Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
From: Gary Lin
Subject: Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
Date: Tue, 7 Mar 2023 11:16:34 +0800
On Mon, Mar 06, 2023 at 08:20:39AM -0500, James Bottomley wrote:
> On Mon, 2023-03-06 at 14:51 +0800, Gary Lin wrote:
> > On Wed, Feb 22, 2023 at 07:41:38AM -0500, James Bottomley wrote:
> > > On Wed, 2023-02-22 at 15:00 +0800, Gary Lin via Grub-devel wrote:
> > > > +GRUB_MOD_INIT (tpm2)
> > > > +{
> > > > + grub_tpm2_protector_init_cmd =
> > > > + grub_register_extcmd ("tpm2_key_protector_init",
> > > > + grub_tpm2_protector_init_cmd_handler,
> > > > 0,
> > > > + N_("[-m mode] "
> > > > + "[-p pcr_list] "
> > > > + "[-b pcr_bank] "
> > > > + "[-k sealed_key_file_path] "
> > > > + "[-s srk_handle] "
> > > > + "[-a asymmetric_key_type] "
> > > > + "[-n nv_index]"),
> > > > + N_("Initialize the TPM2 key
> > > > protector."),
> > > > + grub_tpm2_protector_init_cmd_options);
> > > > + grub_tpm2_protector_clear_cmd =
> > > > + grub_register_extcmd ("tpm2_key_protector_clear",
> > > > + grub_tpm2_protector_clear_cmd_handler,
> > > > 0,
> > > > NULL,
> > > > + N_("Clear the TPM2 key protector if
> > > > previously initialized."),
> > > > + NULL);
> > > > + grub_key_protector_register (&grub_tpm2_key_protector);
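Review bot: the `[-k sealed_key_file_path]` option of `tpm2_key_protector_init` gives no indication of which on-disk format the sealed key file must use, which is exactly the question raised in this reply about the standardised TPM2 key file format; name the accepted format in the summary or description string passed to `grub_register_extcmd` so a user knows whether a sealed key produced by other TPM2 tooling will load.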
> > >
> > Hi James,
> >
> > > Hang on, we've spent ages standardising the format of TPM key
> > > files:
> > >
> > > https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> > >
> >
> > Per the spec, the type OIDs are defined as the following:
> >
> > id-tpmkey OBJECT IDENTIFIER ::=
> > {joint-iso-itu-t(2) international-organizations(23) 133 10}
> >
> > id-loadablekey OBJECT IDENTIFIER ::=
> > {id-tpmkey 3}
> >
> > id-importablekey OBJECT IDENTIFIER ::=
> > {id-tpmkey 4}
> >
> > id-sealedkey OBJECT IDENTIFIER ::=
> > {id-tpmkey 5}
> >
> > Then I assume that the sealed key OID is 2.23.133.10.5. However, I found
> > that the sealed key OID in openssl-tpm2-engine and linux kernel is
> > 2.23.133.10.1.5, and it doesn't match the tpm 2.0 key spec.
> >
> > Did I miss anything in the spec?
>
> Possibly not. We went around the houses for ages with the TCG guardian
> of OID allocations trying to agree on the numbers. It's probable the
> spec missed one of the iterations of the prefix. If you'd like to send
> a patch to fix it, the list is:
>
> openssl-tpm2-engine@groups.io
>
Well, I only spotted the missing number and have no idea of what it is.
It needs someone who knows the spec well to fix the OID properly.
Gary Lin
> The raw spec is in git here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/tree/doc/draft-bottomley-tpm2-keys.xml
>
> James
>
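An added example (not code from this thread, from GRUB or from openssl-tpm2-engine): a small DER OBJECT IDENTIFIER encoder and decoder that shows the draft's `id-sealedkey` (2.23.133.10.5) and the OID shipped in the engine and kernel (2.23.133.10.1.5) differ byte for byte, so a key-file parser that matches on one would not recognise files tagged with the other.

```python
# Added example: DER OID encode/decode, used to compare the two sealed-key OIDs
# named in the thread. Constants below are the values quoted in the discussion.

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    body = bytearray()
    # The first two arcs share one sub-identifier: 40 * arc0 + arc1.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # continuation bit on all but the last byte
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV back to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a well-formed DER OID")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # more base-128 digits follow for this sub-identifier
        if not arcs:
            first = 2 if value >= 80 else value // 40
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

# OIDs as quoted in the thread.
SPEC_SEALEDKEY_OID = "2.23.133.10.5"    # id-sealedkey per the draft text
IMPL_SEALEDKEY_OID = "2.23.133.10.1.5"  # what openssl-tpm2-engine and the kernel emit

def sealed_key_oids_match() -> bool:
    """True only if a parser keyed on the draft's OID would accept engine-produced files."""
    return encode_oid(SPEC_SEALEDKEY_OID) == encode_oid(IMPL_SEALEDKEY_OID)
```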