grub-devel

Re: [PATCH 03/14] protectors: Add TPM2 Key Protector


From: James Bottomley
Subject: Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Date: Mon, 06 Mar 2023 08:20:39 -0500
User-agent: Evolution 3.42.4

On Mon, 2023-03-06 at 14:51 +0800, Gary Lin wrote:
> On Wed, Feb 22, 2023 at 07:41:38AM -0500, James Bottomley wrote:
> > On Wed, 2023-02-22 at 15:00 +0800, Gary Lin via Grub-devel wrote:
> > > +GRUB_MOD_INIT (tpm2)
> > > +{
> > > +  grub_tpm2_protector_init_cmd =
> > > +    grub_register_extcmd ("tpm2_key_protector_init",
> > > +                         grub_tpm2_protector_init_cmd_handler,
> > > 0,
> > > +                         N_("[-m mode] "
> > > +                            "[-p pcr_list] "
> > > +                            "[-b pcr_bank] "
> > > +                            "[-k sealed_key_file_path] "
> > > +                            "[-s srk_handle] "
> > > +                            "[-a asymmetric_key_type] "
> > > +                            "[-n nv_index]"),
> > > +                         N_("Initialize the TPM2 key
> > > protector."),
> > > +                         grub_tpm2_protector_init_cmd_options);
> > > +  grub_tpm2_protector_clear_cmd =
> > > +    grub_register_extcmd ("tpm2_key_protector_clear",
> > > +                         grub_tpm2_protector_clear_cmd_handler,
> > > 0,
> > > NULL,
> > > +                         N_("Clear the TPM2 key protector if
> > > previously initialized."),
> > > +                         NULL);
> > > +  grub_key_protector_register (&grub_tpm2_key_protector);
> > 
> Hi James,
> 
> > Hang on, we've spent ages standardising the format of TPM key
> > files: 
> > 
> > https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> > 
> 
> Per the spec, the type OIDs are defined as the following:
> 
>   id-tpmkey OBJECT IDENTIFIER ::=
>     {joint-iso-itu-t(2) international-organizations(23) 133 10}
> 
>   id-loadablekey OBJECT IDENTIFIER ::=
>     {id-tpmkey 3}
> 
>   id-importablekey OBJECT IDENTIFIER ::=
>     {id-tpmkey 4}
> 
>   id-sealedkey OBJECT IDENTIFIER ::=
>     {id-tpmkey 5}
> 
> Then I assume that the sealed key OID is 2.23.133.10.5. However, I
> found that the sealed key OID in openssl-tpm2-engine and the Linux
> kernel is 2.23.133.10.1.5, and it doesn't match the TPM 2.0 key spec.
> 
> Did I miss anything in the spec?

Possibly not.  We went around the houses for ages with the TCG guardian
of OID allocations trying to agree on the numbers.  It's probable the
spec missed one of the iterations of the prefix.  If you'd like to send
a patch to fix it, the list is:

 openssl-tpm2-engine@groups.io

The raw spec is in git here:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/doc/draft-bottomley-tpm2-keys.xml

James
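
To make the OID mismatch discussed above concrete, here is a small Python helper, an added example rather than code from the thread, GRUB, openssl-tpm2-engine or the kernel, that DER-encodes and decodes OBJECT IDENTIFIERs and reports whether a key file's type OID matches the draft's text or the value the implementations emit; the loadable and importable implementation values are assumed to follow the same ".1" pattern as the quoted sealed-key value.

```python
"""DER OID encode/decode and a TPM 2.0 key-type OID check (constructed example:
the draft text gives 2.23.133.10.5 for sealed keys, implementations 2.23.133.10.1.5)."""
# Type OIDs as written in the quoted draft text (id-tpmkey 3/4/5).
SPEC_TEXT_TYPES = {"2.23.133.10.3": "loadable", "2.23.133.10.4": "importable",
                   "2.23.133.10.5": "sealed"}
# Type OIDs the implementations emit. Only the sealed value is quoted in the
# thread; loadable/importable are assumed to follow the same ".1" pattern.
IMPL_TYPES = {"2.23.133.10.1.3": "loadable", "2.23.133.10.1.4": "importable",
              "2.23.133.10.1.5": "sealed"}

def encode_oid(dotted: str) -> bytes:
    """Return the DER TLV (tag 0x06, short-form length) for a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = bytearray()
    # First two arcs share one sub-identifier (40 * X + Y); each sub-identifier
    # is base-128, big-endian, with the high bit set on all but its last byte.
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    assert len(body) <= 127, "short-form length only"
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """Parse one short-form DER OID TLV back into dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, sub, pending = [], 0, False
    for b in der[2:]:
        sub, pending = (sub << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(sub)
            sub = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    x = 2 if arcs[0] >= 80 else arcs[0] // 40      # undo the 40 * X + Y packing
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def classify_type_oid(der: bytes) -> tuple[str, str]:
    """Map a key file's type OID to (key_type, 'impl' | 'spec-text' | 'unknown')."""
    dotted = decode_oid(der)
    for table, source in ((IMPL_TYPES, "impl"), (SPEC_TEXT_TYPES, "spec-text")):
        if dotted in table:
            return table[dotted], source
    return dotted, "unknown"
```

The two sealed-key OIDs differ by a single 0x01 byte in the encoded form, which is why a loader comparing raw DER against the draft's value rejects files produced by the implementations.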
