From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Peter Huewe <peterhuewe@gmx.de>,
Marcel Selhorst <tpmdd@selhorst.net>,
David Howells <dhowells@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
David Safford <safford@us.ibm.com>,
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"open list:KEYS-ENCRYPTED"
<linux-security-module@vger.kernel.org>,
"open list:KEYS-ENCRYPTED" <keyrings@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
open list <linux-kernel@vger.kernel.org>,
"moderated list:TPM DEVICE DRIVER"
<tpmdd-devel@lists.sourceforge.net>
Subject: Re: [PATCH v2 3/3] keys, trusted: seal with a TPM2 authorization policy
Date: Mon, 14 Dec 2015 08:49:00 -0500 [thread overview]
Message-ID: <1450100940.2702.44.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1450021353-8775-4-git-send-email-jarkko.sakkinen@linux.intel.com>
On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> TPM2 supports authorization policies, which are essentially
> combinational logic statements repsenting the conditions where the data
> can be unsealed based on the TPM state. This patch enables to use
> authorization policies to seal trusted keys.
>
> Two following new options have been added for trusted keys:
>
> * 'policydigest=': provide an auth policy digest for sealing.
> * 'policyhandle=': provide a policy session handle for unsealing.
>
> If 'hash=' option is supplied after 'policydigest=' option, this
> will result an error because the state of the option would become
> mixed.
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Tested-by: Colin Ian King <colin.king@canonical.com>
> ---
> Documentation/security/keys-trusted-encrypted.txt | 34 +++++++++++++----------
> drivers/char/tpm/tpm2-cmd.c | 24 +++++++++++++---
> include/keys/trusted-type.h | 4 +++
> security/keys/trusted.c | 26 +++++++++++++++++
> 4 files changed, 70 insertions(+), 18 deletions(-)
>
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index fd2565b..324ddf5 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -27,20 +27,26 @@ Usage:
> keyctl print keyid
>
> options:
> - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> - keyauth= ascii hex auth for sealing key default 0x00...i
> - (40 ascii zeros)
> - blobauth= ascii hex auth for sealed data default 0x00...
> - (40 ascii zeros)
> - blobauth= ascii hex auth for sealed data default 0x00...
> - (40 ascii zeros)
> - pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> - pcrlock= pcr number to be extended to "lock" blob
> - migratable= 0|1 indicating permission to reseal to new PCR values,
> - default 1 (resealing allowed)
> - hash= hash algorithm name as a string. For TPM 1.x the only
> - allowed value is sha1. For TPM 2.x the allowed values
> - are sha1, sha256, sha384, sha512 and sm3-256.
> + keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> + keyauth= ascii hex auth for sealing key default 0x00...i
> + (40 ascii zeros)
> + blobauth= ascii hex auth for sealed data default 0x00...
> + (40 ascii zeros)
> + blobauth= ascii hex auth for sealed data default 0x00...
> + (40 ascii zeros)
> + pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> + pcrlock= pcr number to be extended to "lock" blob
> + migratable= 0|1 indicating permission to reseal to new PCR values,
> + default 1 (resealing allowed)
> + hash= hash algorithm name as a string. For TPM 1.x the only
> + allowed value is sha1. For TPM 2.x the allowed values
> + are sha1, sha256, sha384, sha512 and sm3-256.
> + policydigest= digest for the authorization policy. must be calculated
> + with the same hash algorithm as specified by the 'hash='
> + option.
> + policyhandle= handle to an authorization policy session that defines the
> + same policy and with the same hash algorithm as was used to
> + seal the key.
>
> "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
> TPM_STORED_DATA format. The key length for new keys are always in bytes.
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index d9d0822..45a6340 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -478,12 +478,26 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> tpm_buf_append_u8(&buf, payload->migratable);
>
> /* public */
> - tpm_buf_append_u16(&buf, 14);
> + if (options->policydigest)
> + tpm_buf_append_u16(&buf, 14 + options->digest_len);
> + else
> + tpm_buf_append_u16(&buf, 14);
>
> tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
> tpm_buf_append_u16(&buf, hash);
> - tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> - tpm_buf_append_u16(&buf, 0); /* policy digest size */
> +
> + /* policy */
> + if (options->policydigest) {
> + tpm_buf_append_u32(&buf, 0);
> + tpm_buf_append_u16(&buf, options->digest_len);
> + tpm_buf_append(&buf, options->policydigest,
> + options->digest_len);
> + } else {
> + tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> + tpm_buf_append_u16(&buf, 0);
> + }
> +
> + /* public parameters */
> tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
> tpm_buf_append_u16(&buf, 0);
>
> @@ -613,7 +627,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
> return rc;
>
> tpm_buf_append_u32(&buf, blob_handle);
> - tpm2_buf_append_auth(&buf, TPM2_RS_PW,
> + tpm2_buf_append_auth(&buf,
> + options->policyhandle ?
