* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
@ 2018-10-19 23:07 ` Randy Dunlap
2018-11-05 16:57 ` Dan Williams
` (2 subsequent siblings)
3 siblings, 0 replies; 13+ messages in thread
From: Randy Dunlap @ 2018-10-19 23:07 UTC (permalink / raw)
To: Stefan Berger, keyrings, linux-integrity
Cc: zohar, jejb, Alexander.Levin, jsnitsel, jmorris, linux-kernel
Hi,
Feel free to ignore my comments. I don't know anything about TPM.
On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
> +TPM 1.2
> +-------
> +
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
It appears to be TrouSerS or maybe just trousers (no ').
BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/
>
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> + #> tsscreateprimary -hi o -st
> + Handle 80000000
> + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> + [...]
> + handle: 0x800000FF
Is that handle value important? It doesn't seem to be used later...
> + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> + persistentHandle: 0x81000001
> +
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
> - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> + keyhandle= ascii hex value of sealing key
s/ascii/ASCII/g
> + TPM 1.2: default 0x40000000 (SRK)
> + TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>
ta.
--
~Randy
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
2018-10-19 23:07 ` Randy Dunlap
@ 2018-11-05 16:57 ` Dan Williams
2018-11-05 20:42 ` Jerry Snitselaar
2018-11-06 16:46 ` Jerry Snitselaar
3 siblings, 0 replies; 13+ messages in thread
From: Dan Williams @ 2018-11-05 16:57 UTC (permalink / raw)
To: stefanb
Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin,
jsnitsel, James Morris, Linux Kernel Mailing List
On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Thanks for the updates:
Acked-by: Dan Williams <dan.j.williams@intel.com>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
2018-10-19 23:07 ` Randy Dunlap
2018-11-05 16:57 ` Dan Williams
@ 2018-11-05 20:42 ` Jerry Snitselaar
2018-11-06 16:00 ` Jerry Snitselaar
2018-11-06 16:46 ` Jerry Snitselaar
3 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-05 20:42 UTC (permalink / raw)
To: Stefan Berger
Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
linux-kernel
On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+
Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.
Other than that looks good to me.
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-05 20:42 ` Jerry Snitselaar
@ 2018-11-06 16:00 ` Jerry Snitselaar
2018-11-06 16:14 ` Joshua Lock
0 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-06 16:00 UTC (permalink / raw)
To: Stefan Berger, keyrings, linux-integrity, zohar, jejb,
Alexander.Levin, jmorris, linux-kernel
Cc: William Roberts
On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>---
>>.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated. The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros). This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+ #> tsscreateprimary -hi o -st
>>+ Handle 80000000
>>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+ [...]
>>+ handle: 0x800000FF
>>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+ persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.
William, is the above correct?
>
>>Usage::
>>
>> keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>> keyctl print keyid
>>
>> options:
>>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>>+ keyhandle= ascii hex value of sealing key
>>+ TPM 1.2: default 0x40000000 (SRK)
>>+ TPM 2.0: no default; must be passed every time
>> keyauth= ascii hex auth for sealing key default 0x00...i
>> (40 ascii zeros)
>> blobauth= ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>> $ keyctl add trusted kmk "new 32" @u
>> 440502848
>>
>>--
>>2.17.2
>>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-06 16:00 ` Jerry Snitselaar
@ 2018-11-06 16:14 ` Joshua Lock
2018-11-07 0:53 ` Roberts, William C
0 siblings, 1 reply; 13+ messages in thread
From: Joshua Lock @ 2018-11-06 16:14 UTC (permalink / raw)
To: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity,
zohar, jejb, Alexander.Levin, jmorris, linux-kernel
Cc: William Roberts
On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> On Mon Nov 05 18, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > > Extend the documentation for trusted keys with documentation for
> > > how to
> > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as
> > > well.
> > >
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > > .../security/keys/trusted-encrypted.rst | 31
> > > ++++++++++++++++++-
> > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > b/Documentation/security/keys/trusted-encrypted.rst
> > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > Trusted Key can be updated with new
> > > when the kernel and initramfs are updated. The same key can have
> > > many saved
> > > blobs under different PCR values, so multiple boots are easily
> > > supported.
> > >
> > > +TPM 1.2
> > > +-------
> > > +
> > > By default, trusted keys are sealed under the SRK, which has the
> > > default
> > > authorization value (20 zeros). This can be set at takeownership
> > > time with the
> > > trouser's utility: "tpm_takeownership -u -z".
> > >
> > > +TPM 2.0
> > > +-------
> > > +
> > > +The user must first create a storage key and make it persistent,
> > > so the key is
> > > +available after reboot. This can be done using the following
> > > commands.
