Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
Signed-off-by: Stefan Berger <[email protected]>
Reviewed-by: Mimi Zohar <[email protected]>
---
.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
when the kernel and initramfs are updated. The same key can have many saved
blobs under different PCR values, so multiple boots are easily supported.
+TPM 1.2
+-------
+
By default, trusted keys are sealed under the SRK, which has the default
authorization value (20 zeros). This can be set at takeownership time with the
trouser's utility: "tpm_takeownership -u -z".
+TPM 2.0
+-------
+
+The user must first create a storage key and make it persistent, so the key is
+available after reboot. This can be done using the following commands.
+
+With the IBM TSS 2 stack::
+
+ #> tsscreateprimary -hi o -st
+ Handle 80000000
+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
+
+Or with the Intel TSS 2 stack::
+
+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
+ [...]
+ handle: 0x800000FF
+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
+ persistentHandle: 0x81000001
+
Usage::
keyctl add trusted name "new keylen [options]" ring
@@ -30,7 +53,9 @@ Usage::
keyctl print keyid
options:
- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
+ keyhandle= ascii hex value of sealing key
+ TPM 1.2: default 0x40000000 (SRK)
+ TPM 2.0: no default; must be passed every time
keyauth= ascii hex auth for sealing key default 0x00...i
(40 ascii zeros)
blobauth= ascii hex auth for sealed data default 0x00...
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
Create and save a trusted key named "kmk" of length 32 bytes::
+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
+append 'keyhandle=0x81000001' to statements between quotes, such as
+"new 32 keyhandle=0x81000001".
+
$ keyctl add trusted kmk "new 32" @u
440502848
--
2.17.2
Hi,
Feel free to ignore my comments. I don't know anything about TPM.
On 10/19/18 3:17 AM, Stefan Berger wrote:
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <[email protected]>
> Reviewed-by: Mimi Zohar <[email protected]>
> ---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..6ec6bb2ac497 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
> +TPM 1.2
> +-------
> +
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
It appears to be TrouSerS or maybe just trousers (no ').
BTW, is this still the current location for it or has it moved elsewhere?
http://trousers.sourceforge.net/
>
> +TPM 2.0
> +-------
> +
> +The user must first create a storage key and make it persistent, so the key is
> +available after reboot. This can be done using the following commands.
> +
> +With the IBM TSS 2 stack::
> +
> + #> tsscreateprimary -hi o -st
> + Handle 80000000
> + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> +
> +Or with the Intel TSS 2 stack::
> +
> + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> + [...]
> + handle: 0x800000FF
Is that handle value important? It doesn't seem to be used later...
> + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> + persistentHandle: 0x81000001
> +
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
> @@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
> - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> + keyhandle= ascii hex value of sealing key
s/ascii/ASCII/g
> + TPM 1.2: default 0x40000000 (SRK)
> + TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
> @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
> +Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> +append 'keyhandle=0x81000001' to statements between quotes, such as
> +"new 32 keyhandle=0x81000001".
> +
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>
ta.
--
~Randy
On Fri, Oct 19, 2018 at 3:19 AM Stefan Berger <[email protected]> wrote:
>
> Extend the documentation for trusted keys with documentation for how to
> set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
> Signed-off-by: Stefan Berger <[email protected]>
> Reviewed-by: Mimi Zohar <[email protected]>
Thanks for the updates:
Acked-by: Dan Williams <[email protected]>
On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <[email protected]>
>Reviewed-by: Mimi Zohar <[email protected]>
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+
Is that the correct option for tpm2_evictcontrol? What I'm seeing
in the versions I have is -S or -persistent= for specifying the persistent handle.
Other than that looks good to me.
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>
On Mon Nov 05 18, Jerry Snitselaar wrote:
>On Fri Oct 19 18, Stefan Berger wrote:
>>Extend the documentation for trusted keys with documentation for how to
>>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>>
>>Signed-off-by: Stefan Berger <[email protected]>
>>Reviewed-by: Mimi Zohar <[email protected]>
>>---
>>.../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
>>1 file changed, 30 insertions(+), 1 deletion(-)
>>
>>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>>index 3bb24e09a332..6ec6bb2ac497 100644
>>--- a/Documentation/security/keys/trusted-encrypted.rst
>>+++ b/Documentation/security/keys/trusted-encrypted.rst
>>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
>>when the kernel and initramfs are updated. The same key can have many saved
>>blobs under different PCR values, so multiple boots are easily supported.
>>
>>+TPM 1.2
>>+-------
>>+
>>By default, trusted keys are sealed under the SRK, which has the default
>>authorization value (20 zeros). This can be set at takeownership time with the
>>trouser's utility: "tpm_takeownership -u -z".
