From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: linux-integrity@vger.kernel.org,
Jarkko Sakkinen <jarkko@kernel.org>,
keyrings@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH v4 00/13] add integrity and security to TPM2 transactions
Date: Tue, 04 Apr 2023 17:33:16 -0400 [thread overview]
Message-ID: <294ff9aa398234d5e0a1aba20c406daf7b2f57ab.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAFftDdp84qYaL+VuUXNiMbgPadOzZF1aS07ewW_jTJfM=0yDjA@mail.gmail.com>
On Tue, 2023-04-04 at 16:10 -0500, William Roberts wrote:
> On Tue, Apr 4, 2023 at 3:19 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> >
> > On Tue, 2023-04-04 at 14:42 -0500, William Roberts wrote:
> > > On Tue, Apr 4, 2023 at 2:18 PM James Bottomley
> > > <James.Bottomley@hansenpartnership.com> wrote:
> > > >
> > > > On Tue, 2023-04-04 at 13:43 -0500, William Roberts wrote:
> > > > [...]
> > > > > > The final part of the puzzle is that the machine owner must
> > > > > > have a fixed idea of the EK of their TPM and should have
> > > > > > certified this with the TPM manufacturer. On every boot,
> > > > > > the certified EK public key should be used to do a make
> > > > > > credential/activate credential attestation key insertion
> > > > > > and then the null key certified with the attestation key.
> > > > > > We can follow a trust on first use model where an OS
> > > > > > installation will extract and verify a public EK and save
> > > > > > it to a read only file.
> > > > >
> > > > > Ahh I was wondering how you were going to bootstrap trust
> > > > > using the NULL hierarchy.
> > > >
> > > > Well, actually, I changed my mind on the details of this one:
> > > > the make credential/activate credential round trip is a huge
> > > > faff given that there's no privacy issue. I think what we
> > > > should do is simply store the name of a known signing EK on
> > > > first install (using the standard P-256 derivation of the EK
> > > > template but with TPMA_OBJECT_SIGN additionally set). Then you
> > > > can use the signing EK to certify the NULL key directly and
> > > > merely check the signing EK name against the stored value to
> > > > prove everything is correct.
> > > >
> > >
> > > Yeah that model is much simpler. My guess is that on install it
> > > would persist this "Signing EK" to a specific address that is
> > > different from the typical EK Address?
> >
> > Actually, since this is used to prove trust in the TPM, we can't
> > have the TPM store it;
>
> Hmm, I think we miscommunicated here. At some point you need to call
> TPM2_CreatePrimary with the "Signing EK" template which would require
> Endorsement Hierarchy (EH) Auth.
That's right. Then you hash what you get back and check it against the
name file.
> So I would imagine this key would be persistend to avoid needing it
> all the time?
You could, but the benefit is marginal given how fast the Elliptic
Curve calculation can be done. Remember the key is only needed for a
quote or a certification, so that's once per boot to certify the NULL
seed and possibly a handful of other uses.
> Then the use of TPM2_Certify using the "EK Signing" key would also
> need EH Auth since AuthPolicy is coupled to EH Auth via PolicySecret.
> I'm just thinking every time these commands are invoked, especially
> if this is used during boot, where EH Auth would be coming from or am
> I missing something?
No, but then TPM2_CreatePrimary needs the hierarchy authorizations.
The standard assumption I tend to make is that they're empty for both
the endorsement and owner.
Although if there's a use case that actually wants them set for some
reason, then I think there might be a case for removing the policy from
the EK template, but if not, it's easier just to follow what the TCG
says with the addition of the signing permission.
> > it's going to have to be somewhere in the root
> > filesystem, like /etc. Ideally it would be in the immutable part
> > of /etc so it is write once on install.
> >
>
> I'm assuming this would be the template or name of the "Signing EK"?
Just the name, I think, assuming everyone agrees on the template. If
there's going to be a question about which template then we'd need
both.
