| Message ID | 20181019101758.1569-1-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | docs: Extend trusted keys documentation for TPM 2.0 | expand |
Hi, Feel free to ignore my comments. I don't know anything about TPM. On 10/19/18 3:17 AM, Stefan Berger wrote: > Extend the documentation for trusted keys with documentation for how to > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++- > 1 file changed, 30 insertions(+), 1 deletion(-) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst > index 3bb24e09a332..6ec6bb2ac497 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new > when the kernel and initramfs are updated. The same key can have many saved > blobs under different PCR values, so multiple boots are easily supported. > > +TPM 1.2 > +------- > + > By default, trusted keys are sealed under the SRK, which has the default > authorization value (20 zeros). This can be set at takeownership time with the > trouser's utility: "tpm_takeownership -u -z". It appears to be TrouSerS or maybe just trousers (no '). BTW, is this still the current location for it or has it moved elsewhere? http://trousers.sourceforge.net/ > > +TPM 2.0 > +------- > + > +The user must first create a storage key and make it persistent, so the key is > +available after reboot. This can be done using the following commands. > + > +With the IBM TSS 2 stack:: > + > + #> tsscreateprimary -hi o -st > + Handle 80000000 > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 > + > +Or with the Intel TSS 2 stack:: > + > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt > + [...] > + handle: 0x800000FF Is that handle value important? It doesn't seem to be used later... > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 > + persistentHandle: 0x81000001 > + > Usage:: > > keyctl add trusted name "new keylen [options]" ring > @@ -30,7 +53,9 @@ Usage:: > keyctl print keyid > > options: > - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) > + keyhandle= ascii hex value of sealing key s/ascii/ASCII/g > + TPM 1.2: default 0x40000000 (SRK) > + TPM 2.0: no default; must be passed every time > keyauth= ascii hex auth for sealing key default 0x00...i > (40 ascii zeros) > blobauth= ascii hex auth for sealed data default 0x00... > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > Create and save a trusted key named "kmk" of length 32 bytes:: > > +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, > +append 'keyhandle=0x81000001' to statements between quotes, such as > +"new 32 keyhandle=0x81000001". > + > $ keyctl add trusted kmk "new 32" @u > 440502848 > > ta.
On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <stefanb@linux.ibm.com> wrote: > > Extend the documentation for trusted keys with documentation for how to > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Thanks for the updates: Acked-by: Dan Williams <dan.j.williams@intel.com>
On Fri Oct 19 18, Stefan Berger wrote: >Extend the documentation for trusted keys with documentation for how to >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >--- > .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++- > 1 file changed, 30 insertions(+), 1 deletion(-) > >diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst >index 3bb24e09a332..6ec6bb2ac497 100644 >--- a/Documentation/security/keys/trusted-encrypted.rst >+++ b/Documentation/security/keys/trusted-encrypted.rst >@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new > when the kernel and initramfs are updated. The same key can have many saved > blobs under different PCR values, so multiple boots are easily supported. > >+TPM 1.2 >+------- >+ > By default, trusted keys are sealed under the SRK, which has the default > authorization value (20 zeros). This can be set at takeownership time with the > trouser's utility: "tpm_takeownership -u -z". > >+TPM 2.0 >+------- >+ >+The user must first create a storage key and make it persistent, so the key is >+available after reboot. This can be done using the following commands. >+ >+With the IBM TSS 2 stack:: >+ >+ #> tsscreateprimary -hi o -st >+ Handle 80000000 >+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 >+ >+Or with the Intel TSS 2 stack:: >+ >+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt >+ [...] >+ handle: 0x800000FF >+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 >+ persistentHandle: 0x81000001 >+ Is that the correct option for tpm2_evictcontrol? What I'm seeing in the versions I have is -S or -persistent= for specifying the persistent handle. Other than that looks good to me. > Usage:: > > keyctl add trusted name "new