Re: [PATCH v9 3/8] security: keys: trusted: fix TPM2 authorizations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2020-05-14 at 04:12 +0300, Jarkko Sakkinen wrote:
> On Thu, 2020-05-14 at 04:11 +0300, Jarkko Sakkinen wrote:
> > On Thu, 2020-05-07 at 16:11 -0700, James Bottomley wrote:
> > > In TPM 1.2 an authorization was a 20 byte number.  The spec
> > > actually recommended you to hash variable length passwords and
> > > use the sha1 hash as the authorization.  Because the spec doesn't
> > > require this hashing, the current authorization for trusted keys
> > > is a 40 digit hex number.  For TPM 2.0 the spec allows the
> > > passing in of variable length passwords and passphrases directly,
> > > so we should allow that in trusted keys for ease of use.  Update
> > > the 'blobauth' parameter to take this into account, so we can now
> > > use plain text passwords for the keys.
> > > 
> > > so before
> > > 
> > > keyctl add trusted kmk "new 32
> > > blobauth=f572d396fae9206628714fb2ce00f72e94f2258f"
> > > 
> > > after we will accept both the old hex sha1 form as well as a new
> > > directly supplied password:
> > > 
> > > keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001"
> > > 
> > > Since a sha1 hex code must be exactly 40 bytes long and a direct
> > > password must be 20 or less, we use the length as the
> > > discriminator for which form is input.
> > > 
> > > Note this is both and enhancement and a potential bug fix.  The
> > > TPM 2.0 spec requires us to strip leading zeros, meaning empyty
> > > authorization is a zero length HMAC whereas we're currently
> > > passing in 20 bytes of zeros.  A lot of TPMs simply accept this
> > > as OK, but the Microsoft TPM emulator rejects it with
> > > TPM_RC_BAD_AUTH, so this patch makes the Microsoft TPM emulator
> > > work with trusted keys.
> > > 
> > > Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0
> > > chips")
> > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership
> > > .com>
> > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> > 
> > Have not checked yet the tail. Probably won't check before PR for
> > v5.8 is out.
> > 
> > Just wondering would it hurt to merge everything up until this
> > patch?

Everything would be OK if you applied 1, 2 and 3.  Except we'd have an
ASN.1 API in the tree with no consumers, which excites some people.

> I.e. could land it also to the release.

That would likely be fine and should satisfy the API with no consumers
issue.

James
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux