Testing ======= RSA ---
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt tpm2_evictcontrol -c owner.txt 0x81000001 tpm2_getcap handles-persistent openssl genrsa -out private.pem 2048 tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der serial=`cat key.priv.der | keyctl padd asymmetric tpm @u` echo "abcdefg" > plaintext.txt keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256 ECDSA ----- tpm2_createprimary --hierarchy o -G ecc -c owner.txt tpm2_evictcontrol -c owner.txt 0x81000001 openssl ecparam -name prime256v1 -genkey -noout -out private.pem tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der serial=`cat key.priv.der | keyctl padd asymmetric tpm @u` echo "abcdefg" > plaintext.txt keyctl pkey_sign $serial 0 plaintext.txt hash=sha256 > signed.dat keyctl pkey_verify $serial 0 plaintext.txt signed.dat hash=sha256 Open Issues =========== * When verifying ECDSA signature, _ecdsa_verify() returns -EKEYREJECTED. References ========== * v5: https://lore.kernel.org/linux-integrity/20240523212515.4875-1-jar...@kernel.org/ * v4: https://lore.kernel.org/linux-integrity/20240522005252.17841-1-jar...@kernel.org/ * v3: https://lore.kernel.org/linux-integrity/20240521152659.26438-1-jar...@kernel.org/ * v2: https://lore.kernel.org/linux-integrity/336755.1716327...@warthog.procyon.org.uk/ * v1: https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jar...@kernel.org/ * Derived from https://lore.kernel.org/all/20200518172704.29608-1-prest...@gmail.com/ Jarkko Sakkinen (6): tpm: Open code tpm_buf_parameters() crypto: rsa-pkcs1pad: export rsa1_asn_lookup() KEYS: trusted: Change -EINVAL to -E2BIG crypto: tpm2_key: Introduce a TPM2 key type keys: asymmetric: Add tpm2_key_rsa keys: asymmetric: Add tpm2_key_ecdsa crypto/Kconfig | 7 + crypto/Makefile | 6 + crypto/asymmetric_keys/Kconfig | 30 + crypto/asymmetric_keys/Makefile | 2 + crypto/asymmetric_keys/tpm2_key_ecdsa.c | 441 ++++++++++++++ crypto/asymmetric_keys/tpm2_key_rsa.c | 678 ++++++++++++++++++++++ crypto/ecdsa.c | 1 - crypto/rsa-pkcs1pad.c | 16 +- crypto/tpm2_key.asn1 | 11 + crypto/tpm2_key.c | 134 +++++ drivers/char/tpm/tpm-buf.c | 26 - drivers/char/tpm/tpm2-cmd.c | 10 +- include/crypto/rsa-pkcs1pad.h | 20 + include/crypto/tpm2_key.h | 46 ++ include/linux/tpm.h | 10 +- security/keys/trusted-keys/Kconfig | 2 +- security/keys/trusted-keys/Makefile | 2 - security/keys/trusted-keys/tpm2key.asn1 | 11 - security/keys/trusted-keys/trusted_tpm2.c | 141 +---- 19 files changed, 1433 insertions(+), 161 deletions(-) create mode 100644 crypto/asymmetric_keys/tpm2_key_ecdsa.c create mode 100644 crypto/asymmetric_keys/tpm2_key_rsa.c create mode 100644 crypto/tpm2_key.asn1 create mode 100644 crypto/tpm2_key.c create mode 100644 include/crypto/rsa-pkcs1pad.h create mode 100644 include/crypto/tpm2_key.h delete mode 100644 security/keys/trusted-keys/tpm2key.asn1 -- 2.45.1