On Tue, Nov 17, 2015 at 06:27:22PM +0200, Jarkko Sakkinen wrote: > Support for sealing with a authorization policy. > > Two new options for trusted keys: > > * 'policydigest=': provide an auth policy digest for sealing. > * 'policyhandle=': provide a policy session handle for unsealing.
I think it is good to say a word about how to test this since the user space supports is still lagging a bit (there's no way to do a "sticky" handle in TSS2 yet). I have my own low-level test scripts over here: https://github.com/jsakkine/tpm2-scripts Trivial example: KEYHANDLE=$(sudo ./tpm2-root-key) POLICYDIGEST=$(sudo ./tpm2-pcr-policy --pcr 16 --name-alg=sha256 --bank=sha1 --trial) POLICYHANDLE=$(sudo ./tpm2-pcr-policy --pcr 16 --name-alg=sha256 --bank=sha1) KEYID=$(keyctl add trusted kmk "new 32 keyhandle=$KEYHANDLE hash=sha256 policydigest=$POLICYDIGEST" @u) keyctl pipe $KEYID keyctl clear @u keyctl add trusted kmk "load `cat blob.hex` keyhandle=$KEYHANDLE policyhandle=0x03000000" @u keyctl clear @u sudo ./tpm2-flush $KEYHANDLE /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
