[PATCH v5 04/11] security: keys: trusted: Include TPM2 creation data

James Bottomley jejb at linux.ibm.com
Fri Dec 2 21:03:09 UTC 2022


On Mon, 2022-11-14 at 13:00 -0500, James Bottomley wrote:
> On Mon, 2022-11-14 at 09:43 -0800, Evan Green wrote:
> > On Mon, Nov 14, 2022 at 8:56 AM James Bottomley
> > <jejb at linux.ibm.com>
> > wrote:
> [...]
> > > Of course, since openssl_tpm2_engine is the complete reference
> > > implementation that means I'll have to add the creation PCRs
> > > implementation to it ... unless you'd like to do it?
> > 
> > I am willing to help as I'm the one making the mess. How does it
> > sequence along with your draft submission (before, after,
> > simultaneous)?
> 
> At the moment, just send patches.  The openssl_tpm2_engine is
> developed on a groups.io mailing list:
> 
> https://groups.io/g/openssl-tpm2-engine/
> 
> You need an IETF specific tool (xml2rfc) to build the rfc from the
> xml, but it's available in most distros as python3-xml2rfc.  If you
> don't want to learn the IETF XML I can help you code up the patch to
> add that to the draft spec.

Just as a heads up, the patch series implementing signed policy (and
thus taking option [3]) is on the mailing list for review:

https://groups.io/g/openssl-tpm2-engine/message/296

With apologies for the awful lack of threading in the groups.io
interface.

So you don't have to build the RFC yourself, I published the proposed
update on my website:

https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt

If you want to use option [4] for the creation data, it's available.

Regards,

James




More information about the Linux-security-module-archive mailing list