Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp2713511lqo; Tue, 14 May 2024 07:11:35 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV+8kpblegS42xmubpcr/jKEo3helv4lTa4R2EZSyonT8O1ywvVmKhiVnopcb+EH3nxvYG1FaGzrRK1HuCoiwji3yva/ndvF3L7/rpsow== X-Google-Smtp-Source: AGHT+IFfHhap1t71eUmTSqZorRU16IIQnGrRpL7foE+JXSsrqjjdvrijsuYCenmlRjdwO8ucw7q1 X-Received: by 2002:a17:906:69cf:b0:a59:a356:3f6d with SMTP id a640c23a62f3a-a5a2d672c34mr866304066b.54.1715695895696; Tue, 14 May 2024 07:11:35 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715695895; cv=pass; d=google.com; s=arc-20160816; b=qMSdCJflwAwbgEV99m5OS5/6p+DK7BVdTiYl+7KKf1VRFVuYP4iQmuD/9A+0RMNKct eJ6tgtTF+jxVOL0qbekL0BNc9QdCSbod0GMIJKwOFiux2H3POTL0pBXf+GVdRkImn4EW 1Zuw9gdWohAb2VUJBVP/2mdNZHDRrh2ZZ1ebu8BJpKw/WDtho+yYFsVVjtysMtfSZ7JH PlwQjlXY3snAr0+rZIcmvBhXYUs2BWzm9NfA9JmqX/KurVIUN7VdXvuLZUgHYfHKFz/M hnv+rhS/XmFBGsjcwPObnO+XLDXmWbQr9LdMgFbFHS3uG4mgimqQ7n0WZLr9zf0j0mdC 3gyA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:user-agent:references:in-reply-to :date:cc:to:from:subject:message-id:dkim-signature:dkim-signature; bh=AFRVdCfx92Rrtk/UXqNp6roSrRgzW4r2xJYB+V8Wzhc=; fh=7kq6WGb4conSOi7eEyLOtYRXUM2xPzxds3vGjQLvShg=; b=IfoThVDLrKTAc5IW+q0ExCGX4ogpevlDcF1fh3VFr2eUntZ/puEn0D9kBMN8ZXdsXh OG3T26S9hIjrZ5BT8dkkFwKyfMV/F44FkvF7WvvjwjUz18JB+iOF18QTIznONYoNi8/7 Ma4ZgQzAz1kYaEF8CF6iXrDJ09nVWVrQY4R0/5tO6SQ+0g3jLhBWUdI2HgoIhhVJ+nFI Ppwy3tTa9/Ah4saGhbHHuLeKvwSr9IlavgqYOXqHKMnHLYiub8BZWjOyhs2Nq5FQe+hp K3ECvKZWj7HNOSvpEJe+258TauKyLitbFuW/a8zTDH3N/M0X4HaYKUhbR2wdwzhc5cHk j/zA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b="piHCb5b/"; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kziy3ax8; arc=pass (i=1 spf=pass spfdomain=hansenpartnership.com dkim=pass dkdomain=hansenpartnership.com dkim=pass dkdomain=hansenpartnership.com dmarc=pass fromdomain=hansenpartnership.com); spf=pass (google.com: domain of linux-kernel+bounces-178793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178793-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id a640c23a62f3a-a5a1797c2b0si622209066b.224.2024.05.14.07.11.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 May 2024 07:11:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-178793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b="piHCb5b/"; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kziy3ax8; arc=pass (i=1 spf=pass spfdomain=hansenpartnership.com dkim=pass dkdomain=hansenpartnership.com dkim=pass dkdomain=hansenpartnership.com dmarc=pass fromdomain=hansenpartnership.com); spf=pass (google.com: domain of linux-kernel+bounces-178793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178793-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 499661F22680 for ; Tue, 14 May 2024 14:11:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EADB614533C; Tue, 14 May 2024 14:11:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="piHCb5b/"; dkim=pass (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="kziy3ax8" Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [96.44.175.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED7601448FA; Tue, 14 May 2024 14:11:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=96.44.175.130 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715695879; cv=none; b=Eg4tmcb7wGy3uaj3ZSkVvlRD/RkLCcVUEBiiD+dIIbiMBonTAfzdntmyiMMFibKP0EZhPQ9y/mGojF8Y+sesrgQ/G1YJahPm7l1nfBJDH7JU9E1vdSfzoycmFp9gQh4E11jwrbadjuCOO42WOGjBqefmHqzduQZ8jbaz2iBS3ww= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715695879; c=relaxed/simple; bh=r2Nahr78aiF4tYkW2zYCQNncVvwBxFAGr+UJ6/ZGIpQ=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=CrpA+40uF/ymOTsa01lMp+3UgDPErTLJUeFFazpRyCMqJ8yutl20d/n5NfXcAm+WmUM20Sk3L2moSw2RPna0YdRKZHTn3h0bDwS1kTTp042JOCzqYLeAQsr3ESak2WP6JiAL2N0Rd/PqXuuq56MgZvMPeJ8luDTZLkNRpo7eBWE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=HansenPartnership.com; spf=pass smtp.mailfrom=HansenPartnership.com; dkim=pass (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b=piHCb5b/; dkim=pass (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b=kziy3ax8; arc=none smtp.client-ip=96.44.175.130 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=HansenPartnership.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=HansenPartnership.