From: James Bottomley <jejb@linux.ibm.com>
To: "Zhao, Shirley" <shirley.zhao@intel.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Jonathan Corbet <corbet@lwn.net>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"'Mauro Carvalho Chehab'" <mchehab+samsung@kernel.org>,
	"Zhu, Bing" <bing.zhu@intel.com>,
	"Chen, Luhai" <luhai.chen@intel.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
Date: Sun, 01 Dec 2019 22:44:35 -0800
Message-ID: <1575269075.4080.31.camel@linux.ibm.com>
In-Reply-To: <A888B25CD99C1141B7C254171A953E8E4909E381@shsmsx102.ccr.corp.intel.com>

On Mon, 2019-12-02 at 06:23 +0000, Zhao, Shirley wrote:
> Hi, James,
> 
> The PCR7 value and PCR7 policy are as below, please review, thanks.
> 
> # tpm2_pcrlist -L sha256:7 -o pcr7_2.sha256
> sha256:
>   7 :
> 0x061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408
> 
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy
> pcr7_bin.policy > pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
> 
> # cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9

Well, the IBM TSS says that's the correct policy.  Your policy command
is

jejb@jarvis:~> tsspolicymakerpcr -bm 000080 -if ~/pcr7.txt -pr | tee tmp.policy
0000017f00000001000b038000009a47350fdbcc77ebeadcb4b4818d8e82a21717ea24434333c791c0cd0d1dc14e

And that hashes to
jejb@jarvis:~> tsspolicymaker -if ~/tmp.policy  -pr
 policy digest length 32
 32 1f bd 28 b6 0f cc 23 01 7d 50 1b 13 3b d5 db 
 f2 88 98 14 58 8e 8a 23 51 0f e1 01 05 cb 2c c9 

So I don't understand why the userspace Intel TSS command is failing to
do the unseal.

James
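As an added illustration (not code from this thread or from either TSS), the following Python reproduces what the two tool chains above are computing: the PolicyPCR command bytes that tsspolicymakerpcr prints and the policy digest that tsspolicymaker and tpm2_createpolicy agree on. The PCR7 value is the one quoted in the message; the marshalling follows the TPM 2.0 specification's TPML_PCR_SELECTION and PolicyPCR digest update.

```python
import hashlib

TPM_CC_POLICY_PCR = 0x0000017F   # command code, first 4 bytes of the policy line
TPM_ALG_SHA256 = 0x000B          # hash algorithm id inside TPMS_PCR_SELECTION
PCR_SELECT_SIZE = 3              # 24 PCRs -> 3-byte pcrSelect bitmap

# PCR7 value from the tpm2_pcrlist output quoted above
PCR7 = bytes.fromhex(
    "061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408")


def pcr_selection(pcrs, hash_alg=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION holding one bank (count=1).

    Layout: count(4) || hashAlg(2) || sizeofSelect(1) || pcrSelect(3).
    PCR n sets bit (n % 8) of byte (n // 8), so PCR7 gives 80 00 00,
    which is exactly the -bm 000080 bitmap handed to tsspolicymakerpcr.
    """
    bitmap = bytearray(PCR_SELECT_SIZE)
    for pcr in pcrs:
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    return ((1).to_bytes(4, "big") + hash_alg.to_bytes(2, "big")
            + bytes([PCR_SELECT_SIZE]) + bytes(bitmap))


def policy_pcr_command(pcr_values, pcrs):
    """Bytes of one PolicyPCR policy line: TPM_CC_PolicyPCR || selection || pcrDigest.

    pcrDigest is SHA-256 over the selected PCR values concatenated in PCR order;
    with a single PCR it is simply SHA-256 of that PCR's 32-byte value.
    """
    pcr_digest = hashlib.sha256(
        b"".join(pcr_values[p] for p in sorted(pcrs))).digest()
    return TPM_CC_POLICY_PCR.to_bytes(4, "big") + pcr_selection(pcrs) + pcr_digest


def policy_digest(commands):
    """Replay policy commands the way the TPM does: start from 32 zero bytes and
    extend with each command's bytes (policyDigest = H(old || command))."""
    digest = bytes(32)
    for cmd in commands:
        digest = hashlib.sha256(digest + cmd).digest()
    return digest


if __name__ == "__main__":
    line = policy_pcr_command({7: PCR7}, [7])
    print(line.hex())                     # the tsspolicymakerpcr line
    print(policy_digest([line]).hex())    # the sealed-key policy digest
```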

