xref: /linux/Documentation/security/keys/trusted-encrypted.rst (revision ca220141fa8ebae09765a242076b2b77338106b0) 
1==========================
2Trusted and Encrypted Keys
3==========================
4
5Trusted and Encrypted Keys are two new key types added to the existing kernel
6key ring service.  Both of these new types are variable length symmetric keys,
7and in both cases all keys are created in the kernel, and user space sees,
8stores, and loads only encrypted blobs.  Trusted Keys require the availability
9of a Trust Source for greater security, while Encrypted Keys can be used on any
10system. All user level blobs, are displayed and loaded in hex ASCII for
11convenience, and are integrity verified.
12
13Trusted Keys as Protected key
14=============================
15It is the secure way of keeping the keys in the kernel key-ring as Trusted-Key,
16such that:
17
18- Key-blob, an encrypted key-data, created to be stored, loaded and seen by
19  userspace.
20- Key-data, the plain-key text in the system memory, to be used by
21  kernel space only.
22
23Though key-data is not accessible to the user-space in plain-text, but it is in
24plain-text in system memory, when used in kernel space. Even though kernel-space
25attracts small surface attack, but with compromised kernel or side-channel
26attack accessing the system memory can lead to a chance of the key getting
27compromised/leaked.
28
29In order to protect the key in kernel space, the concept of "protected-keys" is
30introduced which will act as an added layer of protection. The key-data of the
31protected keys is encrypted with Key-Encryption-Key(KEK), and decrypted inside
32the trust source boundary. The plain-key text never available out-side in the
33system memory. Thus, any crypto operation that is to be executed using the
34protected key, can only be done by the trust source, which generated the
35key blob.
36
37Hence, if the protected-key is leaked or compromised, it is of no use to the
38hacker.
39
40Trusted keys as protected keys, with trust source having the capability of
41generating:
42
43- Key-Blob, to be loaded, stored and seen by user-space.
44
45Trust Source
46============
47
48A trust source provides the source of security for Trusted Keys.  This
49section lists currently supported trust sources, along with their security
50considerations.  Whether or not a trust source is sufficiently safe depends
51on the strength and correctness of its implementation, as well as the threat
52environment for a specific use case.  Since the kernel doesn't know what the
53environment is, and there is no metric of trust, it is dependent on the
54consumer of the Trusted Keys to determine if the trust source is sufficiently
55safe.
56
57  *  Root of trust for storage
58
59     (1) TPM (Trusted Platform Module: hardware device)
60
61         Rooted to Storage Root Key (SRK) which never leaves the TPM that
62         provides crypto operation to establish root of trust for storage.
63
64     (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
65
66         Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip
67         fuses and is accessible to TEE only.
68
69     (3) CAAM (Cryptographic Acceleration and Assurance Module: IP on NXP SoCs)
70
71         When High Assurance Boot (HAB) is enabled and the CAAM is in secure
72         mode, trust is rooted to the OTPMK, a never-disclosed 256-bit key
73         randomly generated and fused into each SoC at manufacturing time.
74         Otherwise, a common fixed test key is used instead.
75
76     (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
77
78         Rooted to a one-time programmable key (OTP) that is generally burnt
79         in the on-chip fuses and is accessible to the DCP encryption engine only.
80         DCP provides two keys that can be used as root of trust: the OTP key
81         and the UNIQUE key. Default is to use the UNIQUE key, but selecting
82         the OTP key can be done via a module parameter (dcp_use_otp_key).
83
84     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
85
86         Rooted to a unique, per-LPAR key, which is derived from a system-wide,
87         randomly generated LPAR root key. Both the per-LPAR keys and the LPAR
88         root key are stored in hypervisor-owned secure memory at runtime,
89         and the LPAR root key is additionally persisted in secure locations
90         such as the processor SEEPROMs and encrypted NVRAM.
91
92  *  Execution isolation
93
94     (1) TPM
95
96         Fixed set of operations running in isolated execution environment.
97
98     (2) TEE
99
100         Customizable set of operations running in isolated execution
101         environment verified via Secure/Trusted boot process.
102
103     (3) CAAM
104
105         Fixed set of operations running in isolated execution environment.
106
107     (4) DCP
108
109         Fixed set of cryptographic operations running in isolated execution
110         environment. Only basic blob key encryption is executed there.
