[PATCH] docs: Extend trusted keys documentation for TPM 2.0

[PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Stefan Berger]

Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
 when the kernel and initramfs are updated.  The same key can have many saved
 blobs under different PCR values, so multiple boots are easily supported.
 
+TPM 1.2
+-------
+
 By default, trusted keys are sealed under the SRK, which has the default
 authorization value (20 zeros).  This can be set at takeownership time with the
 trouser's utility: "tpm_takeownership -u -z".
 
+TPM 2.0
+-------
+
+The user must first create a storage key and make it persistent, so the key is
+available after reboot. This can be done using the following commands.
+
+With the IBM TSS 2 stack::
+
+  #> tsscreateprimary -hi o -st
+  Handle 80000000
+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
+
+Or with the Intel TSS 2 stack::
+
+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
+  [...]
+  handle: 0x800000FF
+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
+  persistentHandle: 0x81000001
+
 Usage::
 
     keyctl add trusted name "new keylen [options]" ring
@@ -30,7 +53,9 @@ Usage::
     keyctl print keyid
 
     options:
-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
+       keyhandle=    ascii hex value of sealing key
+                       TPM 1.2: default 0x40000000 (SRK)
+                       TPM 2.0: no default; must be passed every time
        keyauth=	     ascii hex auth for sealing key default 0x00...i
                      (40 ascii zeros)
        blobauth=     ascii hex auth for sealed data default 0x00...
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
 
 Create and save a trusted key named "kmk" of length 32 bytes::
 
+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
+append 'keyhandle=0x81000001' to statements between quotes, such as
+"new 32 keyhandle=0x81000001".
+
     $ keyctl add trusted kmk "new 32" @u
     440502848
 
-- 
2.17.2

[PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Stefan Berger]

Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
 when the kernel and initramfs are updated.  The same key can have many saved
 blobs under different PCR values, so multiple boots are easily supported.
 
+TPM 1.2
+-------
+
 By default, trusted keys are sealed under the SRK, which has the default
 authorization value (20 zeros).  This can be set at takeownership time with the
 trouser's utility: "tpm_takeownership -u -z".
 
+TPM 2.0
+-------
+
+The user must first create a storage key and make it persistent, so the key is
+available after reboot. This can be done using the following commands.
+
+With the IBM TSS 2 stack::
+
+  #> tsscreateprimary -hi o -st
+  Handle 80000000
+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
+
+Or with the Intel TSS 2 stack::
+
+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
+  [...]
+  handle: 0x800000FF
+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
+  persistentHandle: 0x81000001
+
 Usage::
 
     keyctl add trusted name "new keylen [options]" ring
@@ -30,7 +53,9 @@ Usage::
     keyctl print keyid
 
     options:
-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
+       keyhandle=    ascii hex value of sealing key
+                       TPM 1.2: default 0x40000000 (SRK)
+                       TPM 2.0: no default; must be passed every time
        keyauth=	     ascii hex auth for sealing key default 0x00...i
                      (40 ascii zeros)
        blobauth=     ascii hex auth for sealed data default 0x00...
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
 
 Create and save a trusted key named "kmk" of length 32 bytes::
 
+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
+append 'keyhandle=0x81000001' to statements between quotes, such as
+"new 32 keyhandle=0x81000001".
+
     $ keyctl add trusted kmk "new 32" @u
     440502848
 
-- 
2.17.2

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Randy Dunlap]

Hi,
Feel free to ignore my comments.  I don't know anything about TPM.

On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>  1 file changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>  when the kernel and initramfs are updated.  The same key can have many saved
>  blobs under different PCR values, so multiple boots are easily supported.
>  
> +TPM 1.2
> +-------
> +
>  By default, trusted keys are sealed under the SRK, which has the default
>  authorization value (20 zeros).  This can be set at takeownership time with the
>  trouser's utility: "tpm_takeownership -u -z".

It appears to be TrouSerS or maybe just trousers (no ').

BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/


>  
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> +  #> tsscreateprimary -hi o -st
> +  Handle 80000000
> +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> +  [...]
> +  handle: 0x800000FF

Is that handle value important?  It doesn't seem to be used later...

> +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> +  persistentHandle: 0x81000001
> +
>  Usage::
>  
>      keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
>      keyctl print keyid
>  
>      options:
> -       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
> +       keyhandle=    ascii hex value of sealing key

s/ascii/ASCII/g

> +                       TPM 1.2: default 0x40000000 (SRK)
> +                       TPM 2.0: no default; must be passed every time
>         keyauth=	     ascii hex auth for sealing key default 0x00...i
>                       (40 ascii zeros)
>         blobauth=     ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>  
>  Create and save a trusted key named "kmk" of length 32 bytes::
>  
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
>      $ keyctl add trusted kmk "new 32" @u
>      440502848
>  
> 

ta.
-- 
~Randy

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Randy Dunlap]

Hi,
Feel free to ignore my comments.  I don't know anything about TPM.

On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>  1 file changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>  when the kernel and initramfs are updated.  The same key can have many saved
>  blobs under different PCR values, so multiple boots are easily supported.
>  
> +TPM 1.2
> +-------
> +
>  By default, trusted keys are sealed under the SRK, which has the default
>  authorization value (20 zeros).  This can be set at takeownership time with the
>  trouser's utility: "tpm_takeownership -u -z".

It appears to be TrouSerS or maybe just trousers (no ').

BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/


>  
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> +  #> tsscreateprimary -hi o -st
> +  Handle 80000000
> +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> +  [...]
> +  handle: 0x800000FF

Is that handle value important?  It doesn't seem to be used later...

> +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> +  persistentHandle: 0x81000001
> +
>  Usage::
>  
>      keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
>      keyctl print keyid
>  
>      options:
> -       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
> +       keyhandle=    ascii hex value of sealing key

s/ascii/ASCII/g

> +                       TPM 1.2: default 0x40000000 (SRK)
> +                       TPM 2.0: no default; must be passed every time
>         keyauth=	     ascii hex auth for sealing key default 0x00...i
>                       (40 ascii zeros)
>         blobauth=     ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>  
>  Create and save a trusted key named "kmk" of length 32 bytes::
>  
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
>      $ keyctl add trusted kmk "new 32" @u
>      440502848
>  
> 

ta.
-- 
~Randy

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Dan Williams]

On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for the updates:

Acked-by: Dan Williams <dan.j.williams@intel.com>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Dan Williams]

On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for the updates:

Acked-by: Dan Williams <dan.j.williams@intel.com>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+

Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.

Other than that looks good to me.

> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+

Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.

Other than that looks good to me.

> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>---
>>.../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated.  The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros).  This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+  #> tsscreateprimary -hi o -st
>>+  Handle 80000000
>>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+  [...]
>>+  handle: 0x800000FF
>>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+  persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.

William, is the above correct?

>
>>Usage::
>>
>>    keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>>    keyctl print keyid
>>
>>    options:
>>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>>+       keyhandle=    ascii hex value of sealing key
>>+                       TPM 1.2: default 0x40000000 (SRK)
>>+                       TPM 2.0: no default; must be passed every time
>>       keyauth=	     ascii hex auth for sealing key default 0x00...i
>>                     (40 ascii zeros)
>>       blobauth=     ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>>    $ keyctl add trusted kmk "new 32" @u
>>    440502848
>>
>>-- 
>>2.17.2
>>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>---
>>.../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated.  The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros).  This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+  #> tsscreateprimary -hi o -st
>>+  Handle 80000000
>>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+  [...]
>>+  handle: 0x800000FF
>>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+  persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.

William, is the above correct?

