tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / security / keys / trusted.c
at v3.2-rc2 1191 lines 29 kB view raw
1/* 2 * Copyright (C) 2010 IBM Corporation 3 * 4 * Author: 5 * David Safford <safford@us.ibm.com> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation, version 2 of the License. 10 * 11 * See Documentation/security/keys-trusted-encrypted.txt 12 */ 13 14#include <linux/uaccess.h> 15#include <linux/module.h> 16#include <linux/init.h> 17#include <linux/slab.h> 18#include <linux/parser.h> 19#include <linux/string.h> 20#include <linux/err.h> 21#include <keys/user-type.h> 22#include <keys/trusted-type.h> 23#include <linux/key-type.h> 24#include <linux/rcupdate.h> 25#include <linux/crypto.h> 26#include <crypto/hash.h> 27#include <crypto/sha.h> 28#include <linux/capability.h> 29#include <linux/tpm.h> 30#include <linux/tpm_command.h> 31 32#include "trusted.h" 33 34static const char hmac_alg[] = "hmac(sha1)"; 35static const char hash_alg[] = "sha1"; 36 37struct sdesc { 38 struct shash_desc shash; 39 char ctx[]; 40}; 41 42static struct crypto_shash *hashalg; 43static struct crypto_shash *hmacalg; 44 45static struct sdesc *init_sdesc(struct crypto_shash *alg) 46{ 47 struct sdesc *sdesc; 48 int size; 49 50 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 51 sdesc = kmalloc(size, GFP_KERNEL); 52 if (!sdesc) 53 return ERR_PTR(-ENOMEM); 54 sdesc->shash.tfm = alg; 55 sdesc->shash.flags = 0x0; 56 return sdesc; 57} 58 59static int TSS_sha1(const unsigned char *data, unsigned int datalen, 60 unsigned char *digest) 61{ 62 struct sdesc *sdesc; 63 int ret; 64 65 sdesc = init_sdesc(hashalg); 66 if (IS_ERR(sdesc)) { 67 pr_info("trusted_key: can't alloc %s\n", hash_alg); 68 return PTR_ERR(sdesc); 69 } 70 71 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 72 kfree(sdesc); 73 return ret; 74} 75 76static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 77 unsigned int keylen, ...) 78{ 79 struct sdesc *sdesc; 80 va_list argp; 81 unsigned int dlen; 82 unsigned char *data; 83 int ret; 84 85 sdesc = init_sdesc(hmacalg); 86 if (IS_ERR(sdesc)) { 87 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 88 return PTR_ERR(sdesc); 89 } 90 91 ret = crypto_shash_setkey(hmacalg, key, keylen); 92 if (ret < 0) 93 goto out; 94 ret = crypto_shash_init(&sdesc->shash); 95 if (ret < 0) 96 goto out; 97 98 va_start(argp, keylen); 99 for (;;) { 100 dlen = va_arg(argp, unsigned int); 101 if (dlen == 0) 102 break; 103 data = va_arg(argp, unsigned char *); 104 if (data == NULL) { 105 ret = -EINVAL; 106 break; 107 } 108 ret = crypto_shash_update(&sdesc->shash, data, dlen); 109 if (ret < 0) 110 break; 111 } 112 va_end(argp); 113 if (!ret) 114 ret = crypto_shash_final(&sdesc->shash, digest); 115out: 116 kfree(sdesc); 117 return ret; 118} 119 120/* 121 * calculate authorization info fields to send to TPM 122 */ 123static int TSS_authhmac(unsigned char *digest, const unsigned char *key, 124 unsigned int keylen, unsigned char *h1, 125 unsigned char *h2, unsigned char h3, ...) 126{ 127 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 128 struct sdesc *sdesc; 129 unsigned int dlen; 130 unsigned char *data; 131 unsigned char c; 132 int ret; 133 va_list argp; 134 135 sdesc = init_sdesc(hashalg); 136 if (IS_ERR(sdesc)) { 137 pr_info("trusted_key: can't alloc %s\n", hash_alg); 138 return PTR_ERR(sdesc); 139 } 140 141 c = h3; 142 ret = crypto_shash_init(&sdesc->shash); 143 if (ret < 0) 144 goto out; 145 va_start(argp, h3); 146 for (;;) { 147 dlen = va_arg(argp, unsigned int); 148 if (dlen == 0) 149 break; 150 data = va_arg(argp, unsigned char *); 151 if (!data) { 152 ret = -EINVAL; 153 break; 154 } 155 ret = crypto_shash_update(&sdesc->shash, data, dlen); 156 if (ret < 0) 157 break; 158 } 159 va_end(argp); 160 if (!ret) 161 ret = crypto_shash_final(&sdesc->shash, paramdigest); 162 if (!ret) 163 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 164 paramdigest, TPM_NONCE_SIZE, h1, 165 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 166out: 167 kfree(sdesc); 168 return ret; 169} 170 171/* 172 * verify the AUTH1_COMMAND (Seal) result from TPM 173 */ 174static int TSS_checkhmac1(unsigned char *buffer, 175 const uint32_t command, 176 const unsigned char *ononce, 177 const unsigned char *key, 178 unsigned int keylen, ...) 