From: Simon J Gerraty <sjg@juniper.net>
To: freebsd-arch@freebsd.org
Subject: Kernel keyring support to offload TPM
Date: Thu, 2 May 2024 12:23:46 -0700
Message-ID: <37306.1714677826@kaos.jnpr.net>
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
We have a need for a kernel keyring or similar functionality to allow offloading crypto operations from a TPM.

The basic idea is a master keyring key wrapped by TPM. The TPM needs to unwrap it before it can be used, but that is all the TPM needs to do.

This would likely need to be done frequently - at least in FIPS mode we cannot leave idle keys unprotected in memory. The encrypted keyring would not count, so we still reduce load on the TPM.

The folk looking for this have done a proof of concept on Linux leveraging https://docs.kernel.org/security/keys/core.html, but we need similar for FreeBSD.

Wondering who else might be interested, and even better if someone is already working on something similar.

Thanks
--sjg
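The following is an added illustration of the design sketched in the post, not code from the post, from FreeBSD or from the Linux keyring subsystem. It models the three pieces the message describes: a TPM whose only job is to unwrap the master keyring key, a keyring that holds every key (including the master key) only in wrapped form, and a per-operation flow that unwraps, uses, and zeroes the plaintext so no idle key sits unprotected in memory. The `FakeTpm` and `Keyring` classes, the HMAC-based `seal`/`unseal` wrap (a stand-in for a real AEAD such as AES-GCM, chosen so the file runs with the standard library alone) and all sample keys and messages are constructed for the example; a real implementation would use the TPM's sealing primitives and a FIPS-approved cipher.

```python
"""Model of a TPM-wrapped master keyring key (constructed example)."""
import hashlib
import hmac
import os
from contextlib import contextmanager


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real AEAD, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC wrap: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob is rejected, not used."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _zero(buf: bytearray) -> None:
    """Best-effort zeroisation of a mutable buffer (Python cannot pin memory)."""
    for i in range(len(buf)):
        buf[i] = 0


class FakeTpm:
    """Stand-in for the TPM: a sealing key that never leaves it, plus op counters."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # constructed storage-root-key analogue
        self.wraps = 0
        self.unwraps = 0

    def wrap(self, master_key: bytes) -> bytes:
        self.wraps += 1
        return seal(self._srk, master_key)

    def unwrap(self, blob: bytes) -> bytes:
        self.unwraps += 1
        return unseal(self._srk, blob)


class Keyring:
    """Application keys are wrapped under the master key; the master key is
    wrapped by the TPM.  Only wrapped material persists between operations."""

    def __init__(self, tpm: FakeTpm) -> None:
        self._tpm = tpm
        master = bytearray(os.urandom(32))
        self._wrapped_master = tpm.wrap(bytes(master))
        self._entries: dict = {}
        _zero(master)

    @contextmanager
    def _master(self):
        """Unwrap via the TPM for one operation, then zero the plaintext."""
        buf = bytearray(self._tpm.unwrap(self._wrapped_master))
        try:
            yield bytes(buf)
        finally:
            _zero(buf)

    def add_key(self, name: str, key: bytes) -> None:
        with self._master() as mk:
            self._entries[name] = seal(mk, key)

    def sign(self, name: str, message: bytes) -> bytes:
        """One HMAC with a stored key; the TPM only does the master-key unwrap."""
        with self._master() as mk:
            key = bytearray(unseal(mk, self._entries[name]))
        try:
            return hmac.new(bytes(key), message, hashlib.sha256).digest()
        finally:
            _zero(key)


def demo(n_ops: int = 100) -> dict:
    """Run n_ops signing operations and report what the TPM was asked to do."""
    tpm = FakeTpm()
    ring = Keyring(tpm)
    raw = os.urandom(32)  # constructed application key
    ring.add_key("hmac-1", raw)
    msg = b"constructed message"
    expected = hmac.new(raw, msg, hashlib.sha256).digest()
    sigs = [ring.sign("hmac-1", msg) for _ in range(n_ops)]
    return {"signature_ok": all(s == expected for s in sigs),
            "tpm_unwraps": tpm.unwraps, "tpm_wraps": tpm.wraps}


def tamper_detected() -> bool:
    """Flip one ciphertext bit of the wrapped master key; unseal must refuse it."""
    ring = Keyring(FakeTpm())
    blob = bytearray(ring._wrapped_master)
    blob[20] ^= 0x01
    ring._wrapped_master = bytes(blob)
    try:
        ring.add_key("x", b"\x00" * 32)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(100), "tamper detected:", tamper_detected())
```

The accounting in `demo` is the point of the post: each signing operation costs the TPM exactly one unwrap of a 32-byte blob, while the HMAC itself runs in the keyring code, so the TPM never performs the application's crypto. Note the caveat on zeroisation: a kernel implementation can pin and explicitly clear the buffer, whereas a userland model like this one can only overwrite the `bytearray` it controls, which is why the idle-key guarantee the post wants belongs in the kernel.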