From: "Zhao, Shirley" <shirley.zhao@intel.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"'Mauro Carvalho Chehab'" <mchehab+samsung@kernel.org>,
"Zhu, Bing" <bing.zhu@intel.com>,
"Chen, Luhai" <luhai.chen@intel.com>
Subject: RE: One question about trusted key of keyring in Linux kernel.
Date: Wed, 27 Nov 2019 02:46:44 +0000 [thread overview]
Message-ID: <A888B25CD99C1141B7C254171A953E8E490961E5@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1574796456.4793.248.camel@linux.ibm.com>
Hi, Mimi,
Answer your two questions:
1. Yes, I have verified trusted key works well without PCR policy protection as below:
$ keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u
1055240928
$ keyctl list @u
1 keys in keyring:
1055240928: --alswrv 0 0 trusted: kmk
$ keyctl pipe 1055240928 > kmk.blob
$ cat kmk.blob
007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd0685d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b026e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b000000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde4508f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
$ keyctl clear @u
$ keyctl list @u
keyring is empty
$ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001" @u
1022963731
$ keyctl print 1022963731
007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd0685d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b026e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b000000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde4508f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
2. The following kernel file is related with this problem.
/security/keys/keyctl.c
/security/keys/key.c
/security/keys/trusted-keys/trusted_tpm1.c
/security/keys/trusted-keys/trusted_tpm2.c
To load the PCR policy protection trusted key, the call stack is:
SYSCALL_DEFINE5(add_key,...) --> key_create_or_update() --> __key_instantiate_and_link() --> trusted_instantiate() --> tpm2_unseal_trusted() --> tpm2_unseal_cmd().
Check dmesg, there will be error:
[73336.351596] trusted_key: key_unseal failed (-1)
- Shirley
-----Original Message-----
From: Mimi Zohar <zohar@linux.ibm.com>
Sent: Wednesday, November 27, 2019 3:28 AM
To: Zhao, Shirley <shirley.zhao@intel.com>; James Bottomley <jejb@linux.ibm.com>; Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>; Jonathan Corbet <corbet@lwn.net>
Cc: linux-integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-doc@vger.kernel.org; linux-kernel@vger.kernel.org; 'Mauro Carvalho Chehab' <mchehab+samsung@kernel.org>; Zhu, Bing <bing.zhu@intel.com>; Chen, Luhai <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote:
> Thanks for your feedback, Mimi.
> But the document of dracut can't solve my problem.
>
> I did more test these days and try to descript my question in more detail.
>
> In my scenario, the trusted key will be sealed into TPM with PCR policy.
> And there are some related options in manual like
> hash= hash algorithm name as a string. For TPM 1.x the only
> allowed value is sha1. For TPM 2.x the allowed values
> are sha1, sha256, sha384, sha512 and sm3-256.
> policydigest= digest for the authorization policy. must be calculated
> with the same hash algorithm as specified by the 'hash='
> option.
> policyhandle= handle to an authorization policy session that defines the
> same policy and with the same hash algorithm as was used to
> seal the key.
>
> Here is my test step.
> Firstly, the pcr policy is generated as below:
> $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy
> pcr7_bin.policy > pcr7.policy
>
> Pcr7.policy is the ascii hex of policy:
> $ cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> Then generate the trusted key and configure policydigest and get the key ID:
> $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256
> policydigest=`cat pcr7.policy`" @u
> 874117045
>
> Save the trusted key.
> $ keyctl pipe 874117045 > kmk.blob
>
> Reboot and load the key.
> Start a auth session to generate the policy:
> $ tpm2_startauthsession -S session.ctx
> session-handle: 0x3000000
> $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S
> session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
> policy-digest:
> 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9
>
> Input the policy handle to load trusted key:
> $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001
> policyhandle=0x3000000" @u
> add_key: Operation not permitted
>
> The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed.
> $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in file:
> "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check
> failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
> ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run
> tpm2_unseal
>
> So my question is:
> 1. How to use the option, policydigest, policyhandle?? Is there any example?
> 2. What's wrong with my test step?
When reporting a problem please state which kernel is experiencing this problem. Recently there was a trusted key regression. Refer to commit e13cd21ffd50 "tpm: Wrap the buffer from the caller to tpm_buf in tpm_send()" for the details.
Before delving into this particular problem, first please make sure you are able to create, save, remove, and then reload a trusted key not sealed to a PCR.
Mimi
next prev parent reply other threads:[~2019-11-27 2:46 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <A888B25CD99C1141B7C254171A953E8E49094313@shsmsx102.ccr.corp.intel.com>
2019-11-13 15:46 ` One question about trusted key of keyring in Linux kernel Mimi Zohar
2019-11-26 7:32 ` Zhao, Shirley
2019-11-26 19:27 ` Mimi Zohar
2019-11-27 2:46 ` Zhao, Shirley [this message]
2019-11-27 15:39 ` Mimi Zohar
2019-11-29 1:54 ` Zhao, Shirley
2019-11-29 23:01 ` Jarkko Sakkinen
2019-12-02 1:45 ` Zhao, Shirley
2019-12-06 21:20 ` Jarkko Sakkinen
2019-11-27 18:06 ` James Bottomley
2019-11-29 1:40 ` Zhao, Shirley
2019-11-29 20:05 ` James Bottomley
2019-12-02 1:44 ` Zhao, Shirley
2019-12-02 4:17 ` James Bottomley
2019-12-02 5:55 ` Zhao, Shirley
2019-12-02 6:17 ` James Bottomley
2019-12-02 6:23 ` Zhao, Shirley
2019-12-02 6:44 ` James Bottomley
2019-12-02 6:50 ` Zhao, Shirley
2019-12-02 18:55 ` James Bottomley
2019-12-03 2:11 ` Zhao, Shirley
2019-12-03 3:12 ` James Bottomley
2019-12-04 3:01 ` Zhao, Shirley
2019-12-04 3:33 ` James Bottomley
2019-12-04 6:39 ` Zhao, Shirley
2019-12-09 19:47 ` Jarkko Sakkinen
2019-12-09 20:31 ` James Bottomley
2019-12-11 17:23 ` Jarkko Sakkinen
2019-12-11 17:33 ` Jarkko Sakkinen
2019-12-11 17:53 ` Jarkko Sakkinen
2019-12-09 21:18 ` Mimi Zohar
2019-12-11 17:12 ` Jarkko Sakkinen
2019-11-14 17:01 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=A888B25CD99C1141B7C254171A953E8E490961E5@shsmsx102.ccr.corp.intel.com \
--to=shirley.zhao@intel.com \
--cc=bing.zhu@intel.com \
--cc=corbet@lwn.net \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jejb@linux.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luhai.chen@intel.com \
--cc=mchehab+samsung@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).