> > > +
> > > +With the IBM TSS 2 stack::
> > > +
> > > + #> tsscreateprimary -hi o -st
> > > + Handle 80000000
> > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > +
> > > +Or with the Intel TSS 2 stack::
> > > +
> > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > + [...]
> > > + handle: 0x800000FF
> > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > + persistentHandle: 0x81000001
> > > +
> >
> > Is that the correct option for tpm2_evictcontrol? What I'm seeing
> > in the versions I have is -S or -persistent= for specifying the
> > persistent handle.
> >
> > Other than that looks good to me.
>
> William, is the above correct?
We're changing some of the options in master ahead of our next major
release, the -p/--persistent option is correct for that branch and the
eventual 4.X series.
Regards,
Joshua
> >
> > > Usage::
> > >
> > > keyctl add trusted name "new keylen [options]" ring
> > > @@ -30,7 +53,9 @@ Usage::
> > > keyctl print keyid
> > >
> > > options:
> > > - keyhandle= ascii hex value of sealing key default
> > > 0x40000000 (SRK)
> > > + keyhandle= ascii hex value of sealing key
> > > + TPM 1.2: default 0x40000000 (SRK)
> > > + TPM 2.0: no default; must be passed every
> > > time
> > > keyauth= ascii hex auth for sealing key default
> > > 0x00...i
> > > (40 ascii zeros)
> > > blobauth= ascii hex auth for sealed data default
> > > 0x00...
> > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > >
> > > Create and save a trusted key named "kmk" of length 32 bytes::
> > >
> > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > 0x81000001,
> > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > as
> > > +"new 32 keyhandle=0x81000001".
> > > +
> > > $ keyctl add trusted kmk "new 32" @u
> > > 440502848
> > >
> > > --
> > > 2.17.2
> > >
^ permalink raw reply [flat|nested] 13+ messages in thread
* RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-06 16:14 ` Joshua Lock
@ 2018-11-07 0:53 ` Roberts, William C
0 siblings, 0 replies; 13+ messages in thread
From: Roberts, William C @ 2018-11-07 0:53 UTC (permalink / raw)
To: Joshua Lock, Jerry Snitselaar, Stefan Berger, keyrings,
linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
linux-kernel
> -----Original Message-----
> From: Joshua Lock [mailto:joshua.g.lock@linux.intel.com]
> Sent: Tuesday, November 6, 2018 8:15 AM
> To: Jerry Snitselaar <jsnitsel@redhat.com>; Stefan Berger
> <stefanb@linux.ibm.com>; keyrings@vger.kernel.org; linux-
> integrity@vger.kernel.org; zohar@linux.ibm.com; jejb@linux.ibm.com;
> Alexander.Levin@microsoft.com; jmorris@namei.org; linux-
> kernel@vger.kernel.org
> Cc: Roberts, William C <william.c.roberts@intel.com>
> Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
>
> On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> > On Mon Nov 05 18, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > Extend the documentation for trusted keys with documentation for
> > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0
> > > > as well.
> > > >
> > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > ---
> > > > .../security/keys/trusted-encrypted.rst | 31
> > > > ++++++++++++++++++-
> > > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > > b/Documentation/security/keys/trusted-encrypted.rst
> > > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > > Trusted Key can be updated with new when the kernel and initramfs
> > > > are updated. The same key can have many saved blobs under
> > > > different PCR values, so multiple boots are easily supported.
> > > >
> > > > +TPM 1.2
> > > > +-------
> > > > +
> > > > By default, trusted keys are sealed under the SRK, which has the
> > > > default authorization value (20 zeros). This can be set at
> > > > takeownership time with the trouser's utility: "tpm_takeownership
> > > > -u -z".
> > > >
> > > > +TPM 2.0
> > > > +-------
> > > > +
> > > > +The user must first create a storage key and make it persistent,
> > > > so the key is
> > > > +available after reboot. This can be done using the following
> > > > commands.
> > > > +
> > > > +With the IBM TSS 2 stack::
> > > > +
> > > > + #> tsscreateprimary -hi o -st
> > > > + Handle 80000000
> > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > > +
> > > > +Or with the Intel TSS 2 stack::
> > > > +
> > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > > + [...]
> > > > + handle: 0x800000FF
> > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > > + persistentHandle: 0x81000001
> > > > +
> > >
> > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in
> > > the versions I have is -S or -persistent= for specifying the
> > > persistent handle.
> > >
> > > Other than that looks good to me.
> >
> > William, is the above correct?
>
> We're changing some of the options in master ahead of our next major release,
> the -p/--persistent option is correct for that branch and the eventual 4.X series.
LGTM.
Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful.
>
> Regards,
> Joshua
>
> > >
> > > > Usage::
> > > >
> > > > keyctl add trusted name "new keylen [options]" ring @@ -30,7
> > > > +53,9 @@ Usage::
> > > > keyctl print keyid
> > > >
> > > > options:
> > > > - keyhandle= ascii hex value of sealing key default
> > > > 0x40000000 (SRK)
> > > > + keyhandle= ascii hex value of sealing key
> > > > + TPM 1.2: default 0x40000000 (SRK)
> > > > + TPM 2.0: no default; must be passed every
> > > > time
> > > > keyauth= ascii hex auth for sealing key default
> > > > 0x00...i
> > > > (40 ascii zeros)
> > > > blobauth= ascii hex auth for sealed data default
> > > > 0x00...
> > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > >
> > > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > >
> > > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > > 0x81000001,
> > > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > > as
> > > > +"new 32 keyhandle=0x81000001".
> > > > +
> > > > $ keyctl add trusted kmk "new 32" @u
> > > > 440502848
> > > >
> > > > --
> > > > 2.17.2
> > > >
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-10-19 10:17 [PATCH] docs: Extend trusted keys documentation for TPM 2.0 Stefan Berger
` (2 preceding siblings ...)
2018-11-05 20:42 ` Jerry Snitselaar
@ 2018-11-06 16:46 ` Jerry Snitselaar
2018-11-06 18:17 ` Mimi Zohar
3 siblings, 1 reply; 13+ messages in thread
From: Jerry Snitselaar @ 2018-11-06 16:46 UTC (permalink / raw)
To: Stefan Berger
Cc: keyrings, linux-integrity, zohar, jejb, Alexander.Levin, jmorris,
linux-kernel
On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-06 16:46 ` Jerry Snitselaar
@ 2018-11-06 18:17 ` Mimi Zohar
2018-11-30 23:45 ` Jarkko Sakkinen
0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2018-11-06 18:17 UTC (permalink / raw)
To: Jerry Snitselaar, Stefan Berger; +Cc: keyrings, linux-integrity, linux-kernel
On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
Thanks! This patch is now staged in the #next-integrity-queued
branch.
Mimi
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-06 18:17 ` Mimi Zohar
@ 2018-11-30 23:45 ` Jarkko Sakkinen
2018-11-30 23:46 ` Jarkko Sakkinen
0 siblings, 1 reply; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-11-30 23:45 UTC (permalink / raw)
To: Mimi Zohar
Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel
On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
>
> Thanks! This patch is now staged in the #next-integrity-queued
> branch.
>
> Mimi
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
/Jarkko
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-30 23:45 ` Jarkko Sakkinen
@ 2018-11-30 23:46 ` Jarkko Sakkinen
2018-12-02 15:10 ` Mimi Zohar
0 siblings, 1 reply; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-11-30 23:46 UTC (permalink / raw)
To: Mimi Zohar
Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel
On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > >
> > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> >
> > Thanks! This patch is now staged in the #next-integrity-queued
> > branch.
> >
> > Mimi
>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Brings to mind, in the long run where the backend code for trusted keys
should reside.
/Jarkko
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-11-30 23:46 ` Jarkko Sakkinen
@ 2018-12-02 15:10 ` Mimi Zohar
2018-12-02 23:04 ` Jarkko Sakkinen
0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2018-12-02 15:10 UTC (permalink / raw)
To: Jarkko Sakkinen, James Bottomley
Cc: Jerry Snitselaar, Stefan Berger, keyrings, linux-integrity, linux-kernel
On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > >
> > > > Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > >
> > > Thanks! This patch is now staged in the #next-integrity-queued
> > > branch.
> > >
> > > Mimi
> >
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
>
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.
Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?
I'm not sure there needs to be a separate encrypted-keys pull request.
Either they can be upstreamed via the TPM or the integrity subsystem
for now.
Mimi
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
2018-12-02 15:10 ` Mimi Zohar
@ 2018-12-02 23:04 ` Jarkko Sakkinen
0 siblings, 0 replies; 13+ messages in thread
From: Jarkko Sakkinen @ 2018-12-02 23:04 UTC (permalink / raw)
To: Mimi Zohar
Cc: James Bottomley, Jerry Snitselaar, Stefan Berger, keyrings,
linux-integrity, linux-kernel
On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
>
> I'm not sure there needs to be a separate encrypted-keys pull request.
> Either they can be upstreamed via the TPM or the integrity subsystem
> for now.
Nothing that ought to be rushed.
I'm speaking about this situation:
1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.
We are doing effort to make TPM subsystem more friendly to send custom
commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean
ups for TPM 1.x code) so I'm more dilated to the 2nd option.
/Jarkko
^ permalink raw reply [flat|nested] 13+ messages in thread