2018-10-19 10:19:09

by Stefan Berger

[permalink] [raw]
Subject: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.

Signed-off-by: Stefan Berger <[email protected]>
Reviewed-by: Mimi Zohar <[email protected]>
---
.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
when the kernel and initramfs are updated. The same key can have many saved
blobs under different PCR values, so multiple boots are easily supported.

+TPM 1.2
+-------
+
By default, trusted keys are sealed under the SRK, which has the default
authorization value (20 zeros). This can be set at takeownership time with the
trouser's utility: "tpm_takeownership -u -z".

+TPM 2.0
+-------
+
+The user must first create a storage key and make it persistent, so the key is
+available after reboot. This can be done using the following commands.
+
+With the IBM TSS 2 stack::
+
+ #> tsscreateprimary -hi o -st
+ Handle 80000000
+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
+
+Or with the Intel TSS 2 stack::
+
+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
+ [...]
+ handle: 0x800000FF
+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
+ persistentHandle: 0x81000001
+
Usage::

keyctl add trusted name "new keylen [options]" ring
@@ -30,7 +53,9 @@ Usage::
keyctl print keyid

options:
- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
+ keyhandle= ascii hex value of sealing key
+ TPM 1.2: default 0x40000000 (SRK)
+ TPM 2.0: no default; must be passed every time
keyauth= ascii hex auth for sealing key default 0x00...i
(40 ascii zeros)
blobauth= ascii hex auth for sealed data default 0x00...
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:

Create and save a trusted key named "kmk" of length 32 bytes::

+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
+append 'keyhandle=0x81000001' to statements between quotes, such as
+"new 32 keyhandle=0x81000001".
+
$ keyctl add trusted kmk "new 32" @u
440502848

--
2.17.2



2018-10-19 23:10:03

by Randy Dunlap

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

Hi,
Feel free to ignore my comments. I don't know anything about TPM.

On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <[email protected]>
> Reviewed-by: Mimi Zohar <[email protected]>
> ---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
> +TPM 1.2
> +-------
> +
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".

It appears to be TrouSerS or maybe just trousers (no ').

BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/


>
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> + #> tsscreateprimary -hi o -st
> + Handle 80000000
> + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> + [...]
> + handle: 0x800000FF

Is that handle value important? It doesn't seem to be used later...

> + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> + persistentHandle: 0x81000001
> +
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
> - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> + keyhandle= ascii hex value of sealing key

s/ascii/ASCII/g

> + TPM 1.2: default 0x40000000 (SRK)
> + TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>

ta.
--
~Randy

2018-11-05 16:59:40

by Dan Williams

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <[email protected]> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <[email protected]>
> Reviewed-by: Mimi Zohar <[email protected]>

Thanks for the updates:

Acked-by: Dan Williams <[email protected]>

2018-11-05 20:44:10

by Jerry Snitselaar

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <[email protected]>
>Reviewed-by: Mimi Zohar <[email protected]>
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+

Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.

Other than that looks good to me.

> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>

2018-11-06 16:01:59

by Jerry Snitselaar

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <[email protected]>
>>Reviewed-by: Mimi Zohar <[email protected]>
>>---
>>.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated. The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros). This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+ #> tsscreateprimary -hi o -st
>>+ Handle 80000000
>>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+ [...]
>>+ handle: 0x800000FF
>>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+ persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.

William, is the above correct?

>
>>Usage::
>>
>> keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>> keyctl print keyid
>>
>> options:
>>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>>+ keyhandle= ascii hex value of sealing key
>>+ TPM 1.2: default 0x40000000 (SRK)
>>+ TPM 2.0: no default; must be passed every time
>> keyauth= ascii hex auth for sealing key default 0x00...i
>> (40 ascii zeros)
>> blobauth= ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>> $ keyctl add trusted kmk "new 32" @u
>> 440502848
>>
>>--
>>2.17.2
>>

