From: "Zhao, Shirley" <shirley.zhao@intel.com>
To: James Bottomley <jejb@linux.ibm.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"'Mauro Carvalho Chehab'" <mchehab+samsung@kernel.org>,
	"Zhu, Bing" <bing.zhu@intel.com>,
	"Chen, Luhai" <luhai.chen@intel.com>
Subject: RE: One question about trusted key of keyring in Linux kernel.
Date: Mon, 2 Dec 2019 01:44:00 +0000
Message-ID: <A888B25CD99C1141B7C254171A953E8E4909BA3B@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1575057916.6220.7.camel@linux.ibm.com>

Hi, James,

The value of PCR7 is not changed. I have checked it with the TPM command tpm_pcrlist.

So I think the problem is how to use the options policydigest and policyhandle. Is there any example?
Maybe the format in my command is not correct.

Thanks. 

- Shirley 

-----Original Message-----
From: James Bottomley <jejb@linux.ibm.com> 
Sent: Saturday, November 30, 2019 4:05 AM
To: Zhao, Shirley <shirley.zhao@intel.com>; Mimi Zohar <zohar@linux.ibm.com>; Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>; Jonathan Corbet <corbet@lwn.net>
Cc: linux-integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-doc@vger.kernel.org; linux-kernel@vger.kernel.org; 'Mauro Carvalho Chehab' <mchehab+samsung@kernel.org>; Zhu, Bing <bing.zhu@intel.com>; Chen, Luhai <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.

On Fri, 2019-11-29 at 01:40 +0000, Zhao, Shirley wrote:
> Hi, James,
> 
> Maybe the TPM command confused you. 

Well you did seem to be saying we had a problem in the TPM sealed key subsystem.

> The question is: I used the keyctl command to seal a trusted key with a PCR
> policy, but loading it failed after reboot.
> I don't know why loading failed. I used a TPM command to help find
> out; it reports that the policy check failed.

Right, so your question seems to be why after a reboot, the TPM policy no longer works to authorize the key even from user space?  My best guess would be the PCR value you've sealed it to changed over the reboot for some reason.

> So my question is how to load the PCR policy sealed trusted key 
> correctly?

You have to set the sealing release policy to something you know will be invariant across reboots for an unseal to happen reliably.  However, usually you also want the unseal to fail if something you don't like changes, so you set the policy to be something that's invariant unless that happens.  Not really knowing what your conditions are we can't really tell you what your policy should look like.

> How to use policydigest and policyhandle correctly. 

I've no real idea how the tpm2_ commands work, but the tsspolicy commands all have man pages which do a pretty good explanation.  If I infer how your tpm2_ commands seem to be working, I think you're sealing to a pcr7 hash?  pcr7 is the one that's supposed to measure the secure boot path and properties and as such shouldn't change across reboots, so I think your problem becomes finding out why it changed.

James
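The two options Shirley asks about are tied to one computation. For a TPM 2.0 trusted key, policydigest= is the digest of the authorization policy the blob is sealed to, and policyhandle= is the handle of a live policy session that has replayed the same policy (for a PCR policy, one in which TPM2_PolicyPCR has been run against the current PCR values). The TPM only unseals if the session's policyDigest equals the sealed one, so any change to a selected PCR, or reading the PCR from a different bank than the one the policy names, shows up as a policy check failure. The following is an added example, not code from this thread, from the kernel's trusted-keys code or from tpm2-tools; it recomputes the TPM2_PolicyPCR digest from the TPM 2.0 Library specification (Part 3) for a single PCR in the SHA-256 bank, with a constructed PCR 7 value standing in for a real reading:

```python
"""Recompute the TPM 2.0 PolicyPCR digest a trusted key is sealed to.

Added example; not code from the thread or the kernel. Assumes the SHA-256
PCR bank, a 24-PCR (PC client) TPM and the policyDigest construction of
TPM 2.0 Library Part 3, section TPM2_PolicyPCR.
"""
import hashlib

TPM_CC_POLICY_PCR = 0x0000017F  # command code of TPM2_PolicyPCR (TPM 2.0 Part 2)
TPM_ALG_SHA256 = 0x000B         # TPM_ALG_ID of SHA-256
PCR_COUNT = 24                  # PC-client TPMs have 24 PCRs, so pcrSelect is 3 bytes


def marshal_pcr_selection(pcr_indices, alg_id=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION with one bank:
    count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bitmap."""
    bitmap = bytearray(PCR_COUNT // 8)
    for idx in pcr_indices:
        if not 0 <= idx < PCR_COUNT:
            raise ValueError(f"PCR index out of range: {idx}")
        bitmap[idx // 8] |= 1 << (idx % 8)  # bit 0 of byte 0 is PCR 0, so PCR 7 is 0x80
    return ((1).to_bytes(4, "big") + alg_id.to_bytes(2, "big")
            + bytes([len(bitmap)]) + bytes(bitmap))


def pcr_extend(pcr_value, digest):
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). The caller has already
    hashed the measured event; the TPM only folds the digest into the PCR."""
    return hashlib.sha256(pcr_value + digest).digest()


def policy_pcr_digest(pcr_values_by_index, alg_id=TPM_ALG_SHA256):
    """policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest).

    A fresh (trial) policy session starts from an all-zero policyDigest and this
    is the only policy command, so the result is the value the key is sealed to,
    i.e. the hex string given as policydigest= to keyctl add trusted."""
    if not pcr_values_by_index:
        raise ValueError("at least one PCR must be selected")
    indices = sorted(pcr_values_by_index)
    pcrs = marshal_pcr_selection(indices, alg_id)
    # pcrDigest: hash of the selected PCR values concatenated in ascending index order
    pcr_digest = hashlib.sha256(b"".join(pcr_values_by_index[i] for i in indices)).digest()
    policy_old = bytes(hashlib.sha256().digest_size)
    return hashlib.sha256(policy_old + TPM_CC_POLICY_PCR.to_bytes(4, "big")
                          + pcrs + pcr_digest).digest()


def unseal_would_pass(sealed_policy_digest, current_pcr_values_by_index):
    """Model the check TPM2_Unseal performs: the policy session has replayed
    TPM2_PolicyPCR over the *current* PCR values, and unsealing succeeds only if
    that digest equals the one the object was sealed with."""
    return policy_pcr_digest(current_pcr_values_by_index) == sealed_policy_digest


# Constructed sample: a pretend PCR 7 value at sealing time (not a real reading).
SAMPLE_PCR7 = hashlib.sha256(b"constructed PCR7 at seal time").digest()
SEALED_DIGEST = policy_pcr_digest({7: SAMPLE_PCR7})


def demo():
    """Return (policydigest hex, unseal ok with unchanged PCR7, unseal ok after one more extend)."""
    unchanged = unseal_would_pass(SEALED_DIGEST, {7: SAMPLE_PCR7})
    one_more_event = pcr_extend(SAMPLE_PCR7, hashlib.sha256(b"extra boot event").digest())
    extended = unseal_would_pass(SEALED_DIGEST, {7: one_more_event})
    return SEALED_DIGEST.hex(), unchanged, extended


if __name__ == "__main__":
    digest_hex, ok_same, ok_extended = demo()
    print("policydigest=" + digest_hex)
    print("unseal with unchanged PCR7:", ok_same)
    print("unseal after one more extend into PCR7:", ok_extended)
```

Two practical checks follow from this. First, the digest depends on the bank named in the selection, so a key sealed against the SHA-256 PCR 7 value cannot be unsealed by a session whose TPM2_PolicyPCR selected the SHA-1 bank, even though both "PCR 7" readings are unchanged. Second, when a policy digest computed this way from the current PCR values matches what the sealing tool produced, the sealed policy is not the problem and the next thing to examine is whether the session behind policyhandle= actually ran TPM2_PolicyPCR for the same bank and PCR before the key was loaded.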

