Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp400179imu; Tue, 8 Jan 2019 22:59:54 -0800 (PST) X-Google-Smtp-Source: ALg8bN7bFykuEeA/g37n39Oh8E9MUk2zmrKh4pK57VYXTZhXHSosrinbgtenBJfhKmcWiXaXlqo8 X-Received: by 2002:a62:4549:: with SMTP id s70mr4753253pfa.233.1547017194561; Tue, 08 Jan 2019 22:59:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547017194; cv=none; d=google.com; s=arc-20160816; b=w6B8nvuDlopz961gnp+CCR7on6genhfwwZNIMwoLKIbKkt/4/6ajgrtn3Zl4YQWPGj DemohppqSWq83XIordqYhhfKwqaEkPMPMfZ3Fw+2y/51U/kl/8hswcXeD21pU3nsiI0U GI39reIj139rL6emQJEievTFb0FmceOhJSqrW2IQrT19HhwU+uVx4ILEMwd+0rRfVBjb irZtXZfzQD1Z66CK9ygwoDz/1EbHYXeu/Q6+VamgiDH1ynMJ+eCuARtALKqcTrDGu6P0 vBNxdHwdzwz8BpyyjyiufEKrA+4u1pamedlIHClZ9oWJKPn88VT23wF8WbL7qxHqD4XW VB+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=nSp+oPLYiw2rMGqtQV0XfZ2kydHf9UMEZuha7DdLknk=; b=QX9iObxrpPTnHDaqSNF45r4o24sMoNlgW0/NLqcBf6VTtmu/2NNyltAau1BOMzbDsi 9oPckd1NOhcxSbWfwE9a5h2DXG6Iew7yYpdAMl2iKeyj9fbUeQb1QarS4aD0j7X1g7KE JIdbcTXH3cM06WBUpc/U4Ck/XQTTnav+8+iuf9lTvDvUbrx/D02dWVm1W0WIxm4y0JzL eZPp/CiV8NUC/C2TeuwfvEX8/qhcct0xFWD7/KTxiOJHlt4x9xOhpqyt8rweksEj74Mo aYPYCD+nsnxvARl4kCQe9Sg6njErFJBwLhLC4SgLBrGDn0gUfcDZO5iPb9vPSsD4N6lq nbPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=ASbMHLsl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c22si6650499pgb.254.2019.01.08.22.59.39; Tue, 08 Jan 2019 22:59:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=ASbMHLsl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729681AbfAIG6c (ORCPT + 99 others); Wed, 9 Jan 2019 01:58:32 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:58004 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729209AbfAIG6c (ORCPT ); Wed, 9 Jan 2019 01:58:32 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 75C108EE42E; Tue, 8 Jan 2019 22:58:30 -0800 (PST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PmnL43oLfymR; Tue, 8 Jan 2019 22:58:30 -0800 (PST) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 891668EE0CD; Tue, 8 Jan 2019 22:58:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1547017110; bh=Y6wBS4NyjRVcBjBw4T9WK9b8P57p87P6kg4yLicGKo4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=ASbMHLsls7Bn3yb2mVZ6vmCtPoPlxvxK1PBpJqwZi7MYn7H/XSj9gdnbMUPqcoCk/ sIx432fRIS+4UZyS1uixpYCdb5pCI4SAYm4/nKTWNe7Z7PCNiFrRVshCxWfFchm5vF DfhDMVDJLPQ+3a51urQieezA3egnxXSibUUcYCoI= Message-ID: <1547017108.2789.24.camel@HansenPartnership.com> Subject: Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler From: James Bottomley To: Stephan Mueller Cc: Andy Lutomirski , Herbert Xu , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn , Andy Lutomirski Date: Tue, 08 Jan 2019 22:58:28 -0800 In-Reply-To: <309406107.k3W2fMQUza@tauon.chronox.de> References: <20190103143227.9138-1-jlee@suse.com> <1546994671.6077.10.camel@HansenPartnership.com> <309406107.k3W2fMQUza@tauon.chronox.de> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2019-01-09 at 07:45 +0100, Stephan Mueller wrote: > Am Mittwoch, 9. Januar 2019, 01:44:31 CET schrieb James Bottomley: > > Hi James, > > > Actually, it would be enormously helpful if we could reuse these > > pieces for the TPM as well. > > Could you please help me understand whether the KDFs in TPM are > directly usable as a standalone cipher primitive or does it go > together with additional key generation operations? They're used as generators ... which means they deterministically produce keys from what the TPM calls seeds so we can get crypto agility of TPM 2.0 ... well KDFa does. KDFe is simply what NIST recommends you do when using EC for a shared key agreement ... and really we shouldn't be using ECDH in the kernel without it. > > It has two KDFs: KDFa, which is the CTR-KDF from > > SP800-108 and KDFe which is the SP800-56A KDF for elliptic curve > > one pass Diffie Hellman, so if we're going to do the former, I'd > > really like the latter as well. > > > > The way the TPM parametrises input to both KDFs is > > > > (hashAlg, key, label, contextU, contextV, bits) > > > > Where > > > > hashAlg = the hash algorithm used as the PRF > > key = the input parameter of variable bit size or > > the x co-ordinate of the shared point > > label = An ASCII string representing the use > > contextU = public input U > > contextV = public input V > > bits = number of output bits > > When implementing KDFs as an extension of the kernel crypto API's RNG > facility we currently have to handle the limitiation of the existing > API. The label/context data (and when considering RFC 5869 HKDF > requring IKM, salt and additional information as input) currently > cannot directly be communicated through the API. > > The issue is that the RNG facility currently has the following > prototype defined: > > int (*generate)(struct crypto_rng *tfm, > const u8 *src, unsigned int slen, > u8 *dst, unsigned int dlen); > > The src pointer would need to take the label/context data. That's probably good enough. For both KDFa and KDFe the label contextU and ContextV are concatenated, so in both cases a single source is probably good enough. However, we also need to feed in the key somehow since it's usually used separately in the derivation functions. > Would it be appropriate, to implement a type cast to a structure from > the u8 pointer? > > E.g. for the aforementioned label/context data, we could define > something like > > struct crypto_kdf_ctr { > char *label; > size_t label_len; > u8 *contextU; > size_t contextU_len; > u8 *contextV; > size_t contextV_len; > }; > > And the implementation of the generate function for CTR KDF would > then have a type cast along the following lines: > > if (slen != sizeof(struct crypto_kdf_ctr)) > return -EINVAL; > const struct crypto_kdf_ctr *kdf_ctr_input = (struct > crypto_kdf_ctr *)src; > > > For different KDFs, different structs would be needed. Actually, we probably just need the input key (or secret material), the concatenation and the number of output bits. James