After LSS2016 I got this idea of having hardened trusted keys for TPM2 where the key material is never exposed to the kernel. Child keys of a hardened trusted key would be unsealed using the TPM2_EncryptDecrypt operation.

To retain backwards compatibility with the existing trusted keys format, this would probably require a new option to keyctl. This is not my priority at the moment, but I just wanted to mirror it: does this sound like a crazy idea?

/Jarkko

------------------------------------------------------------------------------
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel