1========================== 2Trusted and Encrypted Keys 3========================== 4 5Trusted and Encrypted Keys are two new key types added to the existing kernel 6key ring service. Both of these new types are variable length symmetric keys, 7and in both cases all keys are created in the kernel, and user space sees, 8stores, and loads only encrypted blobs. Trusted Keys require the availability 9of a Trust Source for greater security, while Encrypted Keys can be used on any 10system. All user level blobs, are displayed and loaded in hex ASCII for 11convenience, and are integrity verified. 12 13Trusted Keys as Protected key 14============================= 15It is the secure way of keeping the keys in the kernel key-ring as Trusted-Key, 16such that: 17 18- Key-blob, an encrypted key-data, created to be stored, loaded and seen by 19 userspace. 20- Key-data, the plain-key text in the system memory, to be used by 21 kernel space only. 22 23Though key-data is not accessible to the user-space in plain-text, but it is in 24plain-text in system memory, when used in kernel space. Even though kernel-space 25attracts small surface attack, but with compromised kernel or side-channel 26attack accessing the system memory can lead to a chance of the key getting 27compromised/leaked. 28 29In order to protect the key in kernel space, the concept of "protected-keys" is 30introduced which will act as an added layer of protection. The key-data of the 31protected keys is encrypted with Key-Encryption-Key(KEK), and decrypted inside 32the trust source boundary. The plain-key text never available out-side in the 33system memory. Thus, any crypto operation that is to be executed using the 34protected key, can only be done by the trust source, which generated the 35key blob. 36 37Hence, if the protected-key is leaked or compromised, it is of no use to the 38hacker. 39 40Trusted keys as protected keys, with trust source having the capability of 41generating: 42 43- Key-Blob, to be loaded, stored and seen by user-space. 44 45Trust Source 46============ 47 48A trust source provides the source of security for Trusted Keys. This 49section lists currently supported trust sources, along with their security 50considerations. Whether or not a trust source is sufficiently safe depends 51on the strength and correctness of its implementation, as well as the threat 52environment for a specific use case. Since the kernel doesn't know what the 53environment is, and there is no metric of trust, it is dependent on the 54consumer of the Trusted Keys to determine if the trust source is sufficiently 55safe. 56 57 * Root of trust for storage 58 59 (1) TPM (Trusted Platform Module: hardware device) 60 61 Rooted to Storage Root Key (SRK) which never leaves the TPM that 62 provides crypto operation to establish root of trust for storage. 63 64 (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone) 65 66 Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip 67 fuses and is accessible to TEE only. 68 69 (3) CAAM (Cryptographic Acceleration and Assurance Module: IP on NXP SoCs) 70 71 When High Assurance Boot (HAB) is enabled and the CAAM is in secure 72 mode, trust is rooted to the OTPMK, a never-disclosed 256-bit key 73 randomly generated and fused into each SoC at manufacturing time. 74 Otherwise, a common fixed test key is used instead. 75 76 (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) 77 78 Rooted to a one-time programmable key (OTP) that is generally burnt 79 in the on-chip fuses and is accessible to the DCP encryption engine only. 80 DCP provides two keys that can be used as root of trust: the OTP key 81 and the UNIQUE key. Default is to use the UNIQUE key, but selecting 82 the OTP key can be done via a module parameter (dcp_use_otp_key). 83 84 * Execution isolation 85 86 (1) TPM 87 88 Fixed set of operations running in isolated execution environment. 89 90 (2) TEE 91 92 Customizable set of operations running in isolated execution 93 environment verified via Secure/Trusted boot process. 94 95 (3) CAAM 96 97 Fixed set of operations running in isolated execution environment. 98 99 (4) DCP 100 101 Fixed set of cryptographic operations running in isolated execution 102 environment. Only basic blob key encryption is executed there. 103 The actual key sealing/unsealing is done on main processor/kernel space. 