>>
>>+TPM 2.0
>>+-------
>>+
>>+The user must first create a storage key and make it persistent, so the key is
>>+available after reboot. This can be done using the following commands.
>>+
>>+With the IBM TSS 2 stack::
>>+
>>+ #> tsscreateprimary -hi o -st
>>+ Handle 80000000
>>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>>+
>>+Or with the Intel TSS 2 stack::
>>+
>>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>>+ [...]
>>+ handle: 0x800000FF
>>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>>+ persistentHandle: 0x81000001
>>+
>
>Is that the correct option for tpm2_evictcontrol? What I'm seeing
>in the versions I have is -S or -persistent= for specifying the persistent handle.
>
>Other than that looks good to me.
William, is the above correct?
>
>>Usage::
>>
>> keyctl add trusted name "new keylen [options]" ring
>>@@ -30,7 +53,9 @@ Usage::
>> keyctl print keyid
>>
>> options:
>>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>>+ keyhandle= ascii hex value of sealing key
>>+ TPM 1.2: default 0x40000000 (SRK)
>>+ TPM 2.0: no default; must be passed every time
>> keyauth= ascii hex auth for sealing key default 0x00...i
>> (40 ascii zeros)
>> blobauth= ascii hex auth for sealed data default 0x00...
>>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>>
>>Create and save a trusted key named "kmk" of length 32 bytes::
>>
>>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>>+append 'keyhandle=0x81000001' to statements between quotes, such as
>>+"new 32 keyhandle=0x81000001".
>>+
>> $ keyctl add trusted kmk "new 32" @u
>> 440502848
>>
>>--
>>2.17.2
>>
On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> On Mon Nov 05 18, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > > Extend the documentation for trusted keys with documentation for
> > > how to
> > > set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as
> > > well.
> > >
> > > Signed-off-by: Stefan Berger <[email protected]>
> > > Reviewed-by: Mimi Zohar <[email protected]>
> > > ---
> > > .../security/keys/trusted-encrypted.rst | 31
> > > ++++++++++++++++++-
> > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > b/Documentation/security/keys/trusted-encrypted.rst
> > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > Trusted Key can be updated with new
> > > when the kernel and initramfs are updated. The same key can have
> > > many saved
> > > blobs under different PCR values, so multiple boots are easily
> > > supported.
> > >
> > > +TPM 1.2
> > > +-------
> > > +
> > > By default, trusted keys are sealed under the SRK, which has the
> > > default
> > > authorization value (20 zeros). This can be set at takeownership
> > > time with the
> > > trouser's utility: "tpm_takeownership -u -z".
> > >
> > > +TPM 2.0
> > > +-------
> > > +
> > > +The user must first create a storage key and make it persistent,
> > > so the key is
> > > +available after reboot. This can be done using the following
> > > commands.
> > > +
> > > +With the IBM TSS 2 stack::
> > > +
> > > + #> tsscreateprimary -hi o -st
> > > + Handle 80000000
> > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > +
> > > +Or with the Intel TSS 2 stack::
> > > +
> > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > + [...]
> > > + handle: 0x800000FF
> > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > + persistentHandle: 0x81000001
> > > +
> >
> > Is that the correct option for tpm2_evictcontrol? What I'm seeing
> > in the versions I have is -S or -persistent= for specifying the
> > persistent handle.
> >
> > Other than that looks good to me.
>
> William, is the above correct?
We're changing some of the options in master ahead of our next major
release, the -p/--persistent option is correct for that branch and the
eventual 4.X series.
Regards,
Joshua
> >
> > > Usage::
> > >
> > > keyctl add trusted name "new keylen [options]" ring
> > > @@ -30,7 +53,9 @@ Usage::
> > > keyctl print keyid
> > >
> > > options:
> > > - keyhandle= ascii hex value of sealing key default
> > > 0x40000000 (SRK)
> > > + keyhandle= ascii hex value of sealing key
> > > + TPM 1.2: default 0x40000000 (SRK)
> > > + TPM 2.0: no default; must be passed every
> > > time
> > > keyauth= ascii hex auth for sealing key default
> > > 0x00...i
> > > (40 ascii zeros)
> > > blobauth= ascii hex auth for sealed data default
> > > 0x00...
> > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > >
> > > Create and save a trusted key named "kmk" of length 32 bytes::
> > >
> > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > 0x81000001,
> > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > as
> > > +"new 32 keyhandle=0x81000001".
> > > +
> > > $ keyctl add trusted kmk "new 32" @u
> > > 440502848
> > >
> > > --
> > > 2.17.2
> > >
On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger <[email protected]>
>Reviewed-by: Mimi Zohar <[email protected]>
Acked-by: Jerry Snitselaar <[email protected]>
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
> when the kernel and initramfs are updated. The same key can have many saved
> blobs under different PCR values, so multiple boots are easily supported.
