On Sun, Oct 25, 2015 at 03:21:31PM -0400, Mimi Zohar wrote:
> On Sat, 2015-10-24 at 15:42 +0300, Jarkko Sakkinen wrote:
> > Added 'hashalg=' option for selecting the hash algorithm.
> >
> > Currently available options are:
> >
> > * sha1
> > * sha256
Added entry for sm3-256 to the following tables:
* hash_algo_name
* hash_digest_size
Needed for TPM 2.0 trusted key sealing.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
crypto/hash_info.c | 2 ++
include/crypto/hash_info.h | 3 +++
include/uapi
Documented 'hash=' option.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
Documentation/security/keys-trusted-encrypted.txt | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Documentation/security/keys-trusted-encrypted.txt
b/Documentation/security/keys-t
Jarkko Sakkinen (4):
crypto: add entry for sm3-256
tpm: choose hash algorithm for sealing when using TPM 2.0
keys, trusted: select the hash algorithm
keys, trusted: update documentation for 'hash=' option
Documentation/security/keys-trusted-encrypted.txt | 3 ++
crypto/hash_info.c
Added 'hash=' option for selecting the hash algorithm for add_key()
syscall.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
security/keys/trusted.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/security/keys/trusted.c b/se
/hash_info.h.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
drivers/char/tpm/tpm.h | 10 +++---
drivers/char/tpm/tpm2-cmd.c | 42 +++---
include/keys/trusted-type.h | 1 +
3 files changed, 47 insertions(+), 6 deletions(-)
diff
On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote:
> Added hash member to the struct trusted_key_options for choosing the
> hash algorithm and support for the following hash algorithms to the TPM
> 2.0 sealing code:
>
> * sha1
> * sha256
> * sha384
&
On Sat, Oct 24, 2015 at 03:42:42PM +0300, Jarkko Sakkinen wrote:
> Added 'hashalg=' option for selecting the hash algorithm.
>
> Currently available options are:
>
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3_256
>
> Signed-off-by: Jarkko Sakkinen <jark
in tpm_chip_register() (2015-11-09
17:52:56 +0200)
TPM fixes for v4.4
Christophe JAILLET (1):
TPM: Avoid reference to potentially freed memory
Jarkko Sakkinen (3):
TPM
.
* Got rid of TPM2_HASH_COUNT and moved into ARRAY_SIZE(tpm2_hash_map).
v4:
* Added missing select CRYPTO_HASH_INFO to drivers/char/tpm/Kconfig
v5:
* Minor clean ups.
* Removed dev_dbg() from tpm2-cmd.c in order to get rid of
CRYPTO_HASH_INFO dep.
Signed-off-by: Jarkko Sakkinen <jarkko.sa
and dTPM and it does not have any
side-effects to TPM 1.2.
/Jarkko
On Thu, Nov 05, 2015 at 12:20:23PM +0200, Jarkko Sakkinen wrote:
> The 'migratable' flag was not added to the key payload. This patch
> fixes the problem.
>
> Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0
On Mon, Nov 02, 2015 at 07:16:49AM -0500, Mimi Zohar wrote:
> On Fri, 2015-10-30 at 13:35 +0200, Jarkko Sakkinen wrote:
>
> > @@ -787,6 +791,20 @@ static int getoptions(char *c, struct
> > trusted_key_payload *pay,
> > return -EINVAL;
>
On Mon, Nov 02, 2015 at 07:48:42AM -0500, Mimi Zohar wrote:
> On Sat, 2015-10-31 at 17:53 +0200, Jarkko Sakkinen wrote:
> > Support for sealing with a policy.
> >
> > Two new options for trusted keys:
> >
> > * 'policydigest=': provide a policydigest for the se
On Mon, Nov 02, 2015 at 07:16:49AM -0500, Mimi Zohar wrote:
> On Fri, 2015-10-30 at 13:35 +0200, Jarkko Sakkinen wrote:
>
> > @@ -787,6 +791,20 @@ static int getoptions(char *c, struct
> > trusted_key_payload *pay,
> > return -EINVAL;
>
Support for the following hash algorithms in TPM 2.0 trusted key
sealing:
* sha1
* sha256
* sha384
* sha512
* sm3-256
The hash algorithm can be selected by using HASH_ALGO_* constants in
include/uapi/linux/hash_info.h.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.