>
>>Usage::
>>
>>    keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>>    keyctl print keyid
>>
>>    options:
>>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>>+       keyhandle=    ascii hex value of sealing key
>>+                       TPM 1.2: default 0x40000000 (SRK)
>>+                       TPM 2.0: no default; must be passed every time
>>       keyauth=	     ascii hex auth for sealing key default 0x00...i
>>                     (40 ascii zeros)
>>       blobauth=     ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>>    $ keyctl add trusted kmk "new 32" @u
>>    440502848
>>
>>-- 
>>2.17.2
>>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Joshua Lock]

On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> On Mon Nov 05 18, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > > Extend the documentation for trusted keys with documentation for
> > > how to
> > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as
> > > well.
> > > 
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > > .../security/keys/trusted-encrypted.rst       | 31
> > > ++++++++++++++++++-
> > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > b/Documentation/security/keys/trusted-encrypted.rst
> > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > @@ -18,10 +18,33 @@ integrity verifications match.  A loaded
> > > Trusted Key can be updated with new
> > > when the kernel and initramfs are updated.  The same key can have
> > > many saved
> > > blobs under different PCR values, so multiple boots are easily
> > > supported.
> > > 
> > > +TPM 1.2
> > > +-------
> > > +
> > > By default, trusted keys are sealed under the SRK, which has the
> > > default
> > > authorization value (20 zeros).  This can be set at takeownership
> > > time with the
> > > trouser's utility: "tpm_takeownership -u -z".
> > > 
> > > +TPM 2.0
> > > +-------
> > > +
> > > +The user must first create a storage key and make it persistent,
> > > so the key is
> > > +available after reboot. This can be done using the following
> > > commands.
> > > +
> > > +With the IBM TSS 2 stack::
> > > +
> > > +  #> tsscreateprimary -hi o -st
> > > +  Handle 80000000
> > > +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > +
> > > +Or with the Intel TSS 2 stack::
> > > +
> > > +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > +  [...]
> > > +  handle: 0x800000FF
> > > +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > +  persistentHandle: 0x81000001
> > > +
> > 
> > Is that the correct option for tpm2_evictcontrol? What I'm seeing
> > in the versions I have is -S or -persistent= for specifying the
> > persistent handle.
> > 
> > Other than that looks good to me.
> 
> William, is the above correct?

We're changing some of the options in master ahead of our next major
release, the -p/--persistent option is correct for that branch and the
eventual 4.X series.

Regards,
Joshua

> > 
> > > Usage::
> > > 
> > >    keyctl add trusted name "new keylen [options]" ring
> > > @@ -30,7 +53,9 @@ Usage::
> > >    keyctl print keyid
> > > 
> > >    options:
> > > -       keyhandle=    ascii hex value of sealing key default
> > > 0x40000000 (SRK)
> > > +       keyhandle=    ascii hex value of sealing key
> > > +                       TPM 1.2: default 0x40000000 (SRK)
> > > +                       TPM 2.0: no default; must be passed every
> > > time
> > >       keyauth=	     ascii hex auth for sealing key default
> > > 0x00...i
> > >                     (40 ascii zeros)
> > >       blobauth=     ascii hex auth for sealed data default
> > > 0x00...
> > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > 
> > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > 
> > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > 0x81000001,
> > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > as
> > > +"new 32 keyhandle=0x81000001".
> > > +
> > >    $ keyctl add trusted kmk "new 32" @u
> > >    440502848
> > > 
> > > -- 
> > > 2.17.2
> > > 

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+
> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jerry Snitselaar]

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+
> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Mimi Zohar]

On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

Thanks!  This patch is now staged in the #next-integrity-queued
branch.

Mimi

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Mimi Zohar]

On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

Thanks!  This patch is now staged in the #next-integrity-queued
branch.

Mimi

RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Roberts, William C]

