# [SOLVED] IMA, EVM, TPM, and keyctl

## salahx

I'm currently experimenting with TPM hardware via virtual machines using swtpm and qemu, and the main machine has a real TPM on it. I'm tying to create keys for EVM, but neither the Gentoo Wiki examples nor the offical ones work as far as creating the EVM key from a TPM.

These are the commands they tell you to run: 

```
modprobe trusted

modprobe encrypted

keyctl add trusted kmk-trusted "new 32" @u

keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob

keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u

keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob
```

The first key, "kmk-trusted" saved normally (it took a little work under systemd, however - I had to "keyctl link @u @s" to get it to work). However, the last command fails with "keyctl_read_alloc: Operation not supported", on both the virtual TPM and on a real one. 

The non-TPM version works, however:

```
modprobe encrypted

keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u

keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob

keyctl add encrypted evm-key "new user:kmk-user 32" @u

keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-user.blob
```

I want to do the first example: Create a TPM key that will be used to encrypt the EVM key. How do I make this work?Last edited by salahx on Wed Feb 13, 2019 4:40 am; edited 1 time in total

----------

## salahx

SOLVED! Its WAS a kernel bug, not me. However, its only triggered when the "trusted" module is modular and the "encrypted" module is built in. One I made them both built-in , it worked! I had to analyze the source code of the Linux kernel which took me a while but i finally figured it out

The problem appears to be in /usr/src/linux/security/keys/encrypted-keys/encrypted.h:

```

#if defined(CONFIG_TRUSTED_KEYS) || \

  (defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))

extern struct key *request_trusted_key(const char *trusted_desc,

                                       const u8 **master_key, size_t *master_keylen);

#else

static inline struct key *request_trusted_key(const char *trusted_desc,

                                              const u8 **master_key,

                                              size_t *master_keylen)

{

        return ERR_PTR(-EOPNOTSUPP);

}

#endif

```

The first #if covers the case where the "trusted" is built in, or both "trusted" and "encrypted" are built as modules, but not "encrypted" built-in and "trusted" as a module. Now whether or not the problem is simple as changing the #if will require some experimentation.

----------

## glassman

I know this is solved, and salahx has been kind enough to reply in a private message about how to use this on a TPM 2.0 chip, but I'm receiving some error messages that I'm not quite sure how to work out. I'm following a guide on sourceforge for IMA/EVM, and I'm in the Creating Trusted and EVM Encrypted Keys section that can be found here: https://sourceforge.net/p/linux-ima/wiki/Home/#creating-trusted-and-evm-encrypted-keys.

I start with the first few commands, but I am immediately greeted with an error when using keyctl pipe, after making a new key in the trusted keyring:

```
user@hostname:~ $ sudo modprobe trusted encrypted

user@hostname:~ $ sudo keyctl add trusted kmk-trusted "new 32 keyhandle=0x81010001" @u

77506649

user@hostname~ $ sudo keyctl pipe `keyctl search @u trusted kmk-trusted` >/etc/keys/kmk-trusted.blob

keyctl_search: Required key not available

-bash: /etc/keys/kmk-trusted.blob: Permission denied
```

Since I'm also getting a search error, I then pivot by instead using the key name in place of using the backtick where keyctl search was inserted.

```
user@hostname:~ $ sudo keyctl pipe 77506649 >/etc/keys/kmk-trusted.blob

-bash: /etc/keys/kmk-trusted.blob: Permission denied
```

Since I'm not receiving a search error but instead receiving a permission denied error, I do the only thing I can think of now and chmod the directory of /etc/keys:

```
user@hostname:~ $ sudo chmod -R 777 /etc/keys

user@hostname:~ $ ls -al /etc/keys

total 8

drwxrwxrwx.   2 root root 4096 Sep 18 15:52 .

drwxr-xr-x. 114 root root 4096 Sep 19 15:40 ..

user@hostname:~ $ sudo keyctl pipe 77506649 >/etc/keys/kmk-trusted.blob

keyctl_read_alloc: Permission denied
```

I am no longer receiving a permission denied error from bash, but instead I am now getting a permission denied error when the key is attempting to be read, so I try to show the key and am greeted with the expected permission denied error again.

```
user@hostname:~ $ keyctl show 77506649

Keyring

Unable to dump key: Permission denied
```

After searching for a while, I saw on another forum where someone had linked the user and session keyring and then changed permissions of the key by using the setperm command. Here is my own attempt to do so.

```
user@hostname:~ $ keyctl link @u @s

user@hostname:~ $ sudo keyctl setperm 77506649 0x3f3f0000

keyctl_setperm: Permission denied
```

For some reason, even setperm cannot set permissions, which is really frustrating. I'm not sure what to do here, and I do not mean to hijack the thread, but I don't know where to post this as I can't find a forum where people are not only knowledgeable enough about this subject (myself included), but have also had this specific issue with a TPM 2.0 chip.

----------