keylen [options]" ring >@@ -30,7 +53,9 @@ Usage:: > keyctl print keyid > > options: >- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) >+ keyhandle= ascii hex value of sealing key >+ TPM 1.2: default 0x40000000 (SRK) >+ TPM 2.0: no default; must be passed every time > keyauth= ascii hex auth for sealing key default 0x00...i > (40 ascii zeros) > blobauth= ascii hex auth for sealed data default 0x00... >@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > Create and save a trusted key named "kmk" of length 32 bytes:: > >+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, >+append 'keyhandle=0x81000001' to statements between quotes, such as >+"new 32 keyhandle=0x81000001". >+ > $ keyctl add trusted kmk "new 32" @u > 440502848 > >-- >2.17.2 >
On Mon Nov 05 18, Jerry Snitselaar wrote: >On Fri Oct 19 18, Stefan Berger wrote: >>Extend the documentation for trusted keys with documentation for how to >>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. >> >>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >>--- >>.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++- >>1 file changed, 30 insertions(+), 1 deletion(-) >> >>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst >>index 3bb24e09a332..6ec6bb2ac497 100644 >>--- a/Documentation/security/keys/trusted-encrypted.rst >>+++ b/Documentation/security/keys/trusted-encrypted.rst >>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new >>when the kernel and initramfs are updated. The same key can have many saved >>blobs under different PCR values, so multiple boots are easily supported. >> >>+TPM 1.2 >>+------- >>+ >>By default, trusted keys are sealed under the SRK, which has the default >>authorization value (20 zeros). This can be set at takeownership time with the >>trouser's utility: "tpm_takeownership -u -z". >> >>+TPM 2.0 >>+------- >>+ >>+The user must first create a storage key and make it persistent, so the key is >>+available after reboot. This can be done using the following commands. >>+ >>+With the IBM TSS 2 stack:: >>+ >>+ #> tsscreateprimary -hi o -st >>+ Handle 80000000 >>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 >>+ >>+Or with the Intel TSS 2 stack:: >>+ >>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt >>+ [...] >>+ handle: 0x800000FF >>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 >>+ persistentHandle: 0x81000001 >>+ > >Is that the correct option for tpm2_evictcontrol? What I'm seeing >in the versions I have is -S or -persistent= for specifying the persistent handle. > >Other than that looks good to me. William, is the above correct? > >>Usage:: >> >> keyctl add trusted name "new keylen [options]" ring >>@@ -30,7 +53,9 @@ Usage:: >> keyctl print keyid >> >> options: >>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) >>+ keyhandle= ascii hex value of sealing key >>+ TPM 1.2: default 0x40000000 (SRK) >>+ TPM 2.0: no default; must be passed every time >> keyauth= ascii hex auth for sealing key default 0x00...i >> (40 ascii zeros) >> blobauth= ascii hex auth for sealed data default 0x00... >>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: >> >>Create and save a trusted key named "kmk" of length 32 bytes:: >> >>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, >>+append 'keyhandle=0x81000001' to statements between quotes, such as >>+"new 32 keyhandle=0x81000001". >>+ >> $ keyctl add trusted kmk "new 32" @u >> 440502848 >> >>-- >>2.17.2 >>
On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote: > On Mon Nov 05 18, Jerry Snitselaar wrote: > > On Fri Oct 19 18, Stefan Berger wrote: > > > Extend the documentation for trusted keys with documentation for > > > how to > > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as > > > well. > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > --- > > > .../security/keys/trusted-encrypted.rst | 31 > > > ++++++++++++++++++- > > > 1 file changed, 30 insertions(+), 1 deletion(-) > > > > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst > > > b/Documentation/security/keys/trusted-encrypted.rst > > > index 3bb24e09a332..6ec6bb2ac497 100644 > > > --- a/Documentation/security/keys/trusted-encrypted.rst > > > +++ b/Documentation/security/keys/trusted-encrypted.rst > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded > > > Trusted Key can be updated with new > > > when the kernel and initramfs are updated. The same key can have > > > many saved > > > blobs under different PCR values, so multiple boots are easily > > > supported. > > > > > > +TPM 1.2 > > > +------- > > > + > > > By default, trusted keys are sealed under the