1 ==========================
2 Trusted and Encrypted Keys
3 ==========================
4
5 Trusted and Encrypted Keys are two new key typ
6 key ring service. Both of these new types are
7 and in both cases all keys are created in the
8 stores, and loads only encrypted blobs. Trust
9 of a Trust Source for greater security, while
10 system. All user level blobs, are displayed an
11 convenience, and are integrity verified.
12
13
14 Trust Source
15 ============
16
17 A trust source provides the source of security
18 section lists currently supported trust source
19 considerations. Whether or not a trust source
20 on the strength and correctness of its impleme
21 environment for a specific use case. Since th
22 environment is, and there is no metric of trus
23 consumer of the Trusted Keys to determine if t
24 safe.
25
26 * Root of trust for storage
27
28 (1) TPM (Trusted Platform Module: hardwar
29
30 Rooted to Storage Root Key (SRK) whic
31 provides crypto operation to establis
32
33 (2) TEE (Trusted Execution Environment: O
34
35 Rooted to Hardware Unique Key (HUK) w
36 fuses and is accessible to TEE only.
37
38 (3) CAAM (Cryptographic Acceleration and
39
40 When High Assurance Boot (HAB) is ena
41 mode, trust is rooted to the OTPMK, a
42 randomly generated and fused into eac
43 Otherwise, a common fixed test key is
44
45 (4) DCP (Data Co-Processor: crypto accele
46
47 Rooted to a one-time programmable key
48 in the on-chip fuses and is accessibl
49 DCP provides two keys that can be use
50 and the UNIQUE key. Default is to use
51 the OTP key can be done via a module
52
53 * Execution isolation
54
55 (1) TPM
56
57 Fixed set of operations running in is
58
59 (2) TEE
60
61 Customizable set of operations runnin
62 environment verified via Secure/Trust
63
64 (3) CAAM
65
66 Fixed set of operations running in is
67
68 (4) DCP
69
70 Fixed set of cryptographic operations
71 environment. Only basic blob key encr
72 The actual key sealing/unsealing is d
73
74 * Optional binding to platform integrity sta
75
76 (1) TPM
77
78 Keys can be optionally sealed to spec
79 values, and only unsealed by the TPM,
80 verifications match. A loaded Trusted
81 (future) PCR values, so keys are easi
82 such as when the kernel and initramfs
83 have many saved blobs under different
84 easily supported.
85
86 (2) TEE
87
88 Relies on Secure/Trusted boot process
89 be extended with TEE based measured b
90
91 (3) CAAM
92
93 Relies on the High Assurance Boot (HA
94 for platform integrity.
95
96 (4) DCP
97
98 Relies on Secure/Trusted boot process
99 platform integrity.
100
101 * Interfaces and APIs
102
103 (1) TPM
104
105 TPMs have well-documented, standardiz
106
107 (2) TEE
108
109 TEEs have well-documented, standardiz
110 more details refer to ``Documentation
111
112 (3) CAAM
113
114 Interface is specific to silicon vend
115
116 (4) DCP
117
118 Vendor-specific API that is implement
119 ``drivers/crypto/mxs-dcp.c``.
120
121 * Threat model
122
123 The strength and appropriateness of a par
124 purpose must be assessed when using them
125
126
127 Key Generation
128 ==============
129
130 Trusted Keys
131 ------------
132
133 New keys are created from random numbers. They
134 a child key in the storage key hierarchy. Encr
135 child key must be protected by a strong access
136 trust source. The random number generator in u
137 selected trust source:
138
139 * TPM: hardware device based RNG
140
141 Keys are generated within the TPM. Streng
142 from one device manufacturer to another.
143
144 * TEE: OP-TEE based on Arm TrustZone based
145
146 RNG is customizable as per platform needs
147 from platform specific hardware RNG or a
148 which can be seeded via multiple entropy
149
150 * CAAM: Kernel RNG
151
152 The normal kernel random number generator
153 CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RN
154 is probed.
155
156 * DCP (Data Co-Processor: crypto accelerato
157
158 The DCP hardware device itself does not p
159 so the kernel default RNG is used. SoCs w
160 a dedicated hardware RNG that is independ
161 to back the kernel RNG.
162
163 Users may override this by specifying ``truste
164 command-line to override the used RNG with the
165
166 Encrypted Keys
167 --------------
168
169 Encrypted keys do not depend on a trust source
170 for encryption/decryption. New keys are create
171 random numbers or user-provided decrypted data
172 using a specified ‘master’ key. The ‘mas
173 user-key type. The main disadvantage of encryp
174 rooted in a trusted key, they are only as secu
175 them. The master user key should therefore be
176 possible, preferably early in boot.
177
178
179 Usage
180 =====
181
182 Trusted Keys usage: TPM
183 -----------------------
184
185 TPM 1.2: By default, trusted keys are sealed u
186 default authorization value (20 bytes of 0s).
