[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240521152659.26438-1-jarkko@kernel.org>
Date: Tue, 21 May 2024 18:26:42 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: linux-integrity@...r.kernel.org,
keyrings@...r.kernel.org,
Andreas.Fuchs@...ineon.com,
James Prestwood <prestwoj@...il.com>,
David Woodhouse <dwmw2@...radead.org>,
Eric Biggers <ebiggers@...nel.org>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Jarkko Sakkinen <jarkko@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
linux-crypto@...r.kernel.org (open list:CRYPTO API),
linux-kernel@...r.kernel.org (open list)
Subject: [PATCH v3 0/5] KEYS: asymmetric: tpm2_key_rsa
## Overview
Introduce tpm2_key_rsa module, which implements asymmetric TPM2 RSA key.
The feature can be enabled with the CONFIG_ASYMMETRIC_TPM2_KEY_RSA_SUBTYPE
kconfig option.
The idea in the design is to over time to have submodule per key type
For instance, tpm2_key_ecdsa could be one potential future addition in
the future. Perhaps, it might sense to consider at that point also a
top-level tpm2_key module. The gist is that the naming convention is
free from potential future bottlencks.
## Change Log
v3:
* Dropped special policy when RH_NULL is given. Kernel will just try to
use the handle as parent given.
* Thus could drop the patch exporting tpm2_load_context().
v2:
* Cleaned up all the low-hanging fruit for the sake of saving everyones
time. After this I move into reactive mode (I promise) ;-)
## Testing
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256
## References
- v2: https://lore.kernel.org/linux-integrity/20240521031645.17008-1-jarkko@kernel.org/
- v1: https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jarkko@kernel.org/
- Derived from https://lore.kernel.org/all/20200518172704.29608-1-prestwoj@gmail.com/
James Prestwood (1):
keys: asymmetric: ASYMMETRIC_TPM2_KEY_RSA_SUBTYPE
Jarkko Sakkinen (4):
crypto: rsa-pkcs1pad: export rsa1_asn_lookup()
lib: Expand asn1_encode_integer() to variable size integers
KEYS: trusted: Move tpm2_key_decode() to the TPM driver
tpm: tpm2_key: Extend parser to TPM_LoadableKey
crypto/asymmetric_keys/Kconfig | 16 +
crypto/asymmetric_keys/Makefile | 1 +
crypto/asymmetric_keys/tpm2_key_rsa.c | 688 ++++++++++++++++++
crypto/rsa-pkcs1pad.c | 16 +-
drivers/char/tpm/Kconfig | 1 +
drivers/char/tpm/Makefile | 5 +
drivers/char/tpm/tpm2_key.c | 118 +++
.../char/tpm}/tpm2key.asn1 | 0
include/crypto/rsa-pkcs1pad.h | 20 +
include/crypto/tpm2_key.h | 35 +
include/linux/asn1_encoder.h | 3 +-
include/linux/tpm.h | 2 +
lib/asn1_encoder.c | 185 ++---
security/keys/trusted-keys/Makefile | 2 -
security/keys/trusted-keys/trusted_tpm2.c | 135 +---
15 files changed, 1020 insertions(+), 207 deletions(-)
create mode 100644 crypto/asymmetric_keys/tpm2_key_rsa.c
create mode 100644 drivers/char/tpm/tpm2_key.c
rename {security/keys/trusted-keys => drivers/char/tpm}/tpm2key.asn1 (100%)
create mode 100644 include/crypto/rsa-pkcs1pad.h
create mode 100644 include/crypto/tpm2_key.h
--
2.45.1
Powered by blists - more mailing lists