SRK, which has the > > > default > > > authorization value (20 zeros). This can be set at takeownership > > > time with the > > > trouser's utility: "tpm_takeownership -u -z". > > > > > > +TPM 2.0 > > > +------- > > > + > > > +The user must first create a storage key and make it persistent, > > > so the key is > > > +available after reboot. This can be done using the following > > > commands. > > > + > > > +With the IBM TSS 2 stack:: > > > + > > > + #> tsscreateprimary -hi o -st > > > + Handle 80000000 > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 > > > + > > > +Or with the Intel TSS 2 stack:: > > > + > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt > > > + [...] > > > + handle: 0x800000FF > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 > > > + persistentHandle: 0x81000001 > > > + > > > > Is that the correct option for tpm2_evictcontrol? What I'm seeing > > in the versions I have is -S or -persistent= for specifying the > > persistent handle. > > > > Other than that looks good to me. > > William, is the above correct? We're changing some of the options in master ahead of our next major release, the -p/--persistent option is correct for that branch and the eventual 4.X series. Regards, Joshua > > > > > Usage:: > > > > > > keyctl add trusted name "new keylen [options]" ring > > > @@ -30,7 +53,9 @@ Usage:: > > > keyctl print keyid > > > > > > options: > > > - keyhandle= ascii hex value of sealing key default > > > 0x40000000 (SRK) > > > + keyhandle= ascii hex value of sealing key > > > + TPM 1.2: default 0x40000000 (SRK) > > > + TPM 2.0: no default; must be passed every > > > time > > > keyauth= ascii hex auth for sealing key default > > > 0x00...i > > > (40 ascii zeros) > > > blobauth= ascii hex auth for sealed data default > > > 0x00... > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > > > > > Create and save a trusted key named "kmk" of length 32 bytes:: > > > > > > +Note: When using a TPM 2.0 with a persistent key with handle > > > 0x81000001, > > > +append 'keyhandle=0x81000001' to statements between quotes, such > > > as > > > +"new 32 keyhandle=0x81000001". > > > + > > > $ keyctl add trusted kmk "new 32" @u > > > 440502848 > > > > > > -- > > > 2.17.2 > > >
On Fri Oct 19 18, Stefan Berger wrote: >Extend the documentation for trusted keys with documentation for how to >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> >--- > .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++- > 1 file changed, 30 insertions(+), 1 deletion(-) > >diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst >index 3bb24e09a332..6ec6bb2ac497 100644 >--- a/Documentation/security/keys/trusted-encrypted.rst >+++ b/Documentation/security/keys/trusted-encrypted.rst >@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new > when the kernel and initramfs are updated. The same key can have many saved > blobs under different PCR values, so multiple boots are easily supported. > >+TPM 1.2 >+------- >+ > By default, trusted keys are sealed under the SRK, which has the default > authorization value (20 zeros). This can be set at takeownership time with the > trouser's utility: "tpm_takeownership -u -z". > >+TPM 2.0 >+------- >+ >+The user must first create a storage key and make it persistent, so the key is >+available after reboot. This can be done using the following commands. >+ >+With the IBM TSS 2 stack:: >+ >+ #> tsscreateprimary -hi o -st >+ Handle 80000000 >+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 >+ >+Or with the Intel TSS 2 stack:: >+ >+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt >+ [...] >+ handle: 0x800000FF >+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 >+ persistentHandle: 0x81000001 >+ > Usage:: > > keyctl add trusted name "new keylen [options]" ring >@@ -30,7 +53,9 @@ Usage:: > keyctl print keyid > > options: >- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) >+ keyhandle= ascii hex value of sealing key >+ TPM 1.2: default 0x40000000 (SRK) >+ TPM 2.0: no default; must be passed every time > keyauth= ascii hex auth for sealing key default 0x00...i > (40 ascii zeros) > blobauth= ascii hex auth for sealed data default 0x00... >@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > Create and save a trusted key named "kmk" of length 32 bytes:: > >+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, >+append 'keyhandle=0x81000001' to statements between quotes, such as >+"new 32 keyhandle=0x81000001". >+ > $ keyctl add trusted kmk "new 32" @u > 440502848 > >-- >2.17.2 >
