Re: Seal/Unseal trusted keys against PCR policy

On Tue, 2022-12-27 at 09:44 +0530, Sughosh Ganu wrote:
> hi,
> I am looking to use PCR policy to seal and unseal trusted keys. I
> tried using the interface described in the documentation [1], but I
> get an unseal error at the time of a key load operation. I came
> across a thread [2] which is pretty much the error that I get. As per
> my understanding of what James had explained on that thread, the API
> was broken for TPM2.0 based devices. Has that since been fixed?

Yes, that's been fixed for a while:

f2219745250f security: keys: trusted: use ASN.1 TPM2 key format for the blobs

>  If so, has there been a change in the user interface for sealing and
> unsealing the trusted keys?
> 
> Here are the steps that I follow.
> 
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:10 --policy
> pcr10_bin.policy > pcr.policy
> 
> # cat pcr.policy
> 16ef916486174ed6f68b09629d2920dd7493d0918fff1247420934c3836100d3
> 
> # keyctl add trusted kmk-pcr "new 32 keyhandle=0x81000001 hash=sha256
> policydigest=`cat pcr.policy`" @u
> 588568314
> 
> # keyctl pipe 588568314 > kmk-pcr.blob
> 
> On a reboot (or even w/o a reboot, after deleting the key)
> # keyctl add trusted kmk-pcr "load `cat kmk-pcr.blob`
> keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr.policy`" @u
> add_key: Operation not permitted

To reload a sealed key, you have to construct a policy session with the
matching policy digest and pass it down to the kernel with
policyhandle=

James
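The reply turns on the digest having to match: the value in pcr.policy is the TPM2_PolicyPCR digest for a particular PCR 10 state, and a policy session that replays PolicyPCR against the current PCR 10 only reaches the same digest if the PCR still holds that value. The following Python is an added example, not part of this thread, of tpm2-tools or of the kernel's trusted-keys code; it computes that digest from the TPM 2.0 specification's formula so a defender can check which measured state a blob was sealed to, or why a load fails after a PCR changed. The function names are hypothetical and the PCR value is constructed, not a real measurement.

```python
import hashlib

# TPM 2.0 algorithm identifiers (TPM_ALG_ID) and the PolicyPCR command code
TPM_ALG_ID = {"sha1": 0x0004, "sha256": 0x000B, "sha384": 0x000C, "sha512": 0x000D}
TPM_CC_POLICYPCR = 0x0000017F


def pcr_select_bitmap(pcr_indices, size_of_select=3):
    """Bitmap form of a PCR selection: bit i of the field is set for PCR i.
    The TPM uses 3 bytes for the usual 24 PCRs, so sha256:10 becomes 00 04 00."""
    sel = bytearray(size_of_select)
    for i in pcr_indices:
        if i < 0 or i // 8 >= size_of_select:
            raise ValueError(f"PCR index {i} out of range for a {size_of_select}-byte select")
        sel[i // 8] |= 1 << (i % 8)
    return bytes(sel)


def marshal_pcr_selection(alg, pcr_indices):
    """Marshal a TPML_PCR_SELECTION holding one bank: count (UINT32), then
    hash (UINT16), sizeofSelect (UINT8) and pcrSelect[sizeofSelect]."""
    bitmap = pcr_select_bitmap(pcr_indices)
    return (
        (1).to_bytes(4, "big")
        + TPM_ALG_ID[alg].to_bytes(2, "big")
        + bytes([len(bitmap)])
        + bitmap
    )


def policy_pcr_digest(alg, pcr_values, old_digest=None):
    """TPM2_PolicyPCR policy update, per the TPM 2.0 spec (Part 3, PolicyPCR):
        new = H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(PCR values))
    pcr_values maps PCR index -> current PCR value for that bank. A fresh policy
    session (what tpm2_createpolicy uses) starts from an all-zero digest."""
    h = hashlib.new(alg)
    if old_digest is None:
        old_digest = bytes(h.digest_size)
    indices = sorted(pcr_values)
    for i in indices:
        if len(pcr_values[i]) != h.digest_size:
            raise ValueError(f"PCR {i} value must be {h.digest_size} bytes for {alg}")
    # digestTPM: hash of the selected PCR values concatenated in ascending index order
    pcr_digest = hashlib.new(alg, b"".join(pcr_values[i] for i in indices)).digest()
    h.update(old_digest)
    h.update(TPM_CC_POLICYPCR.to_bytes(4, "big"))
    h.update(marshal_pcr_selection(alg, indices))
    h.update(pcr_digest)
    return h.digest()


def policy_matches(policy_file_hex, alg, pcr_values):
    """True if the hex digest from a pcr.policy file equals the PolicyPCR digest
    for the given PCR state, i.e. a blob sealed to it would unseal in that state."""
    return bytes.fromhex(policy_file_hex.strip()) == policy_pcr_digest(alg, pcr_values)


if __name__ == "__main__":
    # Constructed PCR 10 value for illustration only (not a real measurement)
    pcr10 = bytes.fromhex("11" * 32)
    digest = policy_pcr_digest("sha256", {10: pcr10})
    print("TPML_PCR_SELECTION:", marshal_pcr_selection("sha256", [10]).hex())
    print("policy digest     :", digest.hex())
    # Any change to PCR 10 (a different boot path, an extra measurement) gives a
    # different digest, so the sealed blob will not unseal in that state.
    print("matches after PCR change:", policy_matches(digest.hex(), "sha256", {10: bytes(32)}))
```

Feed it the current PCR 10 value (for example from tpm2_pcrread) and the contents of pcr.policy: if policy_matches returns False, the PCR state differs from the one the key was sealed to and no policy session can satisfy the blob's policy, which is a different failure from simply forgetting the policy session handle on load.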