security/keys/trusted-encrypted.rst

2 Trusted and Encrypted Keys
5 Trusted and Encrypted Keys are two new key types added to the existing kernel
8 stores, and loads only encrypted blobs.  Trusted Keys require the availability
17 A trust source provides the source of security for Trusted Keys.  This
23 consumer of the Trusted Keys to determine if the trust source is sufficiently
28      (1) TPM (Trusted Platform Module: hardware device)
33      (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
54          environment verified via Secure/Trusted boot process.
66          verifications match. A loaded Trusted Key can be updated with new
74          Relies on Secure/Trusted boot process for platform integrity. It can
106 Trusted Keys
132 Users may override this by specifying ``trusted.rng=kernel`` on the kernel
141 using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
143 rooted in a trusted key, they are only as secure as the user key encrypting
151 Trusted Keys usage: TPM
154 TPM 1.2: By default, trusted keys are sealed under the SRK, which has the
176     keyctl add trusted name "new keylen [options]" ring
177     keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
205 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
208 Trusted Keys usage: TEE
213     keyctl add trusted name "new keylen" ring
214     keyctl add trusted name "load hex_blob" ring
219 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
221 Trusted Keys usage: CAAM
226     keyctl add trusted name "new keylen" ring
227     keyctl add trusted name "load hex_blob" ring
232 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
253 	key-type:= 'trusted' | 'user'
255 Examples of trusted and encrypted key usage
258 Create and save a trusted key named "kmk" of length 32 bytes.
266     $ keyctl add trusted kmk "new 32" @u
273     440502848 --alswrv    500   500       \_ trusted: kmk
287 Load a trusted key from the saved blob::
289     $ keyctl add trusted kmk "load `cat kmk.blob`" @u
302 Reseal (TPM specific) a trusted key under new PCR values::
317 The initial consumer of trusted keys is EVM, which at boot time needs a high
319 trusted key provides strong guarantees that the EVM key has not been
322 encrypted key "evm" using the above trusted key "kmk":
326     $ keyctl add encrypted evm "new trusted:kmk 32" @u
331     $ keyctl add encrypted evm "new default trusted:kmk 32" @u
335     default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
347     default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
362 Other uses for trusted and encrypted keys, such as for disk and file encryption
407 The trusted key code only uses the TPM Sealed Data OID.