From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v13 3/5] security: keys: trusted: fix TPM2 authorizations
Date: Fri, 25 Sep 2020 17:39:23 +0000 [thread overview]
Message-ID: <49f167946299ced25cf6ad0db1a53f8b319c3491.camel@HansenPartnership.com> (raw)
In-Reply-To: <20200925072829.GA170658@linux.intel.com>
On Fri, 2020-09-25 at 10:28 +0300, Jarkko Sakkinen wrote:
> On Mon, Sep 21, 2020 at 07:28:07PM -0700, James Bottomley wrote:
[...]
> > keyctl add trusted kmk "new 32
> > blobauthõ72d396fae9206628714fb2ce00f72e94f2258fkeyhandle000001
> > " @u
> >
> > after we will accept both the old hex sha1 form as well as a new
> > directly supplied password:
> >
> > keyctl add trusted kmk "new 32 blobauth=hello keyhandle000001"
> > @u
>
> I'm still getting -EINVAL from both with a Geminilake NUC.
Since I don't have one of those you're going to have to give me more to
go on. I've tested this works in a VM with the ibmtss and on a Rainbow
Pass with a variety of physical TPMs. Keyctl returns -EINVAL for an
annoying number of conditions it shouldn't ... the most frequent of
which is that the key already exists in the keyring.
So what's different about the Geminilake NUC? Either it's a kernel
problem with the TPM, in which case there should be something in dmesg
or it's a userspace problem with keyctl, in which case perhaps strace
might get us further forward.
James
next prev parent reply other threads:[~2020-09-25 17:39 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-22 2:28 [PATCH v13 0/5] TPM 2.0 trusted key rework James Bottomley
2020-09-22 2:28 ` [PATCH v13 1/5] lib: add ASN.1 encoder James Bottomley
2020-09-22 2:28 ` [PATCH v13 2/5] oid_registry: Add TCG defined OIDS for TPM keys James Bottomley
2020-09-22 2:28 ` [PATCH v13 3/5] security: keys: trusted: fix TPM2 authorizations James Bottomley
2020-09-25 7:28 ` Jarkko Sakkinen
2020-09-25 17:39 ` James Bottomley [this message]
2020-09-27 23:48 ` Jarkko Sakkinen
2020-09-30 11:02 ` Jarkko Sakkinen
2020-09-22 2:28 ` [PATCH v13 4/5] security: keys: trusted: use ASN.1 TPM2 key format for the blobs James Bottomley
2020-09-26 11:33 ` kernel test robot
2020-09-30 11:11 ` Jarkko Sakkinen
2020-09-30 14:49 ` James Bottomley
2020-09-30 15:35 ` Jarkko Sakkinen
2020-09-22 2:28 ` [PATCH v13 5/5] security: keys: trusted: Make sealed key properly interoperable James Bottomley
2020-09-30 11:24 ` Jarkko Sakkinen
2020-09-30 3:43 ` [PATCH v13 0/5] TPM 2.0 trusted key rework Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49f167946299ced25cf6ad0db1a53f8b319c3491.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).