On Fri, May 21, 2021 at 02:48:55PM +0100, David Woodhouse wrote: > On Thu, 2021-05-20 at 17:43 -0700, James Bottomley wrote: > > Now that the ASN.1 representation of trusted keys is upstream we can > > add policy to the keys as a sequence of policy statements meaning the > > kernel can now construct and use the policy session rather than the > > user having to do it and pass the session down to the kernel. This > > makes TPM 2.0 keys with policy much easier. > > > > The format of the policy statements is compatible with the > > openssl_tpm2_engine policy implementation: > > > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/ > > > > And the seal_tpm2_data command in the above can be used to create > > sealed keys (including with policy statements) for the kernel. > > I'd love to see that format properly defined and documented instead of > just a reference to another implementation. A valid point. How can we know that this is good for "everyone"? Also, one major thing that this patch set is kselftest's. It's too obnoxious to copy-paste examples from commit messages, and also does not really create a good platform to discuss any possible issues that these patches might have. /Jarkko
