From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
	David Woodhouse <dwmw2@infradead.org>,
	keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v10 6/8] security: keys: trusted: add PCR policy to TPM2 keys
Date: Wed, 17 Jun 2020 23:44:03 +0000
Message-ID: <20200617234403.GK62794@linux.intel.com>
In-Reply-To: <20200616160229.8018-7-James.Bottomley@HansenPartnership.com>

On Tue, Jun 16, 2020 at 09:02:27AM -0700, James Bottomley wrote:
> This commit adds the ability to specify a PCR lock policy to TPM2
> keys.  There is a complexity in that the creator of the key must choose
> either to use a PCR lock policy or to use authentication.  At the
> current time they can't use both due to a complexity with the way
> authentication works when policy registers are in use.  The way to
> construct a pcrinfo statement for a key is simply to use the
> TPMS_PCR_SELECT structure to specify the PCRs and follow this by a
> hash of all their values in order of ascending PCR number.
> 
> For simplicity, we require the policy name hash and the hash used for
> the PCRs to be the same.  Thus to construct a policy around the value
> of the resettable PCR 16 using the sha1 bank, first reset the pcr to
> zero giving a hash of all zeros as:
> 
> 6768033e216468247bd031a0a2d9876d79818f8f
> 
> Then the TPMS_PCR_SELECT value for PCR 16 is
> 
> 03000001
> 
> So create a new 32 byte key with a policy locking the key to
> this value of PCR 16 with a parent key of 81000001 would be:
> 
> keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha1 pcrinfo=030000016768033e216468247bd031a0a2d9876d79818f8f" @u
> 
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Policy stuff definitely should be a follow up and not part of the same
patch set. Too many decisions to make. 

/Jarkko
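
The pcrinfo construction described in the quoted commit message, as an added example that is not part of the thread or the patch: it encodes TPMS_PCR_SELECT, hashes the selected PCR values in ascending PCR order with the bank's hash, and reproduces the PCR 16 value from the message. It generalizes to several PCRs; the function names, the fixed 3-byte select size and the caller-supplied PCR values are assumptions of this sketch.

```python
import hashlib

# Assumption: 24 PCRs, so a 3-byte bitmap, matching the "03000001" in the message.
PCR_SELECT_SIZE = 3


def pcr_select(pcrs):
    """Encode TPMS_PCR_SELECT: size byte, then bitmap (PCR n -> byte n//8, bit n%8)."""
    bitmap = bytearray(PCR_SELECT_SIZE)
    for n in pcrs:
        if not 0 <= n < PCR_SELECT_SIZE * 8:
            raise ValueError(f"PCR {n} does not fit a {PCR_SELECT_SIZE}-byte select")
        bitmap[n // 8] |= 1 << (n % 8)
    return bytes([PCR_SELECT_SIZE]) + bytes(bitmap)


def pcrinfo(pcr_values, bank="sha1"):
    """Build the hex pcrinfo string from {pcr_number: raw PCR value bytes}.

    The same hash is used for the PCR bank and the digest, as the message requires.
    """
    if not pcr_values:
        raise ValueError("at least one PCR must be selected")
    size = hashlib.new(bank).digest_size
    digest = hashlib.new(bank)
    for n in sorted(pcr_values):  # ascending PCR number
        value = pcr_values[n]
        if len(value) != size:
            raise ValueError(f"PCR {n}: expected {size} bytes for {bank}, got {len(value)}")
        digest.update(value)
    return (pcr_select(pcr_values) + digest.digest()).hex()


def keyctl_payload(info, parent=0x81000001, bank="sha1", length=32):
    """Format the payload string passed to 'keyctl add trusted', as in the message."""
    return f"new {length} keyhandle={parent:#x} hash={bank} pcrinfo={info}"


# Constructed input: PCR 16 after reset reads as 20 zero bytes in the sha1 bank.
RESET_PCR16 = {16: bytes(20)}

if __name__ == "__main__":
    print(keyctl_payload(pcrinfo(RESET_PCR16)))
```
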
