Message-ID: <1575269075.4080.31.camel@linux.ibm.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
From: James Bottomley
To: "Zhao, Shirley", Mimi Zohar, Jarkko Sakkinen, Jonathan Corbet
Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, 'Mauro Carvalho Chehab', "Zhu, Bing", "Chen, Luhai"
Date: Sun, 01 Dec 2019 22:44:35 -0800
References: <1573659978.17949.83.camel@linux.ibm.com> <1574877977.3551.5.camel@linux.ibm.com> <1575057916.6220.7.camel@linux.ibm.com> <1575260220.4080.17.camel@linux.ibm.com> <1575267453.4080.26.camel@linux.ibm.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, 2019-12-02 at 06:23 +0000, Zhao, Shirley wrote:
> Hi, James,
>
> The PCR7 value and PCR7 policy is as below, please review, thanks.
>
> # tpm2_pcrlist -L sha256:7 -o pcr7_2.sha256
> sha256:
> 7 : 0x061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408
>
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> # cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9

Well, the IBM TSS says that's the correct policy. Your policy command is

jejb@jarvis:~> tsspolicymakerpcr -bm 000080 -if ~/pcr7.txt -pr | tee tmp.policy
0000017f00000001000b038000009a47350fdbcc77ebeadcb4b4818d8e82a21717ea24434333c791c0cd0d1dc14e

And that hashes to

jejb@jarvis:~> tsspolicymaker -if ~/tmp.policy -pr
policy digest length 32
32 1f bd 28 b6 0f cc 23 01 7d 50 1b 13 3b d5 db f2 88 98 14 58 8e 8a 23 51 0f e1 01 05 cb 2c c9

So I don't understand why the userspace Intel TSS command is failing to do the unseal.

James
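The cross-check James performs above (IBM TSS versus tpm2-tools) can also be reproduced offline without any TSS, which is a useful third opinion when two tool stacks disagree about a sealed key's policy. The example below is added for this page and is not code from the thread, the IBM TSS or tpm2-tools; it follows the TPM 2.0 Part 3 definition of TPM2_PolicyPCR, where the new policy digest is H(oldDigest || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || pcrDigest), pcrDigest is H(selected PCR values concatenated in PCR order), and a fresh policy session starts from a zero digest of the hash's size. All function and constant names are my own; it generalises the single-PCR case in the thread to any set of PCRs in one SHA-256 bank.

```python
"""Recompute a TPM 2.0 PolicyPCR digest offline from raw PCR values.

Added example, not from the thread. Assumes TPM 2.0 Part 3, TPM2_PolicyPCR:
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest)
with pcrs the marshalled TPML_PCR_SELECTION and pcrDigest the hash of the
selected PCR values concatenated in ascending PCR order.
"""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B          # TPM_ALG_ID for SHA-256
PCR_SELECT_BYTES = 3             # 24 PCRs -> 3-byte selection bitmap


def marshal_pcr_selection(pcr_indices, hash_alg=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION with one bank and the given PCR bitmap."""
    select = bytearray(PCR_SELECT_BYTES)
    for i in pcr_indices:
        select[i // 8] |= 1 << (i % 8)   # PCR 7 -> byte 0, bit 7 -> 0x80
    # count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect[]
    return struct.pack(">IHB", 1, hash_alg, PCR_SELECT_BYTES) + bytes(select)


def pcr_composite_digest(pcr_values):
    """pcrDigest: SHA-256 over the selected PCR values, concatenated in PCR order."""
    h = hashlib.sha256()
    for idx in sorted(pcr_values):
        h.update(pcr_values[idx])
    return h.digest()


def policy_pcr_command(pcr_values):
    """The bytes that extend the policy: what tsspolicymakerpcr prints as one hex line."""
    return (struct.pack(">I", TPM_CC_POLICY_PCR)
            + marshal_pcr_selection(sorted(pcr_values))
            + pcr_composite_digest(pcr_values))


def policy_digest(commands, hash_name="sha256"):
    """Fold policy command lines into a digest, starting from the all-zero policy."""
    digest = bytes(hashlib.new(hash_name).digest_size)
    for cmd in commands:
        digest = hashlib.new(hash_name, digest + cmd).digest()
    return digest


def pcr7_policy(pcr7_hex):
    """Policy bound to a single SHA-256 PCR 7 value; returns (command hex, policy hex)."""
    pcr_values = {7: bytes.fromhex(pcr7_hex)}
    cmd = policy_pcr_command(pcr_values)
    return cmd.hex(), policy_digest([cmd]).hex()


if __name__ == "__main__":
    # PCR 7 value as reported by tpm2_pcrlist in the thread
    cmd_hex, pol_hex = pcr7_policy(
        "061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408")
    print("policy command:", cmd_hex)
    print("policy digest: ", pol_hex)
```

If the digest printed here matches the value in the sealed object's authPolicy, the policy itself is not the problem, and the unseal failure has to be looked for elsewhere: the PCR bank or index the unsealing tool actually selects, the PCR value at unseal time, or the session hash algorithm it starts the policy session with.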