From: Jarkko Sakkinen <jarkko@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
Andreas.Fuchs@infineon.com, James Prestwood <prestwoj@gmail.com>,
David Woodhouse <dwmw2@infradead.org>,
Eric Biggers <ebiggers@kernel.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
linux-crypto@vger.kernel.org,
Stefan Berger <stefanb@linux.ibm.com>,
Lennart Poettering <lennart@poettering.net>,
Jarkko Sakkinen <jarkko@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v7 0/5] KEYS: asymmetric: tpm2_key_{rsa,ecdsa}
Date: Wed, 29 May 2024 00:08:05 +0300 [thread overview]
Message-ID: <20240528210823.28798-1-jarkko@kernel.org> (raw)
Testing
=======
RSA
---
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256
ECDSA
-----
tpm2_createprimary --hierarchy o -G ecc -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_sign $serial 0 plaintext.txt hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat hash=sha256
Closed Issues
=============
* When verifying ECDSA signature, _ecdsa_verify() returns -EKEYREJECTED.
* v7: rewrote the signature encoder with a more structured layout.
References
==========
* v6: https://lore.kernel.org/linux-integrity/20240528035136.11464-1-jarkko@kernel.org/
* v5: https://lore.kernel.org/linux-integrity/20240523212515.4875-1-jarkko@kernel.org/
* v4: https://lore.kernel.org/linux-integrity/20240522005252.17841-1-jarkko@kernel.org/
* v3: https://lore.kernel.org/linux-integrity/20240521152659.26438-1-jarkko@kernel.org/
* v2: https://lore.kernel.org/linux-integrity/336755.1716327854@warthog.procyon.org.uk/
* v1: https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jarkko@kernel.org/
* Derived from https://lore.kernel.org/all/20200518172704.29608-1-prestwoj@gmail.com/
Jarkko Sakkinen (5):
crypto: rsa-pkcs1pad: export rsa1_asn_lookup()
KEYS: trusted: Change -EINVAL to -E2BIG
crypto: tpm2_key: Introduce a TPM2 key type
keys: asymmetric: Add tpm2_key_rsa
keys: asymmetric: Add tpm2_key_ecdsa
crypto/Kconfig | 7 +
crypto/Makefile | 6 +
crypto/asymmetric_keys/Kconfig | 30 +
crypto/asymmetric_keys/Makefile | 2 +
crypto/asymmetric_keys/tpm2_key_ecdsa.c | 462 +++++++++++++++
crypto/asymmetric_keys/tpm2_key_rsa.c | 678 ++++++++++++++++++++++
crypto/ecdsa.c | 1 -
crypto/rsa-pkcs1pad.c | 16 +-
crypto/tpm2_key.asn1 | 11 +
crypto/tpm2_key.c | 134 +++++
drivers/char/tpm/tpm-buf.c | 2 +-
include/crypto/rsa-pkcs1pad.h | 20 +
include/crypto/tpm2_key.h | 46 ++
include/linux/tpm.h | 9 +
security/keys/trusted-keys/Kconfig | 2 +-
security/keys/trusted-keys/Makefile | 2 -
security/keys/trusted-keys/tpm2key.asn1 | 11 -
security/keys/trusted-keys/trusted_tpm2.c | 141 +----
18 files changed, 1447 insertions(+), 133 deletions(-)
create mode 100644 crypto/asymmetric_keys/tpm2_key_ecdsa.c
create mode 100644 crypto/asymmetric_keys/tpm2_key_rsa.c
create mode 100644 crypto/tpm2_key.asn1
create mode 100644 crypto/tpm2_key.c
create mode 100644 include/crypto/rsa-pkcs1pad.h
create mode 100644 include/crypto/tpm2_key.h
delete mode 100644 security/keys/trusted-keys/tpm2key.asn1
--
2.45.1
next reply other threads:[~2024-05-28 21:08 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-28 21:08 Jarkko Sakkinen [this message]
2024-05-28 21:08 ` [PATCH v7 1/5] crypto: rsa-pkcs1pad: export rsa1_asn_lookup() Jarkko Sakkinen
2024-05-28 23:20 ` Stefan Berger
2024-05-29 1:25 ` Jarkko Sakkinen
2024-05-28 21:08 ` [PATCH v7 2/5] KEYS: trusted: Change -EINVAL to -E2BIG Jarkko Sakkinen
2024-05-29 1:50 ` Stefan Berger
2024-05-29 12:20 ` Jarkko Sakkinen
2024-05-28 21:08 ` [PATCH v7 3/5] crypto: tpm2_key: Introduce a TPM2 key type Jarkko Sakkinen
2024-05-31 0:35 ` Stefan Berger
2024-06-04 17:23 ` Jarkko Sakkinen
2024-06-04 18:41 ` Stefan Berger
2024-06-04 22:33 ` Jarkko Sakkinen
2024-05-28 21:08 ` [PATCH v7 4/5] keys: asymmetric: Add tpm2_key_rsa Jarkko Sakkinen
2024-05-29 16:07 ` Jarkko Sakkinen
2024-05-31 1:10 ` Stefan Berger
2024-06-04 20:29 ` Jarkko Sakkinen
2024-06-07 10:58 ` Herbert Xu
2024-06-20 0:23 ` Jarkko Sakkinen
2025-08-26 8:25 ` Jarkko Sakkinen
2025-09-18 5:03 ` Jarkko Sakkinen
2024-05-28 21:08 ` [PATCH v7 5/5] keys: asymmetric: Add tpm2_key_ecdsa Jarkko Sakkinen
2024-05-28 21:42 ` Jarkko Sakkinen
2024-05-28 23:09 ` Jarkko Sakkinen
2024-05-28 23:15 ` Stefan Berger
2024-05-29 1:14 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240528210823.28798-1-jarkko@kernel.org \
--to=jarkko@kernel.org \
--cc=Andreas.Fuchs@infineon.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=davem@davemloft.net \
--cc=dwmw2@infradead.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=lennart@poettering.net \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=prestwoj@gmail.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).