grub-devel

Re: [PATCH 03/14] protectors: Add TPM2 Key Protector


From: Gary Lin
Subject: Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Date: Tue, 7 Mar 2023 11:16:34 +0800

On Mon, Mar 06, 2023 at 08:20:39AM -0500, James Bottomley wrote:
> On Mon, 2023-03-06 at 14:51 +0800, Gary Lin wrote:
> > On Wed, Feb 22, 2023 at 07:41:38AM -0500, James Bottomley wrote:
> > > On Wed, 2023-02-22 at 15:00 +0800, Gary Lin via Grub-devel wrote:
> > > > +GRUB_MOD_INIT (tpm2)
> > > > +{
> > > > +  grub_tpm2_protector_init_cmd =
> > > > +    grub_register_extcmd ("tpm2_key_protector_init",
> > > > +                         grub_tpm2_protector_init_cmd_handler,
> > > > 0,
> > > > +                         N_("[-m mode] "
> > > > +                            "[-p pcr_list] "
> > > > +                            "[-b pcr_bank] "
> > > > +                            "[-k sealed_key_file_path] "
> > > > +                            "[-s srk_handle] "
> > > > +                            "[-a asymmetric_key_type] "
> > > > +                            "[-n nv_index]"),
> > > > +                         N_("Initialize the TPM2 key
> > > > protector."),
> > > > +                         grub_tpm2_protector_init_cmd_options);
> > > > +  grub_tpm2_protector_clear_cmd =
> > > > +    grub_register_extcmd ("tpm2_key_protector_clear",
> > > > +                         grub_tpm2_protector_clear_cmd_handler,
> > > > 0,
> > > > NULL,
> > > > +                         N_("Clear the TPM2 key protector if
> > > > previously initialized."),
> > > > +                         NULL);
> > > > +  grub_key_protector_register (&grub_tpm2_key_protector);
> > > 
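Review bot: the usage summary registered for `tpm2_key_protector_init` names `-m mode`, `-a asymmetric_key_type` and `-k sealed_key_file_path`, but neither the summary nor the N_() description says which mode and key-type values are accepted or what on-disk format the sealed key file must have; given the point raised below about the standardised TPM 2.0 key file format, spell out the accepted values and the expected file format in the description (or in the grub_tpm2_protector_init_cmd_options entries) so that `help tpm2_key_protector_init` is self-explanatory.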
> > Hi James,
> > 
> > > Hang on, we've spent ages standardising the format of TPM key
> > > files: 
> > > 
> > > https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> > > 
> > 
> > Per the spec, the type OIDs are defined as the following:
> > 
> >   id-tpmkey OBJECT IDENTIFIER ::=
> >     {joint-iso-itu-t(2) international-organizations(23) 133 10}
> > 
> >   id-loadablekey OBJECT IDENTIFIER ::=
> >     {id-tpmkey 3}
> > 
> >   id-importablekey OBJECT IDENTIFIER ::=
> >     {id-tpmkey 4}
> > 
> >   id-sealedkey OBJECT IDENTIFIER ::=
> >     {id-tpmkey 5}
> > 
> > Then I assume that the sealed key OID is 2.23.133.10.5. However, I found
> > that the sealed key OID in openssl-tpm2-engine and the Linux kernel is
> > 2.23.133.10.1.5, and it doesn't match the TPM 2.0 key spec.
> > 
> > Did I miss anything in the spec?
> 
> Possibly not.  We went around the houses for ages with the TCG guardian
> of OID allocations trying to agree on the numbers.  It's probable the
> spec missed one of the iterations of the prefix.  If you'd like to send
> a patch to fix it, the list is:
> 
>  openssl-tpm2-engine@groups.io
> 
Well, I only spotted the missing number and have no idea what it is.
It needs someone who knows the spec well to fix the OID properly.

Gary Lin

> The raw spec is in git here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/doc/draft-bottomley-tpm2-keys.xml
> 
> James
> 
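
The OID discrepancy discussed in this thread, as an added worked example that is not part of the patch, of GRUB, or of openssl_tpm2_engine: a small DER OBJECT IDENTIFIER decoder that recognises id-sealedkey both as the draft writes it (2.23.133.10.5) and as the implementations emit it (2.23.133.10.1.5), and reports which prefix a key file's type OID carries. It assumes the type OID is a plain DER OID TLV with a short-form length, as in the draft's ASN.1; the function names and the sample byte strings are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key file types from draft-bottomley-tpm2-keys; trailing arc 3/4/5 maps to arc - 2. */
enum tpmkey_type { TPMKEY_UNKNOWN = 0, TPMKEY_LOADABLE, TPMKEY_IMPORTABLE, TPMKEY_SEALED };

/* Decode DER OBJECT IDENTIFIER content octets (tag and length stripped) into arcs.
 * Returns the arc count, or 0 if malformed (empty, unterminated or non-minimal
 * sub-identifier, 32-bit overflow, more arcs than the caller's buffer holds). */
static size_t der_oid_decode(const uint8_t *in, size_t len, uint32_t *arcs, size_t max_arcs)
{
  size_t i, n = 0;
  uint32_t v = 0;
  if (len == 0 || (in[len - 1] & 0x80) || max_arcs < 2) return 0;
  for (i = 0; i < len; i++) {
    if ((v == 0 && in[i] == 0x80) || v > (UINT32_MAX >> 7)) return 0;
    v = (v << 7) | (in[i] & 0x7f);
    if (in[i] & 0x80) continue;                /* continuation bit: more octets */
    if (n == 0) {                              /* first sub-id packs two arcs */
      arcs[0] = v < 80 ? v / 40 : 2;
      arcs[1] = v < 80 ? v % 40 : v - 80;
      n = 2;
    } else if (n < max_arcs) arcs[n++] = v;
    else return 0;
    v = 0;
  }
  return n;
}

/* Classify a complete DER OID TLV (short-form length) as a TPM key type.  The draft
 * defines id-sealedkey as 2.23.133.10.5; openssl_tpm2_engine and the Linux kernel emit
 * 2.23.133.10.1.5.  Both are accepted; *impl_prefix (may be NULL) reports the extra arc. */
enum tpmkey_type tpmkey_type_from_der(const uint8_t *tlv, size_t len, int *impl_prefix)
{
  static const uint32_t id_tpmkey[4] = { 2, 23, 133, 10 };
  uint32_t arcs[8];
  size_t n, last = 4;
  if (len < 3 || tlv[0] != 0x06 || tlv[1] > 0x7f || (size_t)tlv[1] + 2 != len) return TPMKEY_UNKNOWN;
  n = der_oid_decode(tlv + 2, len - 2, arcs, 8);
  if (n < 5 || memcmp(arcs, id_tpmkey, sizeof id_tpmkey) != 0) return TPMKEY_UNKNOWN;
  if (n == 6 && arcs[4] == 1) last = 5;        /* implementation-style ".1" prefix */
  if (impl_prefix) *impl_prefix = (last == 5);
  if (n != last + 1 || arcs[last] < 3 || arcs[last] > 5) return TPMKEY_UNKNOWN;
  return (enum tpmkey_type) (arcs[last] - 2);
}

/* Constructed sample TLVs for id-sealedkey, hand-encoded from the arcs above. */
const uint8_t SPEC_SEALED[] = { 0x06, 0x05, 0x67, 0x81, 0x05, 0x0a, 0x05 };
const uint8_t IMPL_SEALED[] = { 0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05 };
```

A loader that only compares against the draft's bytes would reject every file the existing tools produce, so checking the prefix flag explicitly is what tells you which convention a given key file follows.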


