On Wed, 2019-11-13 at 01:22 +0000, Zhao, Shirley wrote:
> Hi, all,
>
> This is Shirley from Intel. I have one question about trusted key of
> keyring in kernel. Please help.
>
> According to the description in
> https://github.com/torvalds/linux/blob/master/Documentation/security/keys/trusted-encrypted.rst,
> trusted key will be saved in TPM with PCR policy protected.

"Trusted Keys use a TPM both to generate and to seal the keys. Keys are
sealed under a 2048 bit RSA key in the TPM, ..."

Trusted keys are not TPM keys. They are not stored in the TPM.

> Then, I ran the following command to create a trusted key.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001" @u
>
> I also tried the following command, it can add one trusted key, too.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001
> pcrinfo=`cat pcr7.blob`" @u
>
> But after reboot, this key will be removed.
> I need to re-add it during boot.

Right, they need to be re-loaded on boot. Refer to the dracut module
/modules.d/97masterkey for loading a trusted key during boot.

> Then the question is since this key is saved in TPM, how to get it
> back from TPM?

Trusted keys are not stored in the TPM. Refer to the ima-evm-utils README
for examples of creating a trusted key (kmk) and an encrypted key (evm-key).

> From the document, I need to use "keyctl pipe" to save the key into
> a blob, then load it.
> But the blob contains key text, and this is a file on hard disk, it
> is not safe to protect the key.
>
> So what can TPM do here?

The hex ascii encoded trusted key is sealed under the TPM SRK.

Mimi
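The save-once / re-load-at-boot cycle discussed above, as an added example that is not part of this thread, of dracut's 97masterkey module, or of ima-evm-utils. It uses only the keyctl operations the exchange mentions ("new", "keyctl pipe", "load"); the key name kmk and the blob path /etc/keys/kmk-trusted.blob are assumed. The point it makes concrete is Mimi's last sentence: what "keyctl pipe" writes to disk is the hex-ascii blob sealed under the TPM SRK, so the file is only useful to the TPM that sealed it, and the script checks that the file actually has that form before handing it to the kernel.

```sh
#!/bin/sh
# Added example (not from the thread): persist a trusted key's sealed blob
# once, then re-load it at boot. The blob written by "keyctl pipe" is the
# hex-ascii, TPM-sealed form of the key; it unseals only on the TPM that
# sealed it (and, if created with pcrinfo=, only while those PCRs match).
# The plaintext key material itself stays inside the kernel keyring.
# Assumed (hypothetical) defaults: key name "kmk", blob /etc/keys/kmk-trusted.blob.

KEYNAME=${KEYNAME:-kmk}
BLOBFILE=${BLOBFILE:-/etc/keys/kmk-trusted.blob}

# Returns 0 when $1 is a non-empty string of hex digits, the form that
# "keyctl pipe" emits for a trusted key; anything else is not a sealed blob.
is_hex_blob() {
    case "$1" in
        "") return 1 ;;
        *[!0-9a-fA-F]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create a new 32-byte trusted key sealed by the TPM (same command as in the
# thread) and write its sealed blob to disk. Run once, on the owning machine.
save_trusted_key() {
    name=$1 blobfile=$2
    keyid=$(keyctl add trusted "$name" "new 32 keyhandle=0x81000001" @u) || return 1
    # Restrict the blob file's mode even though only the TPM can unseal it.
    ( umask 077; keyctl pipe "$keyid" > "$blobfile" )
}

# Re-load the sealed blob into the user keyring at boot.
# Exit codes: 1 blob unreadable, 2 blob not hex ascii, 3 TPM refused to unseal.
load_trusted_key() {
    name=$1 blobfile=$2
    [ -r "$blobfile" ] || { echo "cannot read $blobfile" >&2; return 1; }
    blob=$(cat "$blobfile")
    is_hex_blob "$blob" || { echo "$blobfile is not a hex-ascii key blob" >&2; return 2; }
    keyctl add trusted "$name" "load $blob" @u >/dev/null || return 3
}

case "${1:-}" in
    save) save_trusted_key "$KEYNAME" "$BLOBFILE" ;;
    load) load_trusted_key "$KEYNAME" "$BLOBFILE" ;;
esac
```

Run it once as `sh reload-kmk.sh save` on the machine that owns the key, and `sh reload-kmk.sh load` from the initramfs or an early boot unit; an encrypted key such as evm-key is re-loaded the same way with its own blob and `keyctl add encrypted ... "load ..."`, after the trusted key it depends on is present.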