On Mon, Sep 21, 2020 at 07:28:07PM -0700, James Bottomley wrote: > In TPM 1.2 an authorization was a 20 byte number. The spec actually > recommended you to hash variable length passwords and use the sha1 > hash as the authorization. Because the spec doesn't require this > hashing, the current authorization for trusted keys is a 40 digit hex > number. For TPM 2.0 the spec allows the passing in of variable length > passwords and passphrases directly, so we should allow that in trusted > keys for ease of use. Update the 'blobauth' parameter to take this > into account, so we can now use plain text passwords for the keys. > > so before > > keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258fkeyhandle=81000001" @u > > after we will accept both the old hex sha1 form as well as a new > directly supplied password: > > keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" @u I'm still getting -EINVAL from both with a Geminilake NUC. /Jarkko
