mbox series

[v5,0/6] TPM 2.0 trusted keys with attached policy

Message ID 20200130101812.6271-1-James.Bottomley@HansenPartnership.com
Headers show
Series TPM 2.0 trusted keys with attached policy | expand

Message

James Bottomley Jan. 30, 2020, 10:18 a.m. UTC
This is mainly a respin to add more spacing as Jarkko requested.
However, I also added the seal/unseal operations to the
openssl_tpm2_engine (next branch):

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

With the result that the kernel code completely failed the
interoperability checks because the ASN.1 format requires the TPM2B
length prepended to the public and private blobs.  I corrected this in
patch 4 and now all the interoperability tests are passing.

General cover letter:

This patch updates the trusted key code to export keys in the ASN.1
format used by current TPM key tools (openssl_tpm2_engine and
openconnect).  It also simplifies the use of policy with keys because
the ASN.1 format is designed to carry a description of how to
construct the policy, with the result that simple policies (like
authorization and PCR locking) can now be constructed and used in the
kernel, bringing the TPM 2.0 policy use into line with how TPM 1.2
works.

James

---

James Bottomley (6):
  lib: add ASN.1 encoder
  oid_registry: Add TCG defined OIDS for TPM keys
  security: keys: trusted fix tpm2 authorizations
  security: keys: trusted: use ASN.1 TPM2 key format for the blobs
  security: keys: trusted: add ability to specify arbitrary policy
  security: keys: trusted: implement counter/timer policy

 Documentation/security/keys/trusted-encrypted.rst |  64 ++-
 include/keys/trusted-type.h                       |   7 +-
 include/linux/asn1_encoder.h                      |  32 ++
 include/linux/oid_registry.h                      |   5 +
 include/linux/tpm.h                               |   8 +
 lib/Makefile                                      |   2 +-
 lib/asn1_encoder.c                                | 431 ++++++++++++++++++++
 security/keys/Kconfig                             |   2 +
 security/keys/trusted-keys/Makefile               |   2 +-
 security/keys/trusted-keys/tpm2-policy.c          | 463 ++++++++++++++++++++++
 security/keys/trusted-keys/tpm2-policy.h          |  31 ++
 security/keys/trusted-keys/tpm2key.asn1           |  23 ++
 security/keys/trusted-keys/trusted_tpm1.c         |  50 ++-
 security/keys/trusted-keys/trusted_tpm2.c         | 370 +++++++++++++++--
 14 files changed, 1454 insertions(+), 36 deletions(-)
 create mode 100644 include/linux/asn1_encoder.h
 create mode 100644 lib/asn1_encoder.c
 create mode 100644 security/keys/trusted-keys/tpm2-policy.c
 create mode 100644 security/keys/trusted-keys/tpm2-policy.h
 create mode 100644 security/keys/trusted-keys/tpm2key.asn1

Comments

Jarkko Sakkinen Feb. 20, 2020, 8:17 p.m. UTC | #1
On Thu, Jan 30, 2020 at 11:18:06AM +0100, James Bottomley wrote:
> This is mainly a respin to add more spacing as Jarkko requested.
> However, I also added the seal/unseal operations to the
> openssl_tpm2_engine (next branch):
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/
> 
> With the result that the kernel code completely failed the
> interoperability checks because the ASN.1 format requires the TPM2B
> length prepended to the public and private blobs.  I corrected this in
> patch 4 and now all the interoperability tests are passing.
> 
> General cover letter:
> 
> This patch updates the trusted key code to export keys in the ASN.1
> format used by current TPM key tools (openssl_tpm2_engine and
> openconnect).  It also simplifies the use of policy with keys because
> the ASN.1 format is designed to carry a description of how to
> construct the policy, with the result that simple policies (like
> authorization and PCR locking) can now be constructed and used in the
> kernel, bringing the TPM 2.0 policy use into line with how TPM 1.2
> works.
> 
> James
> 
> ---
> 
> James Bottomley (6):
>   lib: add ASN.1 encoder
>   oid_registry: Add TCG defined OIDS for TPM keys
>   security: keys: trusted fix tpm2 authorizations
>   security: keys: trusted: use ASN.1 TPM2 key format for the blobs
>   security: keys: trusted: add ability to specify arbitrary policy
>   security: keys: trusted: implement counter/timer policy
> 
>  Documentation/security/keys/trusted-encrypted.rst |  64 ++-
>  include/keys/trusted-type.h                       |   7 +-
>  include/linux/asn1_encoder.h                      |  32 ++
>  include/linux/oid_registry.h                      |   5 +
>  include/linux/tpm.h                               |   8 +
>  lib/Makefile                                      |   2 +-
>  lib/asn1_encoder.c                                | 431 ++++++++++++++++++++
>  security/keys/Kconfig                             |   2 +
>  security/keys/trusted-keys/Makefile               |   2 +-
>  security/keys/trusted-keys/tpm2-policy.c          | 463 ++++++++++++++++++++++
>  security/keys/trusted-keys/tpm2-policy.h          |  31 ++
>  security/keys/trusted-keys/tpm2key.asn1           |  23 ++
>  security/keys/trusted-keys/trusted_tpm1.c         |  50 ++-
>  security/keys/trusted-keys/trusted_tpm2.c         | 370 +++++++++++++++--
>  14 files changed, 1454 insertions(+), 36 deletions(-)
>  create mode 100644 include/linux/asn1_encoder.h
>  create mode 100644 lib/asn1_encoder.c
>  create mode 100644 security/keys/trusted-keys/tpm2-policy.c
>  create mode 100644 security/keys/trusted-keys/tpm2-policy.h
>  create mode 100644 security/keys/trusted-keys/tpm2key.asn1
> 
> -- 
> 2.16.4

Somehow managed to drown this to my emails. Looking into next week.

/Jarkko
>