From patchwork Thu May  7 23:11:39 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Bottomley <James.Bottomley@HansenPartnership.com>
X-Patchwork-Id: 11535079
Return-Path: <SRS0=yrNQ=6V=vger.kernel.org=keyrings-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BEADC913
	for <patchwork-keyrings@patchwork.kernel.org>;
 Thu,  7 May 2020 23:12:00 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 9818A208D6
	for <patchwork-keyrings@patchwork.kernel.org>;
 Thu,  7 May 2020 23:12:00 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=fail reason="signature verification failed" (1024-bit key)
 header.d=hansenpartnership.com header.i=@hansenpartnership.com
 header.b="ZY+lxo6h"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726618AbgEGXMA (ORCPT
        <rfc822;patchwork-keyrings@patchwork.kernel.org>);
        Thu, 7 May 2020 19:12:00 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:33278 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726598AbgEGXMA (ORCPT
        <rfc822;keyrings@vger.kernel.org>); Thu, 7 May 2020 19:12:00 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id 49D3B8EE268;
        Thu,  7 May 2020 16:11:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1588893119;
        bh=i8PwtoHfHnhIerQe5VNFH93nLH6QSZLg5E8FlTKVQ7U=;
        h=From:To:Cc:Subject:Date:From;
        b=ZY+lxo6hpMgGoyryHZSVFqHsNZJV1gXffAITr21AUOcQoESmH/SVaKnzLNq5Pza/t
         laJ7NBA1fnr3mNu+FUbMTD8jf6ZeJmzMCWp1NXqq9dZTp57vsWxzpRD0sB4QMpBQ2G
         3dfOMWVRkGgaNO35xkbtXrPJF7AhoRhW3h0v2LR4=
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1])
 (amavisd-new, port 10024)
        with ESMTP id aIOQ3UGjL4-R; Thu,  7 May 2020 16:11:59 -0700 (PDT)
Received: from jarvis.lan (jarvis.ext.hansenpartnership.com [153.66.160.226])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id B176D8EE181;
        Thu,  7 May 2020 16:11:58 -0700 (PDT)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        David Woodhouse <dwmw2@infradead.org>,
        keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: [PATCH v9 0/8] TPM 2.0 trusted keys with attached policy
Date: Thu,  7 May 2020 16:11:39 -0700
Message-Id: <20200507231147.27025-1-James.Bottomley@HansenPartnership.com>
X-Mailer: git-send-email 2.26.1
MIME-Version: 1.0
Sender: keyrings-owner@vger.kernel.org
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org

This is a respin on v8 to make the encoder selectable and address
David's comments.  The trusted key part hasn't changed except to add a
now necessary select for ASN1_ENCODER to patch 4 and the changelog of
patch 6 has been updated to correct the cut and paste error in the
keyctl statement.

General cover letter:

This patch updates the trusted key code to export keys in the ASN.1
format used by current TPM key tools (openssl_tpm2_engine and
openconnect).  It also simplifies the use of policy with keys because
the ASN.1 format is designed to carry a description of how to
construct the policy, with the result that simple policies (like
authorization and PCR locking) can now be constructed and used in the
kernel, bringing the TPM 2.0 policy use into line with how TPM 1.2
works.

The key format is designed to be compatible with our two openssl
engine implementations as well as with the format used by openconnect.
I've added seal/unseal to my engine so I can use it for
interoperability testing and I'll later use this for sealed symmetric
keys via engine:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

James
---

James Bottomley (8):
  lib: add ASN.1 encoder
  oid_registry: Add TCG defined OIDS for TPM keys
  security: keys: trusted: fix TPM2 authorizations
  security: keys: trusted: use ASN.1 TPM2 key format for the blobs
  security: keys: trusted: Make sealed key properly interoperable
  security: keys: trusted: add PCR policy to TPM2 keys
  security: keys: trusted: add ability to specify arbitrary policy
  security: keys: trusted: implement counter/timer policy

 .../security/keys/trusted-encrypted.rst       |  64 ++-
 include/keys/trusted-type.h                   |   7 +-
 include/linux/asn1_encoder.h                  |  32 ++
 include/linux/oid_registry.h                  |   5 +
 include/linux/tpm.h                           |   8 +
 lib/Kconfig                                   |   3 +
 lib/Makefile                                  |   1 +
 lib/asn1_encoder.c                            | 454 +++++++++++++++++
 security/keys/Kconfig                         |   3 +
 security/keys/trusted-keys/Makefile           |   2 +-
 security/keys/trusted-keys/tpm2-policy.c      | 463 ++++++++++++++++++
 security/keys/trusted-keys/tpm2-policy.h      |  31 ++
 security/keys/trusted-keys/tpm2key.asn1       |  23 +
 security/keys/trusted-keys/trusted_tpm1.c     |  56 ++-
 security/keys/trusted-keys/trusted_tpm2.c     | 370 +++++++++++++-
 15 files changed, 1486 insertions(+), 36 deletions(-)
 create mode 100644 include/linux/asn1_encoder.h
 create mode 100644 lib/asn1_encoder.c
 create mode 100644 security/keys/trusted-keys/tpm2-policy.c
 create mode 100644 security/keys/trusted-keys/tpm2-policy.h
 create mode 100644 security/keys/trusted-keys/tpm2key.asn1