[PATCH v6 2/2] KEYS: trusted: Store parent's name to the encoded keys
Jarkko Sakkinen
jarkko at kernel.org
Sun Dec 7 17:57:13 UTC 2025
On Sun, Dec 07, 2025 at 07:32:10PM +0200, Jarkko Sakkinen wrote:
> Extend TPMKey ASN.1 speciication [1] with an optional 'parentName'
> attribute containing TPM name of the parent key (in other words, TPMT_HA
> blob).
>
> The life-cycle for trusted keys will now proceed as follows:
>
> 1. Encode parent's name to the 'paretName' during tpm2_key_encode().
> 2. During tpm2_unseal_trusted, read parent's name from 'parentName'. When
> the attribute is not available, fallback on doing tpm2_read_public().
>
> In other words, in the common (i.e., not loading a legacy key blob),
> tpm2_read_public() will now only happen at the time when a key is first
> created.
>
> In addition, move tpm2_read_public() to 'tpm2-cmd.c' and make its body
> unconditional so that the binary format of the saved keys is not dependent
> on kernel configuration.
>
> [1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt
>
> Cc: tpm2 at lists.linux.dev
> Signed-off-by: Jarkko Sakkinen <jarkko at kernel.org>
As an alternative workaround I think the following could be possibly
done (I need to trial it first though):
1. Maintain a cache where a name gets added at the time of
tpm2_seal_trusted(). It is from TPMT_HA to TPMT_HA mapping,
mapping TPMT_HA of the key to the TPMT of the parent.
2. At thet time tpm2_unseal_trusted() retrieve name of thet
parent from the cache.
Capturing TPM2_CreatePrimary would be essentially duct taping the
spec but I guess this could be more generally applicable. It neither
addresses persistent keys nor secondary parent keys, which we *have
to support*, as the kernel interface does.
BR, Jarkko
More information about the Linux-security-module-archive
mailing list