On Tue, 2022-12-27 at 09:44 +0530, Sughosh Ganu wrote:
> hi,
> I am looking to use PCR policy to seal and unseal trusted keys. I
> tried using the interface described in the documentation [1], but I
> get an unseal error at the time of a key load operation. I came
> across a thread [2] which is pretty much the error that I get. As per
> my understanding of what James had explained on that thread, the API
> was broken for TPM2.0 based devices. Has that since been fixed?

Yes, that's been fixed for a while:

f2219745250f security: keys: trusted: use ASN.1 TPM2 key format for the blobs

> If so, has there been a change in the user interface for sealing and
> unsealing the trusted keys?
>
> Here are the steps that I follow.
>
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:10 --policy
> pcr10_bin.policy > pcr.policy
>
> # cat pcr.policy
> 16ef916486174ed6f68b09629d2920dd7493d0918fff1247420934c3836100d3
>
> # keyctl add trusted kmk-pcr "new 32 keyhandle=0x81000001 hash=sha256
> policydigest=`cat pcr.policy`" @u
> 588568314
>
> # keyctl pipe 588568314 > kmk-pcr.blob
>
> On a reboot (or even w/o a reboot, after deleting the key)
> # keyctl add trusted kmk-pcr "load `cat kmk-pcr.blob`
> keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr.policy`" @u
> add_key: Operation not permitted

To reload a sealed key, you have to construct a policy session with the
matching policy digest and pass it down to the kernel with policyhandle=

James
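As an added example (not code from the thread) of what the "ASN.1 TPM2 key format" commit cited above means for the blob that `keyctl pipe` writes out, this Python reader decodes such a blob into its emptyAuth, parent, pubkey and privkey fields. The grammar is assumed from the kernel's tpm2key.asn1, the sample blob is constructed locally so the script runs without a TPM, and a blob that is not in that format (e.g. one written by a pre-fix kernel) is rejected rather than decoded.

```python
# Added example, not code from the thread: reader for the ASN.1 TPM2 key blob that
# the kernel writes since f2219745250f (tpm2key.asn1); `keyctl pipe` prints it as hex.
import binascii

SEALED_DATA_OID = b"\x67\x81\x05\x0a\x01\x05"   # 2.23.133.10.1.5, the only type accepted
_enc = lambda tag, val: bytes([tag, len(val)]) + val   # short-form DER, for the sample only

def _tlv(buf, pos):
    """One DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _need(got, want, what):
    if got != want:
        raise ValueError("bad %s: expected %r, got %r" % (what, want, got))

def parse_tpm2_key_blob(hex_blob):
    """TPMKey ::= SEQUENCE { type OID, [0] emptyAuth BOOLEAN OPTIONAL, parent INTEGER,
    pubkey OCTET STRING, privkey OCTET STRING }; anything else is rejected."""
    der = binascii.unhexlify(hex_blob.strip())
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE: legacy pre-ASN.1 blob?")
    key, pos = {"emptyAuth": False}, 0
    tag, val, pos = _tlv(body, pos)
    _need(tag, 0x06, "type tag")
    _need(val, SEALED_DATA_OID, "type OID")  # kernel accepts only TPM sealed data objects
    tag, val, pos = _tlv(body, pos)
    if tag == 0xA0:                          # [0] EXPLICIT BOOLEAN OPTIONAL
        key["emptyAuth"] = _tlv(val, 0)[1] != b"\x00"
        tag, val, pos = _tlv(body, pos)
    _need(tag, 0x02, "parent tag")
    key["parent"] = int.from_bytes(val, "big", signed=True)   # e.g. 0x81000001
    for name in ("pubkey", "privkey"):       # TPM2B_PUBLIC / TPM2B_PRIVATE as emitted by the TPM
        tag, val, pos = _tlv(body, pos)
        _need(tag, 0x04, name + " tag")
        key[name] = val
    _need(pos, len(body), "trailing bytes")
    return key

def build_sample_blob(parent=0x81000001):
    """Constructed sample blob (hex): pub/priv bytes are placeholders, not TPM output."""
    fields = _enc(0x06, SEALED_DATA_OID) + _enc(0xA0, _enc(0x01, b"\xff"))
    fields += _enc(0x02, parent.to_bytes(parent.bit_length() // 8 + 1, "big"))
    fields += _enc(0x04, b"\x00\x04\x00\x08\x00\x0b") + _enc(0x04, b"\x00\x20" + bytes(32))
    return binascii.hexlify(_enc(0x30, fields)).decode()
```

Note that the policy digest is not a separate field of the blob: it is carried inside pubkey as the sealed object's authPolicy, which is why loading the key needs a session (policyhandle=) whose digest reproduces it.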