From: Mimi Zohar <zohar@linux.ibm.com>
To: "Zhao, Shirley" <shirley.zhao@intel.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
'Mauro Carvalho Chehab' <mchehab+samsung@kernel.org>
Subject: Re: One question about trusted key of keyring in Linux kernel.
Date: Wed, 13 Nov 2019 15:46:18 +0000 [thread overview]
Message-ID: <1573659978.17949.83.camel@linux.ibm.com> (raw)
In-Reply-To: <A888B25CD99C1141B7C254171A953E8E49094313@shsmsx102.ccr.corp.intel.com>
On Wed, 2019-11-13 at 01:22 +0000, Zhao, Shirley wrote:
> Hi, all,
>
> This is Shirley from Intel. I have one question about trusted key of
> keyring in kernel. Please help.
>
> According to the description in https://github.com/torvalds/linux/blob/master/Documentation/security/keys/trusted-encrypted.rst,
> the trusted key will be saved in the TPM, protected by a PCR policy.
"Trusted Keys use a TPM both to generate and to seal the keys. Keys
are sealed under a 2048 bit RSA key in the TPM, ..."
Trusted keys are not TPM keys. They are not stored in the TPM.
>
> Then I ran the following command to create a trusted key.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001" @u
>
> I also tried the following command; it can add one trusted key, too.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001
> pcrinfo=`cat pcr7.blob`" @u
>
> But after reboot, this key will be removed.
> I need to re-add it during boot.
Right, they need to be re-loaded on boot. Refer to the dracut
module /modules.d/97masterkey for loading a trusted key during boot.
>
> Then the question is: since this key is saved in the TPM, how do I get it
> back from the TPM?
Trusted keys are not stored in the TPM. Refer to the ima-evm-utils
README for examples of creating a trusted key (kmk) and an encrypted
key (evm-key).
>
> From the document, I need to use "keyctl pipe" to save the key into
> a blob, then load it.
> But the blob contains key text, and this is a file on the hard disk, so it
> is not safe for protecting the key.
>
> So what can TPM do here?
The hex ascii encoded trusted key is sealed under the TPM SRK.
Mimi
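The save-and-reload flow Mimi points to (pipe the sealed blob out, feed it back with "load" on boot), written out as an added example that is not from the thread, the kernel docs or the dracut 97masterkey module. It assumes keyutils' keyctl, a TPM, and the persistent handle 0x81000001 from Shirley's command; the hex check exists because what lands on disk is the TPM-sealed blob, never the key bytes.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel docs): save a trusted key
# as a sealed blob and reload it on the next boot, the way the dracut
# 97masterkey module does. Assumes keyctl from keyutils, a TPM, and the
# persistent SRK handle 0x81000001 used in the original post.
set -eu

KEYHANDLE=0x81000001

# Create a new 32-byte trusted key and write its sealed, hex-ASCII blob to a
# file. Only the TPM-sealed form leaves the kernel; the key bytes never do.
save_trusted_key() {   # $1 = key name, $2 = blob path, $3 = optional pcrinfo file
    name=$1; blob=$2; pcr=${3:-}
    opts="new 32 keyhandle=$KEYHANDLE"
    [ -n "$pcr" ] && opts="$opts pcrinfo=$(cat "$pcr")"
    id=$(keyctl add trusted "$name" "$opts" @u)
    (umask 077; keyctl pipe "$id" > "$blob")
    echo "$id"
}

# Reload a previously saved blob; the TPM unseals it (and enforces any PCR
# policy it was sealed with), so the key is only usable on the same platform.
load_trusted_key() {   # $1 = key name, $2 = blob path
    keyctl add trusted "$1" "load $(cat "$2")" @u
}

# Sanity check before handing a blob file to the kernel: a sealed trusted-key
# blob is hex ASCII only. Returns 0 if it looks like one, 1 otherwise.
is_hex_blob() {        # $1 = blob path
    [ -s "$1" ] || return 1
    ! tr -d '\n' < "$1" | LC_ALL=C grep -q '[^0-9a-fA-F]'
}

# Usage: ./trusted-key.sh save kmk /etc/keys/kmk.blob [pcr7.blob]
#        ./trusted-key.sh load kmk /etc/keys/kmk.blob
case "${1:-}" in
    save) save_trusted_key "$2" "$3" "${4:-}" ;;
    load) is_hex_blob "$3" && load_trusted_key "$2" "$3" ;;
esac
```

The "load" step is what needs to run from the initramfs: the blob is useless off the sealing TPM (or under a different PCR state when pcrinfo was given), which is why keeping it on disk is acceptable.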