From: Evan Green
Date: Mon, 5 Dec 2022 10:43:05 -0800
Subject: Re: [PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data
To: jejb@linux.ibm.com
Cc: Eric Biggers, linux-kernel@vger.kernel.org, corbet@lwn.net, linux-integrity@vger.kernel.org, gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek, Ben Boeckel, rjw@rjwysocki.net, Kees Cook, dlunev@google.com, zohar@linux.ibm.com, Matthew Garrett, jarkko@kernel.org, linux-pm@vger.kernel.org, David Howells, James Morris, Paul Moore, "Serge E. Hallyn", keyrings@vger.kernel.org, linux-security-module@vger.kernel.org
In-Reply-To: <6f66f174af92a9b23bddd72945e94e888b0c9420.camel@linux.ibm.com>
References: <20221111231636.3748636-1-evgreen@chromium.org> <20221111151451.v5.4.Ieb1215f598bc9df56b0e29e5977eae4fcca25e15@changeid> <95ffac38780bf0ec6084cb354bfcb3b7bee686b9.camel@linux.ibm.com> <6f66f174af92a9b23bddd72945e94e888b0c9420.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 2, 2022 at 1:03 PM James Bottomley wrote:
>
> On Mon, 2022-11-14 at 13:00 -0500, James Bottomley wrote:
> > On Mon, 2022-11-14 at 09:43 -0800, Evan Green wrote:
> > > On Mon, Nov 14, 2022 at 8:56 AM James Bottomley wrote:
> > [...]
> > > > Of course, since openssl_tpm2_engine is the complete reference
> > > > implementation that means I'll have to add the creation PCRs
> > > > implementation to it ... unless you'd like to do it?
> > >
> > > I am willing to help as I'm the one making the mess. How does it
> > > sequence along with your draft submission (before, after,
> > > simultaneous)?
> >
> > At the moment, just send patches. The openssl_tpm2_engine is
> > developed on a groups.io mailing list:
> >
> > https://groups.io/g/openssl-tpm2-engine/
> >
> > You need an IETF specific tool (xml2rfc) to build the rfc from the
> > xml, but it's available in most distros as python3-xml2rfc. If you
> > don't want to learn the IETF XML I can help you code up the patch to
> > add that to the draft spec.
>
> Just as a heads up, the patch series implementing signed policy (and
> thus taking option [3]) is on the mailing list for review:
>
> https://groups.io/g/openssl-tpm2-engine/message/296
>
> With apologies for the awful lack of threading in the groups.io
> interface.
>
> So you don't have to build the RFC yourself, I published the proposed
> update on my website:
>
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt
>
> If you want to use option [4] for the creation data, it's available.

Perfect, thanks James!
-Evan