| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1574796456.4793.248.camel@linux.ibm.com>
Date: Tue, 26 Nov 2019 14:27:36 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: "Zhao, Shirley" <shirley.zhao@...el.com>,
James Bottomley <jejb@...ux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Jonathan Corbet <corbet@....net>
Cc: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"'Mauro Carvalho Chehab'" <mchehab+samsung@...nel.org>,
"Zhu, Bing" <bing.zhu@...el.com>,
"Chen, Luhai" <luhai.chen@...el.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote:
> Thanks for your feedback, Mimi.
> But the document of dracut can't solve my problem.
>
> I did more test these days and try to descript my question in more detail.
>
> In my scenario, the trusted key will be sealed into TPM with PCR policy.
> And there are some related options in manual like
> hash= hash algorithm name as a string. For TPM 1.x the only
> allowed value is sha1. For TPM 2.x the allowed values
> are sha1, sha256, sha384, sha512 and sm3-256.
> policydigest= digest for the authorization policy. must be calculated
> with the same hash algorithm as specified by the 'hash='
> option.
> policyhandle= handle to an authorization policy session that defines the
> same policy and with the same hash algorithm as was used to
> seal the key.
>
> Here is my test step.
> Firstly, the pcr policy is generated as below:
> $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy
>
> Pcr7.policy is the ascii hex of policy:
> $ cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> Then generate the trusted key and configure policydigest and get the key ID:
> $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr7.policy`" @u
> 874117045
>
> Save the trusted key.
> $ keyctl pipe 874117045 > kmk.blob
>
> Reboot and load the key.
> Start a auth session to generate the policy:
> $ tpm2_startauthsession -S session.ctx
> session-handle: 0x3000000
> $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256
> $ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
> policy-digest: 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9
>
> Input the policy handle to load trusted key:
> $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 policyhandle=0x3000000" @u
> add_key: Operation not permitted
>
> The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed.
> $ tpm2_unseal -c 0x81000001 -L sha256:7
> ERROR on line: "81" in file: "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check failed
> ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
> ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run tpm2_unseal
>
> So my question is:
> 1. How to use the option, policydigest, policyhandle?? Is there any example?
> 2. What's wrong with my test step?
When reporting a problem please state which kernel is experiencing
this problem. Recently there was a trusted key regression. Refer to
commit e13cd21ffd50 "tpm: Wrap the buffer from the caller to tpm_buf
in tpm_send()" for the details.
Before delving into this particular problem, first please make sure
you are able to create, save, remove, and then reload a trusted key
not sealed to a PCR.
Mimi
Powered by blists - more mailing lists