>
>+TPM 1.2
>+-------
>+
> By default, trusted keys are sealed under the SRK, which has the default
> authorization value (20 zeros). This can be set at takeownership time with the
> trouser's utility: "tpm_takeownership -u -z".
>
>+TPM 2.0
>+-------
>+
>+The user must first create a storage key and make it persistent, so the key is
>+available after reboot. This can be done using the following commands.
>+
>+With the IBM TSS 2 stack::
>+
>+ #> tsscreateprimary -hi o -st
>+ Handle 80000000
>+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
>+
>+Or with the Intel TSS 2 stack::
>+
>+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>+ [...]
>+ handle: 0x800000FF
>+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>+ persistentHandle: 0x81000001
>+
> Usage::
>
> keyctl add trusted name "new keylen [options]" ring
>@@ -30,7 +53,9 @@ Usage::
> keyctl print keyid
>
> options:
>- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
>+ keyhandle= ascii hex value of sealing key
>+ TPM 1.2: default 0x40000000 (SRK)
>+ TPM 2.0: no default; must be passed every time
> keyauth= ascii hex auth for sealing key default 0x00...i
> (40 ascii zeros)
> blobauth= ascii hex auth for sealed data default 0x00...
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
>
> Create and save a trusted key named "kmk" of length 32 bytes::
>
>+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
>+append 'keyhandle=0x81000001' to statements between quotes, such as
>+"new 32 keyhandle=0x81000001".
>+
> $ keyctl add trusted kmk "new 32" @u
> 440502848
>
>--
>2.17.2
>
On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> On Fri Oct 19 18, Stefan Berger wrote:
> >Extend the documentation for trusted keys with documentation for how to
> >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> >
> >Signed-off-by: Stefan Berger <[email protected]>
> >Reviewed-by: Mimi Zohar <[email protected]>
>
> Acked-by: Jerry Snitselaar <[email protected]>
Thanks! This patch is now staged in the #next-integrity-queued
branch.
Mimi
> -----Original Message-----
> From: Joshua Lock [mailto:[email protected]]
> Sent: Tuesday, November 6, 2018 8:15 AM
> To: Jerry Snitselaar <[email protected]>; Stefan Berger
> <[email protected]>; [email protected]; linux-
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; linux-
> [email protected]
> Cc: Roberts, William C <[email protected]>
> Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
>
> On Tue, 2018-11-06 at 09:00 -0700, Jerry Snitselaar wrote:
> > On Mon Nov 05 18, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > Extend the documentation for trusted keys with documentation for
> > > > how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0
> > > > as well.
> > > >
> > > > Signed-off-by: Stefan Berger <[email protected]>
> > > > Reviewed-by: Mimi Zohar <[email protected]>
> > > > ---
> > > > .../security/keys/trusted-encrypted.rst | 31
> > > > ++++++++++++++++++-
> > > > 1 file changed, 30 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/security/keys/trusted-encrypted.rst
> > > > b/Documentation/security/keys/trusted-encrypted.rst
> > > > index 3bb24e09a332..6ec6bb2ac497 100644
> > > > --- a/Documentation/security/keys/trusted-encrypted.rst
> > > > +++ b/Documentation/security/keys/trusted-encrypted.rst
> > > > @@ -18,10 +18,33 @@ integrity verifications match. A loaded
> > > > Trusted Key can be updated with new when the kernel and initramfs
> > > > are updated. The same key can have many saved blobs under
> > > > different PCR values, so multiple boots are easily supported.
> > > >
> > > > +TPM 1.2
> > > > +-------
> > > > +
> > > > By default, trusted keys are sealed under the SRK, which has the
> > > > default authorization value (20 zeros). This can be set at
> > > > takeownership time with the trouser's utility: "tpm_takeownership
> > > > -u -z".
> > > >
> > > > +TPM 2.0
> > > > +-------
> > > > +
> > > > +The user must first create a storage key and make it persistent,
> > > > so the key is
> > > > +available after reboot. This can be done using the following
> > > > commands.
> > > > +
> > > > +With the IBM TSS 2 stack::
> > > > +
> > > > + #> tsscreateprimary -hi o -st
> > > > + Handle 80000000
> > > > + #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
> > > > +
> > > > +Or with the Intel TSS 2 stack::
> > > > +
> > > > + #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
> > > > + [...]
> > > > + handle: 0x800000FF
> > > > + #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
> > > > + persistentHandle: 0x81000001
> > > > +
> > >
> > > Is that the correct option for tpm2_evictcontrol? What I'm seeing in
> > > the versions I have is -S or -persistent= for specifying the
> > > persistent handle.
