[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAE=gft4wvxOZ4CS2hJzYANRNbCtYUznmsEE-3n4=EDx-+L_f9Q@mail.gmail.com>
Date: Mon, 5 Dec 2022 10:43:05 -0800
From: Evan Green <evgreen@...omium.org>
To: jejb@...ux.ibm.com
Cc: Eric Biggers <ebiggers@...nel.org>, linux-kernel@...r.kernel.org,
corbet@....net, linux-integrity@...r.kernel.org,
gwendal@...omium.org, dianders@...omium.org, apronin@...omium.org,
Pavel Machek <pavel@....cz>, Ben Boeckel <me@...boeckel.net>,
rjw@...ysocki.net, Kees Cook <keescook@...omium.org>,
dlunev@...gle.com, zohar@...ux.ibm.com,
Matthew Garrett <mgarrett@...ora.tech>, jarkko@...nel.org,
linux-pm@...r.kernel.org, David Howells <dhowells@...hat.com>,
James Morris <jmorris@...ei.org>,
Paul Moore <paul@...l-moore.com>,
"Serge E. Hallyn" <serge@...lyn.com>, keyrings@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data
On Fri, Dec 2, 2022 at 1:03 PM James Bottomley <jejb@...ux.ibm.com> wrote:
>
> On Mon, 2022-11-14 at 13:00 -0500, James Bottomley wrote:
> > On Mon, 2022-11-14 at 09:43 -0800, Evan Green wrote:
> > > On Mon, Nov 14, 2022 at 8:56 AM James Bottomley
> > > <jejb@...ux.ibm.com>
> > > wrote:
> > [...]
> > > > Of course, since openssl_tpm2_engine is the complete reference
> > > > implementation that means I'll have to add the creation PCRs
> > > > implementation to it ... unless you'd like to do it?
> > >
> > > I am willing to help as I'm the one making the mess. How does it
> > > sequence along with your draft submission (before, after,
> > > simultaneous)?
> >
> > At the moment, just send patches. The openssl_tpm2_engine is
> > developed on a groups.io mailing list:
> >
> > https://groups.io/g/openssl-tpm2-engine/
> >
> > You need an IETF specific tool (xml2rfc) to build the rfc from the
> > xml, but it's available in most distros as python3-xml2rfc. If you
> > don't want to learn the IETF XML I can help you code up the patch to
> > add that to the draft spec.
>
> Just as a heads up, the patch series implementing signed policy (and
> thus taking option [3]) is on the mailing list for review:
>
> https://groups.io/g/openssl-tpm2-engine/message/296
>
> With apologies for the awful lack of threading in the groups.io
> interface.
>
> So you don't have to build the RFC yourself, I published the proposed
> update on my website:
>
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt
>
> If you want to use option [4] for the creation data, it's available.
Perfect, thanks James!
-Evan
Powered by blists - more mailing lists