From: David Woodhouse <dwmw2@infradead.org>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
	openssl-tpm2-engine@groups.io
Cc: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH 0/1] draft RFC for TPM key format
Date: Mon, 24 May 2021 12:48:35 +0100
Message-ID: <e58482aa4ed2dcee7a0f463e3026b1fbfb6b33e5.camel@infradead.org>
In-Reply-To: <960faddc4b5141379d05deff462d9a7a6c4f7c2a.camel@infradead.org>


On Mon, 2021-05-24 at 08:36 +0100, David Woodhouse wrote:
> On Sat, 2021-05-22 at 11:15 -0700, James Bottomley wrote:
> >    If a permanent handle (MSO 0x40) is specified then the implementation
> >    MUST run TPM2_CreatePrimary on the handle using the TCG specified
> >    Elliptic Curve template for the NIST P-256 curve and use the primary
> >    key so generated as the parent.
> 
> Looks good in general; can we be more explicit here about the template,
> with a specific reference to where it's found?
> 
> This is where we found incompatibilities between the implementations
> because things like NODA led to a different generated key, isn't it?

Looking for this in the TPM specs so I could heckle more usefully in
'diff -up' form, I don't actually find it. I *do* find wording such as
(§23.7 of the Architecture spec) "A Primary Object may have fixedParent
SET or CLEAR".

Which doesn't really help, since in our case the derived object really
MUST have all of TPMA_OBJECT_NODA, TPMA_OBJECT_FIXEDTPM,
TPMA_OBJECT_FIXEDPARENT etc., otherwise it won't match between
implementations. When we reconciled the tpm2-tss-engine with yours, I
recall that we added NODA, and FIXEDTPM|FIXEDPARENT to them
respectively to make them match.

Is the template we use actually spelled out somewhere in the TPM specs
that I'm missing, or do we need to make it explicit in your draft?
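As an added illustration of the interoperability point raised above (this is editor-supplied example code, not from the thread or from either engine), the block below marshals the TPMT_PUBLIC of an ECC NIST P-256 primary template with a given TPMA_OBJECT set and reports which attributes two implementations' templates disagree on. The page names only NODA, FIXEDTPM and FIXEDPARENT as required; the remaining attributes in the reference set (SENSITIVEDATAORIGIN, USERWITHAUTH, RESTRICTED, DECRYPT) and the AES-128-CFB symmetric parameter are assumptions about a typical storage-parent template, not values taken from the draft.

```python
import struct

# TPMA_OBJECT bit positions (TPM 2.0 Library, Part 2: Structures).
TPMA_OBJECT = {
    "FIXEDTPM": 1 << 1, "STCLEAR": 1 << 2, "FIXEDPARENT": 1 << 4,
    "SENSITIVEDATAORIGIN": 1 << 5, "USERWITHAUTH": 1 << 6,
    "ADMINWITHPOLICY": 1 << 7, "NODA": 1 << 10,
    "ENCRYPTEDDUPLICATION": 1 << 11, "RESTRICTED": 1 << 16,
    "DECRYPT": 1 << 17, "SIGN_ENCRYPT": 1 << 18,
}
# The three attributes the thread says every implementation must set.
REQUIRED = {"NODA", "FIXEDTPM", "FIXEDPARENT"}
# Assumed full attribute set of the reference storage-parent template.
REFERENCE = REQUIRED | {"SENSITIVEDATAORIGIN", "USERWITHAUTH",
                        "RESTRICTED", "DECRYPT"}

def attr_word(names):
    """Fold a set of attribute names into the 32-bit TPMA_OBJECT value."""
    word = 0
    for name in names:
        word |= TPMA_OBJECT[name]
    return word

def attr_names(word):
    """Decode a TPMA_OBJECT value back into the set of attribute names."""
    return {name for name, bit in TPMA_OBJECT.items() if word & bit}

def missing_required(names):
    """Attributes the thread requires that this template does not set."""
    return REQUIRED - set(names)

def template_diff(a, b):
    """(only_in_a, only_in_b): the attributes on which two templates disagree."""
    return (set(a) - set(b), set(b) - set(a))

def marshal_ecc_p256_template(names):
    """Big-endian TPMT_PUBLIC for an ECC P-256 parent with the given attributes."""
    return b"".join([
        struct.pack(">H", 0x0023),                  # type     = TPM_ALG_ECC
        struct.pack(">H", 0x000B),                  # nameAlg  = TPM_ALG_SHA256
        struct.pack(">I", attr_word(names)),        # objectAttributes
        struct.pack(">H", 0),                       # authPolicy: empty TPM2B
        struct.pack(">HHH", 0x0006, 128, 0x0043),   # symmetric: AES-128-CFB (assumed)
        struct.pack(">H", 0x0010),                  # scheme   = TPM_ALG_NULL
        struct.pack(">H", 0x0003),                  # curveID  = TPM_ECC_NIST_P256
        struct.pack(">H", 0x0010),                  # kdf      = TPM_ALG_NULL
        struct.pack(">HH", 0, 0),                   # unique: empty x and y
    ])
```

Because the marshalled TPMT_PUBLIC is what TPM2_CreatePrimary derives the key from, any attribute that differs between two engines yields a different primary, which is why the diff reports names rather than just a mismatch.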