179{ 180 uint32_t bufsize; 181 uint16_t tag; 182 uint32_t ordinal; 183 uint32_t result; 184 unsigned char *enonce; 185 unsigned char *continueflag; 186 unsigned char *authdata; 187 unsigned char testhmac[SHA1_DIGEST_SIZE]; 188 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 189 struct sdesc *sdesc; 190 unsigned int dlen; 191 unsigned int dpos; 192 va_list argp; 193 int ret; 194 195 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 196 tag = LOAD16(buffer, 0); 197 ordinal = command; 198 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 199 if (tag == TPM_TAG_RSP_COMMAND) 200 return 0; 201 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 202 return -EINVAL; 203 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 204 continueflag = authdata - 1; 205 enonce = continueflag - TPM_NONCE_SIZE; 206 207 sdesc = init_sdesc(hashalg); 208 if (IS_ERR(sdesc)) { 209 pr_info("trusted_key: can't alloc %s\n", hash_alg); 210 return PTR_ERR(sdesc); 211 } 212 ret = crypto_shash_init(&sdesc->shash); 213 if (ret < 0) 214 goto out; 215 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 216 sizeof result); 217 if (ret < 0) 218 goto out; 219 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 220 sizeof ordinal); 221 if (ret < 0) 222 goto out; 223 va_start(argp, keylen); 224 for (;;) { 225 dlen = va_arg(argp, unsigned int); 226 if (dlen == 0) 227 break; 228 dpos = va_arg(argp, unsigned int); 229 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 230 if (ret < 0) 231 break; 232 } 233 va_end(argp); 234 if (!ret) 235 ret = crypto_shash_final(&sdesc->shash, paramdigest); 236 if (ret < 0) 237 goto out; 238 239 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 240 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 241 1, continueflag, 0, 0); 242 if (ret < 0) 243 goto out; 244 245 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 246 ret = -EINVAL; 247out: 248 kfree(sdesc); 249 return ret; 250} 251 252/* 253 * verify the AUTH2_COMMAND (unseal) result from TPM 254 */ 255static int TSS_checkhmac2(unsigned char *buffer, 256 const uint32_t command, 257 const unsigned char *ononce, 258 const unsigned char *key1, 259 unsigned int keylen1, 260 const unsigned char *key2, 261 unsigned int keylen2, ...) 262{ 263 uint32_t bufsize; 264 uint16_t tag; 265 uint32_t ordinal; 266 uint32_t result; 267 unsigned char *enonce1; 268 unsigned char *continueflag1; 269 unsigned char *authdata1; 270 unsigned char *enonce2; 271 unsigned char *continueflag2; 272 unsigned char *authdata2; 273 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 274 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 275 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 276 struct sdesc *sdesc; 277 unsigned int dlen; 278 unsigned int dpos; 279 va_list argp; 280 int ret; 281 282 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 283 tag = LOAD16(buffer, 0); 284 ordinal = command; 285 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 286 287 if (tag == TPM_TAG_RSP_COMMAND) 288 return 0; 289 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 290 return -EINVAL; 291 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 292 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 293 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 294 continueflag1 = authdata1 - 1; 295 continueflag2 = authdata2 - 1; 296 enonce1 = continueflag1 - TPM_NONCE_SIZE; 297 enonce2 = continueflag2 - TPM_NONCE_SIZE; 298 299 sdesc = init_sdesc(hashalg); 300 if (IS_ERR(sdesc)) { 301 pr_info("trusted_key: can't alloc %s\n", hash_alg); 302 return PTR_ERR(sdesc); 303 } 304 ret = crypto_shash_init(&sdesc->shash); 