Added entry for sm3-256 to the following tables:
* hash_algo_name
* hash_digest_size
Needed for TPM 2.0 trusted key sealing.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
crypto/hash_info.c | 2 ++
include/crypto/hash_info.h | 3 +++
include/uapi
Jarkko Sakkinen (3):
keys, trusted: select the hash algorithm
crypto: add entry for sm3-256
tpm: choose hash algorithm for sealing when using TPM 2.0
Documentation/security/keys-trusted-encrypted.txt | 3 ++
crypto/hash_info.c| 2 ++
drivers/char/tpm/tpm.h
of TPM2_HASH_COUNT and moved into ARRAY_SIZE(tpm2_hash_map).
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
Documentation/security/keys-trusted-encrypted.txt | 3 ++
crypto/hash_info.c| 2 ++
drivers/char/tpm/tpm.h
.
* Got rid of TPM2_HASH_COUNT and moved into ARRAY_SIZE(tpm2_hash_map).
v4:
* Added missing select CRYPTO_HASH_INFO in drivers/char/tpm/Kconfig
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
Documentation/security/keys-trusted-encrypted.txt | 3 ++
crypto/hash_
Support for sealing with a policy.
Two new options for trusted keys:
* 'policydigest=': provide a policydigest for the seal operation.
* 'policyhandle=': provide handle for a policy session for unsealing.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
drivers/ch
On Thu, Oct 29, 2015 at 03:26:02PM -0400, Mimi Zohar wrote:
> On Thu, 2015-10-29 at 17:59 +0200, Jarkko Sakkinen wrote:
> > Documented 'hash=' option.
>
> No reason for a separate patch. Please squash this patch with the one
> that introduced the new option.
Right. I'm going t
Hi
On Fri, Oct 16, 2015 at 05:21:02PM +0100, David Howells wrote:
> Hi Jarkko,
>
> For some reason I don't see patch 1.
Weird. Well, maybe the best way to proceed is that I'll send the
contents of for-peter-v44 branch for review. It's 9 patches in total,
PPI, trusted keys and couple of bug
This patch set enables distributions to start production of for TPM 2.0:
* Two critical bug fixes
* PPI support
* Basic trusted keys with authentication value and SHA256 for keyed hash
Next steps after this is to add policy based sealing for trusted keys and
algorithmic agility.
Jarkko Sakkinen
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.
This patch implements basic sealing and unsealing functionality for
TPM 2.0:
* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: Jarkko Sakkinen
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
We require explicit 'keyhandle=' option because there's no a fixed
storage root key inside TPM2 chips.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
Reviewed-by: Andreas Fuchs <andreas.fu...@sit.frau
On Wed, 2015-10-07 at 10:32 +, Fuchs, Andreas wrote:
> > > > > > > I looked at Patch 3/4 and it seems you default to -EPERM
> > > > > > > on TPM2_Create()-
> > > > > > > and TPM2_Load()-failures ?
> > > > > > > You might want to test against rc == TPM_RC_OBJECT_MEMORY
> > > > > > > and return
On Tue, Oct 06, 2015 at 01:16:02PM +, Fuchs, Andreas wrote:
> > > I was just trying to point out that the concept is not too difficult,
> > > since
> > > kernel-space (minimal) resource-manager makes a lot of people go "oh god,
> > > never ever, way too big, way too complicated", which IMHO
sense to always state
the sealing key because there's no any fixed keys on the chip (thanks
to Andreas Fuchs for this comment).
* I updated tpm_buf to a be heap based structure. Now there's one full
page of memory for variable sized messages. Also the stack is greatly
reduced.
Jarkko
On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote:
> Basic trusted keys support: auth value and SHA256.
>
> v2:
>
> * Removed all the changes that modify the existing functions to use
> the new struct tpm_buf. These changes should be done separately from
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.
This patch implements basic sealing and unsealing functionality for
TPM 2.0:
* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: Jarkko Sakkinen
On Tue, Oct 13, 2015 at 11:41:20AM -0600, Jason Gunthorpe wrote:
> On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote:
>
> > * I updated tpm_buf to a be heap based structure. Now there's one full
> > page of memory for variable sized messages. Also th
On Tue, Oct 13, 2015 at 11:34:42AM -0600, Jason Gunthorpe wrote:
> On Fri, Oct 02, 2015 at 11:38:17AM +0300, Jarkko Sakkinen wrote:
> > Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
> > trusted keys.
> >
> > This patch implements basic sealing
On Sat, Oct 03, 2015 at 01:26:55PM +0300, Jarkko Sakkinen wrote:
> On Sat, Oct 03, 2015 at 10:00:59AM +, Fuchs, Andreas wrote:
> > Hi Jarkko,
> >
> > [snip]
> >
> > diff --git a/security/keys/trusted.h b/security/keys/trusted.h
> > index ff001a5.
way to provide the sealing key as blob later
on if the simple approach chosen would not be sufficient. I'm confident
that for 99% of all real-world use cases the interface provided by the
patch set is sufficient.
> Cheers,
> Andreas
/Jarkko
> From: Jarkko Sakkinen [jarkko.sakki...@lin
Basic trusted keys support, which means basic sealing with an
authentication value by using SHA256. After we get the groundwork in
place the functionality will be refined with algorithmic agility and
policy based sealing.
Jarkko Sakkinen (4):
tpm: introduce struct tpm_buf
trusted: move struct
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.
This patch implements basic sealing and unsealing functionality for
TPM 2.0:
* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: Jarkko Sakkinen
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
drivers/char/tpm/tpm2-cmd.c | 2 +-
include/linux/tpm_command.h | 1 -
security/keys/trusted.c | 18 ++
security/keys/trusted.h
I don't mean to be impolite but could line up your replies properly
and avoid top-posting. I'd recommend 72 chars per line. Thanks.
On Mon, Oct 05, 2015 at 12:20:47PM +, Fuchs, Andreas wrote:
> That's why I propose to give the context-save-blob into the kernel. It
> does not require any
developers on this
as they are using TPM quite extensively for user data encryption and
various other use cases.
> Cheers,
> Andreas
/Jarkko
> ____
> From: Jarkko Sakkinen [jarkko.sakki...@linux.intel.com]
> Sent: Monday, October 05, 2015 10:37
> To: F
On Mon, Oct 05, 2015 at 01:36:18PM +, Fuchs, Andreas wrote:
> > It's still unnecessary functionality and increases the kernel image size
> > and every hack requires maintenance. It would probably end up needing
> > compilation flag as there exists efforts like:
> >
> >
On Fri, Nov 20, 2015 at 01:34:35PM +1100, James Morris wrote:
> On Wed, 18 Nov 2015, Jarkko Sakkinen wrote:
>
> > On Wed, Nov 18, 2015 at 11:21:01AM +1100, James Morris wrote:
> > > On Tue, 17 Nov 2015,
On Mon, Dec 14, 2015 at 08:46:33AM -0500, Mimi Zohar wrote:
> On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> > The trusted keys option parsing allows specifying the same option
> > multiple times. The last option value specified is used.
> >
> > This
On Mon, Dec 14, 2015 at 08:49:00AM -0500, Mimi Zohar wrote:
> On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> > TPM2 supports authorization policies, which are essentially
> > combinational logic statements repsenting the conditions where the data
> > can be unse
.
Jarkko Sakkinen (3):
keys, trusted: fix: *do not* allow duplicate key options
keys, trusted: select hash algorithm for TPM2 chips
keys, trusted: seal with a TPM2 authorization policy
Documentation/security/keys-trusted-encrypted.txt | 31 +++-
crypto/hash_info.c
keys:
* 'policydigest=': provide an auth policy digest for sealing.
* 'policyhandle=': provide a policy session handle for unsealing.
If 'hash=' option is supplied after 'policydigest=' option, this
will result an error because the state of the option would become
mixed.
Signed-off-by: Jarkko
<jmor...@namei.org>
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
security/keys/trusted.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 903dace..7c183c7 100644
--- a/security/keys/trusted.c
+++ b/s
* sha384
* sha512
* sm3-256
Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
Tested-by: Colin Ian King <colin.k...@canonical.com>
Reviewed-by: James Morris <james.l.mor...@oracle.com>
---
Documentation/security/keys-trusted-encrypted.txt | 3 ++
for Linux 4.5
Jarkko Sakkinen (3):
keys, trusted: fix: *do not* allow duplicate key options
keys, trusted: select hash algorithm for TPM2 chips
keys, trusted: seal with a TPM2 authorization policy
Jason Gunthorpe (6
On Tue, Nov 17, 2015 at 06:27:22PM +0200, Jarkko Sakkinen wrote:
> Support for sealing with a authorization policy.
>
> Two new options for trusted keys:
>
> * 'policydigest=': provide an auth policy digest for sealing.
> * 'policyhandle=': provide a policy session handle for u
49 matches
Mail list logo