From: denkenz@gmail.com (Denis Kenzior)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
Date: Thu, 20 Sep 2018 12:07:51 -0500 [thread overview]
Message-ID: <c8608829-2669-077f-b7d4-5a199f4bf4c8@gmail.com> (raw)
In-Reply-To: <219367882d33fda9705485aa4a40b2ef55f3992f.camel@infradead.org>
David,
On 09/20/2018 11:45 AM, David Woodhouse wrote:
> On Thu, 2018-09-20 at 09:26 +0200, Marcel Holtmann wrote:
>> Hi David,
>>
>>>>> Yes. It shouldn't be much code, either. You still have to check for X.509
>>>>> DER since the kernel currently supports that.
>>>>
>>>> For reasons of backward compatibility, correct? The kernel also has
>>>> mscode.asn1 which we would need to support as well. Since we can't break
>>>> compatibility then perhaps this doesn't buy us a whole lot in the end.
>>>
>>> Don't worry about mscode - that's not an asymmetric key parser. That's only
>>> ever used directly from verify_pefile_signature().
>>>
>>> Currently, we have to retain support for DER-encoded X.509.
>>>
>>> But there's no reason we can't have a PEM parser that decodes the PEM and
>>> selects X.509, PKCS#8 or TPM based on the ascii header in that. PKCS#8 and
>>> TPM don't need to take DER directly.
>>
>> since we have to support DER-encoded anyway, can we get the current
>> patches merged (with fixes to the commit messages for the openssl
>> examples if needed) and then work on PEM support inside the kernel.
>> For me these seems to be two independent features. And in the current
>> form the patches have been tested and used.
>>
>> Or let me ask this differently, are there any objections to merging
>> these patches with just DER support?
>
> Let me rephrase that question slightly: Are we happy to have to make
> inferences from the ASN.1 structure, and in particular that a bare
> OCTET-STRING is a TPMv1 blob? I believe James ended up doing something
> somewhat more sensible for the TPMv2 blob so that might end up being
> OK...?
>
I think it should be OK. It is highly unlikely that we get another
OCTET string type format, and even then we can actually peek inside and
try to parse the TPM structure carried in the DER if there is indeed a
conflict.
Also, after refreshing my memory of how PEM format is actually
specified, I'm no longer convinced that having it in the kernel is such
a good idea. It would probably be made to work, but the PEM file format
itself isn't that precise, at least compared to DER.
James, is there a document / official place with your TPMKey ASN.1
format? The only reference I can find is here:
https://kernel.googlesource.com/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine/+/93b2f4f3f0f2260292f54de4e6333219063c77b1/tpm2-asn.h
Regards,
-Denis
next prev parent reply other threads:[~2018-09-20 17:07 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 21:54 [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops David Howells
2018-09-05 21:54 ` [PATCH 01/22] KEYS: Provide key type operations for asymmetric key ops David Howells
2018-09-05 21:54 ` [PATCH 02/22] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys David Howells
2018-09-05 21:54 ` [PATCH 03/22] KEYS: Provide missing asymmetric key subops for new key type ops David Howells
2018-10-03 19:03 ` James Morris
2018-10-05 15:39 ` David Howells
2018-09-05 21:54 ` [PATCH 04/22] KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type David Howells
2018-10-03 19:12 ` James Morris
2018-10-05 15:43 ` David Howells
2018-09-05 21:54 ` [PATCH 05/22] KEYS: Provide software public key query function David Howells
2018-10-03 19:24 ` James Morris
2018-10-05 15:51 ` David Howells
2018-10-05 16:28 ` James Morris
2018-10-05 18:23 ` James Morris
2018-10-09 15:21 ` David Howells
2018-09-05 21:54 ` [PATCH 06/22] KEYS: Allow the public_key struct to hold a private key David Howells
2018-09-05 21:55 ` [PATCH 07/22] KEYS: Implement encrypt, decrypt and sign for software asymmetric key David Howells
2018-09-05 21:55 ` [PATCH 08/22] KEYS: Implement PKCS#8 RSA Private Key parser David Howells
2018-09-05 21:55 ` [PATCH 09/22] crypto: rsa-pkcs1pad: Allow hash to be optional David Howells
2018-09-05 21:55 ` [PATCH 10/22] KEYS: asym_tpm: add skeleton for asym_tpm David Howells
2018-09-05 21:55 ` [PATCH 11/22] KEYS: asym_tpm: extract key size & public key David Howells
2018-09-05 21:55 ` [PATCH 12/22] KEYS: Add parser for TPM-based keys David Howells
2018-09-05 21:55 ` [PATCH 13/22] KEYS: asym_tpm: Implement pkey_query David Howells
2018-09-05 21:55 ` [PATCH 14/22] KEYS: asym_tpm: Implement encryption operation David Howells
2018-09-05 21:55 ` [PATCH 15/22] KEYS: trusted: Expose common functionality David Howells
2018-09-05 21:56 ` [PATCH 16/22] KEYS: Move trusted.h to include/keys David Howells
2018-09-05 21:56 ` [PATCH 17/22] KEYS: asym_tpm: Add loadkey2 and flushspecific David Howells
2018-09-05 21:56 ` [PATCH 18/22] KEYS: asym_tpm: Implement tpm_unbind David Howells
2018-09-05 21:56 ` [PATCH 19/22] KEYS: asym_tpm: Implement the decrypt operation David Howells
2018-09-05 21:56 ` [PATCH 20/22] KEYS: asym_tpm: Implement signature verification David Howells
2018-09-05 21:56 ` [PATCH 21/22] KEYS: asym_tpm: Implement tpm_sign David Howells
2018-09-05 21:56 ` [PATCH 22/22] KEYS: asym_tpm: Add support for the sign operation David Howells
2018-09-06 0:07 ` [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops James Morris
2018-09-07 17:31 ` Marcel Holtmann
2018-09-07 17:32 ` James Morris
2018-09-08 15:26 ` David Howells
[not found] ` <1537254055.20009.64.camel@infradead.org>
2018-09-18 11:30 ` James Bottomley
[not found] ` <1537253993.20009.62.camel@infradead.org>
2018-09-18 4:34 ` Denis Kenzior
2018-09-18 15:50 ` David Howells
2018-09-18 5:24 ` Denis Kenzior
[not found] ` <0d51fca9a29458a40121df0c5380af91e3429c08.camel@infradead.org>
2018-09-18 5:41 ` Denis Kenzior
2018-09-18 16:33 ` David Howells
2018-09-18 5:51 ` Denis Kenzior
2018-09-18 16:55 ` David Howells
2018-09-18 17:00 ` Denis Kenzior
2018-09-18 17:18 ` David Howells
2018-09-20 7:26 ` Marcel Holtmann
[not found] ` <219367882d33fda9705485aa4a40b2ef55f3992f.camel@infradead.org>
2018-09-20 17:07 ` Denis Kenzior [this message]
2018-09-28 17:20 ` Marcel Holtmann
2018-09-18 15:02 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c8608829-2669-077f-b7d4-5a199f4bf4c8@gmail.com \
--to=denkenz@gmail.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).