James,

> -----Original Message-----
> From: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
> Sent: December 9, 2019 03:56 AM
> To: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>; linux-integrity@xxxxxxxxxxxxxxx; Wiseman, Monty (GE Global Research, US) <monty.wiseman@xxxxxx>
> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> Subject: EXT: Re: [PATCH 3/8] oid_registry: Add TCG defined OIDS for TPM keys
>
> On Sat, 2019-12-07 at 21:09 -0800, James Bottomley wrote:
> > The TCG has defined an OID prefix "2.23.133.10.1" for the various TPM
> > key uses. We've defined three of the available numbers:
> >
> > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key (Usually
> >                 RSA2048 or Elliptic Curve) which can be imported by a
> >                 TPM2_Load() operation.
> >
> > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key (Usually
> >                 RSA2048 or Elliptic Curve) which can be imported by a
> >                 TPM2_Import() operation.
> >
> > Both loadable and importable keys are specific to a given TPM, the
> > difference is that a loadable key is wrapped with the symmetric
> > secret, so must have been created by the TPM itself. An importable
> > key is wrapped with a DH shared secret, and may be created without
> > access to the TPM provided you know the public part of the parent key.
> >
> > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128
> >                 bytes) which is sealed by the TPM. It usually
> >                 represents a symmetric key and must be unsealed before
> >                 use.
>
> Do we still not have an official reference for these that you can
> provide in the commit or the file itself?
>
> It would be very nice to have something more than a verbal assurance
> that they're in Monty's spreadsheet.
>
> > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> >  include/linux/oid_registry.h | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> > index 657d6bf2c064..a4cee888f9b0 100644
> > --- a/include/linux/oid_registry.h
> > +++ b/include/linux/oid_registry.h
> > @@ -107,6 +107,11 @@ enum OID {
> > OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */
> > OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */
> >
> > + /* TCG defined OIDS for TPM based keys */
> > + OID_TPMLoadableKey, /* 2.23.133.10.1.3 */
> > + OID_TPMImporableKey, /* 2.23.133.10.1.4 */
> > + OID_TPMSealedData, /* 2.23.133.10.1.5 */
> > +
> > OID__NR
> > };

Bringing back an old thread. We are finally getting the TCG OID registry ready to publish and wanted to verify the OIDs you requested and we assigned above. I can find 2.23.133.10.1.3 TPM Loadable key in the tpm2-tss-engine project. I do not see this one, nor the others listed above, in the kernel source. Did these ever get used? If so, where, and can you provide a use case for a relying party?

Also, I have in my local spreadsheet the following, which I believe were just drafts and never assigned. Please confirm.

2.23.133.10.1.1.2 Secondary Identifier: tcg-wellKnownAuthValue
This is intended to be a bitmap of well-known authValues. This is not intended to contain an actual authValue. For example, Bit 1 means an authValue of hashsize all zeros, Bit 2 means an authValue of hashsize all NULLs, etc. [Note: Bit 1 is lsb in this notation]

2.23.133.10.1.1.3 No secondary identifier or description

2.23.133.10.1.1.4 No secondary identifier or description

Monty Wiseman
Principal Engineer, Security Architecture
Controls & Optimization
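Review bot: the enum entry for 2.23.133.10.1.4 is misspelt as `OID_TPMImporableKey` (missing the 't'); it should read `OID_TPMImportableKey` to match the "TPM Importable Key" name in the commit message, and since these enum names are the identifiers other kernel code will reference, the typo is best fixed before anything depends on it. The `/* TCG defined OIDS for TPM based keys */` comment is also the natural place for the reference David asks for, a pointer to the TCG registry document for the 2.23.133.10.1 arc, once that document exists.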
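The commit message quoted above gives the three arcs under 2.23.133.10.1 only in dotted form, and Monty asks what a relying party would do with them. The block below is an added example, written for this page and not code from the kernel patch, the tpm2-tss-engine project or anyone in the thread. It encodes dotted OIDs to DER content octets (the 40*a+b packing of the first two arcs, base-128 continuation bytes for the rest), decodes them back with the checks a parser of untrusted key blobs needs (truncated arc, non-minimal 0x80 padding, overflow), and maps the result onto an enum for the three TPM key kinds. The enum names, the assumption that the caller has already stripped the OBJECT IDENTIFIER tag and length, and the sample byte strings are this example's own.

```c
/* Added example, not the kernel's or this thread's code: a codec for OID content
 * octets plus a lookup of the three TCG arcs in the commit message.  It assumes the
 * caller already stripped the 0x06 tag and length; the enum names are invented.
 * Values: 0 = unknown, then 2.23.133.10.1.3 / .4 / .5 in commit-message order. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tpm_oid { TPM_OID_UNKNOWN = 0, TPM_OID_LOADABLE_KEY, TPM_OID_IMPORTABLE_KEY, TPM_OID_SEALED_DATA };

/* Dotted "a.b.c..." -> DER content octets: the first two arcs pack as 40*a+b, each
 * arc is base-128 big-endian with the high bit set on all but its last byte.
 * Returns the encoded length, or -1 on a malformed string or a full buffer. */
int oid_encode(const char *dotted, uint8_t *out, size_t outlen)
{
	unsigned long arcs[32], v;
	size_t n = 0, pos = 0;
	const char *p = dotted;
	uint8_t tmp[10];
	char *end;
	for (;;) {
		v = strtoul(p, &end, 10);
		if (end == p || n >= 32)
			return -1;
		arcs[n++] = v;
		if (*end == '\0')
			break;
		if (*end != '.')
			return -1;
		p = end + 1;
	}
	if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
		return -1;
	for (size_t i = 1; i < n; i++) {
		int k = 0;
		v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
		do { tmp[k++] = v & 0x7f; v >>= 7; } while (v);
		while (k--) {
			if (pos >= outlen)
				return -1;
			out[pos++] = tmp[k] | (k ? 0x80 : 0);
		}
	}
	return (int)pos;
}

/* DER content octets -> dotted string.  Rejects empty input, a truncated
 * continuation run, a non-minimal 0x80 lead byte and an overflowing arc. */
int oid_decode(const uint8_t *der, size_t len, char *out, size_t outlen)
{
	size_t pos = 0, used = 0;
	unsigned long v, a;
	int first = 1, more, w;
	if (len == 0 || outlen == 0)
		return -1;
	while (pos < len) {
		if (der[pos] == 0x80)
			return -1;
		for (v = 0, more = 1; more; pos++) {
			if (pos >= len || v > (ULONG_MAX >> 7))
				return -1;
			more = der[pos] & 0x80;
			v = (v << 7) | (der[pos] & 0x7f);
		}
		if (first) {	/* under 2.x the second arc may exceed 39, hence the 80 split */
			a = v < 80 ? v / 40 : 2;
			w = snprintf(out + used, outlen - used, "%lu.%lu", a, v - a * 40);
			first = 0;
		} else {
			w = snprintf(out + used, outlen - used, ".%lu", v);
		}
		if (w < 0 || (size_t)w >= outlen - used)
			return -1;
		used += (size_t)w;
	}
	return 0;
}

/* Exact match on one of the three arcs only; malformed input and any other
 * child of 2.23.133.10.1 come back as TPM_OID_UNKNOWN. */
enum tpm_oid tpm_oid_classify(const uint8_t *der, size_t len)
{
	char dotted[64];
	if (oid_decode(der, len, dotted, sizeof dotted) < 0)
		return TPM_OID_UNKNOWN;
	if (!strcmp(dotted, "2.23.133.10.1.3")) return TPM_OID_LOADABLE_KEY;
	if (!strcmp(dotted, "2.23.133.10.1.4")) return TPM_OID_IMPORTABLE_KEY;
	if (!strcmp(dotted, "2.23.133.10.1.5")) return TPM_OID_SEALED_DATA;
	return TPM_OID_UNKNOWN;
}

/* Encoded length when decode(encode(dotted)) reproduces dotted, else -1. */
int oid_roundtrip(const char *dotted)
{
	uint8_t buf[32]; char back[128];
	int n = oid_encode(dotted, buf, sizeof buf);
	return (n < 0 || oid_decode(buf, (size_t)n, back, sizeof back) < 0 || strcmp(dotted, back)) ? -1 : n;
}
```

Calling `oid_roundtrip("2.23.133.10.1.3")` returns 6: the loadable-key arc encodes as 67 81 05 0a 01 03, where 0x67 is 40*2+23 and 133 needs two base-128 bytes. Feeding those six bytes to `tpm_oid_classify` yields `TPM_OID_LOADABLE_KEY`; a blob whose last byte is 0x06, a sibling arc nobody has assigned, comes back unknown rather than being guessed at, and so do a truncated run (67 81) and a padded one (67 80 05 ...), which is the behaviour a relying party wants before it hands a blob to TPM2_Load() or TPM2_Import().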