From: "Roberts, William C" <william.c.roberts@intel.com> To: Joshua Lock <joshua.g.lock@linux.intel.com>, Jerry Snitselaar <jsnitsel@redhat.com>, Stefan Berger <stefanb@linux.ibm.com>, "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>, "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>, "zohar@linux.ibm.com" <zohar@linux.ibm.com>, "jejb@linux.ibm.com" <jejb@linux.ibm.com>, "Alexander.Levin@microsoft.com" <Alexander.Levin@microsoft.com>, "jmorris@namei.org" <jmorris@namei.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Date: Wed, 07 Nov 2018 00:53:30 +0000 [thread overview] Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649C7AF69@ORSMSX101.amr.corp.intel.com> (raw) In-Reply-To: <6c4576c012fca40a08e6db394b4c3620a2879aa8.camel@linux.intel.com> DQoNCj4gLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCj4gRnJvbTogSm9zaHVhIExvY2sgW21h aWx0bzpqb3NodWEuZy5sb2NrQGxpbnV4LmludGVsLmNvbV0NCj4gU2VudDogVHVlc2RheSwgTm92 ZW1iZXIgNiwgMjAxOCA4OjE1IEFNDQo+IFRvOiBKZXJyeSBTbml0c2VsYWFyIDxqc25pdHNlbEBy ZWRoYXQuY29tPjsgU3RlZmFuIEJlcmdlcg0KPiA8c3RlZmFuYkBsaW51eC5pYm0uY29tPjsga2V5 cmluZ3NAdmdlci5rZXJuZWwub3JnOyBsaW51eC0NCj4gaW50ZWdyaXR5QHZnZXIua2VybmVsLm9y Zzsgem9oYXJAbGludXguaWJtLmNvbTsgamVqYkBsaW51eC5pYm0uY29tOw0KPiBBbGV4YW5kZXIu TGV2aW5AbWljcm9zb2Z0LmNvbTsgam1vcnJpc0BuYW1laS5vcmc7IGxpbnV4LQ0KPiBrZXJuZWxA dmdlci5rZXJuZWwub3JnDQo+IENjOiBSb2JlcnRzLCBXaWxsaWFtIEMgPHdpbGxpYW0uYy5yb2Jl cnRzQGludGVsLmNvbT4NCj4gU3ViamVjdDogUmU6IFtQQVRDSF0gZG9jczogRXh0ZW5kIHRydXN0 ZWQga2V5cyBkb2N1bWVudGF0aW9uIGZvciBUUE0gMi4wDQo+IA0KPiBPbiBUdWUsIDIwMTgtMTEt MDYgYXQgMDk6MDAgLTA3MDAsIEplcnJ5IFNuaXRzZWxhYXIgd3JvdGU6DQo+ID4gT24gTW9uIE5v diAwNSAxOCwgSmVycnkgU25pdHNlbGFhciB3cm90ZToNCj4gPiA+IE9uIEZyaSBPY3QgMTkgMTgs IFN0ZWZhbiBCZXJnZXIgd3JvdGU6DQo+ID4gPiA+IEV4dGVuZCB0aGUgZG9jdW1lbnRhdGlvbiBm b3IgdHJ1c3RlZCBrZXlzIHdpdGggZG9jdW1lbnRhdGlvbiBmb3INCj4gPiA+ID4gaG93IHRvIHNl dCB1cCBhIGtleSBmb3IgYSBUUE0gMi4wIHNvIGl0IGNhbiBiZSB1c2VkIHdpdGggYSBUUE0gMi4w DQo+ID4gPiA+IGFzIHdlbGwuDQo+ID4gPiA+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IFN0ZWZh biBCZXJnZXIgPHN0ZWZhbmJAbGludXguaWJtLmNvbT4NCj4gPiA+ID4gUmV2aWV3ZWQtYnk6IE1p bWkgWm9oYXIgPHpvaGFyQGxpbnV4LmlibS5jb20+DQo+ID4gPiA+IC0tLQ0KPiA+ID4gPiAuLi4v c2VjdXJpdHkva2V5cy90cnVzdGVkLWVuY3J5cHRlZC5yc3QgICAgICAgfCAzMQ0KPiA+ID4gPiAr KysrKysrKysrKysrKysrKystDQo+ID4gPiA+IDEgZmlsZSBjaGFuZ2VkLCAzMCBpbnNlcnRpb25z KCspLCAxIGRlbGV0aW9uKC0pDQo+ID4gPiA+DQo+ID4gPiA+IGRpZmYgLS1naXQgYS9Eb2N1bWVu dGF0aW9uL3NlY3VyaXR5L2tleXMvdHJ1c3RlZC1lbmNyeXB0ZWQucnN0DQo+ID4gPiA+IGIvRG9j dW1lbnRhdGlvbi9zZWN1cml0eS9rZXlzL3RydXN0ZWQtZW5jcnlwdGVkLnJzdA0KPiA+ID4gPiBp bmRleCAzYmIyNGUwOWEzMzIuLjZlYzZiYjJhYzQ5NyAxMDA2NDQNCj4gPiA+ID4gLS0tIGEvRG9j