Hi, Jarkko, The rc1 you mentioned is the version for what? How to download it and update it? Thanks. - Shirley -----Original Message----- From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> Sent: Saturday, November 30, 2019 7:02 AM To: Mimi Zohar <zohar@xxxxxxxxxxxxx> Cc: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; James Bottomley <jejb@xxxxxxxxxxxxx>; Jonathan Corbet <corbet@xxxxxxx>; linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho Chehab' <mchehab+samsung@xxxxxxxxxx>; Zhu, Bing <bing.zhu@xxxxxxxxx>; Chen, Luhai <luhai.chen@xxxxxxxxx> Subject: Re: One question about trusted key of keyring in Linux kernel. On Tue, Nov 26, 2019 at 02:27:36PM -0500, Mimi Zohar wrote: > On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote: > > Thanks for your feedback, Mimi. > > But the document of dracut can't solve my problem. > > > > I did more test these days and try to descript my question in more detail. > > > > In my scenario, the trusted key will be sealed into TPM with PCR policy. > > And there are some related options in manual like > > hash= hash algorithm name as a string. For TPM 1.x the only > > allowed value is sha1. For TPM 2.x the allowed values > > are sha1, sha256, sha384, sha512 and sm3-256. > > policydigest= digest for the authorization policy. must be calculated > > with the same hash algorithm as specified by the 'hash=' > > option. > > policyhandle= handle to an authorization policy session that defines the > > same policy and with the same hash algorithm as was used to > > seal the key. > > > > Here is my test step. > > Firstly, the pcr policy is generated as below: > > $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy > > pcr7_bin.policy > pcr7.policy > > > > Pcr7.policy is the ascii hex of policy: > > $ cat pcr7.policy > > 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9 > > > > Then generate the trusted key and configure policydigest and get the key ID: > > $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 > > policydigest=`cat pcr7.policy`" @u > > 874117045 > > > > Save the trusted key. > > $ keyctl pipe 874117045 > kmk.blob > > > > Reboot and load the key. > > Start a auth session to generate the policy: > > $ tpm2_startauthsession -S session.ctx > > session-handle: 0x3000000 > > $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S > > session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy > > policy-digest: > > 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9 > > > > Input the policy handle to load trusted key: > > $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 > > policyhandle=0x3000000" @u > > add_key: Operation not permitted > > > > The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed. > > $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in file: > > "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy > > check failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed! > > ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run > > tpm2_unseal > > > > So my question is: > > 1. How to use the option, policydigest, policyhandle?? Is there any example? > > 2. What's wrong with my test step? > > When reporting a problem please state which kernel is experiencing > this problem. Recently there was a trusted key regression. Refer to > commit e13cd21ffd50 "tpm: Wrap the buffer from the caller to tpm_buf > in tpm_send()" for the details. > > Before delving into this particular problem, first please make sure > you are able to create, save, remove, and then reload a trusted key > not sealed to a PCR. Please re-test with rc1 when available. /Jarkko
