On Fri, 2021-05-21 at 07:28 -0700, James Bottomley wrote:
> On Fri, 2021-05-21 at 14:48 +0100, David Woodhouse wrote:
> > On Thu, 2021-05-20 at 17:43 -0700, James Bottomley wrote:
> > > Now that the ASN.1 representation of trusted keys is upstream we
> > > can add policy to the keys as a sequence of policy statements
> > > meaning the kernel can now construct and use the policy session
> > > rather than the user having to do it and pass the session down to
> > > the kernel.  This makes TPM 2.0 keys with policy much easier.
> > > 
> > > The format of the policy statements is compatible with the
> > > openssl_tpm2_engine policy implementation:
> > > 
> > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/
> > > 
> > > And the seal_tpm2_data command in the above can be used to create
> > > sealed keys (including with policy statements) for the kernel.
> > 
> > I'd love to see that format properly defined and documented instead
> > of just a reference to another implementation.
> 
> Well if you want to help me write an RFC, I can try to submit it.

The xml2rfc tool makes it fairly easy.

See https://github.com/dwmw2/ietf-cert-best-practice for a template; in
Appendix B there is an example of specifying an ASN.1 format.

We should probably define not just the ASN.1 format but also a URI
scheme for referencing objects in NVRAM. A TPMv2 version of 
https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
might be a good idea.