* RFC: "Hardened" trusted keys
From: Jarkko Sakkinen @ 2016-08-29 19:05 UTC (permalink / raw)
To: keyrings-u79uwXL29TY76Z2rM5mHXA,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
After LSS2016 I got this idea of having hardened trusted keys for TPM2
where the key material is never exposed to kernel. Child keys of a
hardened trusted key would be unsealed using TPM2_EncryptDecrypt
operation.
To retain backwards compatibility with the existing trusted keys format,
this would probably require a new option to keyctl.
This is not my priority at the moment but just wanted to mirror does
this sound like a crazy idea?
/Jarkko
* Re: RFC: "Hardened" trusted keys
From: Ken Goldman @ 2016-09-13 13:31 UTC (permalink / raw)
To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
On 8/29/2016 3:05 PM, Jarkko Sakkinen wrote:
> After LSS2016 I got this idea of having hardened trusted keys for TPM2
> where the key material is never exposed to kernel. Child keys of a
> hardened trusted key would be unsealed using TPM2_EncryptDecrypt
> operation.
Beware that the TPM2_EncryptDecrypt command is optional. I know of at
least one TPM vendor that does not implement the command due to export
restrictions.
Why not seal to a parent symmetric key and use TPM2_Unseal? Unseal is
just a restricted decryption operation.