Re: [PATCH RESEND] docs: update trusted-encrypted.rst
From: Coly Li
Date: Sun Aug 16 2020 - 13:02:01 EST
On 2020/8/17 00:06, Stefan Berger wrote:
> On 8/15/20 3:51 AM, Coly Li wrote:
>> The parameters in tmp2 commands are outdated, people are not able to
>> create trusted key by the example commands.
>>
>> This patch updates the paramerters of tpm2 commands, they are verified
>> by tpm2-tools-4.1 with Linux v5.8 kernel.
>>
>> Signed-off-by: Coly Li <colyli@xxxxxxx>
>> Cc: Dan Williams <dan.j.williams@xxxxxxxxx>
>> Cc: James Bottomley <jejb@xxxxxxxxxxxxx>
>> Cc: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
>> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>> Cc: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>> ---
>> Documentation/security/keys/trusted-encrypted.rst | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/Documentation/security/keys/trusted-encrypted.rst
>> b/Documentation/security/keys/trusted-encrypted.rst
>> index 9483a7425ad5..442a2775156e 100644
>> --- a/Documentation/security/keys/trusted-encrypted.rst
>> +++ b/Documentation/security/keys/trusted-encrypted.rst
>> @@ -39,10 +39,9 @@ With the IBM TSS 2 stack::
>> Or with the Intel TSS 2 stack::
>> - #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
>> + #> tpm2_createprimary --hierarchy o -G rsa2048 key.ctxt
>> [...]
>> - handle: 0x800000FF
>
>
> Are you sure about this? My documentation for 4.1.3 on F32 states
>
>
> -c, --key-context=FILE:
>
> The file path to save the object context of the generated
> primary object.
>
>
Yes of course you are right, it is s/-o/-c
>
>> - #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
>> + #> tpm2_evictcontrol -c key.ctxt 0x81000001
>> persistentHandle: 0x81000001
>
>
> This seems correct.
>
>
>> Usage::
>> @@ -115,7 +114,7 @@ append 'keyhandle=0x81000001' to statements
>> between quotes, such as
>
>
> A note in this file states this:
>
> Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
> append 'keyhandle=0x81000001' to statements between quotes, such as
> "new 32 keyhandle=0x81000001".
>
> Now if someone was (still) interested in TPM 1.2 then the below changes
> you are proposing wouldn't work for them. Maybe you should adapt the
> note to state that these keyhandle=... should be removed for the TPM 1.2
> case.
>
I agree. Indeed I have no idea why number 0x81000001 is used, and I
don't have practice experience with TPM 1.2. Now the purpose of this
patch accomplished: experts response and confirm my guess :-)
Thanks.
>> ::
>> - $ keyctl add trusted kmk "new 32" @u
>> + $ keyctl add trusted kmk "new 32 keyhandle=0x81000001" @u
>> 440502848
>> $ keyctl show
>> @@ -138,7 +137,7 @@ append 'keyhandle=0x81000001' to statements
>> between quotes, such as
>> Load a trusted key from the saved blob::
>> - $ keyctl add trusted kmk "load `cat kmk.blob`" @u
>> + $ keyctl add trusted kmk "load `cat kmk.blob`
>> keyhandle=0x81000001" @u
>> 268728824
>> $ keyctl print 268728824
>
>
Coly Li