2018-11-06 18:14:01

by Joshua Lock

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> On Mon Nov 05 18, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > > Extend the documentation for trusted keys with documentation for
> > > how to
> > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as
> > > well.
> > >
> > > Signed-off-by: Stefan Berger <[email protected]>
> > > Reviewed-by: Mimi Zohar <[email protected]>
> > > ---
> > > .../security/keys/trusted-encrypted.rst | 31
> > > ++++++++++++++++++-
> > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > b/Documentation/security/keys/trusted-encrypted.rst
> > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > Trusted Key can be updated with new
> > > when the kernel and initramfs are updated. The same key can have
> > > many saved
> > > blobs under different PCR values, so multiple boots are easily
> > > supported.
> > >
> > > +TPM 1.2
> > > +-------
> > > +
> > > By default, trusted keys are sealed under the SRK, which has the
> > > default
> > > authorization value (20 zeros). This can be set at takeownership
> > > time with the
> > > trouser's utility: "tpm_takeownership -u -z".
> > >
> > > +TPM 2.0
> > > +-------
> > > +
> > > +The user must first create a storage key and make it persistent,
> > > so the key is
> > > +available after reboot. This can be done using the following
> > > commands.
> > > +
> > > +With the IBM TSS 2 stack::
> > > +
> > > + #> tsscreateprimary -hi o -st
> > > + Handle 80000000
> > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > +
> > > +Or with the Intel TSS 2 stack::
> > > +
> > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > + [...]
> > > + handle: 0x800000FF
> > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > + persistentHandle: 0x81000001
> > > +
> >
> > Is that the correct option for tpm2_evictcontrol? What I'm seeing
> > in the versions I have is -S or -persistent= for specifying the
> > persistent handle.
> >
> > Other than that looks good to me.
>
> William, is the above correct?

We're changing some of the options in master ahead of our next major
release, the -p/--persistent option is correct for that branch and the
eventual 4.X series.

Regards,
Joshua

> >
> > > Usage::
> > >
> > > keyctl add trusted name "new keylen [options]" ring
> > > @@ -30,7 +53,9 @@ Usage::
> > > keyctl print keyid
> > >
> > > options:
> > > - keyhandle= ascii hex value of sealing key default
> > > 0x40000000 (SRK)
> > > + keyhandle= ascii hex value of sealing key
> > > + TPM 1.2: default 0x40000000 (SRK)
> > > + TPM 2.0: no default; must be passed every
> > > time
> > > keyauth= ascii hex auth for sealing key default
> > > 0x00...i
> > > (40 ascii zeros)
> > > blobauth= ascii hex auth for sealed data default
> > > 0x00...
> > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > >
> > > Create and save a trusted key named "kmk" of length 32 bytes::
> > >
> > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > 0x81000001,
> > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > as
> > > +"new 32 keyhandle=0x81000001".
> > > +
> > > $ keyctl add trusted kmk "new 32" @u
> > > 440502848
> > >
> > > --
> > > 2.17.2
> > >


2018-11-06 18:16:18

by Jerry Snitselaar

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <[email protected]>
>Reviewed-by: Mimi Zohar <[email protected]>

Acked-by: Jerry Snitselaar <[email protected]>

>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>

2018-11-06 18:40:09

by Mimi Zohar

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <[email protected]>
> >Reviewed-by: Mimi Zohar <[email protected]>
>
> Acked-by: Jerry Snitselaar <[email protected]>

Thanks!  This patch is now staged in the #next-integrity-queued
branch.

Mimi


2018-11-07 00:54:18

by Roberts, William C

[permalink] [raw]
Subject: RE: [PATCH] docs: Extend trusted keys documentation for TPM 2.0



