From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: [PATCH v13 0/3] Trusted Key policy for TPM 2.0
Date: Tue, 22 Sep 2020 02:32:15 +0000
Message-ID: <20200922023218.7466-1-James.Bottomley@HansenPartnership.com>
Updated to fix compile problem identified by 0day
Original cover letter:
This is a lockstep patch with the prior trusted key rework patch (so
requires it as a precursor). Now the key format is ASN.1, the policy
statements needed to unseal the key can be coded into the key file
itself, meaning the kernel can now construct and use the policy session
necessary rather than the user having to do it. This makes using TPM
2.0 keys with policy much easier.
The current implementation only has a limited subset of the full TPM
2.0 policy commands, but it is enough to implement keys locked to PCR
values and expiring keys. The main missing feature is support for the
TPM2_PolicyOR statement, which means all current policy has to be AND
chains (key doesn't unlock unless every policy statement succeeds).
James
---
James Bottomley (3):
security: keys: trusted: add PCR policy to TPM2 keys
security: keys: trusted: add ability to specify arbitrary policy
security: keys: trusted: implement counter/timer policy
.../security/keys/trusted-encrypted.rst | 83 +++-
include/keys/trusted-type.h | 5 +-
include/linux/tpm.h | 6 +
security/keys/Kconfig | 2 +
security/keys/trusted-keys/Makefile | 4 +-
security/keys/trusted-keys/tpm2-policy.c | 465 ++++++++++++++++++
security/keys/trusted-keys/tpm2-policy.h | 31 ++
security/keys/trusted-keys/tpm2key.asn1 | 13 +
security/keys/trusted-keys/trusted_tpm1.c | 23 +-
security/keys/trusted-keys/trusted_tpm2.c | 120 ++++-
10 files changed, 736 insertions(+), 16 deletions(-)
create mode 100644 security/keys/trusted-keys/tpm2-policy.c
create mode 100644 security/keys/trusted-keys/tpm2-policy.h
--
2.26.2
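As an added illustration (not code from this series or from the kernel), the following replays the TPM 2.0 policy digest computation for the kind of AND chain the cover letter describes: a TPM2_PolicyPCR statement followed by a TPM2_PolicyCounterTimer statement, each extending the session's policyDigest in order. The TPM_CC, TPM_ALG and TPM_EO constants are from the TPM 2.0 Library specification; the PCR values, the clock offset used in the operand and the helper names are constructed for the example.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library spec (Part 2, Structures).
TPM_CC_POLICYPCR = 0x0000017F
TPM_CC_POLICYCOUNTERTIMER = 0x0000016D
TPM_ALG_SHA256 = 0x000B
TPM_EO_UNSIGNED_LT = 0x0005
DIGEST_LEN = 32


def pcr_selection(pcrs):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank selecting the given PCRs."""
    select = bytearray(3)                      # sizeofSelect = 3 covers PCRs 0..23
    for i in pcrs:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)


def extend_policy_pcr(policy, pcrs, pcr_values):
    """policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    return hashlib.sha256(policy + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(pcrs) + pcr_digest).digest()


def extend_policy_counter_timer(policy, operand_b, offset, operation):
    """policyDigest' = H(policyDigest || TPM_CC_PolicyCounterTimer || H(operandB || offset || operation))."""
    args = hashlib.sha256(operand_b + struct.pack(">HH", offset, operation)).digest()
    return hashlib.sha256(policy + struct.pack(">I", TPM_CC_POLICYCOUNTERTIMER) + args).digest()


def policy_digest(statements, pcr_values):
    """Replay an AND chain: start from the all-zero digest and apply every statement in order.
    Any statement that fails at unseal time breaks the chain, which is why all must succeed."""
    policy = bytes(DIGEST_LEN)
    for kind, *args in statements:
        if kind == "pcr":
            policy = extend_policy_pcr(policy, args[0], pcr_values)
        elif kind == "countertimer":
            policy = extend_policy_counter_timer(policy, *args)
        else:
            raise ValueError(f"unsupported policy statement: {kind}")
    return policy


# Constructed sample: key locked to PCR 7 and expiring when clockInfo.clock reaches 10^9 ms.
# Offset 8 is assumed to be the clock field within TPMS_TIME_INFO; the PCR value is made up.
SAMPLE_PCRS = {7: hashlib.sha256(b"constructed boot measurement").digest()}
SAMPLE_CHAIN = [("pcr", [7]),
                ("countertimer", struct.pack(">Q", 1_000_000_000), 8, TPM_EO_UNSIGNED_LT)]
```

Running `policy_digest(SAMPLE_CHAIN, SAMPLE_PCRS)` yields the authPolicy the sealed object must carry; changing any PCR value, operand or the statement order produces a different digest, so the unseal session fails to match.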