RE: One question about trusted key of keyring in Linux kernel.

From: Zhao, Shirley
Date: Thu Nov 28 2019 - 20:40:15 EST


Hi, James,

Maybe the TPM command confused you.

The question is that I used the keyctl command to seal a trusted key with a PCR policy, but loading it failed after reboot.
I don't know why loading it failed. I used the TPM command to help find out, and it reported that the policy check failed.

So my question is: how do I load the PCR-policy-sealed trusted key correctly?
How do I use policydigest and policyhandle correctly?

Thanks.

- Shirley

-----Original Message-----
From: James Bottomley <jejb@xxxxxxxxxxxxx>
Sent: Thursday, November 28, 2019 2:06 AM
To: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; Mimi Zohar <zohar@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Jonathan Corbet <corbet@xxxxxxx>
Cc: linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho Chehab' <mchehab+samsung@xxxxxxxxxx>; Zhu, Bing <bing.zhu@xxxxxxxxx>; Chen, Luhai <luhai.chen@xxxxxxxxx>
Subject: Re: One question about trusted key of keyring in Linux kernel.

On Tue, 2019-11-26 at 07:32 +0000, Zhao, Shirley wrote:
> Thanks for your feedback, Mimi.
> But the dracut documentation can't solve my problem.
>
> I did more tests these days and will try to describe my question in
> more detail.
>
> In my scenario, the trusted key will be sealed into the TPM with a PCR
> policy.
> And there are some related options in the manual like:
> hash= hash algorithm name as a string. For TPM 1.x the only allowed
> value is sha1. For TPM 2.x the allowed values are sha1, sha256,
> sha384, sha512 and sm3-256.
> policydigest= digest for the authorization policy. Must be calculated
> with the same hash algorithm as specified by the 'hash=' option.
> policyhandle= handle to an authorization policy session that defines
> the same policy and with the same hash algorithm as was used to
> seal the key.
>
> Here are my test steps.
> Firstly, the PCR policy is generated as below:
> $ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy
> pcr7_bin.policy > pcr7.policy
>
> pcr7.policy is the ASCII hex of the policy:
> $ cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> Then generate the trusted key, configure policydigest and get the
> key ID:
> $ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256
> policydigest=`cat pcr7.policy`" @u
> 874117045
>
> Save the trusted key.
> $ keyctl pipe 874117045 > kmk.blob
>
> Reboot and load the key.
> Start an auth session to generate the policy:
> $ tpm2_startauthsession -S session.ctx
> session-handle: 0x3000000
> $ tpm2_pcrlist -L sha256:7 -o pcr7.sha256
> $ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
> policy-digest:
> 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9
>
> Input the policy handle to load trusted key:
> $ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001
> policyhandle=0x3000000" @u
> add_key: Operation not permitted
>
> The error should be "policy check failed", because when I use the TPM
> command to unseal directly I get the error "policy check failed":
> $ tpm2_unseal -c 0x81000001 -L sha256:7
> ERROR on line: "81" in file: "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check failed
> ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
> ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run tpm2_unseal

I think there's a miscommunication here: you're complaining about the error returned from a trusted key unseal operation that *should* fail, correct? You think it should return a TPM error but instead it returns -EPERM. That's completely correct: we translate all TPM errors into linux ones as we pass them up to userspace, so the best we can do is operation not permitted.

James
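The "policy check failed" result in the steps quoted above means the session's policy digest did not equal the digest sealed into the key. As an added example, not code from this thread, the kernel or tpm2-tools, the following Python recomputes the TPM2_PolicyPCR digest (TPM 2.0 Library spec Part 3) from a set of PCR values, so the contents of pcr7.policy can be checked against the PCRs read after reboot before a load is attempted. The helper names, the sample PCR value and the zero starting digest of a fresh session are assumptions of this example.

```python
"""Recompute a TPM 2.0 PolicyPCR digest for one PCR bank (here sha256:7).
Helper names and the sample PCR value are assumptions for this example;
this is not kernel, keyctl or tpm2-tools code."""
import hashlib
from typing import Dict, List, Optional

TPM_CC_POLICYPCR = 0x0000017F   # command code hashed into the policy digest
TPM_ALG_SHA256 = 0x000B         # TPM_ALG_ID for SHA-256
PCR_SELECT_BYTES = 3            # sizeofSelect: 24 PCRs -> 3 bitmap bytes


def marshal_pcr_selection(alg_id: int, pcr_indices: List[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one TPMS_PCR_SELECTION entry:
    count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect[]."""
    bitmap = bytearray(PCR_SELECT_BYTES)
    for idx in pcr_indices:
        bitmap[idx // 8] |= 1 << (idx % 8)   # PCR n sets bit n%8 of byte n//8
    return ((1).to_bytes(4, "big") + alg_id.to_bytes(2, "big")
            + bytes([PCR_SELECT_BYTES]) + bytes(bitmap))


def policy_pcr_digest(pcr_values: Dict[int, bytes],
                      alg_id: int = TPM_ALG_SHA256,
                      old_digest: Optional[bytes] = None) -> bytes:
    """policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM)
    with digestTPM = H(selected PCR values concatenated in ascending index order).
    A freshly started session has an all-zero policyDigest_old (assumed here)."""
    indices = sorted(pcr_values)
    digest_tpm = hashlib.sha256(b"".join(pcr_values[i] for i in indices)).digest()
    if old_digest is None:
        old_digest = bytes(hashlib.sha256().digest_size)
    pcrs = marshal_pcr_selection(alg_id, indices)
    return hashlib.sha256(old_digest + TPM_CC_POLICYPCR.to_bytes(4, "big")
                          + pcrs + digest_tpm).digest()


def policy_matches(policy_file_hex: str, pcr_values: Dict[int, bytes]) -> bool:
    """True if the ASCII-hex digest from the policy file equals the digest
    recomputed from the PCR values read now (e.g. after a reboot)."""
    return policy_pcr_digest(pcr_values) == bytes.fromhex(policy_file_hex.strip())


if __name__ == "__main__":
    sample_pcr7 = {7: bytes.fromhex("ab" * 32)}       # constructed, not a real PCR
    sealed_policy = policy_pcr_digest(sample_pcr7).hex()
    print("sealed policy digest:", sealed_policy)
    changed = {7: bytes.fromhex("cd" * 32)}           # PCR 7 differs after reboot
    print("policy still satisfied:", policy_matches(sealed_policy, changed))
```

If the recomputed digest differs from pcr7.policy, the policy session built after reboot cannot satisfy the sealed policy and the unseal is expected to fail regardless of how the handle is passed.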