Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761477AbbKUSu2 (ORCPT ); Sat, 21 Nov 2015 13:50:28 -0500 Received: from mga11.intel.com ([192.55.52.93]:41044 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751542AbbKUSu0 (ORCPT ); Sat, 21 Nov 2015 13:50:26 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,329,1444719600"; d="scan'208";a="604858942" Date: Sat, 21 Nov 2015 20:50:21 +0200 From: Jarkko Sakkinen To: Peter Huewe , Marcel Selhorst , David Howells Cc: Mimi Zohar , Jonathan Corbet , Jason Gunthorpe , James Morris , "Serge E. Hallyn" , "open list:KEYS-ENCRYPTED" , "open list:KEYS-ENCRYPTED" , "open list:DOCUMENTATION" , open list , "moderated list:TPM DEVICE DRIVER" Subject: Re: [PATCH 2/2] keys, trusted: seal with a policy Message-ID: <20151121185021.GA17656@intel.com> References: <1447777643-10777-1-git-send-email-jarkko.sakkinen@linux.intel.com> <1447777643-10777-3-git-send-email-jarkko.sakkinen@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1447777643-10777-3-git-send-email-jarkko.sakkinen@linux.intel.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1296 Lines: 36 On Tue, Nov 17, 2015 at 06:27:22PM +0200, Jarkko Sakkinen wrote: > Support for sealing with a authorization policy. > > Two new options for trusted keys: > > * 'policydigest=': provide an auth policy digest for sealing. > * 'policyhandle=': provide a policy session handle for unsealing. I think it is good to say a word about how to test this since the user space supports is still lagging a bit (there's no way to do a "sticky" handle in TSS2 yet). I have my own low-level test scripts over here: https://github.com/jsakkine/tpm2-scripts Trivial example: KEYHANDLE=$(sudo ./tpm2-root-key) POLICYDIGEST=$(sudo ./tpm2-pcr-policy --pcr 16 --name-alg=sha256 --bank=sha1 --trial) POLICYHANDLE=$(sudo ./tpm2-pcr-policy --pcr 16 --name-alg=sha256 --bank=sha1) KEYID=$(keyctl add trusted kmk "new 32 keyhandle=$KEYHANDLE hash=sha256 policydigest=$POLICYDIGEST" @u) keyctl pipe $KEYID keyctl clear @u keyctl add trusted kmk "load `cat blob.hex` keyhandle=$KEYHANDLE policyhandle=0x03000000" @u keyctl clear @u sudo ./tpm2-flush $KEYHANDLE /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/