From patchwork Thu May 7 23:11:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 11535079 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BEADC913 for ; Thu, 7 May 2020 23:12:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9818A208D6 for ; Thu, 7 May 2020 23:12:00 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="ZY+lxo6h" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726618AbgEGXMA (ORCPT ); Thu, 7 May 2020 19:12:00 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:33278 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726598AbgEGXMA (ORCPT ); Thu, 7 May 2020 19:12:00 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 49D3B8EE268; Thu, 7 May 2020 16:11:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1588893119; bh=i8PwtoHfHnhIerQe5VNFH93nLH6QSZLg5E8FlTKVQ7U=; h=From:To:Cc:Subject:Date:From; b=ZY+lxo6hpMgGoyryHZSVFqHsNZJV1gXffAITr21AUOcQoESmH/SVaKnzLNq5Pza/t laJ7NBA1fnr3mNu+FUbMTD8jf6ZeJmzMCWp1NXqq9dZTp57vsWxzpRD0sB4QMpBQ2G 3dfOMWVRkGgaNO35xkbtXrPJF7AhoRhW3h0v2LR4= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIOQ3UGjL4-R; Thu, 7 May 2020 16:11:59 -0700 (PDT) Received: from jarvis.lan (jarvis.ext.hansenpartnership.com [153.66.160.226]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id B176D8EE181; Thu, 7 May 2020 16:11:58 -0700 (PDT) From: James Bottomley To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , Jarkko Sakkinen , David Woodhouse , keyrings@vger.kernel.org, David Howells Subject: [PATCH v9 0/8] TPM 2.0 trusted keys with attached policy Date: Thu, 7 May 2020 16:11:39 -0700 Message-Id: <20200507231147.27025-1-James.Bottomley@HansenPartnership.com> X-Mailer: git-send-email 2.26.1 MIME-Version: 1.0 Sender: keyrings-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org This is a respin on v8 to make the encoder selectable and address David's comments. The trusted key part hasn't changed except to add a now necessary select for ASN1_ENCODER to patch 4 and the changelog of patch 6 has been updated to correct the cut and paste error in the keyctl statement. General cover letter: This patch updates the trusted key code to export keys in the ASN.1 format used by current TPM key tools (openssl_tpm2_engine and openconnect). It also simplifies the use of policy with keys because the ASN.1 format is designed to carry a description of how to construct the policy, with the result that simple policies (like authorization and PCR locking) can now be constructed and used in the kernel, bringing the TPM 2.0 policy use into line with how TPM 1.2 works. The key format is designed to be compatible with our two openssl engine implementations as well as with the format used by openconnect. I've added seal/unseal to my engine so I can use it for interoperability testing and I'll later use this for sealed symmetric keys via engine: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/ James --- James Bottomley (8): lib: add ASN.1 encoder oid_registry: Add TCG defined OIDS for TPM keys security: keys: trusted: fix TPM2 authorizations security: keys: trusted: use ASN.1 TPM2 key format for the blobs security: keys: trusted: Make sealed key properly interoperable security: keys: trusted: add PCR policy to TPM2 keys security: keys: trusted: add ability to specify arbitrary policy security: keys: trusted: implement counter/timer policy .../security/keys/trusted-encrypted.rst | 64 ++- include/keys/trusted-type.h | 7 +- include/linux/asn1_encoder.h | 32 ++ include/linux/oid_registry.h | 5 + include/linux/tpm.h | 8 + lib/Kconfig | 3 + lib/Makefile | 1 + lib/asn1_encoder.c | 454 +++++++++++++++++ security/keys/Kconfig | 3 + security/keys/trusted-keys/Makefile | 2 +- security/keys/trusted-keys/tpm2-policy.c | 463 ++++++++++++++++++ security/keys/trusted-keys/tpm2-policy.h | 31 ++ security/keys/trusted-keys/tpm2key.asn1 | 23 + security/keys/trusted-keys/trusted_tpm1.c | 56 ++- security/keys/trusted-keys/trusted_tpm2.c | 370 +++++++++++++- 15 files changed, 1486 insertions(+), 36 deletions(-) create mode 100644 include/linux/asn1_encoder.h create mode 100644 lib/asn1_encoder.c create mode 100644 security/keys/trusted-keys/tpm2-policy.c create mode 100644 security/keys/trusted-keys/tpm2-policy.h create mode 100644 security/keys/trusted-keys/tpm2key.asn1