From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.0 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_2 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C054C43603 for ; Mon, 9 Dec 2019 19:11:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 447E620692 for ; Mon, 9 Dec 2019 19:11:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="OHyJD2bN"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="ifyUm5fR" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726584AbfLITLi (ORCPT ); Mon, 9 Dec 2019 14:11:38 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:60494 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726562AbfLITLi (ORCPT ); Mon, 9 Dec 2019 14:11:38 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 0146D8EE18E; Mon, 9 Dec 2019 11:11:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1575918698; bh=SeDIzjtoGpLlj036iuJgTTwNKpk3GNf/1SPZkuBFIUk=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=OHyJD2bNs2LYIvwKDZ+VZaFX3SC1inDv++GzVXfvYK1/WTnLlbxzFcTiOQjRJ0TYp lHvyqBCcCOp9BM7OtBa6H0013y4Lv/FqEuQ6JvGFBcW6ZU296Iy5WOEYEkadVr4CSt xACpdoCpL/Vbq/DeyQ/cREraVv4QhNRma3Vc40zk= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kd7VfqiUd6OY; Mon, 9 Dec 2019 11:11:37 -0800 (PST) Received: from jarvis.lan (unknown [50.35.76.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 68D5C8EE0FC; Mon, 9 Dec 2019 11:11:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1575918697; bh=SeDIzjtoGpLlj036iuJgTTwNKpk3GNf/1SPZkuBFIUk=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=ifyUm5fRC/wI8qC0hmkb7gteAjhRbvRhoWQP8oIkk4AP5/ezlGw7n+RPZ6LIru6zn 3ld1x7W9/drcFxGmb0zLnya2aqM0ldNA9uAWO9XtIVAAdQNilTh6kUuWptKRIzVfJJ 4VALtmzeetPbsiD7fC8mWZnpDkzSzWBc5Gpyavmc= Message-ID: <1575918695.31378.18.camel@HansenPartnership.com> Subject: Re: [PATCH 6/8] security: keys: trusted: add PCR policy to TPM2 keys From: James Bottomley To: David Woodhouse , linux-integrity@vger.kernel.org Cc: Mimi Zohar , Jarkko Sakkinen Date: Mon, 09 Dec 2019 11:11:35 -0800 In-Reply-To: <59E96950-5803-4231-88B2-33278357F934@infradead.org> References: <1575781600.14069.8.camel@HansenPartnership.com> <1575781957.14069.16.camel@HansenPartnership.com> <1575914591.31378.11.camel@HansenPartnership.com> <59E96950-5803-4231-88B2-33278357F934@infradead.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Mon, 2019-12-09 at 18:44 +0000, David Woodhouse wrote: > On 9 December 2019 18:03:11 GMT, James Bottomley > wrote: [...] > > > Then in the happy case where it is <128, just go back and fill it > > > in as you currently do. Otherwise append 0x00 0x00 as the end > > > marker. > > > > That doesn't work ... the format of these octet strings is likely > > to have two zeros together, so they *have* to be definite length > > encoded. > > The octet-strings sure, but we know the length of those. It was the > sequence you have that <127 check and bail out for... wasn't it? The interior sequence encloses the octet streams. In theory the standard requires any parser to skip over the interior structures rather than simply chunk down the sequence looking for the two byte zero, but doing definite length allows us not to have to worry about buggy parsers in that case. > > > None of this has to be DER, does it? > > > > None of what? The policy? the DER format is already in use so we > > can't change it. > > What we *output* doesn't need to be DER (mandatory definite length) > and can be BER though, right? I'm not sure. I think the openssl routines that save and load the structure in userspace do BER but I'd rather stick to DER to be on the safe side. Plus, I know of no policy statement that's anywhere near 127 bytes long, so there's no problem with doing the single byte fixed length that DER requires. James