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1715695876; bh=r2Nahr78aiF4tYkW2zYCQNncVvwBxFAGr+UJ6/ZGIpQ=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=piHCb5b/FbG2smVbhene+15kh7ccoAWtS0G1EBGOXMvkKz3H+P17VYYbce7LNU36R Sfkh62GBisH1D/e1Nv1e1vm5lmzMJrYHFLlaRWHRGM4v0PBUVSJZ/6xLEC6wAIcgv3 69Yzt56BlomtSbofrZ0YqStcBc8iH2YwMVeyd9Tk= Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id F3D361286A24; Tue, 14 May 2024 10:11:15 -0400 (EDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavis, port 10024) with ESMTP id bzeQuPRiwXnQ; Tue, 14 May 2024 10:11:15 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1715695875; bh=r2Nahr78aiF4tYkW2zYCQNncVvwBxFAGr+UJ6/ZGIpQ=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=kziy3ax8L7uocRtXywqUBFk1VaQX82be3dHcg8Pj/W39cUuGMHZAUICRLO4GWdrbV nQ9VrRis55hVDLdW502b9Pf/X5UAVNmGrRUIbVL8hXLFs3OXG5865se3L5XB6AqE8i rW9AcgLO4o6Pt+zHhNfb6tzF0x/E+WFxNUJ5z69Y= Received: from [172.21.4.27] (unknown [50.204.89.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id BCCA31286A09; Tue, 14 May 2024 10:11:10 -0400 (EDT) Message-ID: Subject: Re: [RFC PATCH 0/2] TPM derived keys From: James Bottomley To: Ignat Korchagin Cc: Jarkko Sakkinen , Ben Boeckel , Mimi Zohar , David Howells , Paul Moore , James Morris , serge@hallyn.com, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com Date: Tue, 14 May 2024 08:11:06 -0600 In-Reply-To: References: <20240503221634.44274-1-ignat@cloudflare.com> <44cd50b60a0a4e376d01544d25187556b8badf94.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit On Tue, 2024-05-14 at 10:50 +0100, Ignat Korchagin wrote: > On Mon, May 13, 2024 at 11:33 PM James Bottomley > wrote: > > > > On Mon, 2024-05-13 at 18:09 +0100, Ignat Korchagin wrote: > > [...] > > > TPM derived keys attempt to address the above use cases by > > > allowing applications to deterministically derive unique > > > cryptographic keys for their own purposes directly from the TPM > > > seed in the owner hierarchy. The idea is that when an application > > > requests a new key, instead of generating a random key and > > > wrapping it with the TPM, the implementation generates a key via > > > KDF(hierarchy seed, application specific info). Therefore, the > > > resulting keys will always be cryptographically bound to the > > > application itself and the device they were generated on. > > > > So I think what confuses me is what the expected cryptographic > > secrecy properties of the derived keys are.  I get they're a KDF of > > seed and deterministic properties, but if those mixing values are > > well known (as the path or binary checksum cases) then anyone with > > access to the TPM can derive the key from user space because they > > can easily obtain the mixing parameters and there's no protection > > to the TPM keyed hash operation. > > > > Consider the use case where two users are using derived keys on the > > same system (so same TPM).  Assuming they use them to protect > > sensitive information, what prevents user1 from simply deriving > > user2's key and getting the information, or am I missing the point > > of this? > > You are correct: it is possible, but in practice it would be limited > only to privileged users/applications. I remember there was a push to > set a 666 mask for the TPM device file, but it is not how it is done > today by default. No, it's 660, but in consequence of that every user of the TPM is a member of the tpm group which, since TPM use from userspace is growing, is everyone, so it might as well have been 666. In other words relying on access restrictions to the TPM itself is largely useless. > Also I think the same applies to trusted keys as well, at least > without any additional authorizations or PCR restrictions on the blob > (I remember I could manually unwrap a trusted key blob in userspace > as root). Well, that's correct, but a TPM key file without policy still has two protections: the file itself (so the key owner can choose what permissions and where it is) and the key authority (or password) although for the mechanical (unsupervised insertion) use case keys tend not to have an authority. > It would be fixed if we could limit access to some TPM ops only from > the kernel, but I remember from one of your presentations that it is > generally a hard problem and that some solution was in the works (was > it based on limiting access to a resettable PCR?). I'm happy to > consider adopting it here as well somehow. Well, that was based on constructing a policy that meant only the kernel could access the data (so it requires PCR policy). In addition to the expected secrecy property question which I don't think is fully answered I did think of another issue: what if the application needs to rotate keys because of a suspected compromise? For sealed keys, we just generate a new one an use that in place of the old, but for your derived keys we'd have to change one of the mixing values, which all look to be based on fairly permanent properties of the system. James