| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <A888B25CD99C1141B7C254171A953E8E4909E399@shsmsx102.ccr.corp.intel.com>
Date: Mon, 2 Dec 2019 06:50:17 +0000
From: "Zhao, Shirley" <shirley.zhao@...el.com>
To: James Bottomley <jejb@...ux.ibm.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Jonathan Corbet <corbet@....net>
CC: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"'Mauro Carvalho Chehab'" <mchehab+samsung@...nel.org>,
"Zhu, Bing" <bing.zhu@...el.com>,
"Chen, Luhai" <luhai.chen@...el.com>
Subject: RE: One question about trusted key of keyring in Linux kernel.
So I guess mostly like, it is the format of policydigest, policyhandle is not correctly in my keyctl command.
But what is the correct using?
My keyctl commands are attached as below:
$ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr7.policy`" @u
874117045
Save the trusted key.
$ keyctl pipe 874117045 > kmk.blob
Reboot and load the key.
Start a auth session to generate the policy:
$ tpm2_startauthsession -S session.ctx
session-handle: 0x3000000
$ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
policy-digest: 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9
Input the policy handle to load trusted key:
$ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 policyhandle=0x3000000" @u
add_key: Operation not permitted
Thanks.
- Shirley
-----Original Message-----
From: James Bottomley <jejb@...ux.ibm.com>
Sent: Monday, December 2, 2019 2:45 PM
To: Zhao, Shirley <shirley.zhao@...el.com>; Mimi Zohar <zohar@...ux.ibm.com>; Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>; Jonathan Corbet <corbet@....net>
Cc: linux-integrity@...r.kernel.org; keyrings@...r.kernel.org; linux-doc@...r.kernel.org; linux-kernel@...r.kernel.org; 'Mauro Carvalho Chehab' <mchehab+samsung@...nel.org>; Zhu, Bing <bing.zhu@...el.com>; Chen, Luhai <luhai.chen@...el.com>
Subject: Re: One question about trusted key of keyring in Linux kernel.
On Mon, 2019-12-02 at 06:23 +0000, Zhao, Shirley wrote:
> Hi, James,
>
> The PCR7 value and PCR7 policy is as below, please review, thanks.
>
> # tpm2_pcrlist -L sha256:7 -o pcr7_2.sha256
> sha256:
> 7 :
> 0x061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408
>
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy
> pcr7_bin.policy > pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> # cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
Well, the IBM TSS says that's the correct policy. Your policy command is
jejb@...vis:~> tsspolicymakerpcr -bm 000080 -if ~/pcr7.txt -pr | tee tmp.policy 0000017f00000001000b038000009a47350fdbcc77ebeadcb4b4818d8e82a21717ea24434333c791c0cd0d1dc14e
And that hashes to
jejb@...vis:~> tsspolicymaker -if ~/tmp.policy -pr policy digest length 32
32 1f bd 28 b6 0f cc 23 01 7d 50 1b 13 3b d5 db
f2 88 98 14 58 8e 8a 23 51 0f e1 01 05 cb 2c c9
So I don't understand why the userspace Intel TSS command is failing to do the unseal.
James
Powered by blists - more mailing lists