Re: [PATCH v8 16/22] tpm2: Support authorized policy

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v8 16/22] tpm2: Support authorized policy

From:	Gary Lin
Subject:	Re: [PATCH v8 16/22] tpm2: Support authorized policy
Date:	Wed, 17 Jan 2024 16:13:17 +0800

On Tue, Jan 16, 2024 at 10:39:45AM -0500, James Bottomley wrote:
> On Tue, 2024-01-16 at 17:20 +0800, Gary Lin via Grub-devel wrote:
> [...]
> > (*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> > (*2) https://github.com/okirch/pcr-oracle
> 
> Just a curiosity question, but have you tested the interoperability of
> pcr-oracle keys?  It looks like you got the ASN header straight from
> openssl_tpm2_engine, so it should all just work, but verifying that the
> seal/unseal and sign_tpm2_policy commands from openssl_tpm2_engine:
> 
> https://build.opensuse.org/package/show/security:tls/openssl_tpm2_engine
> 
> can be used to create sealed keys for this code would nicely verify
> that.
> 
I have to admit that the interoperability is not considered since the
sealed key is designed to be only valid in a short window and capped
after load linux kernel. However, it'd be nice to verify the format with
other programs like openssl_tpm2_engine.

My playground of grub2 is an openSUSE Tumbleweed VM and
openssl_tpm2_engine is available. Will check if the key file from
pcr-oracle works for openssl_tpm2_engine.

THanks,

Gary Lin

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH v8 08/22] protectors: Add key protectors framework, (continued)
- [PATCH v8 09/22] tpm2: Add TPM Software Stack (TSS), Gary Lin, 2024/01/16
- [PATCH v8 11/22] cryptodisk: Support key protectors, Gary Lin, 2024/01/16
- [PATCH v8 10/22] protectors: Add TPM2 Key Protector, Gary Lin, 2024/01/16
- [PATCH v8 13/22] tpm2: Add TPM2 types, structures, and command constants, Gary Lin, 2024/01/16
- [PATCH v8 12/22] util/grub-protect: Add new tool, Gary Lin, 2024/01/16
- [PATCH v8 14/22] tpm2: Add more marshal/unmarshal functions, Gary Lin, 2024/01/16
- [PATCH v8 15/22] tpm2: Implement more TPM2 commands, Gary Lin, 2024/01/16
- [PATCH v8 16/22] tpm2: Support authorized policy, Gary Lin, 2024/01/16
  - Re: [PATCH v8 16/22] tpm2: Support authorized policy, James Bottomley, 2024/01/16
    - Re: [PATCH v8 16/22] tpm2: Support authorized policy, Gary Lin <=
- [PATCH v8 18/22] cryptodisk: Fallback to passphrase, Gary Lin, 2024/01/16
- [PATCH v8 17/22] protectors: Implement NV index, Gary Lin, 2024/01/16
- [PATCH v8 19/22] cryptodisk: wipe out the cached keys from protectors, Gary Lin, 2024/01/16
- [PATCH v8 20/22] diskfilter: look up cryptodisk devices first, Gary Lin, 2024/01/16
- [PATCH v8 22/22] tests: Add tpm2_test, Gary Lin, 2024/01/16
- [PATCH v8 21/22] tpm2: Enable tpm2 module for grub-emu, Gary Lin, 2024/01/16

Prev by Date: Re: [PATCH V2] ieee1275/ofdisk: vscsi lun handling on lun len
Next by Date: Re: [PATCH v8 03/22] libtasn1: disable code not needed in grub
Previous by thread: Re: [PATCH v8 16/22] tpm2: Support authorized policy
Next by thread: [PATCH v8 18/22] cryptodisk: Fallback to passphrase
Index(es):
- Date
- Thread