[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 03/14] protectors: Add TPM2 Key Protector
|
From: |
James Bottomley |
|
Subject: |
Re: [PATCH 03/14] protectors: Add TPM2 Key Protector |
|
Date: |
Wed, 22 Feb 2023 07:41:38 -0500 |
|
User-agent: |
Evolution 3.42.4 |
On Wed, 2023-02-22 at 15:00 +0800, Gary Lin via Grub-devel wrote:
> +GRUB_MOD_INIT (tpm2)
> +{
> + grub_tpm2_protector_init_cmd =
> + grub_register_extcmd ("tpm2_key_protector_init",
> + grub_tpm2_protector_init_cmd_handler, 0,
> + N_("[-m mode] "
> + "[-p pcr_list] "
> + "[-b pcr_bank] "
> + "[-k sealed_key_file_path] "
> + "[-s srk_handle] "
> + "[-a asymmetric_key_type] "
> + "[-n nv_index]"),
> + N_("Initialize the TPM2 key protector."),
> + grub_tpm2_protector_init_cmd_options);
> + grub_tpm2_protector_clear_cmd =
> + grub_register_extcmd ("tpm2_key_protector_clear",
> + grub_tpm2_protector_clear_cmd_handler, 0,
> NULL,
> + N_("Clear the TPM2 key protector if
> previously initialized."),
> + NULL);
> + grub_key_protector_register (&grub_tpm2_key_protector);
Hang on, we've spend ages standardising the format of TPM key files:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
And every major TPM based key system uses this format, so a key file
created by any TPM2 cryptosystem can be read by any other (meaning you
can use any crypotosystem tools to manage the key). What you're doing
here just reinvents a non-standard format and creates a load of
parameters that the user needs to know here, but are part of the key
format standard, so you not only need to remember a load of information
not in your key file, but you have to have a non-standard tool to
create the key in the first place.
Even if you want to keep your own tool to create keys, what about
interoperability with the kernel? The kernel's TPM key subsystem
(trusted keys) also speaks the above format
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/keys/trusted-keys/tpm2key.asn1
so you wouldn't be able to send this key down to day dm-crypt as a
trusted key, you'd have to create two separate key files to do that.
James
- [PATCH 00/14] Automatic Disk Unlock with TPM2, Gary Lin, 2023/02/22
- [PATCH 01/14] protectors: Add key protectors framework, Gary Lin, 2023/02/22
- [PATCH 02/14] tpm2: Add TPM Software Stack (TSS), Gary Lin, 2023/02/22
- [PATCH 03/14] protectors: Add TPM2 Key Protector, Gary Lin, 2023/02/22
- Re: [PATCH 03/14] protectors: Add TPM2 Key Protector,
James Bottomley <=
- [PATCH 05/14] util/grub-protect: Add new tool, Gary Lin, 2023/02/22
- [PATCH 07/14] tpm2: Don't measure the sealed key, Gary Lin, 2023/02/22
- [PATCH 09/14] tpm2: declare the input arguments of TPM2 functions as const, Gary Lin, 2023/02/22
- [PATCH 13/14] tpm2: allow some command parameters to be NULL, Gary Lin, 2023/02/22
- [PATCH 14/14] tpm2: remove the unnecessary variables, Gary Lin, 2023/02/22
- [PATCH 04/14] cryptodisk: Support key protectors, Gary Lin, 2023/02/22
- [PATCH 06/14] crytodisk: fix cryptodisk module looking up, Gary Lin, 2023/02/22
- [PATCH 08/14] tpm2: adjust the input parameters of TPM2_EvictControl, Gary Lin, 2023/02/22