Re: One question about trusted key of keyring in Linux kernel.

From: James Bottomley
Date: Mon Dec 02 2019 - 01:45:05 EST

Next message: syzbot: "KASAN: slab-out-of-bounds Write in pipe_write"
Previous message: CK Hu: "Re: [PATCH v1 3/6] drm/mediatek: handle events when enabling/disabling crtc"
In reply to: Zhao, Shirley: "RE: One question about trusted key of keyring in Linux kernel."
Next in thread: Zhao, Shirley: "RE: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2019-12-02 at 06:23 +0000, Zhao, Shirley wrote:
> Hi, James,
>
> The PCR7 value and PCR7 policy is as below, please review, thanks.
>
> # tpm2_pcrlist -L sha256:7 -o pcr7_2.sha256
> sha256:
> 7 :
> 0x061AAD0705A62361AD18E58B65D3D7383F4D10F7F5A7E78924BE057AC6797408
>
> # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy
> pcr7_bin.policy > pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9
>
> # cat pcr7.policy
> 321fbd28b60fcc23017d501b133bd5dbf2889814588e8a23510fe10105cb2cc9

Well, the IBM TSS says that's the correct policy. Your policy command
is

jejb@jarvis:~> tsspolicymakerpcr -bm 000080 -if ~/pcr7.txt -pr | tee tmp.policy
0000017f00000001000b038000009a47350fdbcc77ebeadcb4b4818d8e82a21717ea24434333c791c0cd0d1dc14e

And that hashes to
jejb@jarvis:~> tsspolicymaker -if ~/tmp.policy -pr
policy digest length 32
32 1f bd 28 b6 0f cc 23 01 7d 50 1b 13 3b d5 db
f2 88 98 14 58 8e 8a 23 51 0f e1 01 05 cb 2c c9

So I don't understand why the userspace Intel TSS command is failing to
do the unseal.

James

Next message: syzbot: "KASAN: slab-out-of-bounds Write in pipe_write"
Previous message: CK Hu: "Re: [PATCH v1 3/6] drm/mediatek: handle events when enabling/disabling crtc"
In reply to: Zhao, Shirley: "RE: One question about trusted key of keyring in Linux kernel."
Next in thread: Zhao, Shirley: "RE: One question about trusted key of keyring in Linux kernel."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]