| View previous topic :: View next topic |
| Author |
Message |
salahx
Guru
Joined: 12 Mar 2005
Posts: 559
|
 Posted: Mon Feb 04, 2019 3:24 am Post subject: [SOLVED] IMA, EVM, TPM, and keyctl |
 |
|
I'm currently experimenting with TPM hardware via virtual machines using swtpm and qemu, and the main machine has a real TPM on it. I'm tying to create keys for EVM, but neither the Gentoo Wiki examples nor the offical ones work as far as creating the EVM key from a TPM.
These are the commands they tell you to run:
| Code: | modprobe trusted
modprobe encrypted
keyctl add trusted kmk-trusted "new 32" @u
keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob
keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob |
The first key, "kmk-trusted" saved normally (it took a little work under systemd, however - I had to "keyctl link @u @s" to get it to work). However, the last command fails with "keyctl_read_alloc: Operation not supported", on both the virtual TPM and on a real one.
The non-TPM version works, however:
| Code: | modprobe encrypted
keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob
keyctl add encrypted evm-key "new user:kmk-user 32" @u
keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-user.blob |
I want to do the first example: Create a TPM key that will be used to encrypt the EVM key. How do I make this work?
Last edited by salahx on Wed Feb 13, 2019 4:40 am; edited 1 time in total |
|
| Back to top |
|
 |
salahx
Guru
Joined: 12 Mar 2005
Posts: 559
|
| Posted: Wed Feb 13, 2019 4:40 am Post subject: |
|
|
SOLVED! Its WAS a kernel bug, not me. However, its only triggered when the "trusted" module is modular and the "encrypted" module is built in. One I made them both built-in , it worked! I had to analyze the source code of the Linux kernel which took me a while but i finally figured it out
The problem appears to be in /usr/src/linux/security/keys/encrypted-keys/encrypted.h:
| Code: |
#if defined(CONFIG_TRUSTED_KEYS) || \
(defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))
extern struct key *request_trusted_key(const char *trusted_desc,
const u8 **master_key, size_t *master_keylen);
#else
static inline struct key *request_trusted_key(const char *trusted_desc,
const u8 **master_key,
size_t *master_keylen)
{
return ERR_PTR(-EOPNOTSUPP);
}
#endif
|
The first #if covers the case where the "trusted" is built in, or both "trusted" and "encrypted" are built as modules, but not "encrypted" built-in and "trusted" as a module. Now whether or not the problem is simple as changing the #if will require some experimentation. |
|
| Back to top |
|
|
glassman
n00b
Joined: 17 Sep 2019
Posts: 1
|
| Posted: Fri Sep 20, 2019 12:16 am Post subject: |
|
|
I know this is solved, and salahx has been kind enough to reply in a private message about how to use this on a TPM 2.0 chip, but I'm receiving some error messages that I'm not quite sure how to work out. I'm following a guide on sourceforge for IMA/EVM, and I'm in the Creating Trusted and EVM Encrypted Keys section that can be found here: https://sourceforge.net/p/linux-ima/wiki/Home/#creating-trusted-and-evm-encrypted-keys.
I start with the first few commands, but I am immediately greeted with an error when using keyctl pipe, after making a new key in the trusted keyring:
| Code: | user@hostname:~ $ sudo modprobe trusted encrypted
user@hostname:~ $ sudo keyctl add trusted kmk-trusted "new 32 keyhandle=0x81010001" @u
77506649
user@hostname~ $ sudo keyctl pipe `keyctl search @u trusted kmk-trusted` >/etc/keys/kmk-trusted.blob
keyctl_search: Required key not available
-bash: /etc/keys/kmk-trusted.blob: Permission denied |
Since I'm also getting a search error, I then pivot by instead using the key name in place of using the backtick where keyctl search was inserted.
| Code: | user@hostname:~ $ sudo keyctl pipe 77506649 >/etc/keys/kmk-trusted.blob
-bash: /etc/keys/kmk-trusted.blob: Permission denied |
Since I'm not receiving a search error but instead receiving a permission denied error, I do the only thing I can think of now and chmod the directory of /etc/keys:
| Code: | user@hostname:~ $ sudo chmod -R 777 /etc/keys
user@hostname:~ $ ls -al /etc/keys
total 8
drwxrwxrwx. 2 root root 4096 Sep 18 15:52 .
drwxr-xr-x. 114 root root 4096 Sep 19 15:40 ..
user@hostname:~ $ sudo keyctl pipe 77506649 >/etc/keys/kmk-trusted.blob
keyctl_read_alloc: Permission denied |
I am no longer receiving a permission denied error from bash, but instead I am now getting a permission denied error when the key is attempting to be read, so I try to show the key and am greeted with the expected permission denied error again.
| Code: | user@hostname:~ $ keyctl show 77506649
Keyring
Unable to dump key: Permission denied |
After searching for a while, I saw on another forum where someone had linked the user and session keyring and then changed permissions of the key by using the setperm command. Here is my own attempt to do so.
| Code: | user@hostname:~ $ keyctl link @u @s
user@hostname:~ $ sudo keyctl setperm 77506649 0x3f3f0000
keyctl_setperm: Permission denied |
For some reason, even setperm cannot set permissions, which is really frustrating. I'm not sure what to do here, and I do not mean to hijack the thread, but I don't know where to post this as I can't find a forum where people are not only knowledgeable enough about this subject (myself included), but have also had this specific issue with a TPM 2.0 chip. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
