git.kernel.dk Git - linux-2.6-block.git/commit

security: keys: trusted: use ASN.1 TPM2 key format for the blobs

Modify the TPM2 key format blob output to export and import in the
ASN.1 form for TPM2 sealed object keys.  For compatibility with prior
trusted keys, the importer will also accept two TPM2B quantities
representing the public and private parts of the key.  However, the
export via keyctl pipe will only output the ASN.1 format.

The benefit of the ASN.1 format is that it's a standard and thus the
exported key can be used by userspace tools (openssl_tpm2_engine,
openconnect and tpm2-tss-engine).  The format includes policy
specifications, thus it gets us out of having to construct policy
handles in userspace and the format includes the parent meaning you
don't have to keep passing it in each time.

This patch only implements basic handling for the ASN.1 format, so
keys with passwords but no policy.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

author	James Bottomley <James.Bottomley@HansenPartnership.com>
	Wed, 27 Jan 2021 19:06:16 +0000 (11:06 -0800)
committer	Jarkko Sakkinen <jarkko@kernel.org>
	Wed, 14 Apr 2021 13:30:30 +0000 (16:30 +0300)
commit	f2219745250f388edacabe6cca73654131c67d0a
tree	051936ef02a33f9a08ab24994178b7cff3d6b946	tree \| snapshot
parent	de66514d934d70ce73c302ce0644b54970fc7196	commit \| diff

Documentation/security/keys/trusted-encrypted.rst		diff \| blob \| blame \| history
include/keys/trusted-type.h		diff \| blob \| blame \| history
security/keys/Kconfig		diff \| blob \| blame \| history
security/keys/trusted-keys/Makefile		diff \| blob \| blame \| history
security/keys/trusted-keys/tpm2key.asn1	[new file with mode: 0644]	blob
security/keys/trusted-keys/trusted_tpm1.c		diff \| blob \| blame \| history
security/keys/trusted-keys/trusted_tpm2.c		diff \| blob \| blame \| history