hi James,

On Tue, 27 Dec 2022 at 21:10, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, 2022-12-27 at 09:44 +0530, Sughosh Ganu wrote:
> > hi,
> > I am looking to use PCR policy to seal and unseal trusted keys. I
> > tried using the interface described in the documentation [1], but I
> > get an unseal error at the time of a key load operation. I came
> > across a thread [2] which is pretty much the error that I get. As per
> > my understanding of what James had explained on that thread, the API
> > was broken for TPM2.0 based devices. Has that since been fixed?
>
> Yes, that's been fixed for a while:
>
> f2219745250f security: keys: trusted: use ASN.1 TPM2 key format for the
> blobs
>
> > If so, has there been a change in the user interface for sealing and
> > unsealing the trusted keys?
> >
> > Here are the steps that I follow.
> >
> > # tpm2_createpolicy --policy-pcr --pcr-list sha256:10 --policy
> > pcr10_bin.policy > pcr.policy
> >
> > # cat pcr.policy
> > 16ef916486174ed6f68b09629d2920dd7493d0918fff1247420934c3836100d3
> >
> > #keyctl add trusted kmk-pcr "new 32 keyhandle=0x81000001 hash=sha256
> > policydigest=`cat pcr.policy`" @u
> > 588568314
> >
> > # keyctl pipe 588568314 > kmk-pcr.blob
> >
> > On a reboot (or even w/o a reboot, after deleting the key)
> > #keyctl add trusted kmk-pcr "load `cat kmk-pcr.blob`
> > keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr.policy`" @u
> > add_key: Operation not permitted
>
> To reload a sealed key, you have to construct a policy session with the
> matching policy digest and pass it down to the kernel with
> policyhandle=

Thanks for your reply. For reloading the sealed key, I am trying to start a policy session through the tpm2_startauthsession command, followed by the tpm2_policypcr command to get the same policy digest. However, I am not sure how to get the session handle. As per my understanding, the policyhandle is a uint32_t object. However, none of the above two commands give back the session handle. I tried the tpm2_getcap command with the handles-saved-session, which shows a handle once I have run the tpm2_startauthsession command. However, providing this value to the keyctl command as policyhandle does not work. Can you please point out what I am doing wrong?

-sughosh