On Wed, Jan 17, 2024 at 04:13:17PM +0800, Gary Lin wrote: > On Tue, Jan 16, 2024 at 10:39:45AM -0500, James Bottomley wrote: > > On Tue, 2024-01-16 at 17:20 +0800, Gary Lin via Grub-devel wrote: > > [...] > > > (*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html > > > (*2) https://github.com/okirch/pcr-oracle > > > > Just a curiosity question, but have you tested the interoperability of > > pcr-oracle keys? It looks like you got the ASN header straight from > > openssl_tpm2_engine, so it should all just work, but verifying that the > > seal/unseal and sign_tpm2_policy commands from openssl_tpm2_engine: > > > > https://build.opensuse.org/package/show/security:tls/openssl_tpm2_engine > > > > can be used to create sealed keys for this code would nicely verify > > that. > > > I have to admit that the interoperability is not considered since the > sealed key is designed to be only valid in a short window and capped > after load linux kernel. However, it'd be nice to verify the format with > other programs like openssl_tpm2_engine. > > My playground of grub2 is an openSUSE Tumbleweed VM and > openssl_tpm2_engine is available. Will check if the key file from > pcr-oracle works for openssl_tpm2_engine. > I did quick check, and the major difference between pcr-oracle and openssl_tpm2_engine is the assumption of SRK. pcr-oracle choose RSA 2048 or above for the SRK template while openssl_tpm2_engine assumes ECC to be used as SRK, and openssl_tpm2_engine failed to unseal the key file created by pcr-oracle. Anyway, at least 'signed_tpm2_policy' can list the signed polices in the key.
Cheers, Gary Lin _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