305 if (ret < 0) 306 goto out; 307 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 308 sizeof result); 309 if (ret < 0) 310 goto out; 311 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 312 sizeof ordinal); 313 if (ret < 0) 314 goto out; 315 316 va_start(argp, keylen2); 317 for (;;) { 318 dlen = va_arg(argp, unsigned int); 319 if (dlen == 0) 320 break; 321 dpos = va_arg(argp, unsigned int); 322 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 323 if (ret < 0) 324 break; 325 } 326 va_end(argp); 327 if (!ret) 328 ret = crypto_shash_final(&sdesc->shash, paramdigest); 329 if (ret < 0) 330 goto out; 331 332 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 333 paramdigest, TPM_NONCE_SIZE, enonce1, 334 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 335 if (ret < 0) 336 goto out; 337 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 338 ret = -EINVAL; 339 goto out; 340 } 341 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 342 paramdigest, TPM_NONCE_SIZE, enonce2, 343 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 344 if (ret < 0) 345 goto out; 346 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 347 ret = -EINVAL; 348out: 349 kfree(sdesc); 350 return ret; 351} 352 353/* 354 * For key specific tpm requests, we will generate and send our 355 * own TPM command packets using the drivers send function. 356 */ 357static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd, 358 size_t buflen) 359{ 360 int rc; 361 362 dump_tpm_buf(cmd); 363 rc = tpm_send(chip_num, cmd, buflen); 364 dump_tpm_buf(cmd); 365 if (rc > 0) 366 /* Can't return positive return codes values to keyctl */ 367 rc = -EPERM; 368 return rc; 369} 370 371/* 372 * get a random value from TPM 373 */ 374static int tpm_get_random(struct tpm_buf *tb, unsigned char *buf, uint32_t len) 375{ 376 int ret; 377 378 INIT_BUF(tb); 379 store16(tb, TPM_TAG_RQU_COMMAND); 380 store32(tb, TPM_GETRANDOM_SIZE); 381 store32(tb, TPM_ORD_GETRANDOM); 382 store32(tb, len); 383 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, sizeof tb->data); 384 if (!ret) 385 memcpy(buf, tb->data + TPM_GETRANDOM_SIZE, len); 386 return ret; 387} 388 389static int my_get_random(unsigned char *buf, int len) 390{ 391 struct tpm_buf *tb; 392 int ret; 393 394 tb = kmalloc(sizeof *tb, GFP_KERNEL); 395 if (!tb) 396 return -ENOMEM; 397 ret = tpm_get_random(tb, buf, len); 398 399 kfree(tb); 400 return ret; 401} 402 403/* 404 * Lock a trusted key, by extending a selected PCR. 405 * 406 * Prevents a trusted key that is sealed to PCRs from being accessed. 407 * This uses the tpm driver's extend function. 408 */ 409static int pcrlock(const int pcrnum) 410{ 411 unsigned char hash[SHA1_DIGEST_SIZE]; 412 int ret; 413 414 if (!capable(CAP_SYS_ADMIN)) 415 return -EPERM; 416 ret = my_get_random(hash, SHA1_DIGEST_SIZE); 417 if (ret < 0) 418 return ret; 419 return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0; 420} 421 422/* 423 * Create an object specific authorisation protocol (OSAP) session 424 */ 425static int osap(struct tpm_buf *tb, struct osapsess *s, 426 const unsigned char *key, uint16_t type, uint32_t handle) 427{ 428 unsigned char enonce[TPM_NONCE_SIZE]; 429 unsigned char ononce[TPM_NONCE_SIZE]; 430 int ret; 431 432 ret = tpm_get_random(tb, ononce, TPM_NONCE_SIZE); 433 if (ret < 0) 434 return ret; 435 436 INIT_BUF(tb); 437 store16(tb, TPM_TAG_RQU_COMMAND); 438 store32(tb, TPM_OSAP_SIZE); 439 store32(tb, TPM_ORD_OSAP); 440 store16(tb, type); 441 store32(tb, handle); 442 storebytes(tb, ononce, TPM_NONCE_SIZE); 443 444 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 445 if (ret < 0) 446 return ret; 447 448 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 449 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 450 TPM_NONCE_SIZE); 451 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 452 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 453 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 