> > >
> > > Other than that looks good to me.
> >
> > William, is the above correct?
>
> We're changing some of the options in master ahead of our next major release,
> the -p/--persistent option is correct for that branch and the eventual 4.X series.
LGTM.
Also if you specify --help=no-man it will dump a short summary to stdout (master only) which is useful.
>
> Regards,
> Joshua
>
> > >
> > > > Usage::
> > > >
> > > > keyctl add trusted name "new keylen [options]" ring @@ -30,7
> > > > +53,9 @@ Usage::
> > > > keyctl print keyid
> > > >
> > > > options:
> > > > - keyhandle= ascii hex value of sealing key default
> > > > 0x40000000 (SRK)
> > > > + keyhandle= ascii hex value of sealing key
> > > > + TPM 1.2: default 0x40000000 (SRK)
> > > > + TPM 2.0: no default; must be passed every
> > > > time
> > > > keyauth= ascii hex auth for sealing key default
> > > > 0x00...i
> > > > (40 ascii zeros)
> > > > blobauth= ascii hex auth for sealed data default
> > > > 0x00...
> > > > @@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
> > > >
> > > > Create and save a trusted key named "kmk" of length 32 bytes::
> > > >
> > > > +Note: When using a TPM 2.0 with a persistent key with handle
> > > > 0x81000001,
> > > > +append 'keyhandle=0x81000001' to statements between quotes, such
> > > > as
> > > > +"new 32 keyhandle=0x81000001".
> > > > +
> > > > $ keyctl add trusted kmk "new 32" @u
> > > > 440502848
> > > >
> > > > --
> > > > 2.17.2
> > > >
On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > On Fri Oct 19 18, Stefan Berger wrote:
> > >Extend the documentation for trusted keys with documentation for how to
> > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > >
> > >Signed-off-by: Stefan Berger <[email protected]>
> > >Reviewed-by: Mimi Zohar <[email protected]>
> >
> > Acked-by: Jerry Snitselaar <[email protected]>
>
> Thanks! ?This patch is now staged in the #next-integrity-queued
> branch.
>
> Mimi
Reviewed-by: Jarkko Sakkinen <[email protected]>
/Jarkko
On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > On Fri Oct 19 18, Stefan Berger wrote:
> > > >Extend the documentation for trusted keys with documentation for how to
> > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > >
> > > >Signed-off-by: Stefan Berger <[email protected]>
> > > >Reviewed-by: Mimi Zohar <[email protected]>
> > >
> > > Acked-by: Jerry Snitselaar <[email protected]>
> >
> > Thanks! ?This patch is now staged in the #next-integrity-queued
> > branch.
> >
> > Mimi
>
> Reviewed-by: Jarkko Sakkinen <[email protected]>
Brings to mind, in the long run where the backend code for trusted keys
should reside.
/Jarkko
On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > On Fri Oct 19 18, Stefan Berger wrote:
> > > > >Extend the documentation for trusted keys with documentation for how to
> > > > >set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
> > > > >
> > > > >Signed-off-by: Stefan Berger <[email protected]>
> > > > >Reviewed-by: Mimi Zohar <[email protected]>
> > > >
> > > > Acked-by: Jerry Snitselaar <[email protected]>
> > >
> > > Thanks! This patch is now staged in the #next-integrity-queued
> > > branch.
> > >
> > > Mimi
> >
> > Reviewed-by: Jarkko Sakkinen <[email protected]>
>
> Brings to mind, in the long run where the backend code for trusted keys
> should reside.
Are you asking about coordinating staging the trusted key patches to
be upstreamed or about moving portions of the encrypted keys code out
of the keyring subsystem?
I'm not sure there needs to be a separate encrypted-keys pull request.
Either they can be upstreamed via the TPM or the integrity subsystem
for now.
Mimi
On Sun, Dec 02, 2018 at 10:10:36AM -0500, Mimi Zohar wrote:
> Are you asking about coordinating staging the trusted key patches to
> be upstreamed or about moving portions of the encrypted keys code out
> of the keyring subsystem?
>
> I'm not sure there needs to be a separate encrypted-keys pull request.
> ?Either they can be upstreamed via the TPM or the integrity subsystem
> for now.
Nothing that ought to be rushed.
I'm speaking about this situation:
1. TPM 1.x trusted keys code is inside keyring subsystem.
2. TPM 2.0 trusted keys code is inside tpm subsystem.
We are doing effort to make TPM subsystem more friendly to send custom
commands outside (tpm_buf, my unnesting effort in progress, Tomas' clean
ups for TPM 1.x code) so I'm more dilated to the 2nd option.
/Jarkko