Subject: Re: [PATCH] KEYS: trusted_tpm2: Only check options->keyhandle for ASN.1
From: James Bottomley
To: Jarkko Sakkinen, linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org, stable@vger.kernel.org, Mimi Zohar, David Howells, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Sat, 25 May 2024 09:42:02 -0400
In-Reply-To: <20240525123634.3396-1-jarkko@kernel.org>
References: <20240525123634.3396-1-jarkko@kernel.org>

On Sat, 2024-05-25 at 15:36 +0300, Jarkko Sakkinen wrote:
> tpm2_load_cmd incorrectly checks options->keyhandle also for the
> legacy format, as also implied by the inline comment. Check
> options->keyhandle when ASN.1 is loaded.

No, that's not right. keyhandle must be specified for the old format,
because it's just the two private/public blobs and doesn't know its
parent.

Since tpm2_key_decode() always places the ASN.1 parent into
options->keyhandle, the proposed new code is fully redundant
(options->keyhandle must be non zero if the ASN.1 parsed correctly) but
it loses the check that the loader must specify it for the old format.

What the comment above the code you removed means is that the keyhandle
must be non zero here, either extracted from the ASN.1 for the new
format or specified on the command line for the old.

James
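The two code paths discussed in this thread, as an added illustration that is not the kernel's trusted_tpm2.c and not part of the thread. It is a simplified model: the `model_*` names, the `model_key_options` struct and the toy "0x30 tag plus 4-byte parent handle" framing are all assumptions made up for the example (the real tpm2_key_decode() parses proper ASN.1 and returns through the payload). `model_load_cmd_current()` keeps the single non-zero check after the format branch; `model_load_cmd_proposed()` moves it inside the ASN.1 branch, which is what the patch under review does, and the legacy case shows the check that is lost.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model (not the kernel's code) of the two blob formats tpm2_load_cmd()
 * must accept:
 *   - legacy: raw private/public TPM blobs that carry no parent handle,
 *     so the loader has to supply options->keyhandle;
 *   - ASN.1: the blob embeds its parent handle, which the decoder copies
 *     into options->keyhandle.
 */
struct model_key_options {
	uint32_t keyhandle;	/* parent handle; 0 means "not supplied" */
};

/* Constructed framing for the model only: tag byte, then a 4-byte
 * big-endian parent handle. Real ASN.1 is far more involved. */
#define MODEL_ASN1_TAG 0x30

/* Constructed sample blobs (not real TPM data). */
const uint8_t model_asn1_blob[5]   = { MODEL_ASN1_TAG, 0x81, 0x00, 0x00, 0x01 };
const uint8_t model_asn1_zero[5]   = { MODEL_ASN1_TAG, 0x00, 0x00, 0x00, 0x00 };
const uint8_t model_legacy_blob[4] = { 0x00, 0x1e, 0x00, 0x20 };

/* Stand-in for tpm2_key_decode(): 0 and keyhandle filled in for the
 * ASN.1 format, negative when the blob is not ASN.1 at all. */
static int model_key_decode(const uint8_t *blob, size_t len,
			    struct model_key_options *options)
{
	if (len < 5 || blob[0] != MODEL_ASN1_TAG)
		return -EINVAL;
	options->keyhandle = ((uint32_t)blob[1] << 24) | ((uint32_t)blob[2] << 16) |
			     ((uint32_t)blob[3] << 8)  |  (uint32_t)blob[4];
	return 0;
}

/*
 * Current logic: one non-zero check after the format branch. It covers
 * both formats, because either the decoder just wrote keyhandle or the
 * loader had to pass it in for a legacy blob.
 */
int model_load_cmd_current(const uint8_t *blob, size_t len,
			   uint32_t supplied, uint32_t *resolved)
{
	struct model_key_options options = { .keyhandle = supplied };

	if (model_key_decode(blob, len, &options) < 0) {
		/* legacy format: nothing to decode, keep the supplied handle */
	}
	if (!options.keyhandle)
		return -EINVAL;
	if (resolved)
		*resolved = options.keyhandle;
	return 0;
}

/*
 * Proposed logic: check only when ASN.1 decoded. Inside that branch the
 * check is redundant (the decoder just filled keyhandle in), and a
 * legacy blob loaded with no parent handle now passes with keyhandle 0.
 */
int model_load_cmd_proposed(const uint8_t *blob, size_t len,
			    uint32_t supplied, uint32_t *resolved)
{
	struct model_key_options options = { .keyhandle = supplied };

	if (model_key_decode(blob, len, &options) == 0 && !options.keyhandle)
		return -EINVAL;
	if (resolved)
		*resolved = options.keyhandle;
	return 0;
}

int main(void)
{
	uint32_t h = 0;

	printf("legacy, no handle, current : %d\n",
	       model_load_cmd_current(model_legacy_blob, sizeof(model_legacy_blob), 0, &h));
	printf("legacy, no handle, proposed: %d (handle %#x)\n",
	       model_load_cmd_proposed(model_legacy_blob, sizeof(model_legacy_blob), 0, &h), h);
	return 0;
}
```

Run stand-alone, the first line reports -EINVAL and the second reports success with a zero handle, which is the regression the reply points at: the one check after the branch is what protects the legacy path.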