tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

kernel / security / keys / trusted.c
at v5.1-rc6 1299 lines 31 kB view raw
1/* 2 * Copyright (C) 2010 IBM Corporation 3 * 4 * Author: 5 * David Safford <safford@us.ibm.com> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation, version 2 of the License. 10 * 11 * See Documentation/security/keys/trusted-encrypted.rst 12 */ 13 14#include <crypto/hash_info.h> 15#include <linux/uaccess.h> 16#include <linux/module.h> 17#include <linux/init.h> 18#include <linux/slab.h> 19#include <linux/parser.h> 20#include <linux/string.h> 21#include <linux/err.h> 22#include <keys/user-type.h> 23#include <keys/trusted-type.h> 24#include <linux/key-type.h> 25#include <linux/rcupdate.h> 26#include <linux/crypto.h> 27#include <crypto/hash.h> 28#include <crypto/sha.h> 29#include <linux/capability.h> 30#include <linux/tpm.h> 31#include <linux/tpm_command.h> 32 33#include <keys/trusted.h> 34 35static const char hmac_alg[] = "hmac(sha1)"; 36static const char hash_alg[] = "sha1"; 37static struct tpm_chip *chip; 38static struct tpm_digest *digests; 39 40struct sdesc { 41 struct shash_desc shash; 42 char ctx[]; 43}; 44 45static struct crypto_shash *hashalg; 46static struct crypto_shash *hmacalg; 47 48static struct sdesc *init_sdesc(struct crypto_shash *alg) 49{ 50 struct sdesc *sdesc; 51 int size; 52 53 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 54 sdesc = kmalloc(size, GFP_KERNEL); 55 if (!sdesc) 56 return ERR_PTR(-ENOMEM); 57 sdesc->shash.tfm = alg; 58 sdesc->shash.flags = 0x0; 59 return sdesc; 60} 61 62static int TSS_sha1(const unsigned char *data, unsigned int datalen, 63 unsigned char *digest) 64{ 65 struct sdesc *sdesc; 66 int ret; 67 68 sdesc = init_sdesc(hashalg); 69 if (IS_ERR(sdesc)) { 70 pr_info("trusted_key: can't alloc %s\n", hash_alg); 71 return PTR_ERR(sdesc); 72 } 73 74 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 75 kzfree(sdesc); 76 return ret; 77} 78 79static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 80 unsigned int keylen, ...) 81{ 82 struct sdesc *sdesc; 83 va_list argp; 84 unsigned int dlen; 85 unsigned char *data; 86 int ret; 87 88 sdesc = init_sdesc(hmacalg); 89 if (IS_ERR(sdesc)) { 90 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 91 return PTR_ERR(sdesc); 92 } 93 94 ret = crypto_shash_setkey(hmacalg, key, keylen); 95 if (ret < 0) 96 goto out; 97 ret = crypto_shash_init(&sdesc->shash); 98 if (ret < 0) 99 goto out; 100 101 va_start(argp, keylen); 102 for (;;) { 103 dlen = va_arg(argp, unsigned int); 104 if (dlen == 0) 105 break; 106 data = va_arg(argp, unsigned char *); 107 if (data == NULL) { 108 ret = -EINVAL; 109 break; 110 } 111 ret = crypto_shash_update(&sdesc->shash, data, dlen); 112 if (ret < 0) 113 break; 114 } 115 va_end(argp); 116 if (!ret) 117 ret = crypto_shash_final(&sdesc->shash, digest); 118out: 119 kzfree(sdesc); 120 return ret; 121} 122 123/* 124 * calculate authorization info fields to send to TPM 125 */ 126int TSS_authhmac(unsigned char *digest, const unsigned char *key, 127 unsigned int keylen, unsigned char *h1, 128 unsigned char *h2, unsigned int h3, ...) 129{ 130 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 131 struct sdesc *sdesc; 132 unsigned int dlen; 133 unsigned char *data; 134 unsigned char c; 135 int ret; 136 va_list argp; 137 138 if (!chip) 139 return -ENODEV; 140 141 sdesc = init_sdesc(hashalg); 142 if (IS_ERR(sdesc)) { 143 pr_info("trusted_key: can't alloc %s\n", hash_alg); 144 return PTR_ERR(sdesc); 145 } 146 147 c = !!h3; 148 ret = crypto_shash_init(&sdesc->shash); 149 if (ret < 0) 150 goto out; 151 va_start(argp, h3); 152 for (;;) { 153 dlen = va_arg(argp, unsigned int); 154 if (dlen == 0) 155 break; 156 data = va_arg(argp, unsigned char *); 157 if (!data) { 158 ret = -EINVAL; 159 break; 160 } 161 ret = crypto_shash_update(&sdesc->shash, data, dlen); 162 if (ret < 0) 163 break; 164 } 165 va_end(argp); 166 if (!ret) 167 ret = crypto_shash_final(&sdesc->shash, paramdigest); 168 if (!ret) 169 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 170 paramdigest, TPM_NONCE_SIZE, h1, 171 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 172out: 173 kzfree(sdesc); 174 return ret; 175} 176EXPORT_SYMBOL_GPL(TSS_authhmac); 177 178/* 179 * verify the AUTH1_COMMAND (Seal) result from TPM 180 */ 181int TSS_checkhmac1(unsigned char *buffer, 182 const uint32_t command, 183 const unsigned char *ononce, 184 const unsigned char *key, 185 unsigned int keylen, ...) 186{ 187 uint32_t bufsize; 188 uint16_t tag; 189 uint32_t ordinal; 190 uint32_t result; 191 unsigned char *enonce; 192 unsigned char *continueflag; 193 unsigned char *authdata; 194 unsigned char testhmac[SHA1_DIGEST_SIZE]; 195 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 196 struct sdesc *sdesc; 197 unsigned int dlen; 198 unsigned int dpos; 199 va_list argp; 200 int ret; 201 202 if (!chip) 203 return -ENODEV; 204 205 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 206 tag = LOAD16(buffer, 0); 207 ordinal = command; 208 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 209 if (tag == TPM_TAG_RSP_COMMAND) 210 return 0; 211 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 212 return -EINVAL; 213 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 214 continueflag = authdata - 1; 215 enonce = continueflag - TPM_NONCE_SIZE; 216 217 sdesc = init_sdesc(hashalg); 218 if (IS_ERR(sdesc)) { 219 pr_info("trusted_key: can't alloc %s\n", hash_alg); 220 return PTR_ERR(sdesc); 221 } 222 ret = crypto_shash_init(&sdesc->shash); 223 if (ret < 0) 224 goto out; 225 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 226 sizeof result); 227 if (ret < 0) 228 goto out; 229 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 230 sizeof ordinal); 231 if (ret < 0) 232 goto out; 233 va_start(argp, keylen); 234 for (;;) { 235 dlen = va_arg(argp, unsigned int); 236 if (dlen == 0) 237 break; 238 dpos = va_arg(argp, unsigned int); 239 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 240 if (ret < 0) 241 break; 242 } 243 va_end(argp); 244 if (!ret) 245 ret = crypto_shash_final(&sdesc->shash, paramdigest); 246 if (ret < 0) 247 goto out; 248 249 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 250 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 251 1, continueflag, 0, 0); 252 if (ret < 0) 253 goto out; 254 255 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 256 ret = -EINVAL; 257out: 258 kzfree(sdesc); 259 return ret; 260} 261EXPORT_SYMBOL_GPL(TSS_checkhmac1); 262 263/* 264 * verify the AUTH2_COMMAND (unseal) result from TPM 265 */ 266static int TSS_checkhmac2(unsigned char *buffer, 267 const uint32_t command, 268 const unsigned char *ononce, 269 const unsigned char *key1, 270 unsigned int keylen1, 271 const unsigned char *key2, 272 unsigned int keylen2, ...) 273{ 274 uint32_t bufsize; 275 uint16_t tag; 276 uint32_t ordinal; 277 uint32_t result; 278 unsigned char *enonce1; 279 unsigned char *continueflag1; 280 unsigned char *authdata1; 281 unsigned char *enonce2; 282 unsigned char *continueflag2; 283 unsigned char *authdata2; 284 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 285 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 286 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 287 struct sdesc *sdesc; 288 unsigned int dlen; 289 unsigned int dpos; 290 va_list argp; 291 int ret; 292 293 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 294 tag = LOAD16(buffer, 0); 295 ordinal = command; 296 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 297 298 if (tag == TPM_TAG_RSP_COMMAND) 299 return 0; 300 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 301 return -EINVAL; 302 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 303 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 304 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 305 continueflag1 = authdata1 - 1; 306 continueflag2 = authdata2 - 1; 307 enonce1 = continueflag1 - TPM_NONCE_SIZE; 308 enonce2 = continueflag2 - TPM_NONCE_SIZE; 309 310 sdesc = init_sdesc(hashalg); 311 if (IS_ERR(sdesc)) { 312 pr_info("trusted_key: can't alloc %s\n", hash_alg); 313 return PTR_ERR(sdesc); 314 } 315 ret = crypto_shash_init(&sdesc->shash); 316 if (ret < 0) 317 goto out; 318 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 319 sizeof result); 320 if (ret < 0) 321 goto out; 322 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 323 sizeof ordinal); 324 if (ret < 0) 325 goto out; 326 327 va_start(argp, keylen2); 328 for (;;) { 329 dlen = va_arg(argp, unsigned int); 330 if (dlen == 0) 331 break; 332 dpos = va_arg(argp, unsigned int); 333 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 334 if (ret < 0) 335 break; 336 } 337 va_end(argp); 338 if (!ret) 339 ret = crypto_shash_final(&sdesc->shash, paramdigest); 340 if (ret < 0) 341 goto out; 342 343 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 344 paramdigest, TPM_NONCE_SIZE, enonce1, 345 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 346 if (ret < 0) 347 goto out; 348 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 349 ret = -EINVAL; 350 goto out; 351 } 352 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 353 paramdigest, TPM_NONCE_SIZE, enonce2, 354 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 355 if (ret < 0) 356 goto out; 357 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 358 ret = -EINVAL; 359out: 360 kzfree(sdesc); 361 return ret; 362} 363 364/* 365 * For key specific tpm requests, we will generate and send our 366 * own TPM command packets using the drivers send function. 367 */ 368int trusted_tpm_send(unsigned char *cmd, size_t buflen) 369{ 370 int rc; 371 372 if (!chip) 373 return -ENODEV; 374 375 dump_tpm_buf(cmd); 376 rc = tpm_send(chip, cmd, buflen); 377 dump_tpm_buf(cmd); 378 if (rc > 0) 379 /* Can't return positive return codes values to keyctl */ 380 rc = -EPERM; 381 return rc; 382} 383EXPORT_SYMBOL_GPL(trusted_tpm_send); 384 385/* 386 * Lock a trusted key, by extending a selected PCR. 387 * 388 * Prevents a trusted key that is sealed to PCRs from being accessed. 389 * This uses the tpm driver's extend function. 390 */ 391static int pcrlock(const int pcrnum) 392{ 393 if (!capable(CAP_SYS_ADMIN)) 394 return -EPERM; 395 396 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 397} 398 399/* 400 * Create an object specific authorisation protocol (OSAP) session 401 */ 402static int osap(struct tpm_buf *tb, struct osapsess *s, 403 const unsigned char *key, uint16_t type, uint32_t handle) 404{ 405 unsigned char enonce[TPM_NONCE_SIZE]; 406 unsigned char ononce[TPM_NONCE_SIZE]; 407 int ret; 408 409 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 410 if (ret != TPM_NONCE_SIZE) 411 return ret; 412 413 INIT_BUF(tb); 414 store16(tb, TPM_TAG_RQU_COMMAND); 415 store32(tb, TPM_OSAP_SIZE); 416 store32(tb, TPM_ORD_OSAP); 417 store16(tb, type); 418 store32(tb, handle); 419 storebytes(tb, ononce, TPM_NONCE_SIZE); 420 421 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 422 if (ret < 0) 423 return ret; 424 425 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 426 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 