454 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 455} 456 457/* 458 * Create an object independent authorisation protocol (oiap) session 459 */ 460static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 461{ 462 int ret; 463 464 INIT_BUF(tb); 465 store16(tb, TPM_TAG_RQU_COMMAND); 466 store32(tb, TPM_OIAP_SIZE); 467 store32(tb, TPM_ORD_OIAP); 468 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 469 if (ret < 0) 470 return ret; 471 472 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 473 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 474 TPM_NONCE_SIZE); 475 return 0; 476} 477 478struct tpm_digests { 479 unsigned char encauth[SHA1_DIGEST_SIZE]; 480 unsigned char pubauth[SHA1_DIGEST_SIZE]; 481 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 482 unsigned char xorhash[SHA1_DIGEST_SIZE]; 483 unsigned char nonceodd[TPM_NONCE_SIZE]; 484}; 485 486/* 487 * Have the TPM seal(encrypt) the trusted key, possibly based on 488 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 489 */ 490static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 491 uint32_t keyhandle, const unsigned char *keyauth, 492 const unsigned char *data, uint32_t datalen, 493 unsigned char *blob, uint32_t *bloblen, 494 const unsigned char *blobauth, 495 const unsigned char *pcrinfo, uint32_t pcrinfosize) 496{ 497 struct osapsess sess; 498 struct tpm_digests *td; 499 unsigned char cont; 500 uint32_t ordinal; 501 uint32_t pcrsize; 502 uint32_t datsize; 503 int sealinfosize; 504 int encdatasize; 505 int storedsize; 506 int ret; 507 int i; 508 509 /* alloc some work space for all the hashes */ 510 td = kmalloc(sizeof *td, GFP_KERNEL); 511 if (!td) 512 return -ENOMEM; 513 514 /* get session for sealing key */ 515 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 516 if (ret < 0) 517 goto out; 518 dump_sess(&sess); 519 520 /* calculate encrypted authorization value */ 521 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 522 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 523 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 524 if (ret < 0) 525 goto out; 526 527 ret = tpm_get_random(tb, td->nonceodd, TPM_NONCE_SIZE); 528 if (ret < 0) 529 goto out; 530 ordinal = htonl(TPM_ORD_SEAL); 531 datsize = htonl(datalen); 532 pcrsize = htonl(pcrinfosize); 533 cont = 0; 534 535 /* encrypt data authorization key */ 536 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 537 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 538 539 /* calculate authorization HMAC value */ 540 if (pcrinfosize == 0) { 541 /* no pcr info specified */ 542 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 543 sess.enonce, td->nonceodd, cont, 544 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 545 td->encauth, sizeof(uint32_t), &pcrsize, 546 sizeof(uint32_t), &datsize, datalen, data, 0, 547 0); 548 } else { 549 /* pcr info specified */ 550 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 551 sess.enonce, td->nonceodd, cont, 552 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 553 td->encauth, sizeof(uint32_t), &pcrsize, 554 pcrinfosize, pcrinfo, sizeof(uint32_t), 555 &datsize, datalen, data, 0, 0); 556 } 557 if (ret < 0) 558 goto out; 559 560 /* build and send the TPM request packet */ 561 INIT_BUF(tb); 562 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); 563 store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen); 564 store32(tb, TPM_ORD_SEAL); 565 store32(tb, keyhandle); 566 storebytes(tb, td->encauth, SHA1_DIGEST_SIZE); 567 store32(tb, pcrinfosize); 568 storebytes(tb, pcrinfo, pcrinfosize); 569 store32(tb, datalen); 570 storebytes(tb, data, datalen); 571 store32(tb, sess.handle); 572 storebytes(tb, td->nonceodd, TPM_NONCE_SIZE); 573 store8(tb, cont); 574 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 575 576 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 577 if (ret < 0) 578 goto out; 579 580 /* calculate the size of the returned