> -----Original Message-----
> From: Joshua Lock [mailto:[email protected]]
> Sent: Tuesday, November 6, 2018 8:15 AM
> To: Jerry Snitselaar <[email protected]>; Stefan Berger
> <[email protected]>; [email protected]; linux-
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; linux-
> [email protected]
> Cc: Roberts, William C <[email protected]>
> Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
>
> On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> > On Mon Nov 05 18, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > Extend the documentation for trusted keys with documentation for
> > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0
> > > > as well.
> > > >
> > > > Signed-off-by: Stefan Berger <[email protected]>
> > > > Reviewed-by: Mimi Zohar <[email protected]>
> > > > ---
> > > > .../security/keys/trusted-encrypted.rst | 31
> > > > ++++++++++++++++++-
> > > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > > b/Documentation/security/keys/trusted-encrypted.rst
> > > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > > Trusted Key can be updated with new when the kernel and initramfs
> > > > are updated. The same key can have many saved blobs under
> > > > different PCR values, so multiple boots are easily supported.
> > > >
> > > > +TPM 1.2
> > > > +-------
> > > > +
> > > > By default, trusted keys are sealed under the SRK, which has the
> > > > default authorization value (20 zeros). This can be set at
> > > > takeownership time with the trouser's utility: "tpm_takeownership
> > > > -u -z".
> > > >
> > > > +TPM 2.0
> > > > +-------
> > > > +
> > > > +The user must first create a storage key and make it persistent,
> > > > so the key is
> > > > +available after reboot. This can be done using the following
> > > > commands.
> > > > +
> > > > +With the IBM TSS 2 stack::
> > > > +
> > > > + #> tsscreateprimary -hi o -st
> > > > + Handle 80000000
> > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > > +
> > > > +Or with the Intel TSS 2 stack::
> > > > +
> > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > > + [...]
> > > > + handle: 0x800000FF
> > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > > + persistentHandle: 0x81000001
> > > > +
> > >
> > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in
> > > the versions I have is -S or -persistent= for specifying the
> > > persistent handle.
> > >
> > > Other than that looks good to me.
> >
> > William, is the above correct?
>
> We're changing some of the options in master ahead of our next major release,
> the -p/--persistent option is correct for that branch and the eventual 4.X series.

LGTM.

Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful.

>
> Regards,
> Joshua
>
> > >
> > > > Usage::
> > > >
> > > > keyctl add trusted name "new keylen [options]" ring @@ -30,7
> > > > +53,9 @@ Usage::
> > > > keyctl print keyid
> > > >
> > > > options:
> > > > - keyhandle= ascii hex value of sealing key default
> > > > 0x40000000 (SRK)
> > > > + keyhandle= ascii hex value of sealing key
> > > > + TPM 1.2: default 0x40000000 (SRK)
> > > > + TPM 2.0: no default; must be passed every
> > > > time
> > > > keyauth= ascii hex auth for sealing key default
> > > > 0x00...i
> > > > (40 ascii zeros)
> > > > blobauth= ascii hex auth for sealed data default
> > > > 0x00...
> > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > >
> > > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > >
> > > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > > 0x81000001,
> > > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > > as
> > > > +"new 32 keyhandle=0x81000001".
> > > > +
> > > > $ keyctl add trusted kmk "new 32" @u
> > > > 440502848
> > > >
> > > > --
> > > > 2.17.2
> > > >

2018-11-30 23:46:10

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <[email protected]>
> > >Reviewed-by: Mimi Zohar <[email protected]>
> >
> > Acked-by: Jerry Snitselaar <[email protected]>
>
> Thanks! ?This patch is now staged in the #next-integrity-queued
> branch.
>
> Mimi

Reviewed-by: Jarkko Sakkinen <[email protected]>

/Jarkko

2018-11-30 23:47:55

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <[email protected]>
> > > >Reviewed-by: Mimi Zohar <[email protected]>
> > >
> > > Acked-by: Jerry Snitselaar <[email protected]>
> >
> > Thanks! ?This patch is now staged in the #next-integrity-queued
> > branch.
> >
> > Mimi
>
> Reviewed-by: Jarkko Sakkinen <[email protected]>

Brings to mind, in the long run where the backend code for trusted keys
should reside.

/Jarkko

2018-12-02 15:11:45

by Mimi Zohar

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <[email protected]>
> > > > >Reviewed-by: Mimi Zohar <[email protected]>
> > > >
> > > > Acked-by: Jerry Snitselaar <[email protected]>
> > >
> > > Thanks!  This patch is now staged in the #next-integrity-queued
> > > branch.
> > >
> > > Mimi
> >
> > Reviewed-by: Jarkko Sakkinen <[email protected]>
>
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.

Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?

I'm not sure there needs to be a separate encrypted-keys pull request.
 Either they can be upstreamed via the TPM or the integrity subsystem
for now.

Mimi


2018-12-02 23:07:02

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0

On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
>
> I'm not sure there needs to be a separate encrypted-keys pull request.
> ?Either they can be upstreamed via the TPM or the integrity subsystem
> for now.

Nothing that ought to be rushed.

I'm speaking about this situation:

1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.

We are doing effort to make TPM subsystem more friendly to send custom
commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean
ups for TPM 1.x code) so I'm more dilated to the 2nd option.

/Jarkko