Subject: Re: Migration to trusted keys: sealing user-provided key?
From: Mimi Zohar
To: Jan Lübbe, Jarkko Sakkinen, Ahmad Fatoum, James Bottomley, David Howells, keyrings@vger.kernel.org, Sumit Garg
Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel@pengutronix.de
Date: Sun, 31 Jan 2021 09:29:29 -0500
In-Reply-To: <8b9477e150d7c939dc0def3ebb4443efcc83cd85.camel@pengutronix.de>
References: <74830d4f-5a76-8ba8-aad0-0d79f7c01af9@pengutronix.de> <6dc99fd9ffbc5f405c5f64d0802d1399fc6428e4.camel@kernel.org> <8b9477e150d7c939dc0def3ebb4443efcc83cd85.camel@pengutronix.de>

On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:
> >
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
>
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
>
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.

The "encrypted" asymmetric key data doesn't change, "update" just changes the
key under which it is encrypted/decrypted.
Usage:
    keyctl add encrypted name "new [format] key-type:master-key-name keylen" ring
    keyctl add encrypted name "load hex_blob" ring
    keyctl update keyid "update key-type:master-key-name"

Mimi
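The three keyctl payload forms above, modelled in Python as an added example (not kernel code and not from this thread): it parses the "new", "load" and "update" commands, produces a blob line shaped like what `keyctl print` shows, and checks the point Mimi makes, that "update" re-wraps unchanged key material under a different master key. The wrapping primitive is a constructed HMAC-SHA256 keystream plus HMAC tag standing in for the kernel's AES-CBC and HMAC, `MASTERS` is a constructed stand-in for the keyring, and the `trusted:kmk` entry is random bytes in place of a TPM-sealed key.

```python
import hashlib, hmac, secrets
MASTERS = {}  # constructed stand-in for the keyring: "type:name" -> master key bytes

def _xor_stream(key, iv, data):  # toy keystream cipher standing in for the kernel's AES-CBC
    ks = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(master_desc, payload):
    """Build the 'format master-desc datalen hexblob' line that `keyctl print` shows."""
    m = MASTERS[master_desc]  # KeyError here mirrors a missing master key
    iv, hdr = secrets.token_bytes(16), f"default {master_desc} {len(payload)} ".encode()
    ct = _xor_stream(m, b"ENC" + iv, payload)
    tag = hmac.new(m, b"AUTH" + hdr + iv + ct, hashlib.sha256).digest()
    return hdr.decode() + (iv + ct + tag).hex()

def unwrap(blob):
    """Recover the key material; fails if the master key is wrong or the blob was altered."""
    fmt, master_desc, datalen, hexpart = blob.split(" ")
    m, raw = MASTERS[master_desc], bytes.fromhex(hexpart)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    hdr = f"{fmt} {master_desc} {datalen} ".encode()
    want = hmac.new(m, b"AUTH" + hdr + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("HMAC mismatch: wrong master key or corrupted blob")
    return _xor_stream(m, b"ENC" + iv, ct)

def add_encrypted(cmd):
    """'new [format] type:name keylen' or 'load hex_blob' (the keyctl add payloads)."""
    words = cmd.split()
    if words[0] == "new":  # kernel picks random material; the caller never supplies it
        return wrap(words[-2], secrets.token_bytes(int(words[-1])))
    if words[0] == "load":  # re-import a printed blob, verifying it against its master
        blob = " ".join(words[1:])
        unwrap(blob)
        return blob
    raise ValueError(f"unsupported command {words[0]!r}")

def update_encrypted(blob, cmd):
    """'update type:name': same key material, re-wrapped under a different master key."""
    op, master_desc = cmd.split()
    assert op == "update", "expected 'update key-type:master-key-name'"
    return wrap(master_desc, unwrap(blob))

def migrate_demo():  # new under a user key, update to a simulated trusted key, reload
    MASTERS["user:kmk-user"] = secrets.token_bytes(32)
    MASTERS["trusted:kmk"] = secrets.token_bytes(32)  # stands in for a TPM-sealed key
    blob = add_encrypted("new user:kmk-user 32")
    moved = update_encrypted(blob, "update trusted:kmk")
    return unwrap(add_encrypted("load " + moved)) == unwrap(blob) and moved != blob
```

Note that `unwrap` exists only in the model: in the real subsystem the plaintext never leaves the kernel, which is why the migration question has to be answered in terms of which master key wraps the blob rather than by reading the key back.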