187 time with the TrouSerS utility: "tpm_takeowner
188
189 TPM 2.0: The user must first create a storage
190 key is available after reboot. This can be don
191
192 With the IBM TSS 2 stack::
193
194 #> tsscreateprimary -hi o -st
195 Handle 80000000
196 #> tssevictcontrol -hi o -ho 80000000 -hp 81
197
198 Or with the Intel TSS 2 stack::
199
200 #> tpm2_createprimary --hierarchy o -G rsa20
201 [...]
202 #> tpm2_evictcontrol -c key.ctxt 0x81000001
203 persistentHandle: 0x81000001
204
205 Usage::
206
207 keyctl add trusted name "new keylen [optio
208 keyctl add trusted name "load hex_blob [pc
209 keyctl update key "update [options]"
210 keyctl print keyid
211
212 options:
213 keyhandle= ascii hex value of sealin
214 TPM 1.2: default 0x4000
215 TPM 2.0: no default; mu
216 keyauth= ascii hex auth for sealin
217 (40 ascii zeros)
218 blobauth= ascii hex auth for sealed
219 (40 ascii zeros)
220 pcrinfo= ascii hex of PCR_INFO or
221 pcrlock= pcr number to be extended
222 migratable= 0|1 indicating permission
223 default 1 (resealing allo
224 hash= hash algorithm name as a
225 allowed value is sha1. Fo
226 are sha1, sha256, sha384,
227 policydigest= digest for the authorizat
228 with the same hash algori
229 option.
230 policyhandle= handle to an authorizatio
231 same policy and with the
232 seal the key.
233
234 "keyctl print" returns an ascii hex copy of th
235 TPM_STORED_DATA format. The key length for ne
236 Trusted Keys can be 32 - 128 bytes (256 - 1024
237 within the 2048 bit SRK (RSA) keylength, with
238
239 Trusted Keys usage: TEE
240 -----------------------
241
242 Usage::
243
244 keyctl add trusted name "new keylen" ring
245 keyctl add trusted name "load hex_blob" ri
246 keyctl print keyid
247
248 "keyctl print" returns an ASCII hex copy of th
249 specific to TEE device implementation. The ke
250 in bytes. Trusted Keys can be 32 - 128 bytes (
251
252 Trusted Keys usage: CAAM
253 ------------------------
254
255 Usage::
256
257 keyctl add trusted name "new keylen" ring
258 keyctl add trusted name "load hex_blob" ri
259 keyctl print keyid
260
261 "keyctl print" returns an ASCII hex copy of th
262 CAAM-specific format. The key length for new
263 Trusted Keys can be 32 - 128 bytes (256 - 1024
264
265 Trusted Keys usage: DCP
266 -----------------------
267
268 Usage::
269
270 keyctl add trusted name "new keylen" ring
271 keyctl add trusted name "load hex_blob" ri
272 keyctl print keyid
273
274 "keyctl print" returns an ASCII hex copy of th
275 specific to this DCP key-blob implementation.
276 always in bytes. Trusted Keys can be 32 - 128
277
278 Encrypted Keys usage
279 --------------------
280
281 The decrypted portion of encrypted keys can co
282 key or a more complex structure. The format of
283 application specific, which is identified by '
284
285 Usage::
286
287 keyctl add encrypted name "new [format] ke
288 ring
289 keyctl add encrypted name "new [format] ke
290 decrypted-data" ring
291 keyctl add encrypted name "load hex_blob"
292 keyctl update keyid "update key-type:maste
293
294 Where::
295
296 format:= 'default | ecryptfs | enc32'
297 key-type:= 'trusted' | 'user'
298
299 Examples of trusted and encrypted key usage
300 -------------------------------------------
301
302 Create and save a trusted key named "kmk" of l
303
304 Note: When using a TPM 2.0 with a persistent k
305 append 'keyhandle=0x81000001' to statements be
306 "new 32 keyhandle=0x81000001".