104 105 * Optional binding to platform integrity state 106 107 (1) TPM 108 109 Keys can be optionally sealed to specified PCR (integrity measurement) 110 values, and only unsealed by the TPM, if PCRs and blob integrity 111 verifications match. A loaded Trusted Key can be updated with new 112 (future) PCR values, so keys are easily migrated to new PCR values, 113 such as when the kernel and initramfs are updated. The same key can 114 have many saved blobs under different PCR values, so multiple boots are 115 easily supported. 116 117 (2) TEE 118 119 Relies on Secure/Trusted boot process for platform integrity. It can 120 be extended with TEE based measured boot process. 121 122 (3) CAAM 123 124 Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs 125 for platform integrity. 126 127 (4) DCP 128 129 Relies on Secure/Trusted boot process (called HAB by vendor) for 130 platform integrity. 131 132 * Interfaces and APIs 133 134 (1) TPM 135 136 TPMs have well-documented, standardized interfaces and APIs. 137 138 (2) TEE 139 140 TEEs have well-documented, standardized client interface and APIs. For 141 more details refer to ``Documentation/driver-api/tee.rst``. 142 143 (3) CAAM 144 145 Interface is specific to silicon vendor. 146 147 (4) DCP 148 149 Vendor-specific API that is implemented as part of the DCP crypto driver in 150 ``drivers/crypto/mxs-dcp.c``. 151 152 * Threat model 153 154 The strength and appropriateness of a particular trust source for a given 155 purpose must be assessed when using them to protect security-relevant data. 156 157 158Key Generation 159============== 160 161Trusted Keys 162------------ 163 164New keys are created from random numbers. They are encrypted/decrypted using 165a child key in the storage key hierarchy. Encryption and decryption of the 166child key must be protected by a strong access control policy within the 167trust source. The random number generator in use differs according to the 168selected trust source: 169 170 * TPM: hardware device based RNG 171 172 Keys are generated within the TPM. Strength of random numbers may vary 173 from one device manufacturer to another. 174 175 * TEE: OP-TEE based on Arm TrustZone based RNG 176 177 RNG is customizable as per platform needs. It can either be direct output 178 from platform specific hardware RNG or a software based Fortuna CSPRNG 179 which can be seeded via multiple entropy sources. 180 181 * CAAM: Kernel RNG 182 183 The normal kernel random number generator is used. To seed it from the 184 CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the device 185 is probed. 186 187 * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) 188 189 The DCP hardware device itself does not provide a dedicated RNG interface, 190 so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have 191 a dedicated hardware RNG that is independent from DCP which can be enabled 192 to back the kernel RNG. 193 194Users may override this by specifying ``trusted.rng=kernel`` on the kernel 195command-line to override the used RNG with the kernel's random number pool. 196 197Encrypted Keys 198-------------- 199 200Encrypted keys do not depend on a trust source, and are faster, as they use AES 201for encryption/decryption. New keys are created either from kernel-generated 202random numbers or user-provided decrypted data, and are encrypted/decrypted 203using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or 204user-key type. The main disadvantage of encrypted keys is that if they are not 205rooted in a trusted key, they are only as secure as the user key encrypting 206them. The master user key should therefore be loaded in as secure a way as 207possible, preferably early in boot. 208 209 210Usage 211===== 212 213Trusted Keys usage: TPM 214----------------------- 215 216TPM 1.2: By default, trusted keys are sealed under the SRK, which has the 217default authorization value (20 bytes of 0s). This can be set at takeownership 218time with the TrouSerS utility: "tpm_takeownership -u -z". 219 220TPM 2.0: The user must first create a storage key and make it persistent, so the 221key is available after reboot. This can be done using the following commands. 222 223With the IBM TSS 2 stack:: 224 225 #> tsscreateprimary -hi o -st 226 Handle 80000000 227 #> tssevictcontrol -hi o -ho 80000000 -hp 81000001 228 229Or with the Intel TSS 2 stack:: 230 231 #> tpm2_createprimary --hierarchy o -G rsa2048 -c key.ctxt 232 [...] 233 #> tpm2_evictcontrol -c key.ctxt 0x81000001 234 persistentHandle: 0x81000001 235 236Usage:: 237 238 keyctl add trusted name "new keylen [options]" ring 239 keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring 240 keyctl update key "update [options]" 241 keyctl print keyid 242 243 options: 244 keyhandle= ascii hex value of sealing key 245 TPM 1.2: default 0x40000000 (SRK) 246 TPM 2.0: no default; must be passed every time 247 keyauth= ascii hex auth for sealing key default 0x00...i 248 (40 ascii zeros) 249 blobauth= ascii hex auth for sealed data default 0x00... 250 (40 ascii zeros) 251 pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) 252 pcrlock= pcr number to be extended to "lock" blob 253 migratable= 0|1 indicating permission to reseal to new PCR values, 254 default 1 (resealing allowed) 255 hash= hash algorithm name as a string. For TPM 1.x the only 256 allowed value is sha1. For TPM 2.x the allowed values 257 are sha1, sha256, sha384, sha512 and sm3-256. 258 policydigest= digest for the authorization policy. must be calculated 259 with the same hash algorithm as specified by the 'hash=' 260 option. 261 policyhandle= handle to an authorization policy session that defines the 262 same policy and with the same hash algorithm as was used to 263 seal the key. 264 265"keyctl print" returns an ascii hex copy of the sealed key, which is in standard 266TPM_STORED_DATA format. The key length for new keys are always in bytes. 267Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit 268within the 2048 bit SRK (RSA) keylength, with all necessary structure/padding. 269 270Trusted Keys usage: TEE 271----------------------- 272 273Usage:: 274 275 keyctl add trusted name "new keylen" ring 276 keyctl add trusted name "load hex_blob" ring 277 keyctl print keyid 278 279"keyctl print" returns an ASCII hex copy of the sealed key, which is in format 280specific to TEE device implementation. The key length for new keys is always 281in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 282 283Trusted Keys usage: CAAM 284------------------------ 285 286Trusted Keys Usage:: 287 288 keyctl add trusted name "new keylen" ring 289 keyctl add trusted name "load hex_blob" ring 290 keyctl print keyid 291 292"keyctl print" returns an ASCII hex copy of the sealed key, which is in a 293CAAM-specific format. The key length for new keys is always in bytes. 294Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 295 296Trusted Keys as Protected Keys Usage:: 297 298 keyctl add trusted name "new keylen pk [options]" ring 299 keyctl add trusted name "load hex_blob [options]" ring 300 keyctl print keyid 301 302 where, 'pk' is used to direct trust source to generate protected key. 303 304 options: 305 key_enc_algo = For CAAM, supported enc algo are ECB(2), CCM(1). 306 307"keyctl print" returns an ASCII hex copy of the sealed key, which is in a 308CAAM-specific format. The key length for new keys is always in bytes. 309Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 310 311Trusted Keys usage: DCP 312----------------------- 313 314Usage:: 315 316 keyctl add trusted name "new keylen" ring 317 keyctl add trusted name "load hex_blob" ring 318 keyctl print keyid 319 320"keyctl print" returns an ASCII hex copy of the sealed key, which is in format 321specific to this DCP key-blob implementation. The key length for new keys is 322always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 323 324Encrypted Keys usage 325-------------------- 326 327The decrypted portion of encrypted keys can contain either a simple symmetric 328key or a more complex structure. The format of the more complex structure is 329application specific, which is identified by 'format'. 330 331Usage:: 332 333 keyctl add encrypted name "new [format] key-type:master-key-name keylen" 334 ring 335 keyctl add encrypted name "new [format] key-type:master-key-name keylen 336 decrypted-data" ring 337 keyctl add encrypted name "load hex_blob" ring 338 keyctl update keyid "update key-type:master-key-name" 339 340Where:: 341 342 format:= 'default | ecryptfs | enc32' 343 key-type:= 'trusted' | 'user' 344 345Examples of trusted and encrypted key usage 346------------------------------------------- 347 348Create and save a trusted key named "kmk" of length 32 bytes. 