From: Mimi Zohar <zohar@linux.ibm.com>
To: "Zhao, Shirley" <shirley.zhao@intel.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
'Mauro Carvalho Chehab' <mchehab+samsung@kernel.org>,
"Zhu, Bing" <bing.zhu@intel.com>,
"Chen, Luhai" <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
Date: Wed, 27 Nov 2019 15:39:28 +0000 [thread overview]
Message-ID: <1574869168.4793.282.camel@linux.ibm.com> (raw)
In-Reply-To: <A888B25CD99C1141B7C254171A953E8E490961E5@shsmsx102.ccr.corp.intel.com>
Hi Shirley,
On Wed, 2019-11-27 at 02:46 +0000, Zhao, Shirley wrote:
> Hi, Mimi,
>
> Answer your two questions:
>
> 1. Yes, I have verified trusted key works well without PCR policy
> protection as below:
> $ keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u
> 1055240928
> $ keyctl list @u
> 1 keys in keyring:
> 1055240928: --alswrv 0 0 trusted: kmk
> $ keyctl pipe 1055240928 > kmk.blob
> $ cat kmk.blob
> 007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd068
> 5d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff
> 4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b0
> 26e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b00
> 0000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b
> 8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41
> e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb
> 6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f
> 6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de
> 85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde45
> 08f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
> $ keyctl clear @u
> $ keyctl list @u
> keyring is empty
> $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001"
> @u
> 1022963731
> $ keyctl print 1022963731
> 007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd068
> 5d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff
> 4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b0
> 26e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b00
> 0000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b
> 8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41
> e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb
> 6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f
> 6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de
> 85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde45
> 08f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
>
> 2. The following kernel file is related with this problem.
> /security/keys/keyctl.c
> /security/keys/key.c
> /security/keys/trusted-keys/trusted_tpm1.c
> /security/keys/trusted-keys/trusted_tpm2.c
>
> To load the PCR policy protection trusted key, the call stack is:
> SYSCALL_DEFINE5(add_key,...) --> key_create_or_update() -->
> __key_instantiate_and_link() --> trusted_instantiate() -->
> tpm2_unseal_trusted() --> tpm2_unseal_cmd().
>
> Check dmesg, there will be error:
> [73336.351596] trusted_key: key_unseal failed (-1)
Like the other kernel mailing lists, please bottom post. When
reporting a problem, please include the kernel version and other
relevant details. For example, the TPM version and type (eg. hardware
vendor, software TPM, etc). Please indicate if this is a new problem
and which kernel release it first start happening?
I have no experience with the tpm2_ commands, I suggest trying to
extend a single measurement to a PCR and sealing to that value.
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Zhao, Shirley" <shirley.zhao@intel.com>,
James Bottomley <jejb@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"'Mauro Carvalho Chehab'" <mchehab+samsung@kernel.org>,
"Zhu, Bing" <bing.zhu@intel.com>,
"Chen, Luhai" <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
Date: Wed, 27 Nov 2019 10:39:28 -0500 [thread overview]
Message-ID: <1574869168.4793.282.camel@linux.ibm.com> (raw)
In-Reply-To: <A888B25CD99C1141B7C254171A953E8E490961E5@shsmsx102.ccr.corp.intel.com>
Hi Shirley,
On Wed, 2019-11-27 at 02:46 +0000, Zhao, Shirley wrote:
> Hi, Mimi,
>
> Answer your two questions:
>
> 1. Yes, I have verified trusted key works well without PCR policy
> protection as below:
> $ keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u
> 1055240928
> $ keyctl list @u
> 1 keys in keyring:
> 1055240928: --alswrv 0 0 trusted: kmk
> $ keyctl pipe 1055240928 > kmk.blob
> $ cat kmk.blob
> 007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd068
> 5d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff
> 4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b0
> 26e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b00
> 0000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b
> 8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41
> e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb
> 6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f
> 6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de
> 85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde45
> 08f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
> $ keyctl clear @u
> $ keyctl list @u
> keyring is empty
> $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001"
> @u
> 1022963731
> $ keyctl print 1022963731
> 007f0020ff808bd8b7239194e89aac6a95b4d210114742c20afa33493f002dffd068
> 5d510010c12d7ad51eb83d6d93895de066bf3d39718cc503adb4802cb087b88b2fff
> 4b040fe3a2be6a3f87c6749d087c9fb6e8734cb23f438d64087581a13bc83d5dc3b0
> 26e77a894ece6620d0eb85df6449ff3c609fd77d5f0caf79b4535b002e0008000b00
> 0000400000001000209a5b00b0d558fcf9e8c029522715e6b5906366eaec5f34367b
> 8ab16c0fb9009a0073000000000020e3b0c44298fc1c149afbf4c8996fb92427ae41
> e4649b934ca495991b7852b85501000b0022000bdcdb694e102e13a0fba5111081cb
> 6cf616c118d404936cac3e84db24c71e47d50022000b04b5db1aa52635dfb242e76f
> 6bde8e2176ae48fc682946c6c76d96f608079d1f0000002036b6fcca8206c7f722de
> 85821d7ecb4785976fdd642bc7538505a2a818c8a23880214000000100202aedde45
> 08f548d108193ec8fe166a7befde19113fe727ae2b29901bdece96e5
>
> 2. The following kernel file is related with this problem.
> /security/keys/keyctl.c
> /security/keys/key.c
> /security/keys/trusted-keys/trusted_tpm1.c
> /security/keys/trusted-keys/trusted_tpm2.c
>
> To load the PCR policy protection trusted key, the call stack is:
> SYSCALL_DEFINE5(add_key,...) --> key_create_or_update() -->
> __key_instantiate_and_link() --> trusted_instantiate() -->
> tpm2_unseal_trusted() --> tpm2_unseal_cmd().
>
> Check dmesg, there will be error:
> [73336.351596] trusted_key: key_unseal failed (-1)
Like the other kernel mailing lists, please bottom post. When
reporting a problem, please include the kernel version and other
relevant details. For example, the TPM version and type (eg. hardware
vendor, software TPM, etc). Please indicate if this is a new problem
and which kernel release it first start happening?
I have no experience with the tpm2_ commands, I suggest trying to
extend a single measurement to a PCR and sealing to that value.
Mimi
next prev parent reply other threads:[~2019-11-27 15:39 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <A888B25CD99C1141B7C254171A953E8E49094313@shsmsx102.ccr.corp.intel.com>
2019-11-13 15:46 ` One question about trusted key of keyring in Linux kernel Mimi Zohar
2019-11-13 15:46 ` Mimi Zohar
2019-11-26 7:32 ` Zhao, Shirley
2019-11-26 7:32 ` Zhao, Shirley
2019-11-26 19:27 ` Mimi Zohar
2019-11-26 19:27 ` Mimi Zohar
2019-11-27 2:46 ` Zhao, Shirley
2019-11-27 2:46 ` Zhao, Shirley
2019-11-27 15:39 ` Mimi Zohar [this message]
2019-11-27 15:39 ` Mimi Zohar
2019-11-29 1:54 ` Zhao, Shirley
2019-11-29 1:54 ` Zhao, Shirley
2019-11-29 23:01 ` Jarkko Sakkinen
2019-11-29 23:01 ` Jarkko Sakkinen
2019-12-02 1:45 ` Zhao, Shirley
2019-12-02 1:45 ` Zhao, Shirley
2019-12-06 21:20 ` Jarkko Sakkinen
2019-12-06 21:20 ` Jarkko Sakkinen
2019-11-27 18:06 ` James Bottomley
2019-11-27 18:06 ` James Bottomley
2019-11-29 1:40 ` Zhao, Shirley
2019-11-29 1:40 ` Zhao, Shirley
2019-11-29 20:05 ` James Bottomley
2019-11-29 20:05 ` James Bottomley
2019-12-02 1:44 ` Zhao, Shirley
2019-12-02 1:44 ` Zhao, Shirley
2019-12-02 4:17 ` James Bottomley
2019-12-02 4:17 ` James Bottomley
2019-12-02 5:55 ` Zhao, Shirley
2019-12-02 5:55 ` Zhao, Shirley
2019-12-02 6:17 ` James Bottomley
2019-12-02 6:17 ` James Bottomley
2019-12-02 6:23 ` Zhao, Shirley
2019-12-02 6:23 ` Zhao, Shirley
2019-12-02 6:44 ` James Bottomley
2019-12-02 6:44 ` James Bottomley
2019-12-02 6:50 ` Zhao, Shirley
2019-12-02 6:50 ` Zhao, Shirley
2019-12-02 18:55 ` James Bottomley
2019-12-02 18:55 ` James Bottomley
2019-12-03 2:11 ` Zhao, Shirley
2019-12-03 2:11 ` Zhao, Shirley
2019-12-03 3:12 ` James Bottomley
2019-12-03 3:12 ` James Bottomley
2019-12-04 3:01 ` Zhao, Shirley
2019-12-04 3:01 ` Zhao, Shirley
2019-12-04 3:33 ` James Bottomley
2019-12-04 3:33 ` James Bottomley
2019-12-04 6:39 ` Zhao, Shirley
2019-12-04 6:39 ` Zhao, Shirley
2019-12-09 19:47 ` Jarkko Sakkinen
2019-12-09 19:47 ` Jarkko Sakkinen
2019-12-09 20:31 ` James Bottomley
2019-12-09 20:31 ` James Bottomley
2019-12-11 17:23 ` Jarkko Sakkinen
2019-12-11 17:23 ` Jarkko Sakkinen
2019-12-11 17:33 ` Jarkko Sakkinen
2019-12-11 17:33 ` Jarkko Sakkinen
2019-12-11 17:53 ` Jarkko Sakkinen
2019-12-11 17:53 ` Jarkko Sakkinen
2019-12-09 21:18 ` Mimi Zohar
2019-12-09 21:18 ` Mimi Zohar
2019-12-11 17:12 ` Jarkko Sakkinen
2019-12-11 17:12 ` Jarkko Sakkinen
2019-11-14 17:01 ` Jarkko Sakkinen
2019-11-14 17:01 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1574869168.4793.282.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bing.zhu@intel.com \
--cc=corbet@lwn.net \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jejb@linux.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luhai.chen@intel.com \
--cc=mchehab+samsung@kernel.org \
--cc=shirley.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.