> + options->policyhandle : TPM2_RS_PW,
> NULL /* nonce */, 0,
> 0 /* session_attributes */,
> options->blobauth /* hmac */,
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index a6a1008..42cf2d9 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -18,6 +18,7 @@
> #define MAX_KEY_SIZE 128
> #define MAX_BLOB_SIZE 512
> #define MAX_PCRINFO_SIZE 64
> +#define MAX_DIGEST_SIZE 64
>
> struct trusted_key_payload {
> struct rcu_head rcu;
> @@ -37,6 +38,9 @@ struct trusted_key_options {
> unsigned char pcrinfo[MAX_PCRINFO_SIZE];
> int pcrlock;
> uint32_t hash;
> + uint32_t digest_len;
> + unsigned char policydigest[MAX_DIGEST_SIZE];
> + uint32_t policyhandle;
> };
>
> extern struct key_type key_type_trusted;
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 8f1300c..e15baf7 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -713,6 +713,8 @@ enum {
> Opt_keyhandle, Opt_keyauth, Opt_blobauth,
> Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
> Opt_hash,
> + Opt_policydigest,
> + Opt_policyhandle,
> };
>
> static const match_table_t key_tokens = {
> @@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
> {Opt_pcrlock, "pcrlock=%s"},
> {Opt_migratable, "migratable=%s"},
> {Opt_hash, "hash=%s"},
> + {Opt_policydigest, "policydigest=%s"},
> + {Opt_policyhandle, "policyhandle=%s"},
> {Opt_err, NULL}
> };
>
> @@ -748,6 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> return tpm2;
>
> opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
> + opt->digest_len = hash_digest_size[opt->hash];
>
> while ((p = strsep(&c, " \t"))) {
> if (*p == '\0' || *p == ' ' || *p == '\t')
> @@ -802,9 +807,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> opt->pcrlock = lock;
> break;
> case Opt_hash:
> + if (test_bit(Opt_policydigest, &token_mask))
> + return -EINVAL;
Thanks! Definitely better than having the test at the end of the while
loop.
Mimi
> for (i = 0; i < HASH_ALGO__LAST; i++) {
> if (!strcmp(args[0].from, hash_algo_name[i])) {
> opt->hash = i;
> + opt->digest_len =
> + hash_digest_size[opt->hash];
> break;
> }
> }
> @@ -815,6 +824,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> return -EINVAL;
> }
> break;
> + case Opt_policydigest:
> + if (!tpm2 ||
> + strlen(args[0].from) != (2 * opt->digest_len))
> + return -EINVAL;
> + res = hex2bin(opt->policydigest, args[0].from,
> + opt->digest_len);
> + if (res < 0)
> + return -EINVAL;
> + break;
> + case Opt_policyhandle:
> + if (!tpm2)
> + return -EINVAL;
> + res = kstrtoul(args[0].from, 16, &handle);
> + if (res < 0)
> + return -EINVAL;
> + opt->policyhandle = handle;
> + break;
> default:
> return -EINVAL;
> }
next prev parent reply other threads:[~2015-12-14 13:50 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-13 15:42 [PATCH v2 0/3] TPM 2.0 trusted key features for v4.5 Jarkko Sakkinen
2015-12-13 15:42 ` Jarkko Sakkinen
2015-12-13 15:42 ` Jarkko Sakkinen
2015-12-13 15:42 ` [PATCH v2 1/3] keys, trusted: fix: *do not* allow duplicate key options Jarkko Sakkinen
2015-12-14 13:46 ` Mimi Zohar
2015-12-14 14:54 ` Jarkko Sakkinen
2015-12-13 15:42 ` [PATCH v2 2/3] keys, trusted: select hash algorithm for TPM2 chips Jarkko Sakkinen
2015-12-13 15:42 ` Jarkko Sakkinen
2015-12-13 15:42 ` [PATCH v2 3/3] keys, trusted: seal with a TPM2 authorization policy Jarkko Sakkinen
2015-12-14 13:49 ` Mimi Zohar [this message]
2015-12-14 14:56 ` Jarkko Sakkinen
[not found] ` <20151214095830.GA21291@intel.com>
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E682BF197@ABGEX74E.FSC.NET>
[not found] ` <20151214112501.GA26100@intel.com>
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E682BF19D@ABGEX74E.FSC.NET>
[not found] ` <20151215233237.GA31965@obsidianresearch.com>
[not found] ` <201512161652.tBGGqWPG019442@d03av04.boulder.ibm.com>
[not found] ` <20151216171633.GB32594@obsidianresearch.com>
[not found] ` <201512161721.tBGHLqXh009986@d03av03.boulder.ibm.com>
[not found] ` <20151216174523.GC32594@obsidianresearch.com>
