From: David Howells
To: David Woodhouse
Cc: dhowells@redhat.com, jmorris@namei.org, denkenz@gmail.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
Date: Tue, 18 Sep 2018 16:02:11 +0100
Message-ID: <20342.1537282931@warthog.procyon.org.uk>
In-Reply-To: <1537253993.20009.62.camel@infradead.org>
References: <1537253993.20009.62.camel@infradead.org> <153618445730.7946.10001472635835806478.stgit@warthog.procyon.org.uk>

David Woodhouse wrote:

> Those examples aren't equivalent

No one said that they are.  But if you really can't figure it out, I can add:

	openssl genrsa -out private_key.pem 2048

at the front of the PKCS#8 example;-)  I can even change the examples to have the same private key name.

> For the PKCS#8 blob you are first using openssl to convert from an encrypted
> PKCS#8 PEM to unencrypted DER, presumably because you haven't added
> decryption support (or base64 decode) to keyctl yet.

It would probably be done in the kernel rather than keyctl.  If it's done in userspace, there's no need to do it in keyctl.

The PKCS#8 parser is primarily a test port - especially as it doesn't need anything like a TPM.  It's of limited real utility, I think, because even if the blob is encrypted and you can pass the decryption password to the kernel, the password still has to be present in userspace, however briefly.

> For the TPM example though, you are also showing the *generation* of
> the key, and importing it into the TPM.  And then I'm confused by the
> 'openssl asn1parse' line there...  what is that actually doing?

It's meant to be stripping off the PEM wrapper and outputting the DER, but see below.

> If I run it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I
> get no output at all.

I lost a bit from the cover note.  It needs "-out -" attaching.

	openssl asn1parse -inform pem -in modulekey1.priv -noout -out - | wc -c

David
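The `openssl asn1parse -inform pem ... -noout -out -` step above does two things: it strips the PEM armour (whatever the BEGIN/END label says, including "TSS KEY BLOB") and base64-decodes the body to DER, which is what the TPM and PKCS#8 key parsers in the patch set consume.  The following is an added example, not part of this thread and not code from the KEYS patch set, that performs the same conversion in Python so the two steps are visible, and then checks that the decoded bytes are a single, correctly sized DER SEQUENCE (the outer shape of both blob formats).  Everything in it is assumed for illustration: the function names are mine, and the sample key blob is a constructed toy SEQUENCE, not a real TPM or PKCS#8 key, so nothing here touches a TPM.

```python
"""PEM -> DER stripping, the userspace half of the asn1parse step above.

Added example, not from the original thread or the KEYS patch set.
The sample blob is constructed: a toy DER SEQUENCE, not a real key.
"""
import base64
import re
from typing import Tuple

# Constructed sample payload: SEQUENCE { INTEGER 0, OCTET STRING "abc" }.
SAMPLE_DER = bytes.fromhex("30080201000403616263")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def wrap_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with the given label (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(text: str) -> Tuple[str, bytes]:
    """Return (label, der) for the first PEM block in `text`.

    The label is not interpreted, so "TSS KEY BLOB", "PRIVATE KEY" and
    "ENCRYPTED PRIVATE KEY" are all accepted.  Encapsulated header lines
    such as "Proc-Type:" / "DEK-Info:" (legacy encrypted PEM) are skipped;
    they are not part of the base64 payload.  Raises ValueError if no
    PEM block is present or the base64 is malformed.
    """
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    body_lines = []
    for line in m.group("body").splitlines():
        line = line.strip()
        if not line or ":" in line:      # blank line or encapsulated header
            continue
        body_lines.append(line)
    der = base64.b64decode("".join(body_lines), validate=True)
    return m.group("label").strip(), der


def der_outer_length(der: bytes) -> int:
    """Parse the outermost DER tag/length and return the total encoded size.

    Both blob formats discussed in the thread are outer SEQUENCEs (tag 0x30).
    A payload that is not one, or whose declared length does not match the
    number of bytes actually present, is rejected rather than passed on.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    total = hdr + length
    if total != len(der):
        raise ValueError(f"DER length {total} does not match payload size {len(der)}")
    return total


if __name__ == "__main__":
    # Same pipeline as `openssl asn1parse -inform pem -noout -out - | wc -c`,
    # run on the constructed blob instead of modulekey1.priv.
    pem = wrap_pem("TSS KEY BLOB", SAMPLE_DER)
    label, der = pem_to_der(pem)
    print(label, der_outer_length(der), "bytes")
```

The length check is the part `wc -c` alone does not give you: a blob that was truncated or whose base64 was mangled in transit still produces some byte count, whereas a declared-length mismatch fails here before the bytes reach a kernel parser.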