427 TPM_NONCE_SIZE); 428 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 429 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 430 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 431 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 432} 433 434/* 435 * Create an object independent authorisation protocol (oiap) session 436 */ 437int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 438{ 439 int ret; 440 441 if (!chip) 442 return -ENODEV; 443 444 INIT_BUF(tb); 445 store16(tb, TPM_TAG_RQU_COMMAND); 446 store32(tb, TPM_OIAP_SIZE); 447 store32(tb, TPM_ORD_OIAP); 448 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 449 if (ret < 0) 450 return ret; 451 452 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 453 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 454 TPM_NONCE_SIZE); 455 return 0; 456} 457EXPORT_SYMBOL_GPL(oiap); 458 459struct tpm_digests { 460 unsigned char encauth[SHA1_DIGEST_SIZE]; 461 unsigned char pubauth[SHA1_DIGEST_SIZE]; 462 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 463 unsigned char xorhash[SHA1_DIGEST_SIZE]; 464 unsigned char nonceodd[TPM_NONCE_SIZE]; 465}; 466 467/* 468 * Have the TPM seal(encrypt) the trusted key, possibly based on 469 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 470 */ 471static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 472 uint32_t keyhandle, const unsigned char *keyauth, 473 const unsigned char *data, uint32_t datalen, 474 unsigned char *blob, uint32_t *bloblen, 475 const unsigned char *blobauth, 476 const unsigned char *pcrinfo, uint32_t pcrinfosize) 477{ 478 struct osapsess sess; 479 struct tpm_digests *td; 480 unsigned char cont; 481 uint32_t ordinal; 482 uint32_t pcrsize; 483 uint32_t datsize; 484 int sealinfosize; 485 int encdatasize; 486 int storedsize; 487 int ret; 488 int i; 489 490 /* alloc some work space for all the hashes */ 491 td = kmalloc(sizeof *td, GFP_KERNEL); 492 if (!td) 493 return -ENOMEM; 494 495 /* get session for sealing key */ 496 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 497 if (ret < 0) 498 goto out; 499 dump_sess(&sess); 500 501 /* calculate encrypted authorization value */ 502 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 503 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 504 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 505 if (ret < 0) 506 goto out; 507 508 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 509 if (ret != TPM_NONCE_SIZE) 510 goto out; 511 ordinal = htonl(TPM_ORD_SEAL); 512 datsize = htonl(datalen); 513 pcrsize = htonl(pcrinfosize); 514 cont = 0; 515 516 /* encrypt data authorization key */ 517 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 518 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 519 520 /* calculate authorization HMAC value */ 521 if (pcrinfosize == 0) { 522 /* no pcr info specified */ 523 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 524 sess.enonce, td->nonceodd, cont, 525 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 526 td->encauth, sizeof(uint32_t), &pcrsize, 527 sizeof(uint32_t), &datsize, datalen, data, 0, 528 0); 529 } else { 530 /* pcr info specified */ 531 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 532 sess.enonce, td->nonceodd, cont, 533 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 534 td->encauth, sizeof(uint32_t), &pcrsize, 535 pcrinfosize, pcrinfo, sizeof(uint32_t), 536 &datsize, datalen, data, 0, 0); 537 } 538 if (ret < 0) 539 goto out; 540 541 /* build and send the TPM request packet */ 542 INIT_BUF(tb); 543 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); 544 store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen); 545 store32(