RE: One question about trusted key of keyring in Linux kernel.

From: Zhao, Shirley
Date: Tue Nov 26 2019 - 02:32:17 EST

Next message: Paolo Valente: "Re: [PATCH v6 0/4] Add MMC software queue support"
Previous message: Masami Hiramatsu: "Re: [BUGFIX PATCH v3 1/4] selftests/ftrace: Fix to check the existence of set_ftrace_filter"
Next in thread: Mimi Zohar: "Re: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanks for your feedback, Mimi.
But the document of dracut can't solve my problem.

I did more test these days and try to descript my question in more detail.

In my scenario, the trusted key will be sealed into TPM with PCR policy.
And there are some related options in manual like
hash= hash algorithm name as a string. For TPM 1.x the only
allowed value is sha1. For TPM 2.x the allowed values
are sha1, sha256, sha384, sha512 and sm3-256.
policydigest= digest for the authorization policy. must be calculated
with the same hash algorithm as specified by the 'hash='
option.
policyhandle= handle to an authorization policy session that defines the
same policy and with the same hash algorithm as was used to
seal the key.

Here is my test step.
Firstly, the pcr policy is generated as below:
$ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy

Pcr7.policy is the ascii hex of policy:
$ cat pcr7.policy
321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9

Then generate the trusted key and configure policydigest and get the key ID:
$ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr7.policy`" @u
874117045

Save the trusted key.
$ keyctl pipe 874117045 > kmk.blob

Reboot and load the key.
Start a auth session to generate the policy:
$ tpm2_startauthsession -S session.ctx
session-handle: 0x3000000
$ tpm2_pcrlist -L sha256:7 -o pcr7.sha256
$ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
policy-digest: 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9

Input the policy handle to load trusted key:
$ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 policyhandle=0x3000000" @u
add_key: Operation not permitted

The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed.
$ tpm2_unseal -c 0x81000001 -L sha256:7
ERROR on line: "81" in file: "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check failed
ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run tpm2_unseal

So my question is:
1. How to use the option, policydigest, policyhandle?? Is there any example?
2. What's wrong with my test step?

Thanks.

- Shirley

-----Original Message-----
From: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Sent: Wednesday, November 13, 2019 11:46 PM
To: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; James Bottomley <jejb@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Jonathan Corbet <corbet@xxxxxxx>
Cc: linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho Chehab' <mchehab+samsung@xxxxxxxxxx>
Subject: Re: One question about trusted key of keyring in Linux kernel.

On Wed, 2019-11-13 at 01:22 +0000, Zhao, Shirley wrote:
> Hi, all,
>
> This is Shirley from Intel. I have one question about trusted key of
> keyring in kernel. Please help.
>
> According the to description in https://github.com/torvalds/linux/bl
> ob/master/Documentation/security/keys/trusted-encrypted.rst.
> Trusted key will be saved in TPM with PCR policy protected.

"Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed under a 2048 bit RSA key in the TPM, ..."

Trusted keys are not TPM keys. ÂThey are not stored in the TPM.

>
> Then, I running the following command to create a trusted key.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001" @u
>
> I also tried the following command, it can add one trusted key, too.
> keyctl add trusted test_trusted "new 32 keyhandle=0x81000001
> pcrinfo=`cat pcr7.blob`" @u
>
> But after reboot, this key will be removed.
> I need to re-added during boot.

Right, they need to be re-loaded on boot. ÂRefer to the dracut module /modules.d/97masterkey for loading a trusted key during boot.

>
> Then the question is since this key is saved in TPM, how to get it
> back from TPM?

Trusted keys are not stored in the TPM. ÂRefer to the ima-evm-utils README for examples of creating a trusted key (kmk) and an encrypted key (evm-key).

>
> From the document, I need to use "keyctl pipe" to save the key into a
> blob, then load it.
> But the blob contend key text, and this is a file on hard disk, it is
> not safe to protect the key.
>
> So what can TPM do here?

The hex ascii encoded trusted key is sealed under the TPM SRK.

Mimi

Next message: Paolo Valente: "Re: [PATCH v6 0/4] Add MMC software queue support"
Previous message: Masami Hiramatsu: "Re: [BUGFIX PATCH v3 1/4] selftests/ftrace: Fix to check the existence of set_ftrace_filter"
Next in thread: Mimi Zohar: "Re: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]