From patchwork Sat May 22 18:15:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 12274653 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8060C2B9F2 for ; Sat, 22 May 2021 18:16:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 80E1D61164 for ; Sat, 22 May 2021 18:16:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231317AbhEVSSB (ORCPT ); Sat, 22 May 2021 14:18:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231249AbhEVSSA (ORCPT ); Sat, 22 May 2021 14:18:00 -0400 Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [IPv6:2607:fcd0:100:8a00::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EB33DC061574; Sat, 22 May 2021 11:16:35 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 9AD591280257; Sat, 22 May 2021 11:16:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1621707394; bh=cSfk9C4UwhilAgTZCJfqOQv8nUWGvajxGZD4aFG2Oe8=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References:From; b=XyElANYRCsJF4kaEDTWPyed1UuzNajVOfJGrS5cDxFPKkR/6abaAsZjD8fFs0kqmx 7zU1L+gT4o0XeSuZ5ZRKSOamiaD6hWyYtb/uwwZ5IPiAfutITK//Xp6hyo8WD+LLLG nYgWtkQqDg2sVodtIr32zkYxB3S9n6jJJF2t2PGM= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yx64k8rly-PC; Sat, 22 May 2021 11:16:34 -0700 (PDT) Received: from jarvis.int.hansenpartnership.com (jarvis.ext.hansenpartnership.com [153.66.160.226]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 27C0D1280245; Sat, 22 May 2021 11:16:34 -0700 (PDT) From: James Bottomley To: openssl-tpm2-engine@groups.io Cc: linux-integrity@vger.kernel.org, Mimi Zohar , Jarkko Sakkinen , David Woodhouse , keyrings@vger.kernel.org, David Howells Subject: [PATCH 1/1] doc: add draft RFC for TPM Key format Date: Sat, 22 May 2021 11:15:48 -0700 Message-Id: <20210522181548.8284-2-James.Bottomley@HansenPartnership.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210522181548.8284-1-James.Bottomley@HansenPartnership.com> References: <20210522181548.8284-1-James.Bottomley@HansenPartnership.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Adds the xml file for the draft RFC and builds text and html versions if the xml2rfc program is found. Signed-off-by: James Bottomley --- Makefile.am | 2 +- configure.ac | 4 +- doc/Makefile.am | 15 ++ doc/draft-bottomley-tpm2-keys.xml | 329 ++++++++++++++++++++++++++++++ 4 files changed, 348 insertions(+), 2 deletions(-) create mode 100644 doc/Makefile.am create mode 100644 doc/draft-bottomley-tpm2-keys.xml diff --git a/Makefile.am b/Makefile.am index 33de0d9..787ba29 100644 --- a/Makefile.am +++ b/Makefile.am @@ -41,4 +41,4 @@ $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/% install-data-hook: cd $(DESTDIR)$(openssl_enginedir) && $(LN_S) -f libtpm2@SHREXT@ tpm2@SHREXT@ -SUBDIRS = tests +SUBDIRS = tests doc diff --git a/configure.ac b/configure.ac index 6efa7a5..e102dd2 100644 --- a/configure.ac +++ b/configure.ac @@ -128,6 +128,8 @@ fi AC_PATH_PROG(TPMSERVER, tpm_server,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss) AC_PATH_PROG(SWTPM, swtpm,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss) AC_PATH_PROG(SWTPM_IOCTL, swtpm_ioctl,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss) +AC_CHECK_PROG(XML2RFC, xml2rfc, xml2rfc) +AM_CONDITIONAL(HAVE_XML2RFC, test -n "${XML2RFC}") CFLAGS="$CFLAGS -Wall" SHREXT=$shrext_cmds AC_SUBST(CFLAGS) @@ -147,7 +149,7 @@ fi AC_SUBST(testtpm) -AC_OUTPUT([Makefile tests/Makefile]) +AC_OUTPUT([Makefile tests/Makefile doc/Makefile]) cat < + + + +]> + + + + ASN.1 Specification for TPM 2.0 Key Files + + Linux Kernel +
+ + + + + USA + + James.Bottomley@HansenPartnership.com +
+
+ + Security + I-D + Internet-Draft + X.509 + + + This specification is designed ot be an extension to the ASN.1 + (defined in ) specification of PKCS #1 + to define the file format of private + keys that need to be loaded into a TPM 2 device to operate. + + +
+ +