On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote: > On Fri Oct 19 18, Stefan Berger wrote: > >Extend the documentation for trusted keys with documentation for how to > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> Thanks! This patch is now staged in the #next-integrity-queued branch. Mimi
> -----Original Message----- > From: Joshua Lock [mailto:joshua.g.lock@linux.intel.com] > Sent: Tuesday, November 6, 2018 8:15 AM > To: Jerry Snitselaar <jsnitsel@redhat.com>; Stefan Berger > <stefanb@linux.ibm.com>; keyrings@vger.kernel.org; linux- > integrity@vger.kernel.org; zohar@linux.ibm.com; jejb@linux.ibm.com; > Alexander.Levin@microsoft.com; jmorris@namei.org; linux- > kernel@vger.kernel.org > Cc: Roberts, William C <william.c.roberts@intel.com> > Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0 > > On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote: > > On Mon Nov 05 18, Jerry Snitselaar wrote: > > > On Fri Oct 19 18, Stefan Berger wrote: > > > > Extend the documentation for trusted keys with documentation for > > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0 > > > > as well. > > > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > --- > > > > .../security/keys/trusted-encrypted.rst | 31 > > > > ++++++++++++++++++- > > > > 1 file changed, 30 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst > > > > b/Documentation/security/keys/trusted-encrypted.rst > > > > index 3bb24e09a332..6ec6bb2ac497 100644 > > > > --- a/Documentation/security/keys/trusted-encrypted.rst > > > > +++ b/Documentation/security/keys/trusted-encrypted.rst > > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded > > > > Trusted Key can be updated with new when the kernel and initramfs > > > > are updated. The same key can have many saved blobs under > > > > different PCR values, so multiple boots are easily supported. > > > > > > > > +TPM 1.2 > > > > +------- > > > > + > > > > By default, trusted keys are sealed under the SRK, which has the > > > > default authorization value (20 zeros). This can be set at > > > > takeownership time with the trouser's utility: "tpm_takeownership > > > > -u -z". > > > > > > > > +TPM 2.0 > > > > +------- > > > > + > > > > +The user must first create a storage key and make it persistent, > > > > so the key is > > > > +available after reboot. This can be done using the following > > > > commands. > > > > + > > > > +With the IBM TSS 2 stack:: > > > > + > > > > + #> tsscreateprimary -hi o -st > > > > + Handle 80000000 > > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 > > > > + > > > > +Or with the Intel TSS 2 stack:: > > > > + > > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt > > > > + [...] > > > > + handle: 0x800000FF > > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 > > > > + persistentHandle: 0x81000001 > > > > + > > > > > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in > > > the versions I have is -S or -persistent= for specifying the > > > persistent handle. > > > > > > Other than that looks good to me. > > > > William, is the above correct? > > We're changing some of the options in master ahead of our next major release, > the -p/--persistent option is correct for that branch and the eventual 4.X series. LGTM. Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful. > > Regards, > Joshua > > > > > > > > Usage:: > > > > > > > > keyctl add trusted name "new keylen [options]" ring @@ -30,7 > > > > +53,9 @@ Usage:: > > > > keyctl print keyid > > > > > > > > options: > > > > - keyhandle= ascii hex value of sealing key default > > > > 0x40000000 (SRK) > > > > + keyhandle= ascii hex value of sealing key > > > > + TPM 1.2: default 0x40000000 (SRK) > > > > + TPM 2.0: no default; must be passed every > > > > time > > > > keyauth= ascii hex auth for sealing key default > > > > 0x00...i > > > > (40 ascii zeros) > > > > blobauth= ascii hex auth for sealed data default > > > > 0x00... > > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > > > > > > > Create and save a trusted key named "kmk" of length 32 bytes:: > > > > > > > > +Note: When using a TPM 2.0 with a persistent key with handle > > > > 0x81000001, > > > > +append 'keyhandle=0x81000001' to statements between quotes, such > > > > as > > > > +"new 32 keyhandle=0x81000001". > > > > + > > > > $ keyctl add trusted kmk "new 32" @u > > > > 440502848 > > > > > > > > -- > > > > 2.17.2 > > > >
On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote: > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote: > > On Fri Oct 19 18, Stefan Berger wrote: > > >Extend the documentation for trusted keys with documentation for how to > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> > > Thanks! This patch is now staged in the #next-integrity-queued > branch. > > Mimi Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> /Jarkko
