Re: [PATCH 03/14] protectors: Add TPM2 Key Protector

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 03/14] protectors: Add TPM2 Key Protector

From:	Gary Lin
Subject:	Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Date:	Mon, 6 Mar 2023 14:51:57 +0800

On Wed, Feb 22, 2023 at 07:41:38AM -0500, James Bottomley wrote:
> On Wed, 2023-02-22 at 15:00 +0800, Gary Lin via Grub-devel wrote:
> > +GRUB_MOD_INIT (tpm2)
> > +{
> > +  grub_tpm2_protector_init_cmd =
> > +    grub_register_extcmd ("tpm2_key_protector_init",
> > +                         grub_tpm2_protector_init_cmd_handler, 0,
> > +                         N_("[-m mode] "
> > +                            "[-p pcr_list] "
> > +                            "[-b pcr_bank] "
> > +                            "[-k sealed_key_file_path] "
> > +                            "[-s srk_handle] "
> > +                            "[-a asymmetric_key_type] "
> > +                            "[-n nv_index]"),
> > +                         N_("Initialize the TPM2 key protector."),
> > +                         grub_tpm2_protector_init_cmd_options);
> > +  grub_tpm2_protector_clear_cmd =
> > +    grub_register_extcmd ("tpm2_key_protector_clear",
> > +                         grub_tpm2_protector_clear_cmd_handler, 0,
> > NULL,
> > +                         N_("Clear the TPM2 key protector if
> > previously initialized."),
> > +                         NULL);
> > +  grub_key_protector_register (&grub_tpm2_key_protector);
> 
Hi James,

> Hang on, we've spend ages standardising the format of TPM key files: 
> 
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> 

Per the spec, the type OIDs are defined as the following:

  id-tpmkey OBJECT IDENTIFIER ::=
    {joint-iso-itu-t(2) international-organizations(23) 133 10}

  id-loadablekey OBJECT IDENTIFIER ::=
    {id-tpmkey 3}

  id-importablekey OBJECT IDENTIFIER ::=
    {id-tpmkey 4}

  id-sealedkey OBJECT IDENTIFIER ::=
    {id-tpmkey 5}

Then I assume that the sealed key OID is 2.23.133.10.5. However, I found
that the sealed key OID in openssl-tpm2-engine and linux kernel is
2.23.133.10.1.5, and it doesn't match the tpm 2.0 key spec.

Did I miss anything in the spec?

Cheers,

Gary Lin

> And every major TPM based key system uses this format, so a key file
> created by any TPM2 cryptosystem can be read by any other (meaning you
> can use any crypotosystem tools to manage the key).  What you're doing
> here just reinvents a non-standard format and creates a load of
> parameters that the user needs to know here, but are part of the key
> format standard, so you not only need to remember a load of information
> not in your key file, but you have to have a non-standard tool to
> create the key in the first place.
> 
> Even if you want to keep your own tool to create keys, what about
> interoperability with the kernel?  The kernel's TPM key subsystem
> (trusted keys) also speaks the above format
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/keys/trusted-keys/tpm2key.asn1
> 
> so  you wouldn't be able to send this key down to day dm-crypt as a
> trusted key, you'd have to create two separate key files to do that.
> 
> James
>

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 03/14] protectors: Add TPM2 Key Protector, Gary Lin <=
- Re: [PATCH 03/14] protectors: Add TPM2 Key Protector, James Bottomley, 2023/03/06
  - Re: [PATCH 03/14] protectors: Add TPM2 Key Protector, Gary Lin, 2023/03/06

Prev by Date: Re: [PATCH v2] tpm: Disable tpm verifier if tpm is not present
Next by Date: Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Previous by thread: Is the last blank in the output of grub-fstester a reliable feature ?
Next by thread: Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Index(es):
- Date
- Thread