[PATCH 0/4] Add importable keys

James Bottomley
 

This patch adds the capability for importable keys. An importable key
is a duplicate structure with an outer wrapper that is encrypted with a
symmetric key that is itself encrypted to the public key of the parent.
The creation of this encrypted secret is somewhat complex, so the only
current algorithm implemented is ECDH encryption (meaning the parent
key must be an elliptic curve one). We can add RSA later, but it's
more complicated because it must be done with special OAEP padding
which openssl can't produce.

Importable keys require an additional optional parameter in the ASN.1
for the encrypted secret. This makes the full ASN.1 structure now

    TPMKey ::= SEQUENCE {
        type        OBJECT IDENTIFIER
        emptyAuth   [0] EXPLICIT BOOLEAN OPTIONAL
        policy      [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
        secret      [2] EXPLICIT OCTET STRING OPTIONAL
        parent      INTEGER
        pubkey      OCTET STRING
        privkey     OCTET STRING
    }

The utility of the importable keys is that they can be created without
access to the actual physical TPM; all you need is a representation of
the parent public key, so this enables you to create the TPM
representation in a secure environment away from the use machine.

The way importable keys are implemented in the engine is that as soon
as the key is loaded, if we see it's importable, we run the import
command to convert it internally to loadable form and then run the
engine as normal (so if you have key create with multiple operations,
we only run the import once).

There are also a couple of precursor patches shifting common code
around.

James


---

James Bottomley (4):
tpm2-common: add point conversion routines
tpm2-common: remove interfaces only used by create-tpm2-key
Add importable keys
Add tests for importable keys

create_tpm2_key.1.in | 17 ++
create_tpm2_key.c | 441 ++++++++++++++++++++++++++++++++++++++++++----
e_tpm2-ecc.c | 22 +--
e_tpm2.c | 108 ++++++++++--
tests/Makefile.am | 1 +
tests/check_importable.sh | 20 +++
tpm2-asn.h | 3 +
tpm2-common.c | 162 +++--------------
tpm2-common.h | 11 +-
9 files changed, 571 insertions(+), 214 deletions(-)
create mode 100755 tests/check_importable.sh

--
2.16.4
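
The TPMKey layout given in the cover letter, walked by a small bounds-checked DER reader that reports which OPTIONAL members, including the new secret [2], are present. This is an added example, not code from the patch series or the engine; the names tpmkey_info, der_hdr and tpmkey_scan and the sample bytes (placeholder OID 1.2.3.4, dummy parent and key blobs) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct tpmkey_info { int has_empty_auth, has_policy, has_secret; size_t secret_len, pub_len, priv_len; };

/* Constructed sample, not a real key: every value below is a dummy. */
static const uint8_t SAMPLE_TPMKEY[] = {
    0x30,0x20, 0x06,0x03,0x2a,0x03,0x04,        /* SEQUENCE, placeholder OID 1.2.3.4 */
    0xa0,0x03,0x01,0x01,0xff,                   /* emptyAuth [0] BOOLEAN TRUE */
    0xa2,0x06,0x04,0x04,0xde,0xad,0xbe,0xef,    /* secret [2] OCTET STRING (dummy) */
    0x02,0x04,0x40,0x00,0x00,0x01,              /* parent INTEGER (dummy) */
    0x04,0x02,0xaa,0xbb, 0x04,0x02,0xcc,0xdd }; /* pubkey, privkey (dummy) */

/* Read one DER header at *p (definite lengths up to 4 bytes); on success *p
 * points at the value and the value is known to fit before end. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 4 || (size_t)(end - *p) < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return 0;
}

/* Walk a DER TPMKey; returns 0 if well-formed, -1 otherwise. */
int tpmkey_scan(const uint8_t *der, size_t der_len, struct tpmkey_info *out)
{
    const uint8_t *p = der, *end = der + der_len, *q;
    uint8_t tag, t; size_t len, l;
    memset(out, 0, sizeof(*out));
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1;
    end = p + len;                               /* stay inside the SEQUENCE */
    if (der_hdr(&p, end, &tag, &len) || tag != 0x06) return -1;   /* type */
    p += len; if (der_hdr(&p, end, &tag, &len)) return -1;
    if (tag == 0xa0) { out->has_empty_auth = 1; p += len; if (der_hdr(&p, end, &tag, &len)) return -1; }
    if (tag == 0xa1) { out->has_policy = 1; p += len; if (der_hdr(&p, end, &tag, &len)) return -1; }
    if (tag == 0xa2) {                           /* EXPLICIT wrapper around OCTET STRING */
        q = p; if (der_hdr(&q, p + len, &t, &l) || t != 0x04) return -1;
        out->has_secret = 1; out->secret_len = l;
        p += len; if (der_hdr(&p, end, &tag, &len)) return -1;
    }
    if (tag != 0x02) return -1;                  /* parent */
    p += len; if (der_hdr(&p, end, &tag, &len) || tag != 0x04) return -1;
    out->pub_len = len;                          /* pubkey */
    p += len; if (der_hdr(&p, end, &tag, &len) || tag != 0x04) return -1;
    out->priv_len = len; p += len;               /* privkey */
    return p == end ? 0 : -1;
}
int main(void) { struct tpmkey_info i; return tpmkey_scan(SAMPLE_TPMKEY, sizeof SAMPLE_TPMKEY, &i); }
```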