All of lore.kernel.org
 help / color / mirror / Atom feed
* [RFC 00/10] KEYS: TPM 1.2 asymmetric key type
@ 2018-05-29  3:29 Denis Kenzior
  2018-05-30  0:00 ` Mat Martineau
  0 siblings, 1 reply; 2+ messages in thread
From: Denis Kenzior @ 2018-05-29  3:29 UTC (permalink / raw)
  To: keyrings

Here's an RFC to provide access to the TPM-wrapped keys via keyctl
asymmetric key interface.  This RFC only provides pkey_query,
pkey_encrypt and pkey_decrypt operations.  sign and verify operations
should be simple, but I did not want to proceed with them until I sanity
checked that this is the right approach.

These patches depend on asymmetric key patches from David Howells, which
can be found here:
	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

And the needed keyutils patches:
	http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=pkey

A simple parser for DER-encoded TPM keys is added so that userspace
applications can load the key directly into the kernel.  The outer PEM
formatting (if any) must be stripped out by userspace.  For more details
on the format, please see patch 3/10.

Since the loaded key blob contains both the public key portion and the
(encrypted) private key portion of the key, it is possible to perform
both encryption and decryption operations.

For operations where the public key is used, all operations are done in
software using the existing kernel crypto APIs.  For operations that
utilize the TPM protected private key, tpm_loadkey2 and tpm_unbind
operations are used.

Example usage:
	# Generate Private Key
	openssl genrsa -out /tmp/privkey.pem 2048
	# Wrap the key with the TPM
	create_tpm_key -s 2048 -w /tmp/privkey.pem /tmp/privkey.tpm
	# Strip PEM
	openssl asn1parse -inform pem -in /tmp/privkey.tpm -noout -out \
	    /tmp/privkey.der
	# Load the TPM key into the kernel
	tpm_serial=`cat /tmp/privkey.der | keyctl padd asymmetric tpm @u`
	echo -n abcdefghijklmnopqrst >/tmp/data
	keyctl pkey_encrypt $tpm_serial 0 /tmp/data enc=pkcs1 > /tmp/enc
	keyctl pkey_decrypt $tpm_serial 0 /tmp/enc enc=pkcs1 > /tmp/dec
	cmp /tmp/data /tmp/dec

Denis Kenzior (10):
  crypto: rsa-pkcs1pad: Allow hash to be optional
  KEYS: asym_tpm: add skeleton for asym_tpm
  KEYS: Add parser for TPM-based keys
  KEYS: asym_tpm: extract key size & public key
  KEYS: asym_tpm: Implement pkey_query
  KEYS: asym_tpm: Implement encryption operation
  KEYS: trusted: Expose common functionality
  KEYS: asym_tpm: Add loadkey2 and flushspecific
  KEYS: asym_tpm: Implement tpm_unbind
  KEYS: asym_tpm: Implement the encrypt operation

 crypto/asymmetric_keys/Kconfig      |  21 ++
 crypto/asymmetric_keys/Makefile     |  13 +
 crypto/asymmetric_keys/asym_tpm.c   | 666 ++++++++++++++++++++++++++++++++++++
 crypto/asymmetric_keys/tpm.asn1     |   5 +
 crypto/asymmetric_keys/tpm_parser.c | 104 ++++++
 crypto/rsa-pkcs1pad.c               |  59 +++-
 include/crypto/asym_tpm_subtype.h   |  19 +
 security/keys/trusted.c             |  12 +-
 security/keys/trusted.h             |  14 +-
 9 files changed, 890 insertions(+), 23 deletions(-)
 create mode 100644 crypto/asymmetric_keys/asym_tpm.c
 create mode 100644 crypto/asymmetric_keys/tpm.asn1
 create mode 100644 crypto/asymmetric_keys/tpm_parser.c
 create mode 100644 include/crypto/asym_tpm_subtype.h

-- 
2.16.1


^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [RFC 00/10] KEYS: TPM 1.2 asymmetric key type
  2018-05-29  3:29 [RFC 00/10] KEYS: TPM 1.2 asymmetric key type Denis Kenzior
@ 2018-05-30  0:00 ` Mat Martineau
  0 siblings, 0 replies; 2+ messages in thread
From: Mat Martineau @ 2018-05-30  0:00 UTC (permalink / raw)
  To: keyrings


David,

On Mon, 28 May 2018, Denis Kenzior wrote:

> Here's an RFC to provide access to the TPM-wrapped keys via keyctl
> asymmetric key interface.  This RFC only provides pkey_query,
> pkey_encrypt and pkey_decrypt operations.  sign and verify operations
> should be simple, but I did not want to proceed with them until I sanity
> checked that this is the right approach.
>
> These patches depend on asymmetric key patches from David Howells, which
> can be found here:
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

I've posted a rebased keys-asym-keyctl branch for v4.16 here:

https://git.kernel.org/pub/scm/linux/kernel/git/martineau/linux.git/tag/?h=ell-key-crypto-416


Mat

>
> And the needed keyutils patches:
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=pkey
>
> A simple parser for DER-encoded TPM keys is added so that userspace
> applications can load the key directly into the kernel.  The outer PEM
> formatting (if any) must be stripped out by userspace.  For more details
> on the format, please see patch 3/10.
>
> Since the loaded key blob contains both the public key portion and the
> (encrypted) private key portion of the key, it is possible to perform
> both encryption and decryption operations.
>
> For operations where the public key is used, all operations are done in
> software using the existing kernel crypto APIs.  For operations that
> utilize the TPM protected private key, tpm_loadkey2 and tpm_unbind
> operations are used.
>
> Example usage:
> 	# Generate Private Key
> 	openssl genrsa -out /tmp/privkey.pem 2048
> 	# Wrap the key with the TPM
> 	create_tpm_key -s 2048 -w /tmp/privkey.pem /tmp/privkey.tpm
> 	# Strip PEM
> 	openssl asn1parse -inform pem -in /tmp/privkey.tpm -noout -out \
> 	    /tmp/privkey.der
> 	# Load the TPM key into the kernel
> 	tpm_serial=`cat /tmp/privkey.der | keyctl padd asymmetric tpm @u`
> 	echo -n abcdefghijklmnopqrst >/tmp/data
> 	keyctl pkey_encrypt $tpm_serial 0 /tmp/data enc=pkcs1 > /tmp/enc
> 	keyctl pkey_decrypt $tpm_serial 0 /tmp/enc enc=pkcs1 > /tmp/dec
> 	cmp /tmp/data /tmp/dec
>
> Denis Kenzior (10):
>  crypto: rsa-pkcs1pad: Allow hash to be optional
>  KEYS: asym_tpm: add skeleton for asym_tpm
>  KEYS: Add parser for TPM-based keys
>  KEYS: asym_tpm: extract key size & public key
>  KEYS: asym_tpm: Implement pkey_query
>  KEYS: asym_tpm: Implement encryption operation
>  KEYS: trusted: Expose common functionality
>  KEYS: asym_tpm: Add loadkey2 and flushspecific
>  KEYS: asym_tpm: Implement tpm_unbind
>  KEYS: asym_tpm: Implement the encrypt operation
>
> crypto/asymmetric_keys/Kconfig      |  21 ++
> crypto/asymmetric_keys/Makefile     |  13 +
> crypto/asymmetric_keys/asym_tpm.c   | 666 ++++++++++++++++++++++++++++++++++++
> crypto/asymmetric_keys/tpm.asn1     |   5 +
> crypto/asymmetric_keys/tpm_parser.c | 104 ++++++
> crypto/rsa-pkcs1pad.c               |  59 +++-
> include/crypto/asym_tpm_subtype.h   |  19 +
> security/keys/trusted.c             |  12 +-
> security/keys/trusted.h             |  14 +-
> 9 files changed, 890 insertions(+), 23 deletions(-)
> create mode 100644 crypto/asymmetric_keys/asym_tpm.c
> create mode 100644 crypto/asymmetric_keys/tpm.asn1
> create mode 100644 crypto/asymmetric_keys/tpm_parser.c
> create mode 100644 include/crypto/asym_tpm_subtype.h
>
> -- 
> 2.16.1

--
Mat Martineau
Intel OTC

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-05-30  0:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-29  3:29 [RFC 00/10] KEYS: TPM 1.2 asymmetric key type Denis Kenzior
2018-05-30  0:00 ` Mat Martineau

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.