Would be nice if there was more lean openssl like command-line tool that would all that openssl, keyctl and tpm2-tools does in this test:
Remarks:
Would be nice if with one command at least I could get a DER blob with the binding to the machine where it is run and then use keyctl. Head hurts watching that script dump. I’m surprised that I got it working at all.
My #CI hack can do kernel CI in any possible runner: https://gitlab.com/jarkkojs/linux-tpmdd-test
It builds #BuildRoot environment and runs tests inside it. Probably this something more infrastructural, dunno have not checked :-)
I.e.
git clone https://gitlab.com/jarkkojs/linux-tpmdd-test.git
cd linux-tpmdd-test
cmake -Bbuild && make -Cbuild buildroot-prepare
make -Cbuild/buildroot/build
build/buildroot/build/images/run-tests.sh
It uses TCL’s (in)famous expect to check the output and uses socat and UNIX socket for communications with appropriate QEMU options. And yeah it supports also TPM chips so can be made to boot up modern #systemd installation (have not done so but might in future).
Runner’s ISA does not matter as everything is built up from ground, including toolchain so supports both x86 and ARM although the build itself is x86 ATM. Essentially it can run tests exactly how I would run them on desktop.
[$] What's next for the SLUB allocator https://lwn.net/Articles/974138/ #LWN
Also decrypt works:
# echo "abcdefg" > plaintext.txt
#
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
# keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
tpm2_key_rsa: parent: 0x81000001
tpm2_key_rsa: key: 0x80000001
# cat decrypted.dat
cat decrypted.dat
abcdefg
Basic smoke test that TPM2 RSA asymmetric must pass to be usable:
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256
Found the reason for -EINVAL in parsing: tpm2_key: OID is "2.23.133.10.1.3" which is not TPMSealedData
https://lore.kernel.org/linux-integrity/D1DMTJYL7TFC.3J3FM36K06ECD@kernel.org/