linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Zhao, Shirley" <shirley.zhao@intel.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jonathan Corbet <corbet@lwn.net>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	'Mauro Carvalho Chehab' <mchehab+samsung@kernel.org>,
	"Zhu, Bing" <bing.zhu@intel.com>,
	"Chen, Luhai" <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
Date: Sat, 30 Nov 2019 01:01:46 +0200	[thread overview]
Message-ID: <20191129230146.GB15726@linux.intel.com> (raw)
In-Reply-To: <1574796456.4793.248.camel@linux.ibm.com>

On Tue, Nov 26, 2019 at 02:27:36PM -0500, Mimi Zohar wrote:
> On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote:
> > Thanks for your feedback, Mimi. 
> > But the document of dracut can't solve my problem. 
> > 
> > I did more test these days and try to descript my question in more detail. 
> > 
> > In my scenario, the trusted key will be sealed into TPM with PCR policy. 
> > And there are some related options in manual like 
> >        hash=         hash algorithm name as a string. For TPM 1.x the only
> >                      allowed value is sha1. For TPM 2.x the allowed values
> >                      are sha1, sha256, sha384, sha512 and sm3-256.
> >        policydigest= digest for the authorization policy. must be calculated
> >                      with the same hash algorithm as specified by the 'hash='
> >                      option.
> >        policyhandle= handle to an authorization policy session that defines the
> >                      same policy and with the same hash algorithm as was used to
> >                      seal the key. 
> > 
> > Here is my test step. 
> > Firstly, the pcr policy is generated as below: 
> > $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy
> > 
> > Pcr7.policy is the ascii hex of policy:
> > $ cat pcr7.policy
> > 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
> > 
> > Then generate the trusted key and configure policydigest and get the key ID: 
> > $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr7.policy`" @u
> > 874117045
> > 
> > Save the trusted key. 
> > $ keyctl pipe 874117045 > kmk.blob
> > 
> > Reboot and load the key. 
> > Start a auth session to generate the policy:
> > $ tpm2_startauthsession -S session.ctx
> > session-handle: 0x3000000
> > $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256
> > $ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
> > policy-digest: 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9
> > 
> > Input the policy handle to load trusted key:
> > $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 policyhandle=0x3000000" @u
> > add_key: Operation not permitted
> > 
> > The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed. 
> > $ tpm2_unseal -c 0x81000001 -L sha256:7
> > ERROR on line: "81" in file: "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check failed
> > ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
> > ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run tpm2_unseal
> > 
> > So my question is:
> > 1. How to use the option, policydigest, policyhandle?? Is there any example? 
> > 2. What's wrong with my test step? 
> 
> When reporting a problem please state which kernel is experiencing
> this problem.  Recently there was a trusted key regression.  Refer to
> commit e13cd21ffd50 "tpm: Wrap the buffer from the caller to tpm_buf
> in tpm_send()" for the details.
> 
> Before delving into this particular problem, first please make sure
> you are able to create, save, remove, and then reload a trusted key
> not sealed to a PCR.

Please re-test with rc1 when available.

/Jarkko

  parent reply	other threads:[~2019-11-29 23:01 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <A888B25CD99C1141B7C254171A953E8E49094313@shsmsx102.ccr.corp.intel.com>
2019-11-13 15:46 ` One question about trusted key of keyring in Linux kernel Mimi Zohar
2019-11-26  7:32   ` Zhao, Shirley
2019-11-26 19:27     ` Mimi Zohar
2019-11-27  2:46       ` Zhao, Shirley
2019-11-27 15:39         ` Mimi Zohar
2019-11-29  1:54           ` Zhao, Shirley
2019-11-29 23:01       ` Jarkko Sakkinen [this message]
2019-12-02  1:45         ` Zhao, Shirley
2019-12-06 21:20           ` Jarkko Sakkinen
2019-11-27 18:06     ` James Bottomley
2019-11-29  1:40       ` Zhao, Shirley
2019-11-29 20:05         ` James Bottomley
2019-12-02  1:44           ` Zhao, Shirley
2019-12-02  4:17             ` James Bottomley
2019-12-02  5:55               ` Zhao, Shirley
2019-12-02  6:17                 ` James Bottomley
2019-12-02  6:23                   ` Zhao, Shirley
2019-12-02  6:44                     ` James Bottomley
2019-12-02  6:50                       ` Zhao, Shirley
2019-12-02 18:55                         ` James Bottomley
2019-12-03  2:11                           ` Zhao, Shirley
2019-12-03  3:12                             ` James Bottomley
2019-12-04  3:01                               ` Zhao, Shirley
2019-12-04  3:33                                 ` James Bottomley
2019-12-04  6:39                                   ` Zhao, Shirley
2019-12-09 19:47                           ` Jarkko Sakkinen
2019-12-09 20:31                             ` James Bottomley
2019-12-11 17:23                               ` Jarkko Sakkinen
2019-12-11 17:33                                 ` Jarkko Sakkinen
2019-12-11 17:53                                   ` Jarkko Sakkinen
2019-12-09 21:18                             ` Mimi Zohar
2019-12-11 17:12                               ` Jarkko Sakkinen
2019-11-14 17:01 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191129230146.GB15726@linux.intel.com \
    --to=jarkko.sakkinen@linux.intel.com \
    --cc=bing.zhu@intel.com \
    --cc=corbet@lwn.net \
    --cc=jejb@linux.ibm.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luhai.chen@intel.com \
    --cc=mchehab+samsung@kernel.org \
    --cc=shirley.zhao@intel.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).