Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp993985ybl; Sun, 1 Dec 2019 17:49:43 -0800 (PST) X-Google-Smtp-Source: APXvYqw4wZaKqtkPdbnFaxKZKG42LvD+gLKkr/SuMgt9kn1JijlbetX5sp3irTP9j2udl06z0h6j X-Received: by 2002:aa7:c994:: with SMTP id c20mr20349763edt.113.1575251383683; Sun, 01 Dec 2019 17:49:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575251383; cv=none; d=google.com; s=arc-20160816; b=LgsvqaRWgCOGLkp17WjjWCQGQfSzGwDgpaoO0k8rfq1QKiWLAzoSU9fiwSRjmZRyVB reoSjoL1eNB+6csEcbA75x/MRxUxPisCPUl95zD2VeM4KxGna7sl1XDqBKcihAzzWgY8 j+GVxmz55QstQcZ+qz7zESHiAP5AE7Ws0c7SSmAmgfjvgxELZzVcpgQXr4LNuvVRPHcZ icTsAIQZ1gt5WXK0wU+a6brI/q6ID1JN8HDOYDouQS8+9B50TWJczcPCTW1VPOiA2SKJ VOBPL8/WByZ04VPgXmuf4FgtyK2nisfZgNXEMEKK+t9NwKMkA+QmTXmFRxy2e3w4xOi6 cQpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=+2aybtDBrPqHwUbKO6sLZcDw/EoAvTXwFVVVeklrtw8=; b=izeOdfwNvwi/Xy0l5doQ7p36p51mi0riw7VljLdaDFLnsD+2BbJqma3VlgGRSs+qKH hDhTiK9etk5+1A0AhdoPjca7ZHzSGIE5ZJOwDhM7Ck35BDyPdV5T9dN4af9pXnBNGCTd myb2koBKYUZ2+/s9iI65M0O6TMhQBO4VcOqfBI6Nn8F4D7xT8hM208W1QoqLdHHFcdF3 eg5NREzNj1aqDx+hlJRQnTpdkVL0OnNJkwZ8XXAYF33B72OeUOxTBieXaQyDJQy2zioZ 7R6pWNlUpsqVA8Qi+mHXu/nSjLpWzGSFiFVlqBLft99L/BdzxHRyq8D3ZrC0/WKH5hD8 FUGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n26si13233701ejz.245.2019.12.01.17.49.19; Sun, 01 Dec 2019 17:49:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727413AbfLBBph convert rfc822-to-8bit (ORCPT + 99 others); Sun, 1 Dec 2019 20:45:37 -0500 Received: from mga12.intel.com ([192.55.52.136]:45963 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727394AbfLBBph (ORCPT ); Sun, 1 Dec 2019 20:45:37 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Dec 2019 17:45:36 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,267,1571727600"; d="scan'208";a="212870090" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by orsmga006.jf.intel.com with ESMTP; 01 Dec 2019 17:45:35 -0800 Received: from fmsmsx605.amr.corp.intel.com (10.18.126.85) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Sun, 1 Dec 2019 17:45:34 -0800 Received: from fmsmsx605.amr.corp.intel.com (10.18.126.85) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Sun, 1 Dec 2019 17:45:34 -0800 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Sun, 1 Dec 2019 17:45:34 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.109]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.90]) with mapi id 14.03.0439.000; Mon, 2 Dec 2019 09:45:31 +0800 From: "Zhao, Shirley" To: Jarkko Sakkinen , Mimi Zohar CC: James Bottomley , Jonathan Corbet , "linux-integrity@vger.kernel.org" , "keyrings@vger.kernel.org" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "'Mauro Carvalho Chehab'" , "Zhu, Bing" , "Chen, Luhai" Subject: RE: One question about trusted key of keyring in Linux kernel. Thread-Topic: One question about trusted key of keyring in Linux kernel. Thread-Index: AdWZwFKzDBwFOydYTGGk+Aqs+6BIxAANhxEAAoxRZMAACTMHAACeWpwAAHsDLGA= Date: Mon, 2 Dec 2019 01:45:30 +0000 Message-ID: References: <1573659978.17949.83.camel@linux.ibm.com> <1574796456.4793.248.camel@linux.ibm.com> <20191129230146.GB15726@linux.intel.com> In-Reply-To: <20191129230146.GB15726@linux.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZGJjNWFmN2MtZWU2Ny00MGNmLTk2N2UtZWZiMTU0Mjk3OTNiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoidG1Nck1haHRoaDNJaEhmRlFFXC8zYVo4VHNHS1o2NmhKdU42UlBNdXBoM1o0Y2FrR1d5ck1VbDNOYTZaYU9WYVEifQ== x-ctpclassification: CTP_NT x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Jarkko, The rc1 you mentioned is the version for what? How to download it and update it? Thanks. - Shirley -----Original Message----- From: Jarkko Sakkinen Sent: Saturday, November 30, 2019 7:02 AM To: Mimi Zohar Cc: Zhao, Shirley ; James Bottomley ; Jonathan Corbet ; linux-integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-doc@vger.kernel.org; linux-kernel@vger.kernel.org; 'Mauro Carvalho Chehab' ; Zhu, Bing ; Chen, Luhai Subject: Re: One question about trusted key of keyring in Linux kernel. On Tue, Nov 26, 2019 at 02:27:36PM -0500, Mimi Zohar wrote: > On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote: > > Thanks for your feedback, Mimi. > > But the document of dracut can't solve my problem. > > > > I did more test these days and try to descript my question in more detail. > > > > In my scenario, the trusted key will be sealed into TPM with PCR policy. > > And there are some related options in manual like > > hash= hash algorithm name as a string. For TPM 1.x the only > > allowed value is sha1. For TPM 2.x the allowed values > > are sha1, sha256, sha384, sha512 and sm3-256. > > policydigest= digest for the authorization policy. must be calculated > > with the same hash algorithm as specified by the 'hash=' > > option. > > policyhandle= handle to an authorization policy session that defines the > > same policy and with the same hash algorithm as was used to > > seal the key. > > > > Here is my test step. > > Firstly, the pcr policy is generated as below: > > $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy > > pcr7_bin.policy > pcr7.policy > > > > Pcr7.policy is the ascii hex of policy: > > $ cat pcr7.policy > > 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9 > > > > Then generate the trusted key and configure policydigest and get the key ID: > > $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 > > policydigest=`cat pcr7.policy`" @u > > 874117045 > > > > Save the trusted key. > > $ keyctl pipe 874117045 > kmk.blob > > > > Reboot and load the key. > > Start a auth session to generate the policy: > > $ tpm2_startauthsession -S session.ctx > > session-handle: 0x3000000 > > $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S > > session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy > > policy-digest: > > 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9 > > > > Input the policy handle to load trusted key: > > $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 > > policyhandle=0x3000000" @u > > add_key: Operation not permitted > > > > The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed. > > $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in file: > > "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy > > check failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed! > > ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run > > tpm2_unseal > > > > So my question is: > > 1. How to use the option, policydigest, policyhandle?? Is there any example? > > 2. What's wrong with my test step? > > When reporting a problem please state which kernel is experiencing > this problem. ?Recently there was a trusted key regression. ?Refer to > commit e13cd21ffd50 "tpm: Wrap the buffer from the caller to tpm_buf > in tpm_send()" for the details. > > Before delving into this particular problem, first please make sure > you are able to create, save, remove, and then reload a trusted key > not sealed to a PCR. Please re-test with rc1 when available. /Jarkko