Hi, James, The PCR7 value and PCR7 policy is as below, please review, thanks. # tpm2_pcrlist -L sha256:7 -o pcr7_2.sha256 sha256: 7 : 0x061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408 # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9 # cat pcr7.policy 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9 - Shirley -----Original Message----- From: James Bottomley <jejb@xxxxxxxxxxxxx> Sent: Monday, December 2, 2019 2:18 PM To: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; Mimi Zohar <zohar@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Jonathan Corbet <corbet@xxxxxxx> Cc: linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho Chehab' <mchehab+samsung@xxxxxxxxxx>; Zhu, Bing <bing.zhu@xxxxxxxxx>; Chen, Luhai <luhai.chen@xxxxxxxxx> Subject: Re: One question about trusted key of keyring in Linux kernel. On Mon, 2019-12-02 at 05:55 +0000, Zhao, Shirley wrote: > Thanks for your feedback, James. > > The policy is generated by TPM command, tpm2_createpolicy, it just use > the algorithm you mentioned, which is defined in TPM spec. > I re-attach my test steps as below. > Please help check it, is there anything wrong, especially the format > of keyctl command. > > Firstly, the pcr policy is generated as below: > $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy > pcr7_bin.policy > pcr7.policy I don't use the Intel TSS, so I can't help you with this command: you need to ask someone who does use it it, like Phil. > Pcr7.policy is the ascii hex of policy: > $ cat pcr7.policy > 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9 You haven't provided enough information. If you tell me what the pcr7 value you tied the policy to is, I can run it through the IBM TSS policy maker and tell you if this is the correct hash. But obviously, since it's a hash, I can't reverse it to tell you what the policy it mandates is. James > Then generate the trusted key and configure policydigest and get the > key ID: > $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 > policydigest=`cat pcr7.policy`" @u > 874117045 > > Save the trusted key. > $ keyctl pipe 874117045 > kmk.blob > > Reboot and load the key. > Start a auth session to generate the policy: > $ tpm2_startauthsession -S session.ctx > session-handle: 0x3000000 > $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S > session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy > policy-digest: > 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9 > > Input the policy handle to load trusted key: > $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 > policyhandle=0x3000000" @u > add_key: Operation not permitted > > The error should be policy check failed, because I use TPM command to > unseal directly with error of policy check failed. > $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in file: > "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check > failed ERROR on line: "213" in file: > "tools/tpm2_unseal.c": Unseal failed! > ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run > tpm2_unseal > > - Shirley > > -----Original Message----- > From: James Bottomley <jejb@xxxxxxxxxxxxx> > Sent: Monday, December 2, 2019 12:17 PM > To: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; Mimi Zohar <zohar@linux.i > bm.com>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Jonathan > Corbet <corbet@xxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux- > doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho > Chehab' <mchehab+samsung@xxxxxxxxxx>; Zhu, Bing <bing.zhu@xxxxxxxxx>; > Chen, Luhai <luhai.chen@xxxxxxxxx> > Subject: Re: One question about trusted key of keyring in Linux > kernel. > > On Mon, 2019-12-02 at 01:44 +0000, Zhao, Shirley wrote: > > Hi, James, > > > > The value of PCR7 is not changed. I have checked it with TPM command > > tpm_pcrlist. > > > > So I think the problem is how to use the option policydigest and > > policyhandle? Is there any example? > > Maybe the format in my command is not correct. > > OK, so previously you said that using the Intel TSS the policy also > failed after a reboot: > > > The error should be policy check failed, because I use TPM command > > to unseal directly with error of policy check failed. > > $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in > > file: > > "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy > > check failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": > > Unseal failed! > > ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run > > tpm2_unseal > > So this must mean the actual policy hash you constructed was wrong in > some way: it didn't correspond simply to a value of pcr7 ... well > assuming the -L sha256:7 means construct a policy of the sha256 value > of pcr7 and use it in the unseal. > > I can tell you how to construct policies using TPM2 commands, but I > think you want to know how to do it using the Intel TSS? In which > case you really need to consult the experts in that TSS, like Phil > Tricca. > > For the plain TPM2 case, the policy looks like > > TPM_CC_PolicyPCR || pcrs || pcrDigest > > Where TPM_CC_PolicyPCR = 0000017f and for selecting pcr7 only. pcrs > is a complicated entity: it's a counted array of pcr selections. For > your policy you only need one entry, so it would be 00000001 followed > by a single pcrSelection entry. pcrSelection is the hash algorithm, > the size of the selection bitmap (always 3 since every current TPM > only has > 24 PCRs) and a bitmap selecting the PCRs in big endian format, so for > PCR7 using sha256 (algorithm 000b), pcrSelection = 000b 03 80 00 00. > And then you follow this by the hash of the PCR value you're looking > for. The policyhash becomes the initial policy (all zeros for the > start of the policy chain) hashed with this. > > Regards, > > James >
