RE: One question about trusted key of keyring in Linux kernel.

From: Zhao, Shirley
Date: Mon Dec 02 2019 - 00:55:55 EST

Next message: Andrey Ponomarenko: "Linux Hardware Trends"
Previous message: james qian wang (Arm Technology China): "Re: [01/30] drm: Introduce drm_bridge_init()"
In reply to: James Bottomley: "Re: One question about trusted key of keyring in Linux kernel."
Next in thread: James Bottomley: "Re: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanks for your feedback, James.

The policy is generated by TPM command, tpm2_createpolicy, it just use the algorithm you mentioned, which is defined in TPM spec.
I re-attach my test steps as below.
Please help check it, is there anything wrong, especially the format of keyctl command.

Firstly, the pcr policy is generated as below:
$ tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr7_bin.policy > pcr7.policy

Pcr7.policy is the ascii hex of policy:
$ cat pcr7.policy
321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9

Then generate the trusted key and configure policydigest and get the key ID:
$ keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr7.policy`" @u
874117045

Save the trusted key.
$ keyctl pipe 874117045 > kmk.blob

Reboot and load the key.
Start a auth session to generate the policy:
$ tpm2_startauthsession -S session.ctx
session-handle: 0x3000000
$ tpm2_pcrlist -L sha256:7 -o pcr7.sha256 $ tpm2_policypcr -S session.ctx -L sha256:7 -F pcr7.sha256 -f pcr7.policy
policy-digest: 0x321FBD28B60FCC23017D501B133BD5DBF2889814588E8A23510FE10105CB2CC9

Input the policy handle to load trusted key:
$ keyctl add trusted kmk "load `cat kmk.blob` keyhandle=0x81000001 policyhandle=0x3000000" @u
add_key: Operation not permitted

The error should be policy check failed, because I use TPM command to unseal directly with error of policy check failed.
$ tpm2_unseal -c 0x81000001 -L sha256:7
ERROR on line: "81" in file: "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal failed!
ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run tpm2_unseal

- Shirley

-----Original Message-----
From: James Bottomley <jejb@xxxxxxxxxxxxx>
Sent: Monday, December 2, 2019 12:17 PM
To: Zhao, Shirley <shirley.zhao@xxxxxxxxx>; Mimi Zohar <zohar@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Jonathan Corbet <corbet@xxxxxxx>
Cc: linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; 'Mauro Carvalho Chehab' <mchehab+samsung@xxxxxxxxxx>; Zhu, Bing <bing.zhu@xxxxxxxxx>; Chen, Luhai <luhai.chen@xxxxxxxxx>
Subject: Re: One question about trusted key of keyring in Linux kernel.

On Mon, 2019-12-02 at 01:44 +0000, Zhao, Shirley wrote:
> Hi, James,
>
> The value of PCR7 is not changed. I have checked it with TPM command
> tpm_pcrlist.
>
> So I think the problem is how to use the option policydigest and
> policyhandle? Is there any example?
> Maybe the format in my command is not correct.

OK, so previously you said that using the Intel TSS the policy also failed after a reboot:

> The error should be policy check failed, because I use TPM command to
> unseal directly with error of policy check failed.
> $ tpm2_unseal -c 0x81000001 -L sha256:7 ERROR on line: "81" in file:
> "./lib/log.h": Tss2_Sys_Unseal(0x99D) - tpm:session(1):a policy check
> failed ERROR on line: "213" in file: "tools/tpm2_unseal.c": Unseal
> failed!
> ERROR on line: "166" in file: "tools/tpm2_tool.c": Unable to run
> tpm2_unseal

So this must mean the actual policy hash you constructed was wrong in some way: it didn't correspond simply to a value of pcr7 ... well assuming the -L sha256:7 means construct a policy of the sha256 value of pcr7 and use it in the unseal.

I can tell you how to construct policies using TPM2 commands, but I think you want to know how to do it using the Intel TSS? In which case you really need to consult the experts in that TSS, like Phil Tricca.

For the plain TPM2 case, the policy looks like

TPM_CC_PolicyPCR || pcrs || pcrDigest

Where TPM_CC_PolicyPCR = 0000017f and for selecting pcr7 only. pcrs is a complicated entity: it's a counted array of pcr selections. For your policy you only need one entry, so it would be 00000001 followed by a single pcrSelection entry. pcrSelection is the hash algorithm, the size of the selection bitmap (always 3 since every current TPM only has
24 PCRs) and a bitmap selecting the PCRs in big endian format, so for
PCR7 using sha256 (algorithm 000b), pcrSelection = 000b 03 80 00 00.
And then you follow this by the hash of the PCR value you're looking for. The policyhash becomes the initial policy (all zeros for the start of the policy chain) hashed with this.

Regards,

James

Next message: Andrey Ponomarenko: "Linux Hardware Trends"
Previous message: james qian wang (Arm Technology China): "Re: [01/30] drm: Introduce drm_bridge_init()"
In reply to: James Bottomley: "Re: One question about trusted key of keyring in Linux kernel."
Next in thread: James Bottomley: "Re: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]