DQoNCj4gLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCj4gRnJvbTogSm9zaHVhIExvY2sgW21h
aWx0bzpqb3NodWEuZy5sb2NrQGxpbnV4LmludGVsLmNvbV0NCj4gU2VudDogVHVlc2RheSwgTm92
ZW1iZXIgNiwgMjAxOCA4OjE1IEFNDQo+IFRvOiBKZXJyeSBTbml0c2VsYWFyIDxqc25pdHNlbEBy
ZWRoYXQuY29tPjsgU3RlZmFuIEJlcmdlcg0KPiA8c3RlZmFuYkBsaW51eC5pYm0uY29tPjsga2V5
cmluZ3NAdmdlci5rZXJuZWwub3JnOyBsaW51eC0NCj4gaW50ZWdyaXR5QHZnZXIua2VybmVsLm9y
Zzsgem9oYXJAbGludXguaWJtLmNvbTsgamVqYkBsaW51eC5pYm0uY29tOw0KPiBBbGV4YW5kZXIu
TGV2aW5AbWljcm9zb2Z0LmNvbTsgam1vcnJpc0BuYW1laS5vcmc7IGxpbnV4LQ0KPiBrZXJuZWxA
dmdlci5rZXJuZWwub3JnDQo+IENjOiBSb2JlcnRzLCBXaWxsaWFtIEMgPHdpbGxpYW0uYy5yb2Jl
cnRzQGludGVsLmNvbT4NCj4gU3ViamVjdDogUmU6IFtQQVRDSF0gZG9jczogRXh0ZW5kIHRydXN0
ZWQga2V5cyBkb2N1bWVudGF0aW9uIGZvciBUUE0gMi4wDQo+IA0KPiBPbiBUdWUsIDIwMTgtMTEt
MDYgYXQgMDk6MDAgLTA3MDAsIEplcnJ5IFNuaXRzZWxhYXIgd3JvdGU6DQo+ID4gT24gTW9uIE5v
diAwNSAxOCwgSmVycnkgU25pdHNlbGFhciB3cm90ZToNCj4gPiA+IE9uIEZyaSBPY3QgMTkgMTgs
IFN0ZWZhbiBCZXJnZXIgd3JvdGU6DQo+ID4gPiA+IEV4dGVuZCB0aGUgZG9jdW1lbnRhdGlvbiBm
b3IgdHJ1c3RlZCBrZXlzIHdpdGggZG9jdW1lbnRhdGlvbiBmb3INCj4gPiA+ID4gaG93IHRvIHNl
dCB1cCBhIGtleSBmb3IgYSBUUE0gMi4wIHNvIGl0IGNhbiBiZSB1c2VkIHdpdGggYSBUUE0gMi4w
DQo+ID4gPiA+IGFzIHdlbGwuDQo+ID4gPiA+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IFN0ZWZh
biBCZXJnZXIgPHN0ZWZhbmJAbGludXguaWJtLmNvbT4NCj4gPiA+ID4gUmV2aWV3ZWQtYnk6IE1p
bWkgWm9oYXIgPHpvaGFyQGxpbnV4LmlibS5jb20+DQo+ID4gPiA+IC0tLQ0KPiA+ID4gPiAuLi4v
c2VjdXJpdHkva2V5cy90cnVzdGVkLWVuY3J5cHRlZC5yc3QgICAgICAgfCAzMQ0KPiA+ID4gPiAr
KysrKysrKysrKysrKysrKystDQo+ID4gPiA+IDEgZmlsZSBjaGFuZ2VkLCAzMCBpbnNlcnRpb25z
KCspLCAxIGRlbGV0aW9uKC0pDQo+ID4gPiA+DQo+ID4gPiA+IGRpZmYgLS1naXQgYS9Eb2N1bWVu
dGF0aW9uL3NlY3VyaXR5L2tleXMvdHJ1c3RlZC1lbmNyeXB0ZWQucnN0DQo+ID4gPiA+IGIvRG9j
dW1lbnRhdGlvbi9zZWN1cml0eS9rZXlzL3RydXN0ZWQtZW5jcnlwdGVkLnJzdA0KPiA+ID4gPiBp
bmRleCAzYmIyNGUwOWEzMzIuLjZlYzZiYjJhYzQ5NyAxMDA2NDQNCj4gPiA+ID4gLS0tIGEvRG9j
dW1lbnRhdGlvbi9zZWN1cml0eS9rZXlzL3RydXN0ZWQtZW5jcnlwdGVkLnJzdA0KPiA+ID4gPiAr
KysgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2tleXMvdHJ1c3RlZC1lbmNyeXB0ZWQucnN0DQo+
