Re: [PATCH v9 0/8] TPM 2.0 trusted keys with attached policy

[Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>]

On Thu, May 14, 2020 at 08:44:23PM -0700, James Bottomley wrote:
> On Fri, 2020-05-15 at 05:22 +0300, Jarkko Sakkinen wrote:
> > On Thu, 2020-05-14 at 17:31 +0300, Jarkko Sakkinen wrote:
> > > I'm compiling now kernel with all series included.
> > > 
> > > Kind of checking if I could just take the whole series. Let see.
> > > 
> > > In all cases I want the style errors in 3/8 to be fixes with a
> > > helper
> > > but maybe better to hold before sending anything. Possibly that is
> > > all
> > > needed I'll just carve that patch myself.
> > > 
> > > Please don't do anything for the moment.
> > 
> > This is what I tried first (with the full series applied):
> > 
> > #!/bin/sh
> > 
> > die()
> > {
> > 	keyctl clear @u
> > 	./tpm2-flush --all-transient
> > 	exit $1
> > }
> > 
> > KEYHANDLE=$(./tpm2-root-key || die 1)
> > KEYID=$(keyctl add trusted kmk "new 32 keyhandle=$KEYHANDLE
> > hash=sha256" @u || die 1)
> > 
> > echo "$KEYID ($KEYHANDLE)"
> > 
> > keyctl pipe $KEYID > blob.hex || die 1
> > keyctl clear @u || die 1
> > 
> > echo "Import key from blob"
> > 
> > keyctl add trusted kmk "load `cat blob.hex` keyhandle=$KEYHANDLE" @u
> > || die 1
> > 
> > die 0
> > 
> > Result:
> > 
> > sudo ./keyctl-smoke.sh
> > 566201053 (0x80000000)
> > keyctl_read_alloc: Permission denied
> 
> Well, it's clearly failing in keyctl pipe
> 
> I do confess to never having tested a volatile primary, but I just did
> so and it works for me.  I will also add the keyhandle in the load
> isn't necessary, because it should be in the blob, but there should
> also be no harm (just tested).
> 
> However, I don't have keyctl_read_alloc in my tree, so it may be an
> incompatibility with another patch set.  What's your base and what
> other patches do you have applied?

http://git.infradead.org/users/jjs/linux-tpmdd.git

Or exactly:

git://git.infradead.org/users/jjs/linux-tpmdd.git (master)

/Jarkko