Subject: Re: [RFC PATCH 0/2] TPM derived keys
From: "Jarkko Sakkinen"
To: "Ignat Korchagin", "James Bottomley", "Mimi Zohar", "David Howells", "Paul Moore", "James Morris"
Date: Tue, 14 May 2024 03:28:32 +0300
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240503221634.44274-1-ignat@cloudflare.com>
X-Mailer: aerc 0.17.0

On Mon May 13, 2024 at 8:11 PM EEST, Ignat Korchagin wrote:
> On Fri, May 3, 2024 at 11:16 PM Ignat Korchagin wrote:
> I would like to point out to myself I was wrong: it is possible to ask
> the kernel to generate a trusted key inside the kernel locally with
> "keyctl add trusted kmk "new 32" @u"

Not in a full-time kernel position ATM as I'm working as a contract researcher up until the beginning of Oct (took some industry break after a startup went out of business), so please, politely asking, write a bit more compact descriptions ;-) I'm trying to find a new position by the beginning of Oct but right now I'd appreciate a bit more thought-out text descriptions.

I'm working out a small patch set with James Prestwood to add asymmetric TPM2 keys based on his old patch set [1] but laid out on top of the existing baseline. I already did the key type shenanigans etc. for it and James P is laying his pre-existing RSA code and new ECDSA on top of that. So this will give X.509 compatibility [2]. This patch set will be out soon and likely part of 6.11 (or almost guaranteed as most of it is done).

So by plain guess this might be along the lines of what you might want?

[1] https://lore.kernel.org/all/20200518172704.29608-1-prestwoj@gmail.com/
[2] https://datatracker.ietf.org/doc/draft-woodhouse-cert-best-practice/

BR, Jarkko