Re: [PATCH v7 19/21] tpm: add the null key name as a sysfs export

On Tue Feb 13, 2024 at 7:13 PM EET, James Bottomley wrote:
> This is the last component of encrypted tpm2 session handling that
> allows us to verify from userspace that the key derived from the NULL
> seed genuinely belongs to the TPM and has not been spoofed.
>
> The procedure for doing this involves creating an attestation identity
> key (which requires verification of the TPM EK certificate) and then
> using that AIK to sign a certification of the Elliptic Curve key over
> the NULL seed.  Userspace must create this EC Key using the parameters
> prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if
> this is done correctly the names will match and the TPM can then run a
> TPM2_Certify operation on this derived primary key using the newly
> created AIK.
>
> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
>
> ---
> v6: change config name
> v7: add review
> ---
>  drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
> index 54c71473aa29..94231f052ea7 100644
> --- a/drivers/char/tpm/tpm-sysfs.c
> +++ b/drivers/char/tpm/tpm-sysfs.c
> @@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev,
>  }
>  static DEVICE_ATTR_RO(tpm_version_major);
>  
> +#ifdef CONFIG_TCG_TPM2_HMAC
> +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
> +			      char *buf)
> +{
> +	struct tpm_chip *chip = to_tpm_chip(dev);
> +	int size = TPM2_NAME_SIZE;
> +
> +	bin2hex(buf, chip->null_key_name, size);
> +	size *= 2;
> +	buf[size++] = '\n';
> +	return size;
> +}
> +static DEVICE_ATTR_RO(null_name);
> +#endif
> +
>  static struct attribute *tpm1_dev_attrs[] = {
>  	&dev_attr_pubek.attr,
>  	&dev_attr_pcrs.attr,
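Review bot: null_name_show() writes TPM2_NAME_SIZE * 2 hex characters plus a newline into buf with no explicit bound; sysfs hands show() a PAGE_SIZE buffer, so this is safe for a 34-byte name, but `sysfs_emit(buf, "%*phN\n", TPM2_NAME_SIZE, chip->null_key_name)` would produce the same output in one call with the bound checked, which is the form preferred for new sysfs show callbacks. The hunk also does not check that chip->null_key_name has actually been populated; if deriving the NULL-seed key can fail earlier during session setup, consider returning an error (e.g. -ENODATA) rather than exporting a zeroed or stale name that userspace would then try to verify.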
> @@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = {
>  
>  static struct attribute *tpm2_dev_attrs[] = {
>  	&dev_attr_tpm_version_major.attr,
> +#ifdef CONFIG_TCG_TPM2_HMAC
> +	&dev_attr_null_name.attr,
> +#endif
>  	NULL
>  };
>  
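Review bot: a new sysfs attribute needs a Documentation/ABI entry (the existing TPM attributes are described under Documentation/ABI/stable/sysfs-class-tpm); this hunk adds null_name to tpm2_dev_attrs without documenting its format (TPM2_NAME_SIZE bytes as lower-case hex, newline-terminated) or the fact that it only exists when CONFIG_TCG_TPM2_HMAC is set, both of which a userspace verifier needs to know before it can compare the exported name against the one it derives.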

Ditto.

Could also have my tested-by. I removed my test suite from Github.
Soon relocating it to gitlab. The reason being that I'm also
enabling full keyutils test suite in it and in more distant
future might refactor it into a CI test (ATM do not have
bandwidth to accomplish the last step).

David, I've been carrying a couple of minor fixes to the keyutils test.
When you have time, could you check if they make sense (attached)?

They came to mind while reviewing this, and they are pretty small, so
maybe they could be picked up like this.

BR, Jarkko
From d3472a81decc0a982b8154be7b873436a91873d8 Mon Sep 17 00:00:00 2001
From: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Date: Tue, 19 Dec 2023 12:27:09 +0200
Subject: [PATCH 1/4] test: check for lsb_release command existence before
 applying it

Requiring `lsb_release` makes the keyutils test suite very unrobust towards
CI. Therefore, check its existence before applying the command.

Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
---
 tests/prepare.inc.sh | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh
index 4033d69..1a1acc9 100644
--- a/tests/prepare.inc.sh
+++ b/tests/prepare.inc.sh
@@ -66,13 +66,16 @@ then
     echo -n >$OUTPUTFILE
 fi
 
-case `lsb_release -i -s` in
-    Fedora*)		OSDIST=Fedora;;
-    RedHatEnterprise*)	OSDIST=RHEL;;
-    *)			OSDIST=Unknown;;
-esac
+if command -v lsb_release &> /dev/null
+then
+    case `lsb_release -i -s` in
+        Fedora*)            OSDIST=Fedora;;
+        RedHatEnterprise*)  OSDIST=RHEL;;
+        *)                  OSDIST=Unknown;;
+    esac
 
-OSRELEASE=`lsb_release -r -s`
+    OSRELEASE=`lsb_release -r -s`
+fi
 
 KEYUTILSVER=`keyctl --version 2>/dev/null`
 if [ -n "$KEYUTILSVER" ]
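Review bot: when lsb_release is absent, the new `if command -v lsb_release` branch leaves OSDIST and OSRELEASE unset, whereas the old code always ended with at least `OSDIST=Unknown`; anything downstream that tests `$OSDIST` will now see an empty string, so add an else branch that sets `OSDIST=Unknown` and `OSRELEASE=`. Also, `&> /dev/null` is a bash extension; `>/dev/null 2>&1` behaves the same under any POSIX sh in case this include file is ever sourced from one.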
-- 
2.40.1

From 19d54acb57e8960e386119088d57e2385c71862c Mon Sep 17 00:00:00 2001
From: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Date: Fri, 22 Dec 2023 21:42:11 +0200
Subject: [PATCH 2/4] test: fix typo in builtin_trusted/runtest.sh

s/fail/failed/

Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
---
 tests/features/builtin_trusted/runtest.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/features/builtin_trusted/runtest.sh b/tests/features/builtin_trusted/runtest.sh
index 6bd073b..c0736d6 100644
--- a/tests/features/builtin_trusted/runtest.sh
+++ b/tests/features/builtin_trusted/runtest.sh
@@ -24,7 +24,7 @@ id_key --to=blk %:.blacklist
 # There should be at least one built-in trusted key for module signing.
 list_keyring $btk
 expect_keyring_rlist bkeys
-if [ `echo $bkeys | wc -w` = 0 ]; then fail; fi
+if [ `echo $bkeys | wc -w` = 0 ]; then failed; fi
 
 # Check we can't add random keys to those keyrings
 marker "TRY ADDING USER KEYS"
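Review bot: the commit message should state what the typo broke rather than just `s/fail/failed/`: if `fail` is not a helper defined by the test harness, the old line would have aborted with "command not found" (or silently done nothing) instead of recording a failure when no built-in trusted key is present, which is the actual bug this hunk fixes.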
-- 
2.40.1
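The quoted commit message says userspace must recreate the NULL-seed EC primary with the SRK ECC parameters from the TCG provisioning guidance and that, done correctly, "the names will match". The following is an added Python example (not code from the patch, the kernel, or keyutils) of the userspace side of that comparison: it marshals a TPMT_PUBLIC for the ECC storage-key template, derives the TPM 2.0 Name (nameAlg || SHA-256 of the marshalled public area), and compares it in constant time with the hex string the `null_name` attribute exports. The template constants (attribute word 0x00030472, AES-128-CFB symmetric, NIST P-256, NULL scheme and KDF) are assumed from the provisioning guidance, the sysfs path `/sys/class/tpm/tpm0/null_name` is assumed from the attribute name in the patch, and the public point is a constructed placeholder rather than a real TPM key.

```python
import hashlib
import hmac
import struct

# TPM 2.0 algorithm identifiers (TCG Algorithm Registry)
TPM_ALG_AES = 0x0006
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_ECC = 0x0023
TPM_ALG_CFB = 0x0043
TPM_ECC_NIST_P256 = 0x0003

# Object attributes for the ECC SRK template (assumed from the TCG
# "TPM 2.0 Provisioning Guidance" storage-key template): fixedTPM,
# fixedParent, sensitiveDataOrigin, userWithAuth, noDA, restricted, decrypt.
SRK_ECC_ATTRS = 0x00030472

# 2-byte nameAlg + 32-byte SHA-256 digest; matches the kernel's TPM2_NAME_SIZE.
TPM2_NAME_SIZE = 2 + hashlib.sha256().digest_size


def marshal_ecc_srk_public(x: bytes, y: bytes) -> bytes:
    """Marshal a TPMT_PUBLIC for the ECC storage-key template, given the
    public point (x, y) the TPM returned for the NULL-seed primary."""
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    out = struct.pack(">HHI", TPM_ALG_ECC, TPM_ALG_SHA256, SRK_ECC_ATTRS)
    out += struct.pack(">H", 0)                                # authPolicy: empty TPM2B_DIGEST
    out += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)  # TPMT_SYM_DEF_OBJECT
    out += struct.pack(">H", TPM_ALG_NULL)                     # scheme: TPMT_ECC_SCHEME NULL
    out += struct.pack(">H", TPM_ECC_NIST_P256)                # curveID
    out += struct.pack(">H", TPM_ALG_NULL)                     # kdf: TPMT_KDF_SCHEME NULL
    out += struct.pack(">H", len(x)) + x                       # unique.x: TPM2B_ECC_PARAMETER
    out += struct.pack(">H", len(y)) + y                       # unique.y
    return out


def tpm2_name(public_area: bytes, name_alg: int = TPM_ALG_SHA256) -> bytes:
    """Name = nameAlg (UINT16, big-endian) || H_nameAlg(marshalled TPMT_PUBLIC)."""
    if name_alg != TPM_ALG_SHA256:
        raise NotImplementedError("only SHA-256 names are handled here")
    return struct.pack(">H", name_alg) + hashlib.sha256(public_area).digest()


def parse_sysfs_null_name(text: str) -> bytes:
    """Decode what the null_name attribute exports: TPM2_NAME_SIZE bytes as
    hex followed by a newline (assumed path: /sys/class/tpm/tpm0/null_name)."""
    raw = bytes.fromhex(text.strip())
    if len(raw) != TPM2_NAME_SIZE:
        raise ValueError(f"unexpected name length {len(raw)}")
    return raw


def null_name_matches(sysfs_text: str, x: bytes, y: bytes) -> bool:
    """True when the kernel-exported null key name equals the name userspace
    derives from the public area of its own NULL-seed CreatePrimary."""
    expected = tpm2_name(marshal_ecc_srk_public(x, y))
    return hmac.compare_digest(parse_sysfs_null_name(sysfs_text), expected)


# Constructed sample point (not a real TPM key). A real check would take x, y
# from TPM2_CreatePrimary/TPM2_ReadPublic and the text from sysfs.
SAMPLE_X = bytes(range(1, 33))
SAMPLE_Y = bytes(range(101, 133))
SAMPLE_SYSFS = tpm2_name(marshal_ecc_srk_public(SAMPLE_X, SAMPLE_Y)).hex() + "\n"


def tampered_sysfs(text: str) -> str:
    """Flip one bit of the exported name to model a spoofed or stale value."""
    raw = bytearray(parse_sysfs_null_name(text))
    raw[-1] ^= 0x01
    return raw.hex() + "\n"


if __name__ == "__main__":
    print("match:", null_name_matches(SAMPLE_SYSFS, SAMPLE_X, SAMPLE_Y))
    print("tampered match:", null_name_matches(tampered_sysfs(SAMPLE_SYSFS), SAMPLE_X, SAMPLE_Y))
```

The comparison only proves that the kernel's name and userspace's name were computed over the same public area; binding that area to a genuine TPM is the job of the TPM2_Certify step with the EK-backed AIK that the commit message describes, which this example does not perform.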