James
next prev parent reply other threads:[~2023-04-04 21:33 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 21:39 [PATCH v4 00/13] add integrity and security to TPM2 transactions James Bottomley
2023-04-03 21:39 ` [PATCH v4 01/13] crypto: lib - implement library version of AES in CFB mode James Bottomley
2023-04-23 3:34 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 02/13] tpm: move buffer handling from static inlines to real functions James Bottomley
2023-04-23 3:36 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 03/13] tpm: add kernel doc to buffer handling functions James Bottomley
2023-04-23 3:40 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 04/13] tpm: add buffer handling for TPM2B types James Bottomley
2023-04-23 4:12 ` Jarkko Sakkinen
2023-05-02 15:43 ` Stefan Berger
2023-05-03 11:29 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 05/13] tpm: add cursor based buffer functions for response parsing James Bottomley
2023-04-23 4:14 ` Jarkko Sakkinen
2023-05-02 13:54 ` Stefan Berger
2023-08-22 11:15 ` Jarkko Sakkinen
2023-08-22 13:51 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 06/13] tpm: add buffer function to point to returned parameters James Bottomley
2023-05-02 14:09 ` Stefan Berger
2023-05-03 11:31 ` Jarkko Sakkinen
2023-06-06 2:09 ` James Bottomley
2023-06-06 15:34 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 07/13] tpm: export the context save and load commands James Bottomley
2023-05-02 14:12 ` Stefan Berger
2023-04-03 21:39 ` [PATCH v4 08/13] tpm: Add full HMAC and encrypt/decrypt session handling code James Bottomley
2023-04-04 1:49 ` kernel test robot
2023-04-23 5:29 ` Jarkko Sakkinen
2023-11-26 3:39 ` Jarkko Sakkinen
2023-11-26 3:45 ` Jarkko Sakkinen
2023-11-26 15:07 ` James Bottomley
2023-11-26 15:05 ` James Bottomley
2023-12-04 2:29 ` Jarkko Sakkinen
2023-12-04 12:35 ` James Bottomley
2023-12-04 13:43 ` Mimi Zohar
2023-12-04 13:53 ` James Bottomley
2023-12-04 13:59 ` Mimi Zohar
2023-12-04 14:02 ` James Bottomley
2023-12-04 14:10 ` Mimi Zohar
2023-12-04 14:23 ` James Bottomley
2023-12-04 22:58 ` Jarkko Sakkinen
2023-12-04 22:46 ` Jarkko Sakkinen
2023-04-03 21:39 ` [PATCH v4 09/13] tpm: add hmac checks to tpm2_pcr_extend() James Bottomley
2023-04-23 5:32 ` Jarkko Sakkinen
2023-04-03 21:40 ` [PATCH v4 10/13] tpm: add session encryption protection to tpm2_get_random() James Bottomley
2023-04-03 21:40 ` [PATCH v4 11/13] KEYS: trusted: Add session encryption protection to the seal/unseal path James Bottomley
2023-04-03 21:40 ` [PATCH v4 12/13] tpm: add the null key name as a sysfs export James Bottomley
2023-04-23 5:38 ` Jarkko Sakkinen
2023-04-03 21:40 ` [PATCH v4 13/13] Documentation: add tpm-security.rst James Bottomley
2023-04-04 18:43 ` [PATCH v4 00/13] add integrity and security to TPM2 transactions William Roberts
2023-04-04 19:18 ` James Bottomley
2023-04-04 19:42 ` William Roberts
2023-04-04 20:19 ` James Bottomley
2023-04-04 21:10 ` William Roberts
2023-04-04 21:33 ` James Bottomley [this message]
2023-04-04 21:44 ` William Roberts
2023-04-05 18:39 ` William Roberts
2023-04-05 19:41 ` James Bottomley
2023-04-07 14:40 ` William Roberts
2023-04-23 5:42 ` Jarkko Sakkinen
2023-12-04 18:56 ` Stefan Berger
2023-12-04 19:24 ` James Bottomley
2023-12-04 21:02 ` Stefan Berger
2023-12-05 13:50 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=294ff9aa398234d5e0a1aba20c406daf7b2f57ab.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=bill.c.roberts@gmail.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.