/openbmc/linux/security/keys/trusted-keys/ |
H A D | tpm2key.asn1 | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
H A D | Makefile | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
H A D | trusted_tpm2.c | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
H A D | trusted_tpm1.c | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
/openbmc/linux/Documentation/security/keys/ |
H A D | trusted-encrypted.rst | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
/openbmc/linux/include/keys/ |
H A D | trusted-type.h | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
/openbmc/linux/security/keys/ |
H A D | Kconfig | f2219745 Wed Jan 27 13:06:16 CST 2021 James Bottomley <James.Bottomley@HansenPartnership.com> security: keys: trusted: use ASN.1 TPM2 key format for the blobs
Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format.
The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time.
This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|