Date: Tue, 6 Nov 2018 09:46:03 -0700
From: Jerry Snitselaar
To: Stefan Berger
Cc: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, jejb@linux.ibm.com, Alexander.Levin@microsoft.com, jmorris@namei.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] docs: Extend trusted keys documentation for TPM 2.0
Message-ID: <20181106164603.w46wspmdj5e4slwe@cantor>
Reply-To: Jerry Snitselaar
References: <20181019101758.1569-1-stefanb@linux.ibm.com>
In-Reply-To: <20181019101758.1569-1-stefanb@linux.ibm.com>
User-Agent: NeoMutt/20180716
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri Oct 19 18, Stefan Berger wrote:
>Extend the documentation for trusted keys with documentation for how to
>set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
>
>Signed-off-by: Stefan Berger
>Reviewed-by: Mimi Zohar

Acked-by: Jerry Snitselaar

>---
> .../security/keys/trusted-encrypted.rst | 31 ++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
>index 3bb24e09a332..6ec6bb2ac497 100644
>--- a/Documentation/security/keys/trusted-encrypted.rst
>+++ b/Documentation/security/keys/trusted-encrypted.rst
>@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new > when the kernel and initramfs are updated. The same key can have many saved > blobs under different PCR values, so multiple boots are easily supported. > >+TPM 1.2 >+------- >+ > By default, trusted keys are sealed under the SRK, which has the default > authorization value (20 zeros). This can be set at takeownership time with the > trouser's utility: "tpm_takeownership -u -z". > >+TPM 2.0 >+------- >+ >+The user must first create a storage key and make it persistent, so the key is >+available after reboot. This can be done using the following commands. >+ >+With the IBM TSS 2 stack:: >+ >+ #> tsscreateprimary -hi o -st >+ Handle 80000000 >+ #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 >+ >+Or with the Intel TSS 2 stack:: >+ >+ #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt >+ [...] >+ handle: 0x800000FF >+ #> tpm2_evictcontrol -c key.ctxt -p 0x81000001 >+ persistentHandle: 0x81000001 >+ > Usage:: > > keyctl add trusted name "new keylen [options]" ring >@@ -30,7 +53,9 @@ Usage:: > keyctl print keyid > > options: >- keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) >+ keyhandle= ascii hex value of sealing key >+ TPM 1.2: default 0x40000000 (SRK) >+ TPM 2.0: no default; must be passed every time > keyauth= ascii hex auth for sealing key default 0x00...i > (40 ascii zeros) > blobauth= ascii hex auth for sealed data default 0x00... >@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: > > Create and save a trusted key named "kmk" of length 32 bytes:: > >+Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, >+append 'keyhandle=0x81000001' to statements between quotes, such as >+"new 32 keyhandle=0x81000001". >+ > $ keyctl add trusted kmk "new 32" @u > 440502848 > >-- >2.17.2 >
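Review bot: in the `@@ -18,10 +18,33 @@` hunk the two command sequences are given without saying which IBM TSS or tpm2-tools release they were run against; the option spellings of these tools have changed between releases, so naming the version (and noting that the Intel sequence assumes an RSA-2048 key via `-G rsa2048`) would save readers a failed first attempt. Both sequences create the primary under the owner hierarchy (`-hi o`, `--hierarchy o`) and then persist it with evictcontrol, which also requires owner authorization, so the text should say that an owner password, if one has been set, must be supplied to both steps. The `#>` prompt also differs from the `$` prompt used by the existing examples further down in the file; the file's convention should be kept.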
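Review bot: in the `@@ -30,7 +53,9 @@` hunk the `keyhandle=` entry now says a TPM 2.0 handle must be passed every time but does not say which handle is meant; a short cross-reference to the persistent handle created in the new TPM 2.0 section (0x81000001 in its example) would tie the two additions together. The adjacent `keyauth=` context line still documents only the 40-zero default, so it is worth stating whether that default also applies when the sealing key is a TPM 2.0 persistent key; the stray `i` in `default 0x00...i` on that line is pre-existing but could be cleaned up in the same pass.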
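Review bot: in the `@@ -84,6 +109,10 @@` hunk the new Note paragraph is inserted between `Create and save a trusted key named "kmk" of length 32 bytes::` and its indented `$ keyctl add trusted kmk "new 32" @u` line, which separates the `::` marker from the literal block it introduces; in reStructuredText the marker is then left without a literal block and the indented keyctl line renders as a block quote instead of a command example. Move the note above the `Create and save ...::` sentence (or after the literal block) so the example renders as before. Since `keyhandle=` goes inside the quoted string, showing the full statement once, e.g. `keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u`, would also remove any doubt about where the option belongs.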