Date: Mon, 5 Nov 2018 13:42:15 -0700
From: Jerry Snitselaar
To: Stefan Berger
Cc: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, jejb@linux.ibm.com, Alexander.Levin@microsoft.com, jmorris@namei.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
Message-ID: <20181105204215.hw6vme5epxcc3nch@cantor>
In-Reply-To: <20181019101758.1569-1-stefanb@linux.ibm.com>

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger
>Reviewed-by: Mimi Zohar
>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new > when the kernel and initramfs are updated. The same key can have many saved > blobs under different PCR values, so multiple boots are easily supported. > >+TPM 1.2 >+------- >+ > By default, trusted keys are sealed under the SRK, which has the default > authorization value (20 zeros). This can be set at takeownership time with the > trouser's utility: "tpm_takeownership -u -z". > >+TPM 2.0 >+------- >+ >+The user must first create a storage key and make it persistent, so the key is >+available after reboot. This can be done using the following commands. >+ >+With the IBM TSS 2 stack:: >+ >+ #> tsscreateprimary -hi o -st >+ Handle 80000000 >+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 >+ >+Or with the Intel TSS 2 stack:: >+ >+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt >+ [...] >+ handle: 0x800000FF >+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 >+ persistentHandle: 0x81000001 >+ Is that the correct option for tpm2_evictcontrol? What I'm seeing in the versions I have is -S or -persistent= for specifying the persistent handle. Other than that looks good to me. > Usage:: > > keyctl add trusted name "new keylen [options]" ring >@@ -30,7 +53,9 @@ Usage:: > keyctl print keyid > > options: >- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) >+ keyhandle= ascii hex value of sealing key >+ TPM 1.2: default 0x40000000 (SRK) >+ TPM 2.0: no default; must be passed every time > keyauth= ascii hex auth for sealing key default 0x00...i > (40 ascii zeros) > blobauth= ascii hex auth for sealed data default 0x00... 
>@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > Create and save a trusted key named "kmk" of length 32 bytes:: > >+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, >+append 'keyhandle=0x81000001' to statements between quotes, such as >+"new 32 keyhandle=0x81000001". >+ > $ keyctl add trusted kmk "new 32" @u > 440502848 > >-- >2.17.2 >
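Review bot: In the first hunk (@@ -18,10 +18,33 @@, the new "TPM 2.0" subsection), both evictcontrol examples act under the owner hierarchy (`tssevictcontrol -hi o ...` and `tpm2_evictcontrol ... -p 0x81000001`) but the text never says they assume an empty owner hierarchy authorization; on a TPM where that authorization has been set, the command fails unless the owner password is supplied. Suggest one sentence after "This can be done using the following commands." stating that assumption. In the same hunk, the transient handle differs between the two listings (`Handle 80000000` versus `handle: 0x800000FF`) and 0x81000001 is a chosen persistent handle rather than a fixed one; a short note that the handle values are examples, and that the persistent handle chosen here is the value later passed as keyhandle=, would stop readers copying the literals.

Review bot: In the second hunk (@@ -30,7 +53,9 @@), "TPM 2.0: no default; must be passed every time" does not say which statements "every time" covers; the Usage block above it shows only `"new keylen [options]"`, while the third hunk's note says to append keyhandle= to every quoted statement. Suggest making it explicit, e.g. "TPM 2.0: no default; must be passed on every 'new' and 'load'". While touching this option list, the unchanged context line `keyauth= ascii hex auth for sealing key default 0x00...i` carries a stray trailing "i" that could be dropped in the same hunk.

Review bot: In the third hunk (@@ -84,6 +109,10 @@), the new "Note:" paragraph is inserted between the line ending in "::" (`Create and save a trusted key named "kmk" of length 32 bytes::`) and the indented literal block it introduces; in reStructuredText the literal block must immediately follow the "::" paragraph, so with the note in between docutils reports "Literal block expected; none found", the "::" renders as a bare ":", and the `$ keyctl add trusted kmk "new 32" @u` lines are no longer rendered as a code block. Move the note above the "Create and save ..." line, or to the start of the examples section since it applies to every quoted statement there. Minor wording: "with a persistent key with handle 0x81000001" reads better as "with a persistent key at handle 0x81000001".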