From f2219745250f388edacabe6cca73654131c67d0a Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Wed, 27 Jan 2021 11:06:16 -0800 Subject: security: keys: trusted: use ASN.1 TPM2 key format for the blobs Modify the TPM2 key format blob output to export and import in the ASN.1 form for TPM2 sealed object keys. For compatibility with prior trusted keys, the importer will also accept two TPM2B quantities representing the public and private parts of the key. However, the export via keyctl pipe will only output the ASN.1 format. The benefit of the ASN.1 format is that it's a standard and thus the exported key can be used by userspace tools (openssl_tpm2_engine, openconnect and tpm2-tss-engine). The format includes policy specifications, thus it gets us out of having to construct policy handles in userspace and the format includes the parent meaning you don't have to keep passing it in each time. This patch only implements basic handling for the ASN.1 format, so keys with passwords but no policy. Signed-off-by: James Bottomley Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- security/keys/Kconfig | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security/keys/Kconfig') diff --git a/security/keys/Kconfig b/security/keys/Kconfig index c161642a8484..64b81abd087e 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -75,6 +75,9 @@ config TRUSTED_KEYS select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_HASH_INFO + select ASN1_ENCODER + select OID_REGISTRY + select ASN1 help This option provides support for creating, sealing, and unsealing keys in the kernel. Trusted keys are random number symmetric keys, -- cgit v1.2.3