Re: [PATCH v6 2/2] KEYS: trusted: Store parent's name to the encoded keys

[Jarkko Sakkinen <jarkko@kernel.org>]

On Sun, Dec 07, 2025 at 07:32:10PM +0200, Jarkko Sakkinen wrote:
> Extend TPMKey ASN.1 speciication [1] with an optional 'parentName'
> attribute containing TPM name of the parent key (in other words, TPMT_HA
> blob).
> 
> The life-cycle for trusted keys will now proceed as follows:
> 
> 1. Encode parent's name to the 'paretName' during tpm2_key_encode().
> 2. During tpm2_unseal_trusted, read parent's name from 'parentName'. When
>    the attribute is not available, fallback on doing tpm2_read_public().
> 
> In other words, in the common (i.e., not loading a legacy key blob),
> tpm2_read_public() will now only happen at the time when a key is first
> created.
> 
> In addition, move tpm2_read_public() to 'tpm2-cmd.c' and make its body
> unconditional so that the binary format of the saved keys is not dependent
> on kernel configuration.
> 
> [1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt
> 
> Cc: tpm2@lists.linux.dev
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

As an alternative workaround I think the following could be possibly
done (I need to trial it first though):

1. Maintain a cache where a name gets added at the time of
   tpm2_seal_trusted(). It is from TPMT_HA to TPMT_HA mapping,
   mapping TPMT_HA of the key to the TPMT of the parent.
2. At thet time tpm2_unseal_trusted() retrieve name of thet
   parent from the cache.

Capturing TPM2_CreatePrimary would be essentially duct taping the
spec but I guess this could be more generally applicable. It neither 
addresses persistent keys nor secondary parent keys, which we *have
to support*, as the kernel interface does.

BR, Jarkko