| Message ID | 20240519002616.4432-1-jarkko@kernel.org |
|---|---|
| Headers | show |
| Series | Asymmetric TPM2 key type | expand |
On Sun May 19, 2024 at 3:25 AM EEST, Jarkko Sakkinen wrote: > ## Overview > > Introduce tpm2_key_rsa implementing asymmetric TPM RSA key. > > I submit this first as RFC as I could not execute the keyctl padd in the > following sequence (returns EBADF): > > tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt > tpm2_evictcontrol -c owner.txt 0x81000001 > tpm2_getcap handles-persistent > openssl genrsa -out private.pem 2048 > tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv > tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem > openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der > key_serial=`cat key.priv.der | keyctl padd asymmetric tpm @u` After v2 changes it ends up to -EINVAL and: OID is "2.23.133.10.1.3" which is not TPMSealedData which makes total sense. James' old patch set has already TPMLoadableKey parsing PoC'd so I use that as the reference. After the sequence above successfully completes keyctl public key ops are accesible by using $key_serial as the serial. BR, Jarkko
## Overview Introduce tpm2_key_rsa implementing asymmetric TPM RSA key. I submit this first as RFC as I could not execute the keyctl padd in the following sequence (returns EBADF): tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt tpm2_evictcontrol -c owner.txt 0x81000001 tpm2_getcap handles-persistent openssl genrsa -out private.pem 2048 tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der key_serial=`cat key.priv.der | keyctl padd asymmetric tpm @u` This is derived work from James Prestwood’s earlier work from 2020: https://lore.kernel.org/all/20200518172704.29608-1-prestwoj@gmail.com/ ## Change Log v2: Sorry for rush update. I noticed that not all changes were in the commits. This version just fixes those compilation errors. James Prestwood (1): keys: asymmetric: ASYMMETRIC_TPM2_KEY_RSA_SUBTYPE Jarkko Sakkinen (4): crypto: rsa-pkcs1pad: export rsa1_asn_lookup() tpm: export tpm2_load_context() KEYS: trusted: Do not use WARN when encode fails KEYS: trusted: Migrate tpm2_key_{encode,decode}() to TPM driver crypto/asymmetric_keys/Kconfig | 13 + crypto/asymmetric_keys/Makefile | 1 + crypto/asymmetric_keys/tpm2_key_rsa.c | 655 ++++++++++++++++++ crypto/rsa-pkcs1pad.c | 16 +- drivers/char/tpm/Kconfig | 2 + drivers/char/tpm/Makefile | 5 + drivers/char/tpm/tpm.h | 2 - drivers/char/tpm/tpm2-cmd.c | 77 ++ drivers/char/tpm/tpm2-space.c | 61 -- drivers/char/tpm/tpm2_key.c | 192 +++++ .../char/tpm}/tpm2key.asn1 | 0 include/crypto/rsa-pkcs1pad.h | 20 + include/crypto/tpm2_key.h | 36 + include/linux/tpm.h | 3 + security/keys/trusted-keys/Makefile | 2 - security/keys/trusted-keys/trusted_tpm2.c | 183 +---- 16 files changed, 1032 insertions(+), 236 deletions(-) create mode 100644 crypto/asymmetric_keys/tpm2_key_rsa.c create mode 100644 drivers/char/tpm/tpm2_key.c rename {security/keys/trusted-keys => drivers/char/tpm}/tpm2key.asn1 (100%) create mode 100644 include/crypto/rsa-pkcs1pad.h create mode 100644 include/crypto/tpm2_key.h