On Fri Jun 19 20, Wiseman, Monty (GE Research, US) wrote:
James,-----Original Message----- From: David Woodhouse <dwmw2@xxxxxxxxxxxxx> Sent: December 9, 2019 03:56 AM To: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>; linux- integrity@xxxxxxxxxxxxxxx; Wiseman, Monty (GE Global Research, US) <monty.wiseman@xxxxxx> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> Subject: EXT: Re: [PATCH 3/8] oid_registry: Add TCG defined OIDS for TPM keys On Sat, 2019-12-07 at 21:09 -0800, James Bottomley wrote: > The TCG has defined an OID prefix "2.23.133.10.1" for the various TPM > key uses. We've defined three of the available numbers: > > 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key (Usually > RSA2048 or Elliptic Curve) which can be imported by a > TPM2_Load() operation. > > 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key (Usually > RSA2048 or Elliptic Curve) which can be imported by a > TPM2_Import() operation. > > Both loadable and importable keys are specific to a given TPM, the > difference is that a loadable key is wrapped with the symmetric > secret, so must have been created by the TPM itself. An importable > key is wrapped with a DH shared secret, and may be created without > access to the TPM provided you know the public part of the parent key. > > 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128 > bytes) which is sealed by the TPM. It usually > represents a symmetric key and must be unsealed before > use. Do we still not have an official reference for these that you can provide in the commit or the file itself? It would be very nice to have something more than a verbal assurance that they're in Monty's spreadsheet. > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> > --- > include/linux/oid_registry.h | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h > index 657d6bf2c064..a4cee888f9b0 100644 > --- a/include/linux/oid_registry.h > +++ b/include/linux/oid_registry.h > @@ -107,6 +107,11 @@ enum OID { > OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */ > OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */ > > + /* TCG defined OIDS for TPM based keys */ > + OID_TPMLoadableKey, /* 2.23.133.10.1.3 */ > + OID_TPMImporableKey, /* 2.23.133.10.1.4 */ > + OID_TPMSealedData, /* 2.23.133.10.1.5 */ > + > OID__NR > }; >Bring back an old thread. We are finally getting the TCG OID registry ready to publish and wanted to verifier the OIDs you requested and we assigned above. I can find 2.23.133.10.1.3 TPM Loadable key in the tpm2-tss-engine project. I do not see this one, nor the others list above in the kernel source. Did these ever get used? If so, where and can you provide a use case for a relying party? Also, I have in my local spreadsheet the following which I believe were just drafts and never assigned. Please confirm. 2.23.133.10.1.1.2 Secondary Identifier: tcg-wellKnownAuthValue This in intended to be bitmap of well-known authValues. This is not intended to contain an actual authValue. For example. Bit 1 means and authValue of hashsize all zeros, Bit 2 means an authValue of hashsize all NULLs, etc. [Note: Bit 1 is lsb in this notation] 2.23.133.10.1.1.3 No secondary identifier or description 2.23.133.10.1.1.4 No secondary identifier or description Monty Wiseman Principal Engineer, Security Architecture Controls & Optimization
Hi Monty, The patchset is still being reviewed and discussed: https://lore.kernel.org/linux-integrity/20200616160229.8018-3-James.Bottomley@xxxxxxxxxxxxxxxxxxxxx/