ID4gPiA+IEBAIC0xOCwxMCArMTgsMzMgQEAgaW50ZWdyaXR5IHZlcmlmaWNhdGlvbnMgbWF0Y2gu
ICBBIGxvYWRlZA0KPiA+ID4gPiBUcnVzdGVkIEtleSBjYW4gYmUgdXBkYXRlZCB3aXRoIG5ldyB3
aGVuIHRoZSBrZXJuZWwgYW5kIGluaXRyYW1mcw0KPiA+ID4gPiBhcmUgdXBkYXRlZC4gIFRoZSBz
YW1lIGtleSBjYW4gaGF2ZSBtYW55IHNhdmVkIGJsb2JzIHVuZGVyDQo+ID4gPiA+IGRpZmZlcmVu
dCBQQ1IgdmFsdWVzLCBzbyBtdWx0aXBsZSBib290cyBhcmUgZWFzaWx5IHN1cHBvcnRlZC4NCj4g
PiA+ID4NCj4gPiA+ID4gK1RQTSAxLjINCj4gPiA+ID4gKy0tLS0tLS0NCj4gPiA+ID4gKw0KPiA+
ID4gPiBCeSBkZWZhdWx0LCB0cnVzdGVkIGtleXMgYXJlIHNlYWxlZCB1bmRlciB0aGUgU1JLLCB3
aGljaCBoYXMgdGhlDQo+ID4gPiA+IGRlZmF1bHQgYXV0aG9yaXphdGlvbiB2YWx1ZSAoMjAgemVy
b3MpLiAgVGhpcyBjYW4gYmUgc2V0IGF0DQo+ID4gPiA+IHRha2Vvd25lcnNoaXAgdGltZSB3aXRo
IHRoZSB0cm91c2VyJ3MgdXRpbGl0eTogInRwbV90YWtlb3duZXJzaGlwDQo+ID4gPiA+IC11IC16
Ii4NCj4gPiA+ID4NCj4gPiA+ID4gK1RQTSAyLjANCj4gPiA+ID4gKy0tLS0tLS0NCj4gPiA+ID4g
Kw0KPiA+ID4gPiArVGhlIHVzZXIgbXVzdCBmaXJzdCBjcmVhdGUgYSBzdG9yYWdlIGtleSBhbmQg
bWFrZSBpdCBwZXJzaXN0ZW50LA0KPiA+ID4gPiBzbyB0aGUga2V5IGlzDQo+ID4gPiA+ICthdmFp
bGFibGUgYWZ0ZXIgcmVib290LiBUaGlzIGNhbiBiZSBkb25lIHVzaW5nIHRoZSBmb2xsb3dpbmcN
Cj4gPiA+ID4gY29tbWFuZHMuDQo+ID4gPiA+ICsNCj4gPiA+ID4gK1dpdGggdGhlIElCTSBUU1Mg
MiBzdGFjazo6DQo+ID4gPiA+ICsNCj4gPiA+ID4gKyAgIz4gdHNzY3JlYXRlcHJpbWFyeSAtaGkg
byAtc3QNCj4gPiA+ID4gKyAgSGFuZGxlIDgwMDAwMDAwDQo+ID4gPiA+ICsgICM+IHRzc2V2aWN0
Y29udHJvbCAtaGkgbyAtaG8gODAwMDAwMDAgLWhwIDgxMDAwMDAxDQo+ID4gPiA+ICsNCj4gPiA+
ID4gK09yIHdpdGggdGhlIEludGVsIFRTUyAyIHN0YWNrOjoNCj4gPiA+ID4gKw0KPiA+ID4gPiAr
ICAjPiB0cG0yX2NyZWF0ZXByaW1hcnkgLS1oaWVyYXJjaHkgbyAtRyByc2EyMDQ4IC1vIGtleS5j
dHh0DQo+ID4gPiA+ICsgWy4uLl0NCj4gPiA+ID4gKyAgaGFuZGxlOiAweDgwMDAwMEZGDQo+ID4g
PiA+ICsgICM+IHRwbTJfZXZpY3Rjb250cm9sIC1jIGtleS5jdHh0IC1wIDB4ODEwMDAwMDENCj4g
PiA+ID4gKyAgcGVyc2lzdGVudEhhbmRsZTogMHg4MTAwMDAwMQ0KPiA+ID4gPiArDQo+ID4gPg0K
PiA+ID4gSXMgdGhhdCB0aGUgY29ycmVjdCBvcHRpb24gZm9yIHRwbTJfZXZpY3Rjb250cm9sPyBX
aGF0IEknbSBzZWVpbmcgaW4NCj4gPiA+IHRoZSB2ZXJzaW9ucyBJIGhhdmUgaXMgLVMgb3IgLXBl
cnNpc3RlbnQ9IGZvciBzcGVjaWZ5aW5nIHRoZQ0KPiA+ID4gcGVyc2lzdGVudCBoYW5kbGUuDQo+
ID4gPg0KPiA+ID4gT3RoZXIgdGhhbiB0aGF0IGxvb2tzIGdvb2QgdG8gbWUuDQo+ID4NCj4gPiBX
aWxsaWFtLCBpcyB0aGUgYWJvdmUgY29ycmVjdD8NCj4gDQo+IFdlJ3JlIGNoYW5naW5nIHNvbWUg
