* TPM trusted keys code
@ 2017-10-24 16:06 Jarkko Sakkinen
2017-10-26 15:13 ` David Howells
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Jarkko Sakkinen @ 2017-10-24 16:06 UTC (permalink / raw)
To: keyrings
Hi David,
I have a proposal.
We are soon going to have the following tools for in-kernel consumers
of the TPM:
* tpm_send() that takes struct tpm_buf that gives easy tools to
construct variable length commands. It has been already in use
inside the TPM driver since 2015.
* tpm_find_and_get() and tpm_put() for locking the in-kernel API
before use.
* All TPM constant values in include/linux/tpm.h
My main intention would be to refactor trusted keys code in the
following way:
1. Refactor TPM 1.x trusted keys code to use tpm_buf for constructing
sealing messages and remove the custom stuff that you have currently.
2. Move TPM 2.x trusted keys code to security/keys/trusted
I originally implemeted TPM 2.x trusted keys code originally to the TPM
driver because the infrastructure was lacking.
My rationale here is that it is domain specific code used by only one
subsystem. For overall kernel arch it probably makes sense to have that
code located in that subsystems and have TPM driver only provide great
tools to implement that, right?
Just wanted to ask you before I start this effort. Thank you.
/Jarkko
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: TPM trusted keys code
2017-10-24 16:06 TPM trusted keys code Jarkko Sakkinen
@ 2017-10-26 15:13 ` David Howells
2017-10-26 16:16 ` Jarkko Sakkinen
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: David Howells @ 2017-10-26 15:13 UTC (permalink / raw)
To: keyrings
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
> My rationale here is that it is domain specific code used by only one
> subsystem. For overall kernel arch it probably makes sense to have that
> code located in that subsystems and have TPM driver only provide great
> tools to implement that, right?
>
> Just wanted to ask you before I start this effort. Thank you.
I have a partial asymmetric key subtype implementation that uses the TPM code
also - but that broken thoroughly when the tpm-2 stuff was added. I'll have
to have another look at that (unless you want to), but it won't be till after
the next merge window.
My approach was to make a common library of routines that both the asymmetric
subtype and the trusted/encrypted types could use.
David
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: TPM trusted keys code
2017-10-24 16:06 TPM trusted keys code Jarkko Sakkinen
2017-10-26 15:13 ` David Howells
@ 2017-10-26 16:16 ` Jarkko Sakkinen
2017-11-16 15:33 ` Tudor Ambarus
2017-11-20 22:00 ` Jarkko Sakkinen
3 siblings, 0 replies; 5+ messages in thread
From: Jarkko Sakkinen @ 2017-10-26 16:16 UTC (permalink / raw)
To: keyrings
On Thu, Oct 26, 2017 at 04:13:35PM +0100, David Howells wrote:
> Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
>
> > My rationale here is that it is domain specific code used by only one
> > subsystem. For overall kernel arch it probably makes sense to have that
> > code located in that subsystems and have TPM driver only provide great
> > tools to implement that, right?
> >
> > Just wanted to ask you before I start this effort. Thank you.
>
> I have a partial asymmetric key subtype implementation that uses the TPM code
> also - but that broken thoroughly when the tpm-2 stuff was added. I'll have
> to have another look at that (unless you want to), but it won't be till after
> the next merge window.
>
> My approach was to make a common library of routines that both the asymmetric
> subtype and the trusted/encrypted types could use.
>
> David
That sounds like a awesome idea to me!
I'll continue to rework the TPM driver to the direction where you pass
struct tpm_buf to tpm_send() function instead of plain buffer.
After all the ad hoc code that trusted keys has to build TPM command
buffers can be taken away and replaced with tpm_buf helpers.
/Jarkko
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: TPM trusted keys code
2017-10-24 16:06 TPM trusted keys code Jarkko Sakkinen
2017-10-26 15:13 ` David Howells
2017-10-26 16:16 ` Jarkko Sakkinen
@ 2017-11-16 15:33 ` Tudor Ambarus
2017-11-20 22:00 ` Jarkko Sakkinen
3 siblings, 0 replies; 5+ messages in thread
From: Tudor Ambarus @ 2017-11-16 15:33 UTC (permalink / raw)
To: keyrings
Hi, David,
On 10/26/2017 06:13 PM, David Howells wrote:
> I have a partial asymmetric key subtype implementation that uses the TPM code
> also - but that broken thoroughly when the tpm-2 stuff was added.
I would like to take a look at your implementation, if you don't mind.
Have you made it public somewhere?
Thanks,
ta
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: TPM trusted keys code
2017-10-24 16:06 TPM trusted keys code Jarkko Sakkinen
` (2 preceding siblings ...)
2017-11-16 15:33 ` Tudor Ambarus
@ 2017-11-20 22:00 ` Jarkko Sakkinen
3 siblings, 0 replies; 5+ messages in thread
From: Jarkko Sakkinen @ 2017-11-20 22:00 UTC (permalink / raw)
To: keyrings
On Thu, Nov 16, 2017 at 05:33:16PM +0200, Tudor Ambarus wrote:
> Hi, David,
>
> On 10/26/2017 06:13 PM, David Howells wrote:
> > I have a partial asymmetric key subtype implementation that uses the TPM code
> > also - but that broken thoroughly when the tpm-2 stuff was added.
>
> I would like to take a look at your implementation, if you don't mind.
> Have you made it public somewhere?
>
> Thanks,
> ta
I'll start rework on TPM in-kernel API as soon as the SGX driver has
been upstreamed. Instead of a raw buffer you pass a struct tpm_buf
instance to tpm_send() and get also the response to that buffer.
There is a set of helpers to construct command buffers already widely
used inside the TPM driver.
I'll also move all the protocol specific constants to
include/linux/tpm.h.
/Jarkko
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-11-20 22:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-24 16:06 TPM trusted keys code Jarkko Sakkinen
2017-10-26 15:13 ` David Howells
2017-10-26 16:16 ` Jarkko Sakkinen
2017-11-16 15:33 ` Tudor Ambarus
2017-11-20 22:00 ` Jarkko Sakkinen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.