349 350Note: When using a TPM 2.0 with a persistent key with handle 0x81000001, 351append 'keyhandle=0x81000001' to statements between quotes, such as 352"new 32 keyhandle=0x81000001". 353 354:: 355 356 $ keyctl add trusted kmk "new 32" @u 357 440502848 358 359 $ keyctl show 360 Session Keyring 361 -3 --alswrv 500 500 keyring: _ses 362 97833714 --alswrv 500 -1 \_ keyring: _uid.500 363 440502848 --alswrv 500 500 \_ trusted: kmk 364 365 $ keyctl print 440502848 366 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 367 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 368 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 369 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 370 d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 371 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 372 f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 373 e4a8aea2b607ec96931e6f4d4fe563ba 374 375 $ keyctl pipe 440502848 > kmk.blob 376 377Load a trusted key from the saved blob:: 378 379 $ keyctl add trusted kmk "load `cat kmk.blob`" @u 380 268728824 381 382 $ keyctl print 268728824 383 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 384 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 385 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 386 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 387 d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 388 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 389 f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 390 e4a8aea2b607ec96931e6f4d4fe563ba 391 392Create and save a trusted key as protected key named "kmk" of length 32 bytes. 393 394:: 395 396 $ keyctl add trusted kmk "new 32 pk key_enc_algo=1" @u 397 440502848 398 399 $ keyctl show 400 Session Keyring 401 -3 --alswrv 500 500 keyring: _ses 402 97833714 --alswrv 500 -1 \_ keyring: _uid.500 403 440502848 --alswrv 500 500 \_ trusted: kmk 404 405 $ keyctl print 440502848 406 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 407 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 408 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 409 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 410 d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 411 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 412 f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 413 e4a8aea2b607ec96931e6f4d4fe563ba 414 415 $ keyctl pipe 440502848 > kmk.blob 416 417Load a trusted key from the saved blob:: 418 419 $ keyctl add trusted kmk "load `cat kmk.blob` key_enc_algo=1" @u 420 268728824 421 422 $ keyctl print 268728824 423 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 424 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 425 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 426 a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 427 d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 428 dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 429 f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 430 e4a8aea2b607ec96931e6f4d4fe563ba 431 432Reseal (TPM specific) a trusted key under new PCR values:: 433 434 $ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`" 435 $ keyctl print 268728824 436 010100000000002c0002800093c35a09b70fff26e7a98ae786c641e678ec6ffb6b46d805 437 77c8a6377aed9d3219c6dfec4b23ffe3000001005d37d472ac8a44023fbb3d18583a4f73 438 d3a076c0858f6f1dcaa39ea0f119911ff03f5406df4f7f27f41da8d7194f45c9f4e00f2e 439 df449f266253aa3f52e55c53de147773e00f0f9aca86c64d94c95382265968c354c5eab4 440 9638c5ae99c89de1e0997242edfb0b501744e11ff9762dfd951cffd93227cc513384e7e6 441 e782c29435c7ec2edafaa2f4c1fe6e7a781b59549ff5296371b42133777dcc5b8b971610 442 94bc67ede19e43ddb9dc2baacad374a36feaf0314d700af0a65c164b7082401740e489c9 443 7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef 444 df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8 445 446 447The initial consumer of trusted keys is EVM, which at boot time needs a high 448quality symmetric key for HMAC protection of file metadata. The use of a 449trusted key provides strong guarantees that the EVM key has not been 450compromised by a user level problem, and when sealed to a platform integrity 451state, protects against boot and offline attacks. Create and save an 452encrypted key "evm" using the above trusted key "kmk": 453 454option 1: omitting 'format':: 455 456 $ keyctl add encrypted evm "new trusted:kmk 32" @u 457 159771175 458 459option 2: explicitly defining 'format' as 'default':: 460 461 $ keyctl add encrypted evm "new default trusted:kmk 32" @u 462 159771175 463 464 $ keyctl print 159771175 465 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3 466 82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0 467 24717c64 5972dcb82ab2dde83376d82b2e3c09ffc 468 469 $ keyctl pipe 159771175 > evm.blob 470 471Load an encrypted key "evm" from saved blob:: 472 473 $ keyctl add encrypted evm "load `cat evm.blob`" @u 474 831684262 475 476 $ keyctl print 831684262 477 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3 478 82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0 479 24717c64 5972dcb82ab2dde83376d82b2e3c09ffc 480 481Instantiate an encrypted key "evm" using user-provided decrypted data:: 482 483 $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p) 484 $ keyctl add encrypted evm "new default user:kmk 32 $evmkey" @u 485 794890253 486 487 $ keyctl print 794890253 488 default user:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382d 489 bbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0247 490 17c64 5972dcb82ab2dde83376d82b2e3c09ffc 491 492Other uses for trusted and encrypted keys, such as for disk and file encryption 493are anticipated. In particular the new format 'ecryptfs' has been defined 494in order to use encrypted keys to mount an eCryptfs filesystem. More details 495about the usage can be found in the file 496``Documentation/security/keys/ecryptfs.rst``. 497 498Another new format 'enc32' has been defined in order to support encrypted keys 499with payload size of 32 bytes. This will initially be used for nvdimm security 500but may expand to other usages that require 32 bytes payload. 501 502 503TPM 2.0 ASN.1 Key Format 504------------------------ 505 506The TPM 2.0 ASN.1 key format is designed to be easily recognisable, 507even in binary form (fixing a problem we had with the TPM 1.2 ASN.1 508format) and to be extensible for additions like importable keys and 509policy:: 510 511 TPMKey ::= SEQUENCE { 512 type OBJECT IDENTIFIER 513 emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL 514 parent INTEGER 515 pubkey OCTET STRING 516 privkey OCTET STRING 517 } 518 519type is what distinguishes the key even in binary form since the OID 520is provided by the TCG to be unique and thus forms a recognizable 521binary pattern at offset 3 in the key. The OIDs currently made 522available are:: 523 524 2.23.133.10.1.3 TPM Loadable key. This is an asymmetric key (Usually 525 RSA2048 or Elliptic Curve) which can be imported by a 526 TPM2_Load() operation. 527 528 2.23.133.10.1.4 TPM Importable Key. This is an asymmetric key (Usually 529 RSA2048 or Elliptic Curve) which can be imported by a 530 TPM2_Import() operation. 531 532 2.23.133.10.1.5 TPM Sealed Data. This is a set of data (up to 128 533 bytes) which is sealed by the TPM. It usually 534 represents a symmetric key and must be unsealed before 535 use. 536 537The trusted key code only uses the TPM Sealed Data OID. 538 539emptyAuth is true if the key has well known authorization "". If it 540is false or not present, the key requires an explicit authorization 541phrase. This is used by most user space consumers to decide whether 542to prompt for a password. 543 544parent represents the parent key handle, either in the 0x81 MSO space, 545like 0x81000001 for the RSA primary storage key. Userspace programmes 546also support specifying the primary handle in the 0x40 MSO space. If 547this happens the Elliptic Curve variant of the primary key using the 548TCG defined template will be generated on the fly into a volatile 549object and used as the parent. The current kernel code only supports 550the 0x81 MSO form. 551 552pubkey is the binary representation of TPM2B_PRIVATE excluding the 553initial TPM2B header, which can be reconstructed from the ASN.1 octet 554string length. 555 556privkey is the binary representation of TPM2B_PUBLIC excluding the 557initial TPM2B header which can be reconstructed from the ASN.1 octed 558string length. 559 560DCP Blob Format 561--------------- 562 563.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c 564 :doc: dcp blob format 565 566.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c 567 :identifiers: struct dcp_blob_fmt 568