linux-kernel.vger.kernel.org archive mirror
* [PATCH] docs: Extend trusted keys documentation for TPM 2.0
@ 2018-10-19 10:17 Stefan Berger
  2018-10-19 23:07 ` Randy Dunlap
                   ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Stefan Berger @ 2018-10-19 10:17 UTC (permalink / raw)
  To: keyrings, linux-integrity
  Cc: zohar, jejb, Alexander.Levin, jsnitsel, jmorris, linux-kernel,
	Stefan Berger

Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
 when the kernel and initramfs are updated.  The same key can have many saved
 blobs under different PCR values, so multiple boots are easily supported.
 
+TPM 1.2
+-------
+
 By default, trusted keys are sealed under the SRK, which has the default
 authorization value (20 zeros).  This can be set at takeownership time with the
 trouser's utility: "tpm_takeownership -u -z".
 
+TPM 2.0
+-------
+
+The user must first create a storage key and make it persistent, so the key is
+available after reboot. This can be done using the following commands.
+
+With the IBM TSS 2 stack::
+
+  #> tsscreateprimary -hi o -st
+  Handle 80000000
+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
+
+Or with the Intel TSS 2 stack::
+
+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
+  [...]
+  handle: 0x800000FF
+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
+  persistentHandle: 0x81000001
+
 Usage::
 
     keyctl add trusted name "new keylen [options]" ring
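Review bot: in the Intel TSS sequence the transient handle printed by tpm2_createprimary (0x800000FF) is never used afterwards, because tpm2_evictcontrol is given the saved context key.ctxt, whereas in the IBM sequence the printed handle 80000000 is exactly what tssevictcontrol consumes via -ho; either say so or drop the unused output line, so a reader does not look for a step that passes 0x800000FF. It would also help to name the tpm2-tools release whose tpm2_evictcontrol accepts -p for the persistent handle, since the option name differs between releases. Minor: the context line spells the TPM 1.2 tool "trouser's"; the project is TrouSerS.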
@@ -30,7 +53,9 @@ Usage::
     keyctl print keyid
 
     options:
-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
+       keyhandle=    ascii hex value of sealing key
+                       TPM 1.2: default 0x40000000 (SRK)
+                       TPM 2.0: no default; must be passed every time
        keyauth=	     ascii hex auth for sealing key default 0x00...i
                      (40 ascii zeros)
        blobauth=     ascii hex auth for sealed data default 0x00...
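Review bot: "must be passed every time" is ambiguous about which keyctl invocations it covers; the synopsis above shows only the "new keylen [options]" form, so spell out that on TPM 2.0 keyhandle= has to be supplied on every add of a trusted key, including when a previously saved blob is reloaded, if that is the intent. Also, since the keyhandle= line is being rewritten here anyway, capitalise "ascii" as ASCII.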
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
 
 Create and save a trusted key named "kmk" of length 32 bytes::
 
+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
+append 'keyhandle=0x81000001' to statements between quotes, such as
+"new 32 keyhandle=0x81000001".
+
     $ keyctl add trusted kmk "new 32" @u
     440502848
 
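Review bot: the Note paragraph is inserted between the sentence ending in "::" and the indented literal block it introduces; in reStructuredText the literal block must directly follow the "::" paragraph, so this breaks the "Create and save ..." example (docutils reports a missing literal block and renders the keyctl lines as a block quote). Move the Note above the "Create and save a trusted key" sentence or place it after the example. Wording: "statements between quotes" would be clearer as "the quoted argument of keyctl add".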
-- 
2.17.2



* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
@ 2018-10-19 23:07 ` Randy Dunlap
  2018-11-05 16:57 ` Dan Williams
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Randy Dunlap @ 2018-10-19 23:07 UTC (permalink / raw)
  To: Stefan Berger, keyrings, linux-integrity
  Cc: zohar, jejb, Alexander.Levin, jsnitsel, jmorris, linux-kernel

Hi,
Feel free to ignore my comments.  I don't know anything about TPM.

On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>  1 file changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>  when the kernel and initramfs are updated.  The same key can have many saved
>  blobs under different PCR values, so multiple boots are easily supported.
>  
> +TPM 1.2
> +-------
> +
>  By default, trusted keys are sealed under the SRK, which has the default
>  authorization value (20 zeros).  This can be set at takeownership time with the
>  trouser's utility: "tpm_takeownership -u -z".

It appears to be TrouSerS or maybe just trousers (no ').

BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/


>  
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> +  #> tsscreateprimary -hi o -st
> +  Handle 80000000
> +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> +  [...]
> +  handle: 0x800000FF

Is that handle value important?  It doesn't seem to be used later...

> +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> +  persistentHandle: 0x81000001
> +
>  Usage::
>  
>      keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
>      keyctl print keyid
>  
>      options:
> -       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
> +       keyhandle=    ascii hex value of sealing key

s/ascii/ASCII/g

> +                       TPM 1.2: default 0x40000000 (SRK)
> +                       TPM 2.0: no default; must be passed every time
>         keyauth=	     ascii hex auth for sealing key default 0x00...i
>                       (40 ascii zeros)
>         blobauth=     ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>  
>  Create and save a trusted key named "kmk" of length 32 bytes::
>  
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
>      $ keyctl add trusted kmk "new 32" @u
>      440502848
>  
> 

ta.
-- 
~Randy


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
  2018-10-19 23:07 ` Randy Dunlap
@ 2018-11-05 16:57 ` Dan Williams
  2018-11-05 20:42 ` Jerry Snitselaar
  2018-11-06 16:46 ` Jerry Snitselaar
  3 siblings, 0 replies; 13+ messages in thread
From: Dan Williams @ 2018-11-05 16:57 UTC (permalink / raw)
  To: stefanb
  Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin,
	jsnitsel, James Morris, Linux Kernel Mailing List

On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for the updates:

Acked-by: Dan Williams <dan.j.williams@intel.com>


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
  2018-10-19 23:07 ` Randy Dunlap
  2018-11-05 16:57 ` Dan Williams
@ 2018-11-05 20:42 ` Jerry Snitselaar
  2018-11-06 16:00   ` Jerry Snitselaar
  2018-11-06 16:46 ` Jerry Snitselaar
  3 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-05 20:42 UTC (permalink / raw)
  To: Stefan Berger
  Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
	linux-kernel

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+

Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.

Other than that looks good to me.

> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-05 20:42 ` Jerry Snitselaar
@ 2018-11-06 16:00   ` Jerry Snitselaar
  2018-11-06 16:14     ` Joshua Lock
  0 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-06 16:00 UTC (permalink / raw)
  To: Stefan Berger, keyrings, linux-integrity, zohar, jejb,
	Alexander.Levin, jmorris, linux-kernel
  Cc: William Roberts

On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>---
>>.../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated.  The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros).  This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+  #> tsscreateprimary -hi o -st
>>+  Handle 80000000
>>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+  [...]
>>+  handle: 0x800000FF
>>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+  persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.

William, is the above correct?

>
>>Usage::
>>
>>    keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>>    keyctl print keyid
>>
>>    options:
>>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>>+       keyhandle=    ascii hex value of sealing key
>>+                       TPM 1.2: default 0x40000000 (SRK)
>>+                       TPM 2.0: no default; must be passed every time
>>       keyauth=	     ascii hex auth for sealing key default 0x00...i
>>                     (40 ascii zeros)
>>       blobauth=     ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>>    $ keyctl add trusted kmk "new 32" @u
>>    440502848
>>
>>-- 
>>2.17.2
>>


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-06 16:00   ` Jerry Snitselaar
@ 2018-11-06 16:14     ` Joshua Lock
  2018-11-07  0:53       ` Roberts, William C
  0 siblings, 1 reply; 13+ messages in thread
From: Joshua Lock @ 2018-11-06 16:14 UTC (permalink / raw)
  To: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity,
	zohar, jejb, Alexander.Levin, jmorris, linux-kernel
  Cc: William Roberts

On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> On Mon Nov 05 18, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > > Extend the documentation for trusted keys with documentation for
> > > how to
> > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as
> > > well.
> > > 
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > > .../security/keys/trusted-encrypted.rst       | 31
> > > ++++++++++++++++++-
> > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > b/Documentation/security/keys/trusted-encrypted.rst
> > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > @@ -18,10 +18,33 @@ integrity verifications match.  A loaded
> > > Trusted Key can be updated with new
> > > when the kernel and initramfs are updated.  The same key can have
> > > many saved
> > > blobs under different PCR values, so multiple boots are easily
> > > supported.
> > > 
> > > +TPM 1.2
> > > +-------
> > > +
> > > By default, trusted keys are sealed under the SRK, which has the
> > > default
> > > authorization value (20 zeros).  This can be set at takeownership
> > > time with the
> > > trouser's utility: "tpm_takeownership -u -z".
> > > 
> > > +TPM 2.0
> > > +-------
> > > +
> > > +The user must first create a storage key and make it persistent,
> > > so the key is
> > > +available after reboot. This can be done using the following
> > > commands.
> > > +
> > > +With the IBM TSS 2 stack::
> > > +
> > > +  #> tsscreateprimary -hi o -st
> > > +  Handle 80000000
> > > +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > +
> > > +Or with the Intel TSS 2 stack::
> > > +
> > > +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > +  [...]
> > > +  handle: 0x800000FF
> > > +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > +  persistentHandle: 0x81000001
> > > +
> > 
> > Is that the correct option for tpm2_evictcontrol? What I'm seeing
> > in the versions I have is -S or -persistent= for specifying the
> > persistent handle.
> > 
> > Other than that looks good to me.
> 
> William, is the above correct?

We're changing some of the options in master ahead of our next major
release, the -p/--persistent option is correct for that branch and the
eventual 4.X series.

Regards,
Joshua

> > 
> > > Usage::
> > > 
> > >    keyctl add trusted name "new keylen [options]" ring
> > > @@ -30,7 +53,9 @@ Usage::
> > >    keyctl print keyid
> > > 
> > >    options:
> > > -       keyhandle=    ascii hex value of sealing key default
> > > 0x40000000 (SRK)
> > > +       keyhandle=    ascii hex value of sealing key
> > > +                       TPM 1.2: default 0x40000000 (SRK)
> > > +                       TPM 2.0: no default; must be passed every
> > > time
> > >       keyauth=	     ascii hex auth for sealing key default
> > > 0x00...i
> > >                     (40 ascii zeros)
> > >       blobauth=     ascii hex auth for sealed data default
> > > 0x00...
> > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > 
> > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > 
> > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > 0x81000001,
> > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > as
> > > +"new 32 keyhandle=0x81000001".
> > > +
> > >    $ keyctl add trusted kmk "new 32" @u
> > >    440502848
> > > 
> > > -- 
> > > 2.17.2
> > > 



* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
                   ` (2 preceding siblings ...)
  2018-11-05 20:42 ` Jerry Snitselaar
@ 2018-11-06 16:46 ` Jerry Snitselaar
  2018-11-06 18:17   ` Mimi Zohar
  3 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-06 16:46 UTC (permalink / raw)
  To: Stefan Berger
  Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
	linux-kernel

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

>---
> .../security/keys/trusted-encrypted.rst       | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match.  A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated.  The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros).  This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+  #> tsscreateprimary -hi o -st
>+  Handle 80000000
>+  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+  [...]
>+  handle: 0x800000FF
>+  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+  persistentHandle: 0x81000001
>+
> Usage::
>
>     keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
>     keyctl print keyid
>
>     options:
>-       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
>+       keyhandle=    ascii hex value of sealing key
>+                       TPM 1.2: default 0x40000000 (SRK)
>+                       TPM 2.0: no default; must be passed every time
>        keyauth=	     ascii hex auth for sealing key default 0x00...i
>                      (40 ascii zeros)
>        blobauth=     ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
>     $ keyctl add trusted kmk "new 32" @u
>     440502848
>
>-- 
>2.17.2
>


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-06 16:46 ` Jerry Snitselaar
@ 2018-11-06 18:17   ` Mimi Zohar
  2018-11-30 23:45     ` Jarkko Sakkinen
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2018-11-06 18:17 UTC (permalink / raw)
  To: Jerry Snitselaar, Stefan Berger; +Cc: keyrings, linux-integrity, linux-kernel

On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>

Thanks!  This patch is now staged in the #next-integrity-queued
branch.

Mimi



* RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-06 16:14     ` Joshua Lock
@ 2018-11-07  0:53       ` Roberts, William C
  0 siblings, 0 replies; 13+ messages in thread
From: Roberts, William C @ 2018-11-07  0:53 UTC (permalink / raw)
  To: Joshua Lock, Jerry Snitselaar, Stefan Berger, keyrings,
	linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
	linux-kernel



> -----Original Message-----
> From: Joshua Lock [mailto:joshua.g.lock@linux.intel.com]
> Sent: Tuesday, November 6, 2018 8:15 AM
> To: Jerry Snitselaar <jsnitsel@redhat.com>; Stefan Berger
> <stefanb@linux.ibm.com>; keyrings@vger.kernel.org; linux-
> integrity@vger.kernel.org; zohar@linux.ibm.com; jejb@linux.ibm.com;
> Alexander.Levin@microsoft.com; jmorris@namei.org; linux-
> kernel@vger.kernel.org
> Cc: Roberts, William C <william.c.roberts@intel.com>
> Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
> 
> On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> > On Mon Nov 05 18, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > Extend the documentation for trusted keys with documentation for
> > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0
> > > > as well.
> > > >
> > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > ---
> > > > .../security/keys/trusted-encrypted.rst       | 31
> > > > ++++++++++++++++++-
> > > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > > b/Documentation/security/keys/trusted-encrypted.rst
> > > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > > @@ -18,10 +18,33 @@ integrity verifications match.  A loaded
> > > > Trusted Key can be updated with new when the kernel and initramfs
> > > > are updated.  The same key can have many saved blobs under
> > > > different PCR values, so multiple boots are easily supported.
> > > >
> > > > +TPM 1.2
> > > > +-------
> > > > +
> > > > By default, trusted keys are sealed under the SRK, which has the
> > > > default authorization value (20 zeros).  This can be set at
> > > > takeownership time with the trouser's utility: "tpm_takeownership
> > > > -u -z".
> > > >
> > > > +TPM 2.0
> > > > +-------
> > > > +
> > > > +The user must first create a storage key and make it persistent,
> > > > so the key is
> > > > +available after reboot. This can be done using the following
> > > > commands.
> > > > +
> > > > +With the IBM TSS 2 stack::
> > > > +
> > > > +  #> tsscreateprimary -hi o -st
> > > > +  Handle 80000000
> > > > +  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > > +
> > > > +Or with the Intel TSS 2 stack::
> > > > +
> > > > +  #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > > + [...]
> > > > +  handle: 0x800000FF
> > > > +  #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > > +  persistentHandle: 0x81000001
> > > > +
> > >
> > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in
> > > the versions I have is -S or -persistent= for specifying the
> > > persistent handle.
> > >
> > > Other than that looks good to me.
> >
> > William, is the above correct?
> 
> We're changing some of the options in master ahead of our next major release,
> the -p/--persistent option is correct for that branch and the eventual 4.X series.

LGTM.

Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful.

> 
> Regards,
> Joshua
> 
> > >
> > > > Usage::
> > > >
> > > >    keyctl add trusted name "new keylen [options]" ring @@ -30,7
> > > > +53,9 @@ Usage::
> > > >    keyctl print keyid
> > > >
> > > >    options:
> > > > -       keyhandle=    ascii hex value of sealing key default
> > > > 0x40000000 (SRK)
> > > > +       keyhandle=    ascii hex value of sealing key
> > > > +                       TPM 1.2: default 0x40000000 (SRK)
> > > > +                       TPM 2.0: no default; must be passed every
> > > > time
> > > >       keyauth=	     ascii hex auth for sealing key default
> > > > 0x00...i
> > > >                     (40 ascii zeros)
> > > >       blobauth=     ascii hex auth for sealed data default
> > > > 0x00...
> > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > >
> > > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > >
> > > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > > 0x81000001,
> > > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > > as
> > > > +"new 32 keyhandle=0x81000001".
> > > > +
> > > >    $ keyctl add trusted kmk "new 32" @u
> > > >    440502848
> > > >
> > > > --
> > > > 2.17.2
> > > >



* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-06 18:17   ` Mimi Zohar
@ 2018-11-30 23:45     ` Jarkko Sakkinen
  2018-11-30 23:46       ` Jarkko Sakkinen
  0 siblings, 1 reply; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-11-30 23:45 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel

On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> 
> Thanks!  This patch is now staged in the #next-integrity-queued
> branch.
> 
> Mimi

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-30 23:45     ` Jarkko Sakkinen
@ 2018-11-30 23:46       ` Jarkko Sakkinen
  2018-12-02 15:10         ` Mimi Zohar
  0 siblings, 1 reply; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-11-30 23:46 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel

On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > 
> > Thanks!  This patch is now staged in the #next-integrity-queued
> > branch.
> > 
> > Mimi
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Brings to mind the question of where, in the long run, the backend code for
trusted keys should reside.

/Jarkko


* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-11-30 23:46       ` Jarkko Sakkinen
@ 2018-12-02 15:10         ` Mimi Zohar
  2018-12-02 23:04           ` Jarkko Sakkinen
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2018-12-02 15:10 UTC (permalink / raw)
  To: Jarkko Sakkinen, James Bottomley
  Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel

On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > 
> > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > > 
> > > Thanks!  This patch is now staged in the #next-integrity-queued
> > > branch.
> > > 
> > > Mimi
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> 
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.

Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?

I'm not sure there needs to be a separate encrypted-keys pull request.
Either they can be upstreamed via the TPM or the integrity subsystem
for now.

Mimi



* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
  2018-12-02 15:10         ` Mimi Zohar
@ 2018-12-02 23:04           ` Jarkko Sakkinen
  0 siblings, 0 replies; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-12-02 23:04 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: James Bottomley, Jerry Snitselaar, Stefan Berger, keyrings,
	linux-integrity, linux-kernel

On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
> 
> I'm not sure there needs to be a separate encrypted-keys pull request.
>  Either they can be upstreamed via the TPM or the integrity subsystem
> for now.

Nothing that ought to be rushed.

I'm speaking about this situation:

1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.

We are making an effort to make the TPM subsystem more friendly to sending
custom commands from outside (tpm_buf, my unnesting effort in progress, Tomas'
clean-ups for the TPM 1.x code), so I'm more inclined to the 2nd option.

/Jarkko

