From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v11 3/5] security: keys: trusted: fix TPM2 authorizations
Date: Tue, 15 Sep 2020 12:09:50 +0300 [thread overview]
Message-ID: <20200915090950.GB3612@linux.intel.com> (raw)
In-Reply-To: <20200912172643.9063-4-James.Bottomley@HansenPartnership.com>
On Sat, Sep 12, 2020 at 10:26:41AM -0700, James Bottomley wrote:
> In TPM 1.2 an authorization was a 20 byte number. The spec actually
> recommended you to hash variable length passwords and use the sha1
> hash as the authorization. Because the spec doesn't require this
> hashing, the current authorization for trusted keys is a 40 digit hex
> number. For TPM 2.0 the spec allows the passing in of variable length
> passwords and passphrases directly, so we should allow that in trusted
> keys for ease of use. Update the 'blobauth' parameter to take this
> into account, so we can now use plain text passwords for the keys.
>
> so before
>
> keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258f"
>
> after we will accept both the old hex sha1 form as well as a new
> directly supplied password:
>
> keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001"
>
> Since a sha1 hex code must be exactly 40 bytes long and a direct
> password must be 20 or less, we use the length as the discriminator
> for which form is input.
>
> Note this is both and enhancement and a potential bug fix. The TPM
> 2.0 spec requires us to strip leading zeros, meaning empyty
> authorization is a zero length HMAC whereas we're currently passing in
> 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the
> Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch
> makes the Microsoft TPM emulator work with trusted keys.
>
> Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips")
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
I created a key:
$ sudo ./tpm2-root-key
0x80000000
$ sudo ./tpm2-list-handles
0x80000000
$ keyctl add trusted kmk "new 32 blobauth=hello keyhandle=0x80000000"
<keyctl usage>
$ lsmod
Module Size Used by
sha1_generic 16384 2
trusted 32768 0
asn1_encoder 16384 1 trusted
x86_pkg_temp_thermal 20480 0
iwlmvm 356352 0
iwlwifi 315392 1 iwlmvm
tpm_crb 16384 0
tpm_tis 16384 0
tpm_tis_core 24576 1 tpm_tis
tpm 61440 4 tpm_tis,trusted,tpm_crb,tpm_tis_core
efivarfs 16384 1
What could be wrong? Have the full seris applied on a test kernel.
The root key creation is contained in create_root_key():
https://github.com/jsakkine-intel/tpm2-scripts/blob/master/tpm2.py
/Jarkko
next prev parent reply other threads:[~2020-09-15 9:10 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-12 17:26 [PATCH v11 0/5] TPM 2.0 trusted key rework James Bottomley
2020-09-12 17:26 ` [PATCH v11 1/5] lib: add ASN.1 encoder James Bottomley
2020-09-12 17:26 ` [PATCH v11 2/5] oid_registry: Add TCG defined OIDS for TPM keys James Bottomley
2020-09-12 17:26 ` [PATCH v11 3/5] security: keys: trusted: fix TPM2 authorizations James Bottomley
2020-09-15 9:09 ` Jarkko Sakkinen [this message]
2020-09-16 19:52 ` James Bottomley
2020-09-17 15:21 ` Jarkko Sakkinen
2020-09-12 17:26 ` [PATCH v11 4/5] security: keys: trusted: use ASN.1 TPM2 key format for the blobs James Bottomley
2020-09-13 6:26 ` kernel test robot
2020-09-13 17:02 ` James Bottomley
[not found] ` <20200915091140.GC3612@linux.intel.com>
2020-09-15 20:20 ` Nick Desaulniers
2020-09-16 16:27 ` Jarkko Sakkinen
2020-09-16 18:04 ` Nick Desaulniers
2020-09-17 15:17 ` Jarkko Sakkinen
2020-09-12 17:26 ` [PATCH v11 5/5] security: keys: trusted: Make sealed key properly interoperable James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200915090950.GB3612@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).