dW1lbnRhdGlvbi9zZWN1cml0eS9rZXlzL3RydXN0ZWQtZW5jcnlwdGVkLnJzdA0KPiA+ID4gPiAr KysgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2tleXMvdHJ1c3RlZC1lbmNyeXB0ZWQucnN0DQo+ ID4gPiA+IEBAIC0xOCwxMCArMTgsMzMgQEAgaW50ZWdyaXR5IHZlcmlmaWNhdGlvbnMgbWF0Y2gu ICBBIGxvYWRlZA0KPiA+ID4gPiBUcnVzdGVkIEtleSBjYW4gYmUgdXBkYXRlZCB3aXRoIG5ldyB3 aGVuIHRoZSBrZXJuZWwgYW5kIGluaXRyYW1mcw0KPiA+ID4gPiBhcmUgdXBkYXRlZC4gIFRoZSBz YW1lIGtleSBjYW4gaGF2ZSBtYW55IHNhdmVkIGJsb2JzIHVuZGVyDQo+ID4gPiA+IGRpZmZlcmVu dCBQQ1IgdmFsdWVzLCBzbyBtdWx0aXBsZSBib290cyBhcmUgZWFzaWx5IHN1cHBvcnRlZC4NCj4g PiA+ID4NCj4gPiA+ID4gK1RQTSAxLjINCj4gPiA+ID4gKy0tLS0tLS0NCj4gPiA+ID4gKw0KPiA+ ID4gPiBCeSBkZWZhdWx0LCB0cnVzdGVkIGtleXMgYXJlIHNlYWxlZCB1bmRlciB0aGUgU1JLLCB3 aGljaCBoYXMgdGhlDQo+ID4gPiA+IGRlZmF1bHQgYXV0aG9yaXphdGlvbiB2YWx1ZSAoMjAgemVy b3MpLiAgVGhpcyBjYW4gYmUgc2V0IGF0DQo+ID4gPiA+IHRha2Vvd25lcnNoaXAgdGltZSB3aXRo IHRoZSB0cm91c2VyJ3MgdXRpbGl0eTogInRwbV90YWtlb3duZXJzaGlwDQo+ID4gPiA+IC11IC16 Ii4NCj4gPiA+ID4NCj4gPiA+ID4gK1RQTSAyLjANCj4gPiA+ID4gKy0tLS0tLS0NCj4gPiA+ID4g Kw0KPiA+ID4gPiArVGhlIHVzZXIgbXVzdCBmaXJzdCBjcmVhdGUgYSBzdG9yYWdlIGtleSBhbmQg bWFrZSBpdCBwZXJzaXN0ZW50LA0KPiA+ID4gPiBzbyB0aGUga2V5IGlzDQo+ID4gPiA+ICthdmFp bGFibGUgYWZ0ZXIgcmVib290LiBUaGlzIGNhbiBiZSBkb25lIHVzaW5nIHRoZSBmb2xsb3dpbmcN Cj4gPiA+ID4gY29tbWFuZHMuDQo+ID4gPiA+ICsNCj4gPiA+ID4gK1dpdGggdGhlIElCTSBUU1Mg MiBzdGFjazo6DQo+ID4gPiA+ICsNCj4gPiA+ID4gKyAgIz4gdHNzY3JlYXRlcHJpbWFyeSAtaGkg byAtc3QNCj4gPiA+ID4gKyAgSGFuZGxlIDgwMDAwMDAwDQo+ID4gPiA+ICsgICM+IHRzc2V2aWN0 Y29udHJvbCAtaGkgbyAtaG8gODAwMDAwMDAgLWhwIDgxMDAwMDAxDQo+ID4gPiA+ICsNCj4gPiA+ ID4gK09yIHdpdGggdGhlIEludGVsIFRTUyAyIHN0YWNrOjoNCj4gPiA+ID4gKw0KPiA+ID4gPiAr ICAjPiB0cG0yX2NyZWF0ZXByaW1hcnkgLS1oaWVyYXJjaHkgbyAtRyByc2EyMDQ4IC1vIGtleS5j dHh0DQo+ID4gPiA+ICsgWy4uLl0NCj4gPiA+ID4gKyAgaGFuZGxlOiAweDgwMDAwMEZGDQo+ID4g PiA+ICsgICM+IHRwbTJfZXZpY3Rjb250cm9sIC1jIGtleS5jdHh0IC1wIDB4ODEwMDAwMDENCj4g PiA+ID4gKyAgcGVyc2lzdGVudEhhbmRsZTogMHg4MTAwMDAwMQ0KPiA+ID4gPiArDQo+ID4gPg0K PiA+ID4gSXMgdGhhdCB0aGUgY29ycmVjdCBvcHRpb24gZm9yIHRwbTJfZXZpY3Rjb250cm9sPyBX aGF0IEknbSBzZWVpbmcgaW4NCj4gPiA+IHRoZSB2ZXJzaW9ucyBJIGhhdmUgaXMgLVMgb3IgLXBl cnNpc3RlbnQ9IGZvciBzcGVjaWZ5aW5nIHRoZQ0KPiA+ID4gcGVyc2lzdGVudCBoYW5kbGUuDQo+ ID4gPg0KPiA+ID4gT3RoZXIgdGhhbiB0aGF0IGxvb2tzIGdvb2QgdG8gbWUuDQo+ID4NCj4gPiBX aWxsaWFtLCBpcyB0aGUgYWJvdmUgY29ycmVjdD8NCj4gDQo+IFdlJ3JlIGNoYW5naW5nIHNvbWUg b2YgdGhlIG9wdGlvbnMgaW4gbWFzdGVyIGFoZWFkIG9mIG91ciBuZXh0IG1ham9yIHJlbGVhc2Us DQo+IHRoZSAtcC8tLXBlcnNpc3RlbnQgb3B0aW9uIGlzIGNvcnJlY3QgZm9yIHRoYXQgYnJhbmNo IGFuZCB0aGUgZXZlbnR1YWwgNC5YIHNlcmllcy4NCg0KTEdUTS4NCg0KQWxzbyBpZiB5b3Ugc3Bl Y2lmeSAtLWhlbHA9bm8tbWFuIGl0IHdpbGwgZHVtcCBhIHNob3J0IHN1bW1hcnkgdG8gc3Rkb3V0 IChtYXN0ZXIgb25seSkgd2hpY2ggaXMgdXNlZnVsLg0KDQo+IA0KPiBSZWdhcmRzLA0KPiBKb3No