On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote: > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote: > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote: > > > On Fri Oct 19 18, Stefan Berger wrote: > > > >Extend the documentation for trusted keys with documentation for how to > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > > > > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> > > > > Thanks! This patch is now staged in the #next-integrity-queued > > branch. > > > > Mimi > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Brings to mind, in the long run where the backend code for trusted keys should reside. /Jarkko
On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote: > On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote: > > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote: > > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote: > > > > On Fri Oct 19 18, Stefan Berger wrote: > > > > >Extend the documentation for trusted keys with documentation for how to > > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. > > > > > > > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> > > > > > > Thanks! This patch is now staged in the #next-integrity-queued > > > branch. > > > > > > Mimi > > > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > Brings to mind, in the long run where the backend code for trusted keys > should reside. Are you asking about coordinating staging the trusted key patches to be upstreamed or about moving portions of the encrypted keys code out of the keyring subsystem? I'm not sure there needs to be a separate encrypted-keys pull request. Either they can be upstreamed via the TPM or the integrity subsystem for now. Mimi
On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote: > Are you asking about coordinating staging the trusted key patches to > be upstreamed or about moving portions of the encrypted keys code out > of the keyring subsystem? > > I'm not sure there needs to be a separate encrypted-keys pull request. > Either they can be upstreamed via the TPM or the integrity subsystem > for now. Nothing that ought to be rushed. I'm speaking about this situation: 1. TPM 1.x trusted keys code is inside keyring subsystem. 2. TPM 2.0 trusted keys code is inside tpm subsystem. We are doing effort to make TPM subsystem more friendly to send custom commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean ups for TPM 1.x code) so I'm more dilated to the 2nd option. /Jarkko
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index 3bb24e09a332..6ec6bb2ac497 100644 --- a/Documentation/security/keys/trusted-encrypted.rst +++ b/Documentation/security/keys/trusted-encrypted.rst @@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new when the kernel and initramfs are updated. The same key can have many saved blobs under different PCR values, so multiple boots are easily supported. +TPM 1.2 +------- + By default, trusted keys are sealed under the SRK, which has the default authorization value (20 zeros). This can be set at takeownership time with the trouser's utility: "tpm_takeownership -u -z". +TPM 2.0 +------- + +The user must first create a storage key and make it persistent, so the key is +available after reboot. This can be done using the following commands. + +With the IBM TSS 2 stack:: + + #> tsscreateprimary -hi o -st + Handle 80000000 + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 + +Or with the Intel TSS 2 stack:: + + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt + [...] + handle: 0x800000FF + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 + persistentHandle: 0x81000001 + Usage:: keyctl add trusted name "new keylen [options]" ring @@ -30,7 +53,9 @@ Usage:: keyctl print keyid options: - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) + keyhandle= ascii hex value of sealing key + TPM 1.2: default 0x40000000 (SRK) + TPM 2.0: no default; must be passed every time keyauth= ascii hex auth for sealing key default 0x00...i (40 ascii zeros) blobauth= ascii hex auth for sealed data default 0x00... @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: Create and save a trusted key named "kmk" of length 32 bytes:: +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, +append 'keyhandle=0x81000001' to statements between quotes, such as +"new 32 keyhandle=0x81000001". + $ keyctl add trusted kmk "new 32" @u 440502848