From: James Bottomley <jejb@linux.ibm.com>
To: Evan Green <evgreen@chromium.org>
Cc: Eric Biggers <ebiggers@kernel.org>,
linux-kernel@vger.kernel.org, corbet@lwn.net,
linux-integrity@vger.kernel.org, gwendal@chromium.org,
dianders@chromium.org, apronin@chromium.org,
Pavel Machek <pavel@ucw.cz>, Ben Boeckel <me@benboeckel.net>,
rjw@rjwysocki.net, Kees Cook <keescook@chromium.org>,
dlunev@google.com, zohar@linux.ibm.com,
Matthew Garrett <mgarrett@aurora.tech>,
jarkko@kernel.org, linux-pm@vger.kernel.org,
David Howells <dhowells@redhat.com>,
James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data
Date: Mon, 14 Nov 2022 11:56:08 -0500 [thread overview]
Message-ID: <c31d1a3af53515f2a9d3f53eb27ce698e796f9b9.camel@linux.ibm.com> (raw)
In-Reply-To: <CAE=gft63-jdKqKmepB+LXPm6WUWSnz+CMWcWWnyN1y-EnS4kVg@mail.gmail.com>
On Mon, 2022-11-14 at 08:32 -0800, Evan Green wrote:
> On Sun, Nov 13, 2022 at 7:32 PM James Bottomley <jejb@linux.ibm.com>
> wrote:
> >
> > On Sun, 2022-11-13 at 13:20 -0800, Eric Biggers wrote:
> > > On Fri, Nov 11, 2022 at 03:16:29PM -0800, Evan Green wrote:
> > > > diff --git a/security/keys/trusted-keys/tpm2key.asn1
> > > > b/security/keys/trusted-keys/tpm2key.asn1
> > > > index f57f869ad60068..608f8d9ca95fa8 100644
> > > > --- a/security/keys/trusted-keys/tpm2key.asn1
> > > > +++ b/security/keys/trusted-keys/tpm2key.asn1
> > > > @@ -7,5 +7,18 @@ TPMKey ::= SEQUENCE {
> > > > emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
> > > > parent INTEGER ({tpm2_key_parent}),
> > > > pubkey OCTET STRING ({tpm2_key_pub}),
> > > > - privkey OCTET STRING ({tpm2_key_priv})
> > > > + privkey OCTET STRING ({tpm2_key_priv}),
> > > > + ---
> > > > + --- A TPM2B_CREATION_DATA struct as returned from the
> > > > TPM2_Create command.
> > > > + ---
> > > > + creationData [1] EXPLICIT OCTET STRING OPTIONAL
> > > > ({tpm2_key_creation_data}),
> > > > + ---
> > > > + --- A TPM2B_DIGEST of the creationHash as returned from
> > > > the
> > > > TPM2_Create
> > > > + --- command.
> > > > + ---
> > > > + creationHash [2] EXPLICIT OCTET STRING OPTIONAL
> > > > ({tpm2_key_creation_hash}),
> > > > + ---
> > > > + --- A TPMT_TK_CREATION ticket as returned from the
> > > > TPM2_Create command.
> > > > + ---
> > > > + creationTk [3] EXPLICIT OCTET STRING OPTIONAL
> > > > ({tpm2_key_creation_tk})
> > > > }
> > >
> > > The commit that added this file claimed:
> > >
> > > "The benefit of the ASN.1 format is that it's a standard
> > > and thus the
> > > exported key can be used by userspace tools
> > > (openssl_tpm2_engine,
> > > openconnect and tpm2-tss-engine"
> > >
> > > Are these new fields in compliance with whatever standard that
> > > was referring to?
> >
> > Not really, no. The current use case (and draft standard) is
> > already using [1] for policies and [2] for importable keys:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/doc/draft-bottomley-tpm2-keys.xml
> >
> > I'm actually planning to use [3] for signed policies. There's no
> > reason why you can't use [4] though. Since the creation data, hash
> > and ticket are likely used as a job lot, it strikes me they should
> > be a single numbered optional sequence instead of individually
> > numbered, since you're unlikely to have one without the others.
>
> Thanks, I was hoping James might pipe up and tell me what to do.
> Grouping them as a single numbered optional sequence sounds
> reasonable to me. Is your draft too far along to squeeze this in?
Not at all. The draft only becomes frozen once I submit it to the IETF
which, so far thanks to lack of any reviewers I haven't done (That's
why I was also thinking of adding signed policies).
> If it is and I'm on my own to draft up and submit this, I would
> definitely appreciate any pointers on getting started you might have.
>
> I notice the draft and the code seem to be out of alignment.
The kernel code is out of alignment just because development moves a
bit slowly. Policy based keys were submitted a long time ago as part
of the original move to interoperable sealed keys based on ASN.1:
https://lore.kernel.org/all/20200616160229.8018-7-James.Bottomley@HansenPartnership.com/
But eventually the policy part was split out and forgotten about. I
think the only complete implementation of the draft standard is the
openssl_tpm2_engine.
> I'm unfamiliar with this process, is the idea to get through all the
> iterations and land the standard, then fix up the code? What happens
> to existing data handed out in the old format?
No, it doesn't matter at all. That's the whole point of using ASN.1
explicit optionals: the ASN.1 is always backwards compatible. If I
ever submit the draft, there'll have to be a new RFC to add new
explicit optionals, but keys conforming to the old RFC will still be
valid under the new one.
Of course, since openssl_tpm2_engine is the complete reference
implementation that means I'll have to add the creation PCRs
implementation to it ... unless you'd like to do it?
Regards,
James
next prev parent reply other threads:[~2022-11-14 16:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-11 23:16 [PATCH v5 00/11] Encrypted Hibernation Evan Green
2022-11-11 23:16 ` [PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data Evan Green
2022-11-13 21:20 ` Eric Biggers
2022-11-14 3:32 ` James Bottomley
2022-11-14 16:32 ` Evan Green
2022-11-14 16:56 ` James Bottomley [this message]
2022-11-14 17:43 ` Evan Green
2022-11-14 18:00 ` James Bottomley
2022-12-02 21:03 ` James Bottomley
2022-12-05 18:43 ` Evan Green
2022-11-11 23:16 ` [PATCH v5 05/11] security: keys: trusted: Allow storage of PCR values in " Evan Green
2022-11-13 22:01 ` Eric Biggers
2022-11-11 23:16 ` [PATCH v5 06/11] security: keys: trusted: Verify " Evan Green
2022-11-13 22:13 ` Eric Biggers
2022-12-07 23:54 ` [PATCH v5 00/11] Encrypted Hibernation Evan Green
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c31d1a3af53515f2a9d3f53eb27ce698e796f9b9.camel@linux.ibm.com \
--to=jejb@linux.ibm.com \
--cc=apronin@chromium.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=dianders@chromium.org \
--cc=dlunev@google.com \
--cc=ebiggers@kernel.org \
--cc=evgreen@chromium.org \
--cc=gwendal@chromium.org \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=me@benboeckel.net \
--cc=mgarrett@aurora.tech \
--cc=paul@paul-moore.com \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).