Blob */ 581 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 582 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 583 sizeof(uint32_t) + sealinfosize); 584 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 585 sizeof(uint32_t) + encdatasize; 586 587 /* check the HMAC in the response */ 588 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 589 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 590 0); 591 592 /* copy the returned blob to caller */ 593 if (!ret) { 594 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 595 *bloblen = storedsize; 596 } 597out: 598 kfree(td); 599 return ret; 600} 601 602/* 603 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 604 */ 605static int tpm_unseal(struct tpm_buf *tb, 606 uint32_t keyhandle, const unsigned char *keyauth, 607 const unsigned char *blob, int bloblen, 608 const unsigned char *blobauth, 609 unsigned char *data, unsigned int *datalen) 610{ 611 unsigned char nonceodd[TPM_NONCE_SIZE]; 612 unsigned char enonce1[TPM_NONCE_SIZE]; 613 unsigned char enonce2[TPM_NONCE_SIZE]; 614 unsigned char authdata1[SHA1_DIGEST_SIZE]; 615 unsigned char authdata2[SHA1_DIGEST_SIZE]; 616 uint32_t authhandle1 = 0; 617 uint32_t authhandle2 = 0; 618 unsigned char cont = 0; 619 uint32_t ordinal; 620 uint32_t keyhndl; 621 int ret; 622 623 /* sessions for unsealing key and data */ 624 ret = oiap(tb, &authhandle1, enonce1); 625 if (ret < 0) { 626 pr_info("trusted_key: oiap failed (%d)\n", ret); 627 return ret; 628 } 629 ret = oiap(tb, &authhandle2, enonce2); 630 if (ret < 0) { 631 pr_info("trusted_key: oiap failed (%d)\n", ret); 632 return ret; 633 } 634 635 ordinal = htonl(TPM_ORD_UNSEAL); 636 keyhndl = htonl(SRKHANDLE); 637 ret = tpm_get_random(tb, nonceodd, TPM_NONCE_SIZE); 638 if (ret < 0) { 639 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 640 return ret; 641 } 642 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 643 enonce1, nonceodd, cont, sizeof(uint32_t), 644 &ordinal, bloblen, blob, 0, 0); 645 if (ret < 0) 646 return ret; 647 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 648 enonce2, nonceodd, cont, sizeof(uint32_t), 649 &ordinal, bloblen, blob, 0, 0); 650 if (ret < 0) 651 return ret; 652 653 /* build and send TPM request packet */ 654 INIT_BUF(tb); 655 store16(tb, TPM_TAG_RQU_AUTH2_COMMAND); 656 store32(tb, TPM_UNSEAL_SIZE + bloblen); 657 store32(tb, TPM_ORD_UNSEAL); 658 store32(tb, keyhandle); 659 storebytes(tb, blob, bloblen); 660 store32(tb, authhandle1); 661 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 662 store8(tb, cont); 663 storebytes(tb, authdata1, SHA1_DIGEST_SIZE); 664 store32(tb, authhandle2); 665 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 666 store8(tb, cont); 667 storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 668 669 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 670 if (ret < 0) { 671 pr_info("trusted_key: authhmac failed (%d)\n", ret); 672 return ret; 673 } 674 675 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 676 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 677 keyauth, SHA1_DIGEST_SIZE, 678 blobauth, SHA1_DIGEST_SIZE, 679 sizeof(uint32_t), TPM_DATA_OFFSET, 680 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 681 0); 682 if (ret < 0) { 683 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 684 return ret; 685 } 686 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 687 return 0; 688} 689 690/* 691 * Have the TPM seal(encrypt) the symmetric key 692 */ 693static int key_seal(struct trusted_key_payload *p, 694 struct trusted_key_options *o) 695{ 696 struct tpm_buf *tb; 697 int ret; 698 699 tb = kzalloc(sizeof *tb, GFP_KERNEL); 700 if (!tb) 701 return -ENOMEM; 702 703 /* include migratable flag at end of sealed key */ 704 p->key[p->key_len] = p->migratable; 705 706 ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth, 707 p->key, p->key_len + 1, p->blob, &p->blob_len, 708 o->blobauth, o->pcrinfo, o->pcrinfo_len); 709 