307
308 ::
309
310 $ keyctl add trusted kmk "new 32" @u
311 440502848
312
313 $ keyctl show
314 Session Keyring
315 -3 --alswrv 500 500 keyring:
316 97833714 --alswrv 500 -1 \_ keyri
317 440502848 --alswrv 500 500 \_ t
318
319 $ keyctl print 440502848
320 0101000000000000000001005d01b7e3f4a6be5709
321 3f60da455bbf1144ad12e4f92b452f966929f6105f
322 27351119f822911b0a11ba3d3498ba6a32e50dac7f
323 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62ca
324 d568bd4a706cb60bb37be6d8f1240661199d640b66
325 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471
326 f1f8fff03ad0acb083725535636addb08d73dedb98
327 e4a8aea2b607ec96931e6f4d4fe563ba
328
329 $ keyctl pipe 440502848 > kmk.blob
330
331 Load a trusted key from the saved blob::
332
333 $ keyctl add trusted kmk "load `cat kmk.bl
334 268728824
335
336 $ keyctl print 268728824
337 0101000000000000000001005d01b7e3f4a6be5709
338 3f60da455bbf1144ad12e4f92b452f966929f6105f
339 27351119f822911b0a11ba3d3498ba6a32e50dac7f
340 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62ca
341 d568bd4a706cb60bb37be6d8f1240661199d640b66
342 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471
343 f1f8fff03ad0acb083725535636addb08d73dedb98
344 e4a8aea2b607ec96931e6f4d4fe563ba
345
346 Reseal (TPM specific) a trusted key under new
347
348 $ keyctl update 268728824 "update pcrinfo=
349 $ keyctl print 268728824
350 010100000000002c0002800093c35a09b70fff26e7
351 77c8a6377aed9d3219c6dfec4b23ffe3000001005d
352 d3a076c0858f6f1dcaa39ea0f119911ff03f5406df
353 df449f266253aa3f52e55c53de147773e00f0f9aca
354 9638c5ae99c89de1e0997242edfb0b501744e11ff9
355 e782c29435c7ec2edafaa2f4c1fe6e7a781b59549f
356 94bc67ede19e43ddb9dc2baacad374a36feaf0314d
357 7ef6a24defe4846104209bf0c3eced7fa1a672ed5b
358 df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f
359
360
361 The initial consumer of trusted keys is EVM, w
362 quality symmetric key for HMAC protection of f
363 trusted key provides strong guarantees that th
364 compromised by a user level problem, and when
365 state, protects against boot and offline attac
366 encrypted key "evm" using the above trusted ke
367
368 option 1: omitting 'format'::
369
370 $ keyctl add encrypted evm "new trusted:km
371 159771175
372
373 option 2: explicitly defining 'format' as 'def
374
375 $ keyctl add encrypted evm "new default tr
376 159771175
377
378 $ keyctl print 159771175
379 default trusted:kmk 32 2375725ad57798846a9
380 82dbbc55be2a44616e4959430436dc4f2a7a9659aa
381 24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
382
383 $ keyctl pipe 159771175 > evm.blob
384
385 Load an encrypted key "evm" from saved blob::
386
387 $ keyctl add encrypted evm "load `cat evm.
388 831684262
389
390 $ keyctl print 831684262
391 default trusted:kmk 32 2375725ad57798846a9
392 82dbbc55be2a44616e4959430436dc4f2a7a9659aa
393 24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
394
395 Instantiate an encrypted key "evm" using user-
396
397 $ evmkey=$(dd if=/dev/urandom bs=1 count=3
398 $ keyctl add encrypted evm "new default us
399 794890253
400
401 $ keyctl print 794890253
402 default user:kmk 32 2375725ad57798846a9bbd
403 bbc55be2a44616e4959430436dc4f2a7a9659aa60b
404 17c64 5972dcb82ab2dde83376d82b2e3c09ffc
405
406 Other uses for trusted and encrypted keys, suc
407 are anticipated. In particular the new format
408 in order to use encrypted keys to mount an eCr
409 about the usage can be found in the file
410 ``Documentation/security/keys/ecryptfs.rst``.
411
412 Another new format 'enc32' has been defined in
413 with payload size of 32 bytes. This will initi
414 but may expand to other usages that require 32
415
416
417 TPM 2.0 ASN.1 Key Format
418 ------------------------
419
420 The TPM 2.0 ASN.1 key format is designed to be
421 even in binary form (fixing a problem we had w
422 format) and to be extensible for additions lik
423 policy::
424
425 TPMKey ::= SEQUENCE {
426 type OBJECT IDENTIFIER
427 emptyAuth [0] EXPLICIT BOOLEAN O
428 parent INTEGER
429 pubkey OCTET STRING
430 privkey OCTET STRING
431 }
432
433 type is what distinguishes the key even in bin
434 is provided by the TCG to be unique and thus f
435 binary pattern at offset 3 in the key. The OI
436 available are::
437
438 2.23.133.10.1.3 TPM Loadable key. This is
439 RSA2048 or Elliptic Curve)
440 TPM2_Load() operation.
441
442 2.23.133.10.1.4 TPM Importable Key. This
443 RSA2048 or Elliptic Curve)
444 TPM2_Import() operation.
445
446 2.23.133.10.1.5 TPM Sealed Data. This is
447 bytes) which is sealed by
448 represents a symmetric key
449 use.
450
451 The trusted key code only uses the TPM Sealed
452
453 emptyAuth is true if the key has well known au
454 is false or not present, the key requires an e
455 phrase. This is used by most user space consu
456 to prompt for a password.
457
458 parent represents the parent key handle, eithe
459 like 0x81000001 for the RSA primary storage ke
460 also support specifying the primary handle in
461 this happens the Elliptic Curve variant of the
462 TCG defined template will be generated on the
463 object and used as the parent. The current ke
464 the 0x81 MSO form.
465
466 pubkey is the binary representation of TPM2B_P
467 initial TPM2B header, which can be reconstruct
468 string length.
469
470 privkey is the binary representation of TPM2B_
471 initial TPM2B header which can be reconstructe
472 string length.
473
474 DCP Blob Format
475 ---------------
476
477 .. kernel-doc:: security/keys/trusted-keys/tru
478 :doc: dcp blob format
479
480 .. kernel-doc:: security/keys/trusted-keys/tru
481 :identifiers: struct dcp_blob_fmt
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.