On Tue, Jan 16, 2024 at 10:39:45AM -0500, James Bottomley wrote:
> On Tue, 2024-01-16 at 17:20 +0800, Gary Lin via Grub-devel wrote:
> [...]
> > (*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> > (*2) https://github.com/okirch/pcr-oracle
>
> Just a curiosity question, but have you tested the interoperability of
> pcr-oracle keys? It looks like you got the ASN header straight from
> openssl_tpm2_engine, so it should all just work, but verifying that the
> seal/unseal and sign_tpm2_policy commands from openssl_tpm2_engine:
>
> https://build.opensuse.org/package/show/security:tls/openssl_tpm2_engine
>
> can be used to create sealed keys for this code would nicely verify
> that.
>
I have to admit that the interoperability is not considered since the
sealed key is designed to be only valid in a short window and capped
after loading the Linux kernel. However, it'd be nice to verify the
format with other programs like openssl_tpm2_engine.
My playground of grub2 is an openSUSE Tumbleweed VM and
openssl_tpm2_engine is available. Will check if the key file from
pcr-oracle works for openssl_tpm2_engine.

Thanks,

Gary Lin