aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/security
diff options
context:
space:
mode:
authorStefan Berger <stefanb@linux.ibm.com>2018-10-19 06:17:58 -0400
committerMimi Zohar <zohar@linux.ibm.com>2018-12-11 07:13:42 -0500
commit4264f27a0815c46dfda9c9dd6d5f4abc1df04415 (patch)
tree9ab2552e5cc13e3831a1dd4976cdf3127bfe0bca /Documentation/security
parentd958083a8f6408e76850bc7394976050d7e43173 (diff)
docs: Extend trusted keys documentation for TPM 2.0
Extend the documentation for trusted keys with documentation for how to set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Acked-by: Dan Williams <dan.j.williams@intel.com> Acked-by: Jerry Snitselaar <jsnitsel@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/keys/trusted-encrypted.rst31
1 files changed, 30 insertions, 1 deletions
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..6ec6bb2ac497 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -18,10 +18,33 @@ integrity verifications match. A loaded Trusted Key can be updated with new
18when the kernel and initramfs are updated. The same key can have many saved 18when the kernel and initramfs are updated. The same key can have many saved
19blobs under different PCR values, so multiple boots are easily supported. 19blobs under different PCR values, so multiple boots are easily supported.
20 20
21TPM 1.2
22-------
23
21By default, trusted keys are sealed under the SRK, which has the default 24By default, trusted keys are sealed under the SRK, which has the default
22authorization value (20 zeros). This can be set at takeownership time with the 25authorization value (20 zeros). This can be set at takeownership time with the
23trouser's utility: "tpm_takeownership -u -z". 26trouser's utility: "tpm_takeownership -u -z".
24 27
28TPM 2.0
29-------
30
31The user must first create a storage key and make it persistent, so the key is
32available after reboot. This can be done using the following commands.
33
34With the IBM TSS 2 stack::
35
36 #> tsscreateprimary -hi o -st
37 Handle 80000000
38 #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
39
40Or with the Intel TSS 2 stack::
41
42 #> tpm2_createprimary --hierarchy o -G rsa2048 -o key.ctxt
43 [...]
44 handle: 0x800000FF
45 #> tpm2_evictcontrol -c key.ctxt -p 0x81000001
46 persistentHandle: 0x81000001
47
25Usage:: 48Usage::
26 49
27 keyctl add trusted name "new keylen [options]" ring 50 keyctl add trusted name "new keylen [options]" ring
@@ -30,7 +53,9 @@ Usage::
30 keyctl print keyid 53 keyctl print keyid
31 54
32 options: 55 options:
33 keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) 56 keyhandle= ascii hex value of sealing key
57 TPM 1.2: default 0x40000000 (SRK)
58 TPM 2.0: no default; must be passed every time
34 keyauth= ascii hex auth for sealing key default 0x00...i 59 keyauth= ascii hex auth for sealing key default 0x00...i
35 (40 ascii zeros) 60 (40 ascii zeros)
36 blobauth= ascii hex auth for sealed data default 0x00... 61 blobauth= ascii hex auth for sealed data default 0x00...
@@ -84,6 +109,10 @@ Examples of trusted and encrypted key usage:
84 109
85Create and save a trusted key named "kmk" of length 32 bytes:: 110Create and save a trusted key named "kmk" of length 32 bytes::
86 111
112Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
113append 'keyhandle=0x81000001' to statements between quotes, such as
114"new 32 keyhandle=0x81000001".
115
87 $ keyctl add trusted kmk "new 32" @u 116 $ keyctl add trusted kmk "new 32" @u
88 440502848 117 440502848
89 118
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-03 12:11:28 -0400