111         The actual key sealing/unsealing is done on main processor/kernel space.
112
113     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
114
115         Fixed set of cryptographic operations done on on-chip hardware
116         cryptographic acceleration unit NX. Keys for wrapping and unwrapping
117         are managed by PowerVM Platform KeyStore, which stores keys in an
118         isolated in-memory copy in secure hypervisor memory, as well as in a
119         persistent copy in hypervisor-encrypted NVRAM.
120
121  * Optional binding to platform integrity state
122
123     (1) TPM
124
125         Keys can be optionally sealed to specified PCR (integrity measurement)
126         values, and only unsealed by the TPM, if PCRs and blob integrity
127         verifications match. A loaded Trusted Key can be updated with new
128         (future) PCR values, so keys are easily migrated to new PCR values,
129         such as when the kernel and initramfs are updated. The same key can
130         have many saved blobs under different PCR values, so multiple boots are
131         easily supported.
132
133     (2) TEE
134
135         Relies on Secure/Trusted boot process for platform integrity. It can
136         be extended with TEE based measured boot process.
137
138     (3) CAAM
139
140         Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs
141         for platform integrity.
142
143     (4) DCP
144
145         Relies on Secure/Trusted boot process (called HAB by vendor) for
146         platform integrity.
147
148     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
149
150         Relies on secure and trusted boot process of IBM Power systems for
151         platform integrity.
152
153  *  Interfaces and APIs
154
155     (1) TPM
156
157         TPMs have well-documented, standardized interfaces and APIs.
158
159     (2) TEE
160
161         TEEs have well-documented, standardized client interface and APIs. For
162         more details refer to ``Documentation/driver-api/tee.rst``.
163
164     (3) CAAM
165
166         Interface is specific to silicon vendor.
167
168     (4) DCP
169
170         Vendor-specific API that is implemented as part of the DCP crypto driver in
171         ``drivers/crypto/mxs-dcp.c``.
172
173     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
174
175         Platform Keystore has well documented interfaces in PAPR document.
176         Refer to ``Documentation/arch/powerpc/papr_hcalls.rst``
177
178  *  Threat model
179
180     The strength and appropriateness of a particular trust source for a given
181     purpose must be assessed when using them to protect security-relevant data.
182
183
184Key Generation
185==============
186
187Trusted Keys
188------------
189
190New keys are created from random numbers. They are encrypted/decrypted using
191a child key in the storage key hierarchy. Encryption and decryption of the
192child key must be protected by a strong access control policy within the
193trust source. The random number generator in use differs according to the
194selected trust source:
195
196  *  TPM: hardware device based RNG
197
198     Keys are generated within the TPM. Strength of random numbers may vary
199     from one device manufacturer to another.
200
201  *  TEE: OP-TEE based on Arm TrustZone based RNG
202
203     RNG is customizable as per platform needs. It can either be direct output
204     from platform specific hardware RNG or a software based Fortuna CSPRNG
205     which can be seeded via multiple entropy sources.
206
207  *  CAAM: Kernel RNG
208
209     The normal kernel random number generator is used. To seed it from the
210     CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the device
211     is probed.
212
213  *  DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
214
215     The DCP hardware device itself does not provide a dedicated RNG interface,
216     so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have
217     a dedicated hardware RNG that is independent from DCP which can be enabled
218     to back the kernel RNG.
219
220   * PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
221
222     The normal kernel random number generator is used to generate keys.
223
224Users may override this by specifying ``trusted.rng=kernel`` on the kernel
225command-line to override the used RNG with the kernel's random number pool.
226
227Encrypted Keys
228--------------
229
230Encrypted keys do not depend on a trust source, and are faster, as they use AES
231for encryption/decryption. New keys are created either from kernel-generated
232random numbers or user-provided decrypted data, and are encrypted/decrypted
233using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
234user-key type. The main disadvantage of encrypted keys is that if they are not
235rooted in a trusted key, they are only as secure as the user key encrypting
236them. The master user key should therefore be loaded in as secure a way as
237possible, preferably early in boot.
238
239
240Usage
241=====
242
243Trusted Keys usage: TPM
244-----------------------
245
246TPM 1.2: By default, trusted keys are sealed under the SRK, which has the
247default authorization value (20 bytes of 0s).  This can be set at takeownership
248time with the TrouSerS utility: "tpm_takeownership -u -z".