b2YgdGhlIG9wdGlvbnMgaW4gbWFzdGVyIGFoZWFkIG9mIG91ciBuZXh0IG1ham9yIHJlbGVhc2Us
DQo+IHRoZSAtcC8tLXBlcnNpc3RlbnQgb3B0aW9uIGlzIGNvcnJlY3QgZm9yIHRoYXQgYnJhbmNo
IGFuZCB0aGUgZXZlbnR1YWwgNC5YIHNlcmllcy4NCg0KTEdUTS4NCg0KQWxzbyBpZiB5b3Ugc3Bl
Y2lmeSAtLWhlbHA9bm8tbWFuIGl0IHdpbGwgZHVtcCBhIHNob3J0IHN1bW1hcnkgdG8gc3Rkb3V0
IChtYXN0ZXIgb25seSkgd2hpY2ggaXMgdXNlZnVsLg0KDQo+IA0KPiBSZWdhcmRzLA0KPiBKb3No
dWENCj4gDQo+ID4gPg0KPiA+ID4gPiBVc2FnZTo6DQo+ID4gPiA+DQo+ID4gPiA+ICAgIGtleWN0
bCBhZGQgdHJ1c3RlZCBuYW1lICJuZXcga2V5bGVuIFtvcHRpb25zXSIgcmluZyBAQCAtMzAsNw0K
PiA+ID4gPiArNTMsOSBAQCBVc2FnZTo6DQo+ID4gPiA+ICAgIGtleWN0bCBwcmludCBrZXlpZA0K
PiA+ID4gPg0KPiA+ID4gPiAgICBvcHRpb25zOg0KPiA+ID4gPiAtICAgICAgIGtleWhhbmRsZT0g
ICAgYXNjaWkgaGV4IHZhbHVlIG9mIHNlYWxpbmcga2V5IGRlZmF1bHQNCj4gPiA+ID4gMHg0MDAw
MDAwMCAoU1JLKQ0KPiA+ID4gPiArICAgICAgIGtleWhhbmRsZT0gICAgYXNjaWkgaGV4IHZhbHVl
IG9mIHNlYWxpbmcga2V5DQo+ID4gPiA+ICsgICAgICAgICAgICAgICAgICAgICAgIFRQTSAxLjI6
IGRlZmF1bHQgMHg0MDAwMDAwMCAoU1JLKQ0KPiA+ID4gPiArICAgICAgICAgICAgICAgICAgICAg
ICBUUE0gMi4wOiBubyBkZWZhdWx0OyBtdXN0IGJlIHBhc3NlZCBldmVyeQ0KPiA+ID4gPiB0aW1l
DQo+ID4gPiA+ICAgICAgIGtleWF1dGg9CSAgICAgYXNjaWkgaGV4IGF1dGggZm9yIHNlYWxpbmcg
a2V5IGRlZmF1bHQNCj4gPiA+ID4gMHgwMC4uLmkNCj4gPiA+ID4gICAgICAgICAgICAgICAgICAg
ICAoNDAgYXNjaWkgemVyb3MpDQo+ID4gPiA+ICAgICAgIGJsb2JhdXRoPSAgICAgYXNjaWkgaGV4
IGF1dGggZm9yIHNlYWxlZCBkYXRhIGRlZmF1bHQNCj4gPiA+ID4gMHgwMC4uLg0KPiA+ID4gPiBA
QCAtODQsNiArMTA5LDEwIEBAIEV4YW1wbGVzIG9mIHRydXN0ZWQgYW5kIGVuY3J5cHRlZCBrZXkg
dXNhZ2U6DQo+ID4gPiA+DQo+ID4gPiA+IENyZWF0ZSBhbmQgc2F2ZSBhIHRydXN0ZWQga2V5IG5h
bWVkICJrbWsiIG9mIGxlbmd0aCAzMiBieXRlczo6DQo+ID4gPiA+DQo+ID4gPiA+ICtOb3RlOiBX
aGVuIHVzaW5nIGEgVFBNIDIuMCB3aXRoIGEgcGVyc2lzdGVudCBrZXkgd2l0aCBoYW5kbGUNCj4g
PiA+ID4gMHg4MTAwMDAwMSwNCj4gPiA+ID4gK2FwcGVuZCAna2V5aGFuZGxlPTB4ODEwMDAwMDEn
IHRvIHN0YXRlbWVudHMgYmV0d2VlbiBxdW90ZXMsIHN1Y2gNCj4gPiA+ID4gYXMNCj4gPiA+ID4g
KyJuZXcgMzIga2V5aGFuZGxlPTB4ODEwMDAwMDEiLg0KPiA+ID4gPiArDQo+ID4gPiA+ICAgICQg
a2V5Y3RsIGFkZCB0cnVzdGVkIGttayAibmV3IDMyIiBAdQ0KPiA+ID4gPiAgICA0NDA1MDI4NDgN
Cj4gPiA+ID4NCj4gPiA+ID4gLS0NCj4gPiA+ID4gMi4xNy4yDQo+ID4gPiA+DQoNCg=

RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Roberts, William C]

> -----Original Message-----
> From: Joshua Lock [mailto:joshua.g.lock@linux.intel.com]
> Sent: Tuesday, November 6, 2018 8:15 AM
> To: Jerry Snitselaar <jsnitsel@redhat.com>; Stefan Berger
> <stefanb@linux.ibm.com>; keyrings@vger.kernel.org; linux-
> integrity@vger.kernel.org; zohar@linux.ibm.com; jejb@linux.ibm.com;
> Alexander.Levin@microsoft.com; jmorris@namei.org; linux-
> kernel@vger.kernel.org
> Cc: Roberts, William C <william.c.roberts@intel.com>
> Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
> 
> On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> > On Mon Nov 05 18, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > Extend the documentation for trusted keys with documentation for
> > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0
> > > > as well.
> > > >
> > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > ---
> > > > .../security/keys/trusted-encrypted.rst       | 31
> > > > ++++++++++++++++++-
> > > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > > b/Documentation/security/keys/trusted-encrypted.rst
> > > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > > @@ -18,10 +18,33 @@ integrity verifications match.  A loaded
> > > > Trusted Key can be updated with new when the kernel and initramfs
> > > > are updated.  The same key can have many saved blobs under
> > > > different PCR values, so multiple boots are easily supported.
> > > >
> > > > +TPM 1.2
> > > > +-------
> > > > +
> > > > By default, trusted keys are sealed under the SRK, which has the
> > > > default authorization value (20 zeros).  This can be set at
> > > > takeownership time with the trouser's utility: "tpm_takeownership
> > > > -u -z".
> > > >
> > > > +TPM 2.0
> > > > +-------
> > > > +
> > > > +The user must first create a storage key and make it persistent,
> > > > so the key is
> > > > +available after reboot. This can be done using the following
> > > > commands.
> > > > +
> > > > +With the IBM TSS 2 stack::
> > > > +
> > > > +  #> tsscreateprimary -hi o -st
> > > > +  Handle 80000000
> > > > +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > > +
> > > > +Or with the Intel TSS 2 stack::
> > > > +
> > > > +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > > + [...]
> > > > +  handle: 0x800000FF
> > > > +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > > +  persistentHandle: 0x81000001
> > > > +
> > >
> > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in
> > > the versions I have is -S or -persistent= for specifying the
> > > persistent handle.
> > >
> > > Other than that looks good to me.
> >
> > William, is the above correct?
> 
> We're changing some of the options in master ahead of our next major release,
> the -p/--persistent option is correct for that branch and the eventual 4.X series.

LGTM.

Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful.

> 
> Regards,
> Joshua
> 
> > >
> > > > Usage::
> > > >
> > > >    keyctl add trusted name "new keylen [options]" ring @@ -30,7
> > > > +53,9 @@ Usage::
> > > >    keyctl print keyid
> > > >
> > > >    options:
> > > > -       keyhandle=    ascii hex value of sealing key default
> > > > 0x40000000 (SRK)
> > > > +       keyhandle=    ascii hex value of sealing key
> > > > +                       TPM 1.2: default 0x40000000 (SRK)
> > > > +                       TPM 2.0: no default; must be passed every
> > > > time
> > > >       keyauth=	     ascii hex auth for sealing key default
> > > > 0x00...i
> > > >                     (40 ascii zeros)
> > > >       blobauth=     ascii hex auth for sealed data default
> > > > 0x00...
> > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > >
> > > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > >
> > > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > > 0x81000001,
> > > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > > as
> > > > +"new 32 keyhandle=0x81000001".
> > > > +
> > > >    $ keyctl add trusted kmk "new 32" @u
> > > >    440502848
> > > >
> > > > --
> > > > 2.17.2
> > > >

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> 
> Thanks!  This patch is now staged in the #next-integrity-queued
> branch.
> 
> Mimi

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> 
> Thanks!  This patch is now staged in the #next-integrity-queued
> branch.
> 
> Mimi

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > 
> > Thanks!  This patch is now staged in the #next-integrity-queued
> > branch.
> > 
> > Mimi
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Brings to mind, in the long run where the backend code for trusted keys
should reside.

/Jarkko

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > 
> > Thanks!  This patch is now staged in the #next-integrity-queued
> > branch.
> > 
> > Mimi
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Brings to mind, in the long run where the backend code for trusted keys
should reside.

/Jarkko

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Mimi Zohar]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="maccentraleurope", Size: 1253 bytes --]

On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > 
> > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > > 
> > > Thanks!  This patch is now staged in the #next-integrity-queued
> > > branch.
> > > 
> > > Mimi
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> 
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.

Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?

I'm not sure there needs to be a separate encrypted-keys pull request.
 Either they can be upstreamed via the TPM or the integrity subsystem
for now.

Mimi

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Mimi Zohar]

On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > 
> > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > > 
> > > Thanks!  This patch is now staged in the #next-integrity-queued
> > > branch.
> > > 
> > > Mimi
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> 
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.

Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?

I'm not sure there needs to be a separate encrypted-keys pull request.
 Either they can be upstreamed via the TPM or the integrity subsystem
for now.

Mimi

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
> 
> I'm not sure there needs to be a separate encrypted-keys pull request.
>  Either they can be upstreamed via the TPM or the integrity subsystem
> for now.

Nothing that ought to be rushed.

I'm speaking about this situation:

1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.

We are doing effort to make TPM subsystem more friendly to send custom
commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean
ups for TPM 1.x code) so I'm more dilated to the 2nd option.

/Jarkko

Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

[Jarkko Sakkinen]

On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
> 
> I'm not sure there needs to be a separate encrypted-keys pull request.
>  Either they can be upstreamed via the TPM or the integrity subsystem
> for now.

Nothing that ought to be rushed.

I'm speaking about this situation:

1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.

We are doing effort to make TPM subsystem more friendly to send custom
commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean
ups for TPM 1.x code) so I'm more dilated to the 2nd option.

/Jarkko