dWENCj4gDQo+ID4gPg0KPiA+ID4gPiBVc2FnZTo6DQo+ID4gPiA+DQo+ID4gPiA+ICAgIGtleWN0 bCBhZGQgdHJ1c3RlZCBuYW1lICJuZXcga2V5bGVuIFtvcHRpb25zXSIgcmluZyBAQCAtMzAsNw0K PiA+ID4gPiArNTMsOSBAQCBVc2FnZTo6DQo+ID4gPiA+ICAgIGtleWN0bCBwcmludCBrZXlpZA0K PiA+ID4gPg0KPiA+ID4gPiAgICBvcHRpb25zOg0KPiA+ID4gPiAtICAgICAgIGtleWhhbmRsZT0g ICAgYXNjaWkgaGV4IHZhbHVlIG9mIHNlYWxpbmcga2V5IGRlZmF1bHQNCj4gPiA+ID4gMHg0MDAw MDAwMCAoU1JLKQ0KPiA+ID4gPiArICAgICAgIGtleWhhbmRsZT0gICAgYXNjaWkgaGV4IHZhbHVl IG9mIHNlYWxpbmcga2V5DQo+ID4gPiA+ICsgICAgICAgICAgICAgICAgICAgICAgIFRQTSAxLjI6 IGRlZmF1bHQgMHg0MDAwMDAwMCAoU1JLKQ0KPiA+ID4gPiArICAgICAgICAgICAgICAgICAgICAg ICBUUE0gMi4wOiBubyBkZWZhdWx0OyBtdXN0IGJlIHBhc3NlZCBldmVyeQ0KPiA+ID4gPiB0aW1l DQo+ID4gPiA+ICAgICAgIGtleWF1dGg9CSAgICAgYXNjaWkgaGV4IGF1dGggZm9yIHNlYWxpbmcg a2V5IGRlZmF1bHQNCj4gPiA+ID4gMHgwMC4uLmkNCj4gPiA+ID4gICAgICAgICAgICAgICAgICAg ICAoNDAgYXNjaWkgemVyb3MpDQo+ID4gPiA+ICAgICAgIGJsb2JhdXRoPSAgICAgYXNjaWkgaGV4 IGF1dGggZm9yIHNlYWxlZCBkYXRhIGRlZmF1bHQNCj4gPiA+ID4gMHgwMC4uLg0KPiA+ID4gPiBA QCAtODQsNiArMTA5LDEwIEBAIEV4YW1wbGVzIG9mIHRydXN0ZWQgYW5kIGVuY3J5cHRlZCBrZXkg dXNhZ2U6DQo+ID4gPiA+DQo+ID4gPiA+IENyZWF0ZSBhbmQgc2F2ZSBhIHRydXN0ZWQga2V5IG5h bWVkICJrbWsiIG9mIGxlbmd0aCAzMiBieXRlczo6DQo+ID4gPiA+DQo+ID4gPiA+ICtOb3RlOiBX aGVuIHVzaW5nIGEgVFBNIDIuMCB3aXRoIGEgcGVyc2lzdGVudCBrZXkgd2l0aCBoYW5kbGUNCj4g PiA+ID4gMHg4MTAwMDAwMSwNCj4gPiA+ID4gK2FwcGVuZCAna2V5aGFuZGxlPTB4ODEwMDAwMDEn IHRvIHN0YXRlbWVudHMgYmV0d2VlbiBxdW90ZXMsIHN1Y2gNCj4gPiA+ID4gYXMNCj4gPiA+ID4g KyJuZXcgMzIga2V5aGFuZGxlPTB4ODEwMDAwMDEiLg0KPiA+ID4gPiArDQo+ID4gPiA+ICAgICQg a2V5Y3RsIGFkZCB0cnVzdGVkIGttayAibmV3IDMyIiBAdQ0KPiA+ID4gPiAgICA0NDA1MDI4NDgN Cj4gPiA+ID4NCj4gPiA+ID4gLS0NCj4gPiA+ID4gMi4xNy4yDQo+ID4gPiA+DQoNCg=
WARNING: multiple messages have this Message-ID (diff)
From: "Roberts, William C" <william.c.roberts@intel.com> To: Joshua Lock <joshua.g.lock@linux.intel.com>, Jerry Snitselaar <jsnitsel@redhat.com>, Stefan Berger <stefanb@linux.ibm.com>, "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>, "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>, "zohar@linux.ibm.com" <zohar@linux.ibm.com>, "jejb@linux.ibm.com" <jejb@linux.ibm.com>, "Alexander.Levin@microsoft.com" <Alexander.Levin@microsoft.com>, "jmorris@namei.org" <jmorris@namei.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Date: Wed, 7 Nov 2018 00:53:30 +0000 [thread overview] Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649C7AF69@ORSMSX101.amr.corp.intel.com> (raw) In-Reply-To: <6c4576c012fca40a08e6db394b4c3620a2879aa8.camel@linux.intel.com> > -----Original Message----- > From: Joshua Lock [mailto:joshua.g.lock@linux.intel.com] > Sent: Tuesday, November 6, 2018 8:15 AM > To: Jerry Snitselaar <jsnitsel@redhat.com>; Stefan Berger > <stefanb@linux.ibm.com>; keyrings@vger.kernel.org; linux- > integrity@vger.kernel.org; zohar@linux.ibm.com; jejb@linux.ibm.com; > Alexander.Levin@microsoft.com; jmorris@namei.org; linux- > kernel@vger.kernel.org > Cc: Roberts, William C <william.c.roberts@intel.com> > Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0 > > On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote: > > On Mon Nov 05 18, Jerry Snitselaar wrote: > > > On Fri Oct 19 18, Stefan Berger wrote: > > > > Extend the documentation for trusted keys with documentation for > > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0 > > > > as well. > > > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > --- > > > > .../security/keys/trusted-encrypted.rst | 31 > > > > ++++++++++++++++++- > > > > 1 file changed, 30 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst > > > > b/Documentation/security/keys/trusted-encrypted.rst > > > > index 3bb24e09a332..6ec6bb2ac497 100644 > > > > --- a/Documentation/security/keys/trusted-encrypted.rst > > > > +++ b/Documentation/security/keys/trusted-encrypted.rst > > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded > > > > Trusted Key can be updated with new when the kernel and initramfs > > > > are updated. The same key can have many saved blobs under > > > > different PCR values, so multiple boots are easily supported. > > > > > > > > +TPM 1.2 > > > > +------- > > > > + > > > > By default, trusted keys are sealed under the SRK, which has the > > > > default authorization value (20 zeros). This can be set at > > > > takeownership time with the trouser's utility: "tpm_takeownership > > > > -u -z". > > > > > > > > +TPM 2.0 > > > > +------- > > > > + > > > > +The user must first create a storage key and make it persistent, > > > > so the key is > > > > +available after reboot. This can be done using the following > > > > commands. > > > > + > > > > +With the IBM TSS 2 stack:: > > > > + > > > > + #> tsscreateprimary -hi o -st > > > > + Handle 80000000 > > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 > > > > + > > > > +Or with the Intel TSS 2 stack:: > > > > + > > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt > > > > + [...] > > > > + handle: 0x800000FF > > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 > > > > + persistentHandle: 0x81000001 > > > > + > > > > > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in > > > the versions I have is -S or -persistent= for specifying the > > > persistent handle. > > > > > > Other than that looks good to me. > > > > William, is the above correct? > > We're changing some of the options in master ahead of our next major release, > the -p/--persistent option is correct for that branch and the eventual 4.X series. LGTM. Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful. > > Regards, > Joshua > > > > > > > > Usage:: > > > > > > > > keyctl add trusted name "new keylen [options]" ring @@ -30,7 > > > > +53,9 @@ Usage:: > > > > keyctl print keyid > > > > > > > > options: > > > > - keyhandle= ascii hex value of sealing key default > > > > 0x40000000 (SRK) > > > > + keyhandle= ascii hex value of sealing key > > > > + TPM 1.2: default 0x40000000 (SRK) > > > > + TPM 2.0: no default; must be passed every > > > > time > > > > keyauth= ascii hex auth for sealing key default > > > > 0x00...i > > > > (40 ascii zeros) > > > > blobauth= ascii hex auth for sealed data default > > > > 0x00... > > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > > > > > > > Create and save a trusted key named "kmk" of length 32 bytes:: > > > > > > > > +Note: When using a TPM 2.0 with a persistent key with handle > > > > 0x81000001, > > > > +append 'keyhandle=0x81000001' to statements between quotes, such > > > > as > > > > +"new 32 keyhandle=0x81000001". > > > > + > > > > $ keyctl add trusted kmk "new 32" @u > > > > 440502848 > > > > > > > > -- > > > > 2.17.2 > > > >
next prev parent reply other threads:[~2018-11-07 0:53 UTC|newest] Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger 2018-10-19 10:17 ` Stefan Berger 2018-10-19 23:07 ` Randy Dunlap 2018-10-19 23:07 ` Randy Dunlap 2018-11-05 16:57 ` Dan Williams 2018-11-05 16:57 ` Dan Williams 2018-11-05 20:42 ` Jerry Snitselaar 2018-11-05 20:42 ` Jerry Snitselaar 2018-11-06 16:00 ` Jerry Snitselaar 2018-11-06 16:00 ` Jerry Snitselaar 2018-11-06 16:14 ` Joshua Lock 2018-11-07 0:53 ` Roberts, William C [this message] 2018-11-07 0:53 ` Roberts, William C 2018-11-06 16:46 ` Jerry Snitselaar 2018-11-06 16:46 ` Jerry Snitselaar 2018-11-06 18:17 ` Mimi Zohar 2018-11-06 18:17 ` Mimi Zohar 2018-11-30 23:45 ` Jarkko Sakkinen 2018-11-30 23:45 ` Jarkko Sakkinen 2018-11-30 23:46 ` Jarkko Sakkinen 2018-11-30 23:46 ` Jarkko Sakkinen 2018-12-02 15:10 ` Mimi Zohar 2018-12-02 15:10 ` Mimi Zohar 2018-12-02 23:04 ` Jarkko Sakkinen 2018-12-02 23:04 ` Jarkko Sakkinen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=476DC76E7D1DF2438D32BFADF679FC5649C7AF69@ORSMSX101.amr.corp.intel.com \ --to=william.c.roberts@intel.com \ --cc=Alexander.Levin@microsoft.com \ --cc=jejb@linux.ibm.com \ --cc=jmorris@namei.org \ --cc=joshua.g.lock@linux.intel.com \ --cc=jsnitsel@redhat.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=stefanb@linux.ibm.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.