+ + The Security of private keys has long been a concern and the + ability of ubiquitous devices like TPMs has made it useful to + use them for secure private key storage. With the advent of + TPM 2.0, private key storage inside the TPM (acting as a token + which could be referred to by PKCS #11) has been discouraged, + and instead key files which are loaded and evicted as + necessary is the encouraged format. This standard defines an + interoperable ASN.1 representation for such key files, so that + a key created by one tool should be loadable by a different + one. + +
+
+ + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL + NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + . + +
+
+
ASN.1
+
Abstract Syntax Notatition defined in +
+
DER
+
Distinguished Encoding Rules. Basically a defined binary + representation for ASN.1
+
MSO
+
Most Significant Octet (the highest order + byte of an integer)
+
PEM
+
Privacy enhanced Electronic Mail. An ASCII compatible + representation of DER
+
TCG
+
Trusted Computing Group
+
TPM
+
Trusted Platform Module
+
+
+
+
+ + All TPM 2.0 keys consist of two binary pieces, a public part, + which can be parsed according to the TPM specification for + TPM2B_PUBLIC and a private part, which + is cryptographically sealed in such a way as to be only + readable on the TPM that created it. The purpose of this + specification is to specify a format by which the public and + private pieces of a TPM key can be loaded. + + + The design of the TPMkey ASN.1 format is that it should have a + distinguishing OID at the beginning so the DER/BER form of the + key can be easily recognized. In PEM form, the key MUST have + "-----BEGIN TSS2 PRIVATE KEY-----" and "-----END TSS2 PRIVATE + KEY-----" as the PEM guards. All additional information that + may be needed to load the key is specified as optional + explicit elements, which can be extended by later + specifications, which is why the TPMkey is not versioned. + +
+
+ TPMKey ::= SEQUENCE { + type OBJECT IDENTIFIER + emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL + policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL + secret [2] EXPLICIT OCTET STRING OPTIONAL + parent INTEGER + pubkey OCTET STRING + privkey OCTET STRING + } +
+ + The fields of type TPMKey have the following meanings: + +
+ + A unique OID specifying the key type. This standard + currently defines three types of keys: a loadable key, + specified by id-loadablekey, (to be loaded with + TPM2_Load), an importable key, specified by + id-importablekey, (to be loaded with TPM2_Import) and a + sealed data key, specified by id-sealedkey, (to be + extracted with TPM2_Unseal). The TCG has reserved the + following OID prefix for this: + +
+ id-tpmkey OBJECT IDENTIFIER ::= + {joint-iso-itu-t(2) international-organizations(23) 133 10} +
+ + And the three key types are: + +
+ id-loadablekey OBJECT IDENTIFIER ::= + {id-tpmkey 3} +
+
+ id-importablekey OBJECT IDENTIFIER ::= + {id-tpmkey 4} +
+
+ id-sealedkey OBJECT IDENTIFIER ::= + {id-tpmkey 5} +
+
+
+ + An implementation needs to know as it formulates the + TPM2_Load/Import/Unseal command whether it must also send + down an authorization, so this parameter gives that + indication. emptyAuth MUST be true if authorization is + NOT required and MUST BE either false or absent if + authorization is required. Since this element has + three states (one representing true and two representing + false) it is RECOMMENDED that implementations emitting + TPMkey representations use absence of the tag to represent + false. However, implementations reading TPMKey MUST + be able to process all three possible states. + +
+
+ + This MUST be present if the TPM key has a policy hash + because it describes to the implementation how to + construct the policy. The forms of the policy statement + are described in section . + +
+
+ + This section describes the additional cryptographic + secret used to specify the outer wrapping of an + importable key. It MUST be present for key type + id-importablekey and MUST NOT be present for any other + key type. + +
+
