| Message ID | 20231024011531.442587-1-jarkko@kernel.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | Extend struct tpm_buf to support sized buffers (TPM2B) | expand |
On 10/23/23 21:15, Jarkko Sakkinen wrote: > For TPM1 I tried: > > keyctl add trusted kmk "new 32" @u > > This caused TPM error 18, which AFAIK means that there is not SRK (?), > which is probably an issue in my swtpm configuration, which is visible > in board/qemu/start-qemu.sh.in. FYI: This would create a TPM 1.2 with an SRK with password 'sss': swtpm_setup --tpmstate=./ --create-ek-cert --take-ownership --overwrite --srkpass sss --ownerpass ooo
On Wed Nov 15, 2023 at 11:56 PM EET, Stefan Berger wrote: > > > On 10/23/23 21:15, Jarkko Sakkinen wrote: > > > For TPM1 I tried: > > > > keyctl add trusted kmk "new 32" @u > > > > This caused TPM error 18, which AFAIK means that there is not SRK (?), > > which is probably an issue in my swtpm configuration, which is visible > > in board/qemu/start-qemu.sh.in. > > FYI: This would create a TPM 1.2 with an SRK with password 'sss': > > swtpm_setup --tpmstate=./ --create-ek-cert --take-ownership --overwrite > --srkpass sss --ownerpass ooo Thanks! I'll update my scripts in my BuildRoot repository. BR, Jarkko
On Mon Nov 20, 2023 at 12:05 AM EET, Jarkko Sakkinen wrote: > On Wed Nov 15, 2023 at 11:56 PM EET, Stefan Berger wrote: > > > > > > On 10/23/23 21:15, Jarkko Sakkinen wrote: > > > > > For TPM1 I tried: > > > > > > keyctl add trusted kmk "new 32" @u > > > > > > This caused TPM error 18, which AFAIK means that there is not SRK (?), > > > which is probably an issue in my swtpm configuration, which is visible > > > in board/qemu/start-qemu.sh.in. > > > > FYI: This would create a TPM 1.2 with an SRK with password 'sss': > > > > swtpm_setup --tpmstate=./ --create-ek-cert --take-ownership --overwrite > > --srkpass sss --ownerpass ooo > > Thanks! I'll update my scripts in my BuildRoot repository. The repository helps to verify that tpm_buf changes don't break anything. I created it because I saw it as too high risk not to verify tpm_buf changes properly, as everything uses them. Any bug in HMAC session feature itself would be optimally only local to the feature and not something that spreads everywhere. So both the patch set itself and also the BuildRoot repository effectively manages this risk. BR, Jarkko
This patch set implements my ideas on how to extend struct tpm_buf to support TPM2 sized buffers (TPM2B). See Section 10.4 in TPM2 Structures specification for more information. The goal is to do initial groundwork for smoother landing of integrity protection patches by James Bottomley. I tested the patch set with: https://github.com/jarkkojs/buildroot-tpmdd/tree/linux-6.5.y Compilation: make qemu_x86_64_defconfig make 2>&1 | tee build.txt; TPM1 startup: output/images/start-qemu.sh --use-system-swtpm --rtc --tpm1 TPM2 startup: output/images/start-qemu.sh --use-system-swtpm --rtc For TPM2 I executed the following as the smoke test for these patches: /usr/lib/kselftests/run_kselftest.sh tpm2_createprimary --hierarchy o -G rsa2048 -c key.ctxt tpm2_evictcontrol -c key.ctxt 0x81000001 keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk 64" @u For TPM1 I tried: keyctl add trusted kmk "new 32" @u This caused TPM error 18, which AFAIK means that there is not SRK (?), which is probably an issue in my swtpm configuration, which is visible in board/qemu/start-qemu.sh.in. v3: - Resend with rebase to the latest upstream. Link: https://lore.kernel.org/linux-integrity/CT5OE5VZA7D7.3B7C6CK27JIK1@suppilovahvero/ Link: https://lore.kernel.org/linux-integrity/20230403214003.32093-1-James.Bottomley@HansenPartnership.com/ Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: William Roberts <bill.c.roberts@gmail.com> Cc: Stefan Berger <stefanb@linux.ibm.com> Cc: David Howells <dhowells@redhat.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Mimi Zohar <zohar@linux.ibm.com> James Bottomley (1): tpm: Move buffer handling from static inlines to real functions Jarkko Sakkinen (5): tpm: Store TPM buffer length tpm: Detach tpm_buf_reset() from tpm_buf_init() tpm: Support TPM2 sized buffers (TPM2B) tpm: Add tpm_buf_read_{u8,u16,u32} KEYS: trusted: tpm2: Use struct tpm_buf for sized buffers drivers/char/tpm/Makefile | 1 + drivers/char/tpm/tpm-buf.c | 195 ++++++++++++++++++++++ drivers/char/tpm/tpm-interface.c | 18 +- drivers/char/tpm/tpm-sysfs.c | 3 +- drivers/char/tpm/tpm1-cmd.c | 26 ++- drivers/char/tpm/tpm2-cmd.c | 36 ++-- drivers/char/tpm/tpm2-space.c | 7 +- drivers/char/tpm/tpm_vtpm_proxy.c | 13 +- include/linux/tpm.h | 96 ++--------- security/keys/trusted-keys/trusted_tpm1.c | 12 +- security/keys/trusted-keys/trusted_tpm2.c | 60 ++++--- 11 files changed, 325 insertions(+), 142 deletions(-) create mode 100644 drivers/char/tpm/tpm-buf.c