[not found] ` <201512161804.tBGI47vu000331@d01av02.pok.ibm.com>
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E69407545@ABGEX74E.FSC.NET>
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA5864641@EXCH2010A.sit.fraunhofer.de>
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA5864641-wI35/lLZEdT5yyJIIHUSGGSU2VBt9E6NG9Ur7JDdleE@public.gmane.org>
2015-12-18 0:57 ` Question on Linux TSS architecture design (kernel vs. user space access) Jason Gunthorpe
[not found] ` <201512171523.tBHFNlJ6013434@d03av03.boulder.ibm.com>
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA58648F1@EXCH2010A.sit.fraunhofer.de>
[not found] ` <201512171620.tBHGK3GE030569@d03av04.boulder.ibm.com>
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA586493C@EXCH2010A.sit.fraunhofer.de>
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA586493C-wI35/lLZEdT5yyJIIHUSGGSU2VBt9E6NG9Ur7JDdleE@public.gmane.org>
2015-12-18 10:06 ` Wilck, Martin
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E6940754C-bIoXcEM4pvRAuK1PVaBULA@public.gmane.org>
2015-12-18 10:51 ` Jarkko Sakkinen
[not found] ` <20151218105148.GA12882-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2015-12-18 10:53 ` Jarkko Sakkinen
[not found] ` <20151218105323.GB12882-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2015-12-18 11:09 ` Wilck, Martin
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E6940754D-bIoXcEM4pvRAuK1PVaBULA@public.gmane.org>
2015-12-18 11:41 ` Jarkko Sakkinen
[not found] ` <20151218114131.GA3287-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2015-12-18 14:10 ` Ken Goldman
2015-12-21 13:22 ` Fuchs, Andreas
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA586A57C-wI35/lLZEdRyXeJKmmMAp2SU2VBt9E6NG9Ur7JDdleE@public.gmane.org>
2015-12-21 14:23 ` Stefan Berger
2015-12-22 21:23 ` Jason Gunthorpe
[not found] ` <20151222212348.GB9461-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-12-23 15:02 ` Ken Goldman
2015-12-24 11:42 ` Jarkko Sakkinen
[not found] ` <20151224114241.GA5119-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2015-12-24 15:09 ` Ken Goldman
2016-01-02 20:39 ` Jason Gunthorpe
[not found] ` <20160102203957.GA19490-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-03 13:53 ` Jarkko Sakkinen
[not found] ` <20160103135346.GA4047-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-04 16:22 ` Fuchs, Andreas
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA5877E95-wI35/lLZEdRyXeJKmmMAp2SU2VBt9E6NG9Ur7JDdleE@public.gmane.org>
2016-01-04 18:19 ` Jarkko Sakkinen
[not found] ` <20160104181915.GA15908-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-04 20:06 ` Mimi Zohar
2016-01-05 9:43 ` Fuchs, Andreas
[not found] ` <9F48E1A823B03B4790B7E6E69430724DA58784A8-wI35/lLZEdRyXeJKmmMAp2SU2VBt9E6NG9Ur7JDdleE@public.gmane.org>
2016-01-05 13:13 ` Mimi Zohar
2016-01-05 17:39 ` Jason Gunthorpe
2015-12-22 6:59 ` Jarkko Sakkinen
[not found] ` <20151222065917.GB7867-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-04 16:07 ` Fuchs, Andreas
2016-01-07 21:07 ` TPM2 resource manager vendor specific commands Ken Goldman
[not found] ` <201512171533.tBHFXn35003792@d03av02.boulder.ibm.com>
[not found] ` <201512171533.tBHFXn35003792-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2015-12-18 11:21 ` Question on Linux TSS architecture design (kernel vs. user space access) Wilck, Martin
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E6940754E-bIoXcEM4pvRAuK1PVaBULA@public.gmane.org>
2015-12-18 11:51 ` Jarkko Sakkinen
[not found] ` <20151218115137.GA4774-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2015-12-18 11:57 ` Jarkko Sakkinen
2015-12-18 13:40 ` Stefan Berger
[not found] ` <C5A28EF7B98F574C85C70238C8E9ECC04E69407545-bIoXcEM4pvRAuK1PVaBULA@public.gmane.org>
2015-12-18 15:03 ` Kenneth Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450100940.2702.44.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=safford@us.ibm.com \
--cc=serge@hallyn.com \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.