+ + This MUST be present for all keys and specifies the parent + key. The parent key SHOULD be either a persistent handle + (MSO 0x81) or a permanent handle (MSO 0x40). Since + volatile handle numbering can change unexpectedly + depending on key load order, the parent SHOULD NOT be a + volatile handle (MSO 0x80). The parent MAY NOT be any + other MSO. + + + If a permanent handle (MSO 0x40) is specified then the + implementation MUST run TPM2_CreatePrimary on the handle + using the TCG specified Elliptic Curve template for the + NIST P-256 curve and use the primary key so generated as + the parent. + +
+
+ + This MUST be present and MUST correspond to the fully + marshalled TPM2B_PUBLIC structure of the TPM Key with the + exception that the leading U16 parameter specifying size + MUST BE omitted (it is redundant, since all ASN.1 + structures are length specified). + +
+
+ + This MUST be present and MUST correspond to the fully + marshalled TPM2B_PRIVATE structure of the TPM Key with the + exception that the leading U16 parameter specifying size + MUST BE omitted (it is redundant, since all ASN.1 + structures are length specified). + +
+
+
+
+ + Policy is constructed on a TPM by executing a sequence of + policy statements. This specification currently only defines + a limited subset of the allowed policy statements. The policy + is specified by a hash, which the execution of the policy + statements must reach in order for the policy to be validated + (See Part 1 for a detailed description. + + + The TPMPolicy ASN.1 MUST be a sequence of policy statements + which correspond exactly to TPM policy instructions in the + order they should be executed and additionally from which the + ultimate policy hash can be constructed. + + + The current policy specification is strictly for AND based + policy only and may be extended at a later date with OR + policy. However, the ASN.1 for policy is fomulated as CONS + elements, leaving the possibility of adding additional but + optional elements for policy statements which are not + supported by this standard (such as TPM2_PolicyAuthorize). + +
+
+ TPMPolicy ::= SEQUENCE { + CommandCode [0] EXPLICIT INTEGER + CommandPolicy [1] EXPLICIT OCTET STRING + } +
+ + The Fields of type TPMPolicy have the following meanings: + +
+ + This is the integer representation of the TPM command code + for the policy statement. + +
+
+ + This is a binary string representing a fully marshalled, + TPM ordered, command body for the TPM policy command. + Therefore to send the command, the implementation simply + marshalls the command code and appends this octet string + as the body. + + + Commands which have no body, such as TPM2_AuthVal, MUST be + specified as a zero length OCTET STRING + +
+
+
+ + The policy hash for AND based policies is constructed by extension of the prior policy hash + +
+ newHash = HASH ( oldHash || policyHash ) +
+ + where policyHash is usually simply the hash of the fully + marshalled policy command (including the CommandCode). + However, this isn't true for TPM2_PolicyCounterTimer() so + always consult the specifications + for how to construct the policyHash. + +
+ + When Authorization (Passing in a password) is required, + the emptyAuth parameter MUST be absent or set to false + and additionally the TPM_CC_PolicyAuthValue MUST be + specified as the command code for one entry in the + TPMPolicy sequence. However, the implementation MAY + choose to execute either TPM2_PolicyPassword for TPM_RS_PW + or TPM2_PolicyAuthValue for HMAC based authorization + depending on whether the command being authorized is using + sessions or not. If the policy does not require an + authorization then the emptyAuth parameter MUST be set to + true. + +
+
+
+ +
+ + + &RFC2119; + &RFC8017; + + + TPM 2.0 Library Specification + + + + + + + + + ITU-T Recommendation X.680, + Information technology - Abstract Syntax Notation One + (ASN.1): Specification of basic notation. + ITU + + + + + +