Commit 4264f27a authored by Stefan Berger, committed by Mimi Zohar

docs: Extend trusted keys documentation for TPM 2.0

Extend the documentation for trusted keys with documentation for how to
set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent d958083a
...@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new ...@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
when the kernel and initramfs are updated. The same key can have many saved when the kernel and initramfs are updated. The same key can have many saved
blobs under different PCR values, so multiple boots are easily supported. blobs under different PCR values, so multiple boots are easily supported.
TPM 1.2
-------
By default, trusted keys are sealed under the SRK, which has the default By default, trusted keys are sealed under the SRK, which has the default
authorization value (20 zeros). This can be set at takeownership time with the authorization value (20 zeros). This can be set at takeownership time with the
trouser's utility: "tpm_takeownership -u -z". trouser's utility: "tpm_takeownership -u -z".
TPM 2.0
-------
The user must first create a storage key and make it persistent, so the key is
available after reboot. This can be done using the following commands.
With the IBM TSS 2 stack::
#> tsscreateprimary -hi o -st
Handle 80000000
#> tssevictcontrol -hi o -ho 80000000 -hp 81000001
Or with the Intel TSS 2 stack::
#> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
[...]
handle: 0x800000FF
#> tpm2_evictcontrol -c key.ctxt -p 0x81000001
persistentHandle: 0x81000001
Usage:: Usage::
keyctl add trusted name "new keylen [options]" ring keyctl add trusted name "new keylen [options]" ring
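Review bot: the new TPM 2.0 section stops at the tpm2_evictcontrol output without telling the reader what to do with the persistent handle, even though the option table further down states that TPM 2.0 has no default and keyhandle= must be passed every time. Add a closing sentence after the two examples, e.g. "The persistent handle (0x81000001 in the examples above) is then passed to the kernel via the keyhandle= option." It would also help to say that 0x81000001 is a handle chosen by the user for the example, and that the transient handle printed by tsscreateprimary (80000000) and tpm2_createprimary (0x800000FF) differs between stacks, so the value shown is to be read from the tool's output rather than copied.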
...@@ -30,7 +53,9 @@ Usage:: ...@@ -30,7 +53,9 @@ Usage::
keyctl print keyid keyctl print keyid
options: options:
keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) keyhandle= ascii hex value of sealing key
TPM 1.2: default 0x40000000 (SRK)
TPM 2.0: no default; must be passed every time
keyauth= ascii hex auth for sealing key default 0x00...i keyauth= ascii hex auth for sealing key default 0x00...i
(40 ascii zeros) (40 ascii zeros)
blobauth= ascii hex auth for sealed data default 0x00... blobauth= ascii hex auth for sealed data default 0x00...
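Review bot: keyhandle= is now split into TPM 1.2 and TPM 2.0 lines, but the adjacent keyauth= entry still documents only the single default of 40 ASCII zeros, which is the TPM 1.2 SRK authorization described in the "TPM 1.2" section, while neither tsscreateprimary nor tpm2_createprimary in the new TPM 2.0 examples sets an authorization value for the created storage key. State keyauth= in the same per-version style (what a TPM 2.0 persistent key expects, or that the default also applies to it) so that the two entries read consistently and a reader of the TPM 2.0 path is not left guessing.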
...@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage: ...@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
Create and save a trusted key named "kmk" of length 32 bytes:: Create and save a trusted key named "kmk" of length 32 bytes::
Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
append 'keyhandle=0x81000001' to statements between quotes, such as
"new 32 keyhandle=0x81000001".
$ keyctl add trusted kmk "new 32" @u $ keyctl add trusted kmk "new 32" @u
440502848 440502848
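Review bot: the three-line note is inserted between the heading line ending in `::` and the indented `$ keyctl add trusted kmk "new 32" @u` example. In reStructuredText the `::` marker introduces a literal block that has to be the next indented block, so a paragraph placed in between breaks the literal block and the command will render as an ordinary block quote. Move the note above the "Create and save a trusted key named "kmk" of length 32 bytes::" line (or after the example block) so that `::` is again directly followed by the command.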