if (ret < 0) 710 pr_info("trusted_key: srkseal failed (%d)\n", ret); 711 712 kfree(tb); 713 return ret; 714} 715 716/* 717 * Have the TPM unseal(decrypt) the symmetric key 718 */ 719static int key_unseal(struct trusted_key_payload *p, 720 struct trusted_key_options *o) 721{ 722 struct tpm_buf *tb; 723 int ret; 724 725 tb = kzalloc(sizeof *tb, GFP_KERNEL); 726 if (!tb) 727 return -ENOMEM; 728 729 ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 730 o->blobauth, p->key, &p->key_len); 731 if (ret < 0) 732 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 733 else 734 /* pull migratable flag out of sealed key */ 735 p->migratable = p->key[--p->key_len]; 736 737 kfree(tb); 738 return ret; 739} 740 741enum { 742 Opt_err = -1, 743 Opt_new, Opt_load, Opt_update, 744 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 745 Opt_pcrinfo, Opt_pcrlock, Opt_migratable 746}; 747 748static const match_table_t key_tokens = { 749 {Opt_new, "new"}, 750 {Opt_load, "load"}, 751 {Opt_update, "update"}, 752 {Opt_keyhandle, "keyhandle=%s"}, 753 {Opt_keyauth, "keyauth=%s"}, 754 {Opt_blobauth, "blobauth=%s"}, 755 {Opt_pcrinfo, "pcrinfo=%s"}, 756 {Opt_pcrlock, "pcrlock=%s"}, 757 {Opt_migratable, "migratable=%s"}, 758 {Opt_err, NULL} 759}; 760 761/* can have zero or more token= options */ 762static int getoptions(char *c, struct trusted_key_payload *pay, 763 struct trusted_key_options *opt) 764{ 765 substring_t args[MAX_OPT_ARGS]; 766 char *p = c; 767 int token; 768 int res; 769 unsigned long handle; 770 unsigned long lock; 771 772 while ((p = strsep(&c, " \t"))) { 773 if (*p == '\0' || *p == ' ' || *p == '\t') 774 continue; 775 token = match_token(p, key_tokens, args); 776 777 switch (token) { 778 case Opt_pcrinfo: 779 opt->pcrinfo_len = strlen(args[0].from) / 2; 780 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 781 return -EINVAL; 782 res = hex2bin(opt->pcrinfo, args[0].from, 783 opt->pcrinfo_len); 784 if (res < 0) 785 return -EINVAL; 786 break; 787 case Opt_keyhandle: 788 res = strict_strtoul(args[0].from, 16, &handle); 789 if (res < 0) 790 return -EINVAL; 791 opt->keytype = SEAL_keytype; 792 opt->keyhandle = handle; 793 break; 794 case Opt_keyauth: 795 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 796 return -EINVAL; 797 res = hex2bin(opt->keyauth, args[0].from, 798 SHA1_DIGEST_SIZE); 799 if (res < 0) 800 return -EINVAL; 801 break; 802 case Opt_blobauth: 803 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 804 return -EINVAL; 805 res = hex2bin(opt->blobauth, args[0].from, 806 SHA1_DIGEST_SIZE); 807 if (res < 0) 808 return -EINVAL; 809 break; 810 case Opt_migratable: 811 if (*args[0].from == '0') 812 pay->migratable = 0; 813 else 814 return -EINVAL; 815 break; 816 case Opt_pcrlock: 817 res = strict_strtoul(args[0].from, 10, &lock); 818 if (res < 0) 819 return -EINVAL; 820 opt->pcrlock = lock; 821 break; 822 default: 823 return -EINVAL; 824 } 825 } 826 return 0; 827} 828 829/* 830 * datablob_parse - parse the keyctl data and fill in the 831 * payload and options structures 832 * 833 * On success returns 0, otherwise -EINVAL. 834 */ 835static int datablob_parse(char *datablob, struct trusted_key_payload *p, 836 struct trusted_key_options *o) 837{ 838 substring_t args[MAX_OPT_ARGS]; 839 long keylen; 840 int ret = -EINVAL; 841 int key_cmd; 842 char *c; 843 844 /* main command */ 845 c = strsep(&datablob, " \t"); 846 if (!c) 847 return -EINVAL; 848 key_cmd = match_token(c, key_tokens, args); 849 switch (key_cmd) { 850 case Opt_new: 851 /* first argument is key size */ 852 c = strsep(&datablob, " \t"); 853 if (!c) 854 return -EINVAL; 855 ret = strict_strtol(c, 10, &keylen); 856 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 857 return -EINVAL; 858 p->key_len = keylen; 859 ret = getoptions(datablob, p, o); 860 if (ret < 0) 861 return ret; 862 ret = Opt_new; 863 break; 864 case Opt_load: 865 /* first argument is sealed blob */ 866 c = strsep(&datablob, " \t"); 867 if (!c) 868 return -EINVAL; 869 p->blob_len = strlen(c) / 2; 870 if (p->blob_len > MAX_BLOB_SIZE) 871 return -EINVAL; 872 ret = hex2bin(p->blob, c, p->blob_len); 873 if (ret < 0) 874 return -EINVAL; 875 ret = getoptions(datablob, p, o); 876 if (ret < 0) 877 return ret; 878 ret = Opt_load; 879 break; 880 case Opt_update: 881 /* all arguments are options */ 882 ret = getoptions(datablob, p, o); 883 if (ret < 0) 884 return ret; 885 ret = Opt_update; 886 break; 887 case Opt_err: 888 return -EINVAL; 889 break; 890 } 891 return ret; 892} 893 894static struct trusted_key_options *trusted_options_alloc(void) 895{ 896 struct trusted_key_options *options; 897 898 options = kzalloc(sizeof *options, GFP_KERNEL); 899 if (options) { 900 /* set any non-zero defaults */ 901 options->keytype = SRK_keytype; 902 options->keyhandle = SRKHANDLE; 903 } 904 return options; 905} 906 907static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 908{ 909 struct trusted_key_payload *p = NULL; 910 int ret; 911 912 ret = key_payload_reserve(key, sizeof *p); 913 if (ret < 0) 914 return p; 915 p = kzalloc(sizeof *p, GFP_KERNEL); 916 if (p) 917 p->migratable = 1; /* migratable by default */ 918 return p; 919} 920 921/* 922 * trusted_instantiate - create a new trusted key 923 * 924 * Unseal an existing trusted blob or, for a new key, get a 925 * random key, then seal and create a trusted key-type key, 926 * adding it to the specified keyring. 927 * 928 * On success, return 0. Otherwise return errno. 929 */ 930static int trusted_instantiate(struct key *key, const void *data, 931 size_t datalen) 932{ 933 struct trusted_key_payload *payload = NULL; 934 struct trusted_key_options *options = NULL; 935 char *datablob; 936 int ret = 0; 937 int key_cmd; 938 939 if (datalen <= 0 || datalen > 32767 || !data) 940 return -EINVAL; 941 942 datablob = kmalloc(datalen + 1, GFP_KERNEL); 943 if (!datablob) 944 return -ENOMEM; 945 memcpy(datablob, data, datalen); 946 datablob[datalen] = '\0'; 947 948 options = trusted_options_alloc(); 949 if (!options) { 950 ret = -ENOMEM; 951 goto out; 952 } 953 payload = trusted_payload_alloc(key); 954 if (!payload) { 955 ret = -ENOMEM; 956 goto out; 957 } 958 959 key_cmd = datablob_parse(datablob, payload, options); 960 if (key_cmd < 0) { 961 ret = key_cmd; 962 goto out; 963 } 964 965 dump_payload(payload); 966 dump_options(options); 967 968 switch (key_cmd) { 969 case Opt_load: 970 ret = key_unseal(payload, options); 971 dump_payload(payload); 972 dump_options(options); 973 if (ret < 0) 974 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 975 break; 976 case Opt_new: 977 ret = my_get_random(payload->key, payload->key_len); 978 if (ret < 0) { 979 pr_info("trusted_key: key_create failed (%d)\n", ret); 980 goto out; 981 } 982 ret = key_seal(payload, options); 983 if (ret < 0) 984 pr_info("trusted_key: key_seal failed (%d)\n", ret); 985 break; 986 default: 987 ret = -EINVAL; 988 goto out; 989 } 990 if (!ret && options->pcrlock) 991 ret = pcrlock(options->pcrlock); 992out: 993 kfree(datablob); 994 kfree(options); 995 if (!ret) 996 rcu_assign_pointer(key->payload.data, payload); 997 else 998 kfree(payload); 999 return ret; 1000} 1001 1002static void trusted_rcu_free(struct rcu_head *rcu) 1003{ 1004 struct trusted_key_payload *p; 1005 1006 p = container_of(rcu, struct trusted_key_payload, rcu); 1007 memset(p->key, 0, p->key_len); 1008 kfree(p); 1009} 1010 1011/* 1012 * trusted_update - reseal an existing key with new PCR values 1013 */ 1014static int trusted_update(struct key *key, const void *data, size_t datalen) 1015{ 1016 struct trusted_key_payload *p = key->payload.data; 1017 struct trusted_key_payload *new_p; 1018 struct trusted_key_options *new_o; 1019 char *datablob; 1020 int ret = 0; 1021 1022 if (!p->migratable) 1023 return -EPERM; 1024 if (datalen <= 0 || datalen > 32767 || !data) 1025 return -EINVAL; 1026 1027 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1028 if (!datablob) 