249
250TPM 2.0: The user must first create a storage key and make it persistent, so the
251key is available after reboot. This can be done using the following commands.
252
253With the IBM TSS 2 stack::
254
255  #> tsscreateprimary -hi o -st
256  Handle 80000000
257  #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
258
259Or with the Intel TSS 2 stack::
260
261  #> tpm2_createprimary --hierarchy o -G rsa2048 -c key.ctxt
262  [...]
263  #> tpm2_evictcontrol -c key.ctxt 0x81000001
264  persistentHandle: 0x81000001
265
266Usage::
267
268    keyctl add trusted name "new keylen [options]" ring
269    keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
270    keyctl update key "update [options]"
271    keyctl print keyid
272
273    options:
274       keyhandle=    ascii hex value of sealing key
275                       TPM 1.2: default 0x40000000 (SRK)
276                       TPM 2.0: no default; must be passed every time
277       keyauth=	     ascii hex auth for sealing key default 0x00...i
278                     (40 ascii zeros)
279       blobauth=     ascii hex auth for sealed data default 0x00...
280                     (40 ascii zeros)
281       pcrinfo=	     ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
282       pcrlock=	     pcr number to be extended to "lock" blob
283       migratable=   0|1 indicating permission to reseal to new PCR values,
284                     default 1 (resealing allowed)
285       hash=         hash algorithm name as a string. For TPM 1.x the only
286                     allowed value is sha1. For TPM 2.x the allowed values
287                     are sha1, sha256, sha384, sha512 and sm3-256.
288       policydigest= digest for the authorization policy. must be calculated
289                     with the same hash algorithm as specified by the 'hash='
290                     option.
291       policyhandle= handle to an authorization policy session that defines the
292                     same policy and with the same hash algorithm as was used to
293                     seal the key.
294
295"keyctl print" returns an ascii hex copy of the sealed key, which is in standard
296TPM_STORED_DATA format.  The key length for new keys are always in bytes.
297Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
298within the 2048 bit SRK (RSA) keylength, with all necessary structure/padding.
299
300Trusted Keys usage: TEE
301-----------------------
302
303Usage::
304
305    keyctl add trusted name "new keylen" ring
306    keyctl add trusted name "load hex_blob" ring
307    keyctl print keyid
308
309"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
310specific to TEE device implementation.  The key length for new keys is always
311in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
312
313Trusted Keys usage: CAAM
314------------------------
315
316Trusted Keys Usage::
317
318    keyctl add trusted name "new keylen" ring
319    keyctl add trusted name "load hex_blob" ring
320    keyctl print keyid
321
322"keyctl print" returns an ASCII hex copy of the sealed key, which is in a
323CAAM-specific format.  The key length for new keys is always in bytes.
324Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
325
326Trusted Keys as Protected Keys Usage::
327
328    keyctl add trusted name "new keylen pk [options]" ring
329    keyctl add trusted name "load hex_blob [options]" ring
330    keyctl print keyid
331
332    where, 'pk' is used to direct trust source to generate protected key.
333
334    options:
335       key_enc_algo =      For CAAM, supported enc algo are ECB(2), CCM(1).
336
337"keyctl print" returns an ASCII hex copy of the sealed key, which is in a
338CAAM-specific format.  The key length for new keys is always in bytes.
339Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
340
341Trusted Keys usage: DCP
342-----------------------
343
344Usage::
345
346    keyctl add trusted name "new keylen" ring
347    keyctl add trusted name "load hex_blob" ring
348    keyctl print keyid
349
350"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
351specific to this DCP key-blob implementation.  The key length for new keys is
352always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
353
354Trusted Keys usage: PKWM
355------------------------
356
357Usage::
358
359    keyctl add trusted name "new keylen [options]" ring
360    keyctl add trusted name "load hex_blob" ring
361    keyctl print keyid
362
363    options:
364       wrap_flags=   ascii hex value of security policy requirement
365                       0x00: no secure boot requirement (default)
366                       0x01: require secure boot to be in either audit or
367                             enforced mode
368                       0x02: require secure boot to be in enforced mode
369
370"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
371specific to PKWM key-blob implementation.  The key length for new keys is
372always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
373
374Encrypted Keys usage
375--------------------
376
377The decrypted portion of encrypted keys can contain either a simple symmetric
378key or a more complex structure. The format of the more complex structure is
379application specific, which is identified by 'format'.
380
381Usage::
382
383    keyctl add encrypted name "new [format] key-type:master-key-name keylen"
384        ring
385    keyctl add encrypted name "new [format] key-type:master-key-name keylen
386        decrypted-data" ring
387    keyctl add encrypted name "load hex_blob" ring
388    keyctl update keyid "update key-type:master-key-name"
389
390Where::
391
392	format:= 'default | ecryptfs | enc32'
393	key-type:= 'trusted' | 'user'
394
395Examples of trusted and encrypted key usage
396-------------------------------------------
397
398Create and save a trusted key named "kmk" of length 32 bytes.
399
400Note: When using a TPM 2.0 with a persistent key with handle 0x81000001,
401append 'keyhandle=0x81000001' to statements between quotes, such as
402"new 32 keyhandle=0x81000001".
403
404::
405
406    $ keyctl add trusted kmk "new 32" @u
407    440502848
408
409    $ keyctl show
410    Session Keyring
411           -3 --alswrv    500   500  keyring: _ses
412     97833714 --alswrv    500    -1   \_ keyring: _uid.500
413    440502848 --alswrv    500   500       \_ trusted: kmk
414
415    $ keyctl print 440502848
416    0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915
417    3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b
418    27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722
419    a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec
420    d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d
421    dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0
422    f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b
423    e4a8aea2b607ec96931e6f4d4fe563ba
424
425    $ keyctl pipe 440502848 > kmk.blob
426
427Load a trusted key from the saved blob::
428
429    $ keyctl add trusted kmk "load `cat kmk.blob`" @u
430    268728824
431
432    $ keyctl print 268728824
433    0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915
434    3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b
435    27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722
436    a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec
437    d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d
438    dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0
439    f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b
440    e4a8aea2b607ec96931e6f4d4fe563ba
441
442Create and save a trusted key as protected key named "kmk" of length 32 bytes.
443
444::
445
446    $ keyctl add trusted kmk "new 32 pk key_enc_algo=1" @u
447    440502848
448
449    $ keyctl show
450    Session Keyring
451           -3 --alswrv    500   500  keyring: _ses
452     97833714 --alswrv    500    -1   \_ keyring: _uid.500
453    440502848 --alswrv    500   500       \_ trusted: kmk
454
455    $ keyctl print 440502848
456    0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915
457    3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b
458    27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722
459    a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec
460    d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d
461    dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0
462    f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b
463    e4a8aea2b607ec96931e6f4d4fe563ba
464
465    $ keyctl pipe 440502848 > kmk.blob
466
467Load a trusted key from the saved blob::
468
469    $ keyctl add trusted kmk "load `cat kmk.blob` key_enc_algo=1" @u
470    268728824
471
472    $ keyctl print 268728824
473    0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915
474    3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b
475    27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722
476    a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec
477    d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d
478    dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0
479    f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b
480    e4a8aea2b607ec96931e6f4d4fe563ba
481
482Reseal (TPM specific) a trusted key under new PCR values::
483
484    $ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`"
485    $ keyctl print 268728824
486    010100000000002c0002800093c35a09b70fff26e7a98ae786c641e678ec6ffb6b46d805
487    77c8a6377aed9d3219c6dfec4b23ffe3000001005d37d472ac8a44023fbb3d18583a4f73
488    d3a076c0858f6f1dcaa39ea0f119911ff03f5406df4f7f27f41da8d7194f45c9f4e00f2e
489    df449f266253aa3f52e55c53de147773e00f0f9aca86c64d94c95382265968c354c5eab4
490    9638c5ae99c89de1e0997242edfb0b501744e11ff9762dfd951cffd93227cc513384e7e6
491    e782c29435c7ec2edafaa2f4c1fe6e7a781b59549ff5296371b42133777dcc5b8b971610
492    94bc67ede19e43ddb9dc2baacad374a36feaf0314d700af0a65c164b7082401740e489c9
493    7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef
494    df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8
495
496
497The initial consumer of trusted keys is EVM, which at boot time needs a high
498quality symmetric key for HMAC protection of file metadata. The use of a
499trusted key provides strong guarantees that the EVM key has not been
500compromised by a user level problem, and when sealed to a platform integrity
501state, protects against boot and offline attacks. Create and save an
502encrypted key "evm" using the above trusted key "kmk":
503
504option 1: omitting 'format'::
505
506    $ keyctl add encrypted evm "new trusted:kmk 32" @u
507    159771175
508
509option 2: explicitly defining 'format' as 'default'::
510
511    $ keyctl add encrypted evm "new default trusted:kmk 32" @u
512    159771175
513
514    $ keyctl print 159771175
515    default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
516    82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
517    24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
518
519    $ keyctl pipe 159771175 > evm.blob
520
521Load an encrypted key "evm" from saved blob::
522
523    $ keyctl add encrypted evm "load `cat evm.blob`" @u
524    831684262
525
526    $ keyctl print 831684262
527    default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
528    82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
529    24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
530
531Instantiate an encrypted key "evm" using user-provided decrypted data::
532
533    $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p)
534    $ keyctl add encrypted evm "new default user:kmk 32 $evmkey" @u
535    794890253
536
537    $ keyctl print 794890253
538    default user:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382d
539    bbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0247
540    17c64 5972dcb82ab2dde83376d82b2e3c09ffc
541
542Other uses for trusted and encrypted keys, such as for disk and file encryption
543are anticipated.  In particular the new format 'ecryptfs' has been defined
544in order to use encrypted keys to mount an eCryptfs filesystem.  More details
545about the usage can be found in the file
546``Documentation/security/keys/ecryptfs.rst``.
547
548Another new format 'enc32' has been defined in order to support encrypted keys
549with payload size of 32 bytes. This will initially be used for nvdimm security
550but may expand to other usages that require 32 bytes payload.
551
552
553TPM 2.0 ASN.1 Key Format
554------------------------
555
556The TPM 2.0 ASN.1 key format is designed to be easily recognisable,
557even in binary form (fixing a problem we had with the TPM 1.2 ASN.1
558format) and to be extensible for additions like importable keys and
559policy::
560
561    TPMKey ::= SEQUENCE {
562        type		OBJECT IDENTIFIER
563        emptyAuth	[0] EXPLICIT BOOLEAN OPTIONAL
564        parent		INTEGER
565        pubkey		OCTET STRING
566        privkey		OCTET STRING
567    }
568
569type is what distinguishes the key even in binary form since the OID
570is provided by the TCG to be unique and thus forms a recognizable
571binary pattern at offset 3 in the key.  The OIDs currently made
572available are::
573
574    2.23.133.10.1.3 TPM Loadable key.  This is an asymmetric key (Usually
575                    RSA2048 or Elliptic Curve) which can be imported by a
576                    TPM2_Load() operation.
577
578    2.23.133.10.1.4 TPM Importable Key.  This is an asymmetric key (Usually
579                    RSA2048 or Elliptic Curve) which can be imported by a
580                    TPM2_Import() operation.
581
582    2.23.133.10.1.5 TPM Sealed Data.  This is a set of data (up to 128
583                    bytes) which is sealed by the TPM.  It usually
584                    represents a symmetric key and must be unsealed before
585                    use.
586
587The trusted key code only uses the TPM Sealed Data OID.
588
589emptyAuth is true if the key has well known authorization "".  If it
590is false or not present, the key requires an explicit authorization
591phrase.  This is used by most user space consumers to decide whether
592to prompt for a password.
593
594parent represents the parent key handle, either in the 0x81 MSO space,
595like 0x81000001 for the RSA primary storage key.  Userspace programmes
596also support specifying the primary handle in the 0x40 MSO space.  If
597this happens the Elliptic Curve variant of the primary key using the
598TCG defined template will be generated on the fly into a volatile
599object and used as the parent.  The current kernel code only supports
600the 0x81 MSO form.
601
602pubkey is the binary representation of TPM2B_PRIVATE excluding the
603initial TPM2B header, which can be reconstructed from the ASN.1 octet
604string length.
605
606privkey is the binary representation of TPM2B_PUBLIC excluding the
607initial TPM2B header which can be reconstructed from the ASN.1 octed
608string length.
609
610DCP Blob Format
611---------------
612
613.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
614   :doc: dcp blob format
615
616.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
617   :identifiers: struct dcp_blob_fmt
618