliant TPM-Chip which additionally offers sealing to specific PCR > > (integrity measurement) values. > > I don't think we can dictate what good/sane solutions are and which are not. > Both CAAM and TPM have pros and cons, I don't see why supporting both is a bad idea. I didn't mean to say that supporting both is a bad idea but rather I was looking for use-cases where one time selection of the best trust source (whether it be a TPM or TEE or CAAM etc.) for a platform wouldn't suffice for user needs. > > >> > IMHO allowing only one backend at the same time is a little over simplified. > >> > >> It is, but I'd rather leave this until it's actually needed. > >> What can be done now is adopting a format for the exported keys that would > >> make this extension seamless in future. > >> > > > > +1 > > As long we don't make multiple backends at runtime impossible I'm > fine and will happily add support for it when needed. :-) > You are most welcome to add such support. I will be happy to review it. -Sumit > Thanks, > //richard
On Thu, 2021-04-01 at 18:50 +0530, Sumit Garg wrote: > On Thu, 1 Apr 2021 at 15:36, Ahmad Fatoum <a.fatoum@pengutronix.de> > wrote: > > Hello Richard, > > > > On 31.03.21 21:36, Richard Weinberger wrote: > > > James, > > > > > > ----- Ursprüngliche Mail ----- > > > > Von: "James Bottomley" <jejb@linux.ibm.com> > > > > Well, yes. For the TPM, there's a defined ASN.1 format for the > > > > keys: > > > > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/tpm2-asn.h > > > > > > > > and part of the design of the file is that it's distinguishable > > > > either > > > > in DER or PEM (by the guards) format so any crypto application > > > > can know > > > > it's dealing with a TPM key simply by inspecting the file. I > > > > think you > > > > need the same thing for CAAM and any other format. > > > > > > > > We're encouraging new ASN.1 formats to be of the form > > > > > > > > SEQUENCE { > > > > type OBJECT IDENTIFIER > > > > ... key specific fields ... > > > > } > > > > > > > > Where you choose a defined OID to represent the key and that > > > > means > > > > every key even in DER form begins with a unique binary > > > > signature. > > > > > > I like this idea. > > > Ahmad, what do you think? > > > > > > That way we could also get rid off the kernel parameter and all > > > the fall back logic, > > > given that we find a way to reliable detect TEE blobs too... > > > > Sounds good to me. Sumit, your thoughts on doing this for TEE as > > well? > > > > AFAIU, ASN.1 formating should be independent of trusted keys backends > which could be abstracted to trusted keys core layer so that every > backend could be plugged in seamlessly. > > James, > > Would it be possible to achieve this? I'm not quite sure what you're asking. The saved format of the keys is particular to the underlying hardware. The ASN.1 wraps this so we have an identifier, some useful information to help load the key (like the policy systemements) and then the blobs the hardware expects. This makes the ASN.1 specific to the backend but having a distinguishing OID that allows anyone to tell which backend it needs from the file. So you can call the ASN.1 format that begins with the type OID, the "universal" format, but if you mean there should be a standard ASN.1 format for all keys that defines all the fields then that's not possible because the fields after type are very specific to the underlying hardware. James