1029 return -ENOMEM; 1030 new_o = trusted_options_alloc(); 1031 if (!new_o) { 1032 ret = -ENOMEM; 1033 goto out; 1034 } 1035 new_p = trusted_payload_alloc(key); 1036 if (!new_p) { 1037 ret = -ENOMEM; 1038 goto out; 1039 } 1040 1041 memcpy(datablob, data, datalen); 1042 datablob[datalen] = '\0'; 1043 ret = datablob_parse(datablob, new_p, new_o); 1044 if (ret != Opt_update) { 1045 ret = -EINVAL; 1046 kfree(new_p); 1047 goto out; 1048 } 1049 /* copy old key values, and reseal with new pcrs */ 1050 new_p->migratable = p->migratable; 1051 new_p->key_len = p->key_len; 1052 memcpy(new_p->key, p->key, p->key_len); 1053 dump_payload(p); 1054 dump_payload(new_p); 1055 1056 ret = key_seal(new_p, new_o); 1057 if (ret < 0) { 1058 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1059 kfree(new_p); 1060 goto out; 1061 } 1062 if (new_o->pcrlock) { 1063 ret = pcrlock(new_o->pcrlock); 1064 if (ret < 0) { 1065 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1066 kfree(new_p); 1067 goto out; 1068 } 1069 } 1070 rcu_assign_pointer(key->payload.data, new_p); 1071 call_rcu(&p->rcu, trusted_rcu_free); 1072out: 1073 kfree(datablob); 1074 kfree(new_o); 1075 return ret; 1076} 1077 1078/* 1079 * trusted_read - copy the sealed blob data to userspace in hex. 1080 * On success, return to userspace the trusted key datablob size. 1081 */ 1082static long trusted_read(const struct key *key, char __user *buffer, 1083 size_t buflen) 1084{ 1085 struct trusted_key_payload *p; 1086 char *ascii_buf; 1087 char *bufp; 1088 int i; 1089 1090 p = rcu_dereference_key(key); 1091 if (!p) 1092 return -EINVAL; 1093 if (!buffer || buflen <= 0) 1094 return 2 * p->blob_len; 1095 ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL); 1096 if (!ascii_buf) 1097 return -ENOMEM; 1098 1099 bufp = ascii_buf; 1100 for (i = 0; i < p->blob_len; i++) 1101 bufp = hex_byte_pack(bufp, p->blob[i]); 1102 if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) { 1103 kfree(ascii_buf); 1104 return -EFAULT; 1105 } 1106 kfree(ascii_buf); 1107 return 2 * p->blob_len; 1108} 1109 1110/* 1111 * trusted_destroy - before freeing the key, clear the decrypted data 1112 */ 1113static void trusted_destroy(struct key *key) 1114{ 1115 struct trusted_key_payload *p = key->payload.data; 1116 1117 if (!p) 1118 return; 1119 memset(p->key, 0, p->key_len); 1120 kfree(key->payload.data); 1121} 1122 1123struct key_type key_type_trusted = { 1124 .name = "trusted", 1125 .instantiate = trusted_instantiate, 1126 .update = trusted_update, 1127 .match = user_match, 1128 .destroy = trusted_destroy, 1129 .describe = user_describe, 1130 .read = trusted_read, 1131}; 1132 1133EXPORT_SYMBOL_GPL(key_type_trusted); 1134 1135static void trusted_shash_release(void) 1136{ 1137 if (hashalg) 1138 crypto_free_shash(hashalg); 1139 if (hmacalg) 1140 crypto_free_shash(hmacalg); 1141} 1142 1143static int __init trusted_shash_alloc(void) 1144{ 1145 int ret; 1146 1147 hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC); 1148 if (IS_ERR(hmacalg)) { 1149 pr_info("trusted_key: could not allocate crypto %s\n", 1150 hmac_alg); 1151 return PTR_ERR(hmacalg); 1152 } 1153 1154 hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC); 1155 if (IS_ERR(hashalg)) { 1156 pr_info("trusted_key: could not allocate crypto %s\n", 1157 hash_alg); 1158 ret = PTR_ERR(hashalg); 1159 goto hashalg_fail; 1160 } 1161 1162 return 0; 1163 1164hashalg_fail: 1165 crypto_free_shash(hmacalg); 1166 return ret; 1167} 1168 1169static int __init init_trusted(void) 1170{ 1171 int ret; 1172 1173 ret = trusted_shash_alloc(); 1174 if (ret < 0) 1175 return ret; 1176 ret = register_key_type(&key_type_trusted); 1177 if (ret < 0) 1178 trusted_shash_release(); 1179 return ret; 1180} 1181 1182static void __exit cleanup_trusted(void) 1183{ 1184 trusted_shash_release(); 1185 unregister_key_type(&key_type_trusted); 1186} 1187 1188late_initcall(init_trusted); 1189module_exit(cleanup_trusted); 1190 1191MODULE_LICENSE("GPL");