Gentoo Forums
[SOLVED] IMA, EVM, TPM, and keyctl
salahx (Guru)
Joined: 12 Mar 2005
Posts: 437

Posted: Mon Feb 04, 2019 3:24 am    Post subject: [SOLVED] IMA, EVM, TPM, and keyctl

I'm currently experimenting with TPM hardware via virtual machines using swtpm and qemu, and the main machine has a real TPM on it. I'm trying to create keys for EVM, but neither the Gentoo Wiki examples nor the official ones work as far as creating the EVM key from a TPM.

These are the commands they tell you to run:

Code:
modprobe trusted
modprobe encrypted
# create a 32-byte TPM-sealed master key in the user keyring
keyctl add trusted kmk-trusted "new 32" @u
keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob
# create the EVM key, encrypted under the trusted master key
keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob


The first key, "kmk-trusted", saved normally (it took a little work under systemd, however - I had to "keyctl link @u @s" to get it to work). However, the last command fails with "keyctl_read_alloc: Operation not supported", on both the virtual TPM and on a real one.

The non-TPM version works, however:
Code:
modprobe encrypted
# random 32-byte master key held as a plain "user" key instead of a TPM key
keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob
# EVM key encrypted under the user master key
keyctl add encrypted evm-key "new user:kmk-user 32" @u
keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-user.blob


I want to do the first example: Create a TPM key that will be used to encrypt the EVM key. How do I make this work?


Last edited by salahx on Wed Feb 13, 2019 4:40 am; edited 1 time in total
salahx (Guru)
Joined: 12 Mar 2005
Posts: 437

Posted: Wed Feb 13, 2019 4:40 am

SOLVED! It WAS a kernel bug, not me. However, it's only triggered when the "trusted" module is modular and the "encrypted" module is built in. Once I made them both built-in, it worked! I had to analyze the source code of the Linux kernel, which took me a while, but I finally figured it out.

The problem appears to be in /usr/src/linux/security/keys/encrypted-keys/encrypted.h:
Code:

#if defined(CONFIG_TRUSTED_KEYS) || \
  (defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))
extern struct key *request_trusted_key(const char *trusted_desc,
                                       const u8 **master_key, size_t *master_keylen);
#else
static inline struct key *request_trusted_key(const char *trusted_desc,
                                              const u8 **master_key,
                                              size_t *master_keylen)
{
        return ERR_PTR(-EOPNOTSUPP);
}
#endif


The first #if covers the case where "trusted" is built in, or both "trusted" and "encrypted" are built as modules, but not "encrypted" built in and "trusted" as a module. Now whether or not the problem is as simple as changing the #if will require some experimentation.
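The #if quoted above can be turned into a pre-flight check: read the same two CONFIG_ symbols from a kernel .config and report whether request_trusted_key() will be the real function or the -EOPNOTSUPP stub, so the failing combination is spotted before any EVM keys are provisioned. This is an added example, not code from the post or from the kernel; the function names and the constructed sample config are this example's own, and it assumes a plain .config file (for /proc/config.gz, decompress it first).

```shell
#!/bin/sh
# Added example, not part of the forum post: classify a kernel .config by the
# same condition the poster quoted from encrypted.h, so the TRUSTED_KEYS=m +
# ENCRYPTED_KEYS=y combination (where request_trusted_key() is the
# -EOPNOTSUPP stub) is caught before any keys are provisioned.
# Function names and the sample config below are this example's own.

# Print y, m, or n for one CONFIG_ symbol in the given .config file.
config_value() {
    file=$1
    sym=$2
    val=$(sed -n "s/^${sym}=//p" "$file" | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'n\n'      # "# CONFIG_X is not set" or symbol absent
    fi
}

# Mirror the #if in security/keys/encrypted-keys/encrypted.h:
#   defined(CONFIG_TRUSTED_KEYS)                                  -> real function
#   defined(CONFIG_TRUSTED_KEYS_MODULE) &&
#   defined(CONFIG_ENCRYPTED_KEYS_MODULE)                         -> real function
#   anything else                                                 -> stub, -EOPNOTSUPP
# Prints a one-word verdict; returns 0 only when "trusted:" master keys work.
trusted_key_support() {
    trusted=$(config_value "$1" CONFIG_TRUSTED_KEYS)
    encrypted=$(config_value "$1" CONFIG_ENCRYPTED_KEYS)
    case "$trusted/$encrypted" in
        */n) echo no-encrypted-keys;  return 1 ;;  # encrypted key type absent entirely
        y/*) echo builtin;            return 0 ;;  # trusted built in: #if is true
        m/m) echo modular;            return 0 ;;  # both modules: #if is true
        m/y) echo unsupported-split;  return 1 ;;  # the poster's case: stub, EOPNOTSUPP
        *)   echo no-trusted-keys;    return 1 ;;  # trusted keys not built at all
    esac
}

# Stand-alone use: pass a .config path, or let the script check a constructed
# sample that reproduces the poster's failing configuration.
if [ "$#" -gt 0 ]; then
    trusted_key_support "$1" || true
else
    sample=$(mktemp)
    printf 'CONFIG_TRUSTED_KEYS=m\nCONFIG_ENCRYPTED_KEYS=y\n' > "$sample"
    trusted_key_support "$sample" || true    # prints: unsupported-split
    rm -f "$sample"
fi
```

Run it as `sh check-trusted-keys.sh /usr/src/linux/.config`; a non-zero exit with "unsupported-split" is exactly the kernel build the poster hit, and "no-trusted-keys" means "trusted:" master keys cannot work on that kernel regardless of the TPM.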
All times are GMT