Re: [PATCH 3/6] KEYS: trusted: add PCR policy to TPM2 keys

["Jarkko Sakkinen" <jarkko@kernel.org>]

On Fri May 24, 2024 at 4:04 PM EEST, James Bottomley wrote:
> This commit adds the ability to specify a PCR lock policy to TPM2
> keys.  There is a complexity in that keys that contain both a password
> (blobauth) and a PCR lock have to have two policy statements
> (POLICY_PCR and POLICY_AUTHVALUE).  The way to construct a pcrinfo
> statement for a key is simply to use the TPMS_PCR_SELECT structure to
> specify the PCRs and follow this by a hash of all their values in
> order of ascending PCR number.
>
> To construct a policy around the value of the resettable PCR 16 using
> the sha256 bank, first reset the pcr to zero giving a hash of all
      SHA-256                      PCR

> zeros as:
>
> 66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925

Please also provide example how this kind of hash is constructed, and
no mention about trial and policy modes, which are essential in order
to understand what is going on here.

>
> Then the TPMS_PCR_SELECT value for sha256 bank PCR 16 is
>
> 000b03000001
>
> So create a new 32 byte key with a policy locking the key to this
> value of PCR 16 with a parent key of 81000001 would be:
>
> keyctl add trusted kmk "new 32 keyhandle=0x81000001 pcrinfo=000b0300000166687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925" @u

PCINFO=0x66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925
HANDLE=0x81000001 
keyctl add trusted kmk "new 32 keyhandle=$HANDLE pcrinfo=$KEYINFO" @u

I won't look at the code this round because commit message is lacking
explanation what it does.

606 is a huge addition for single patch and requires belieable story
why it can't be smaller. I won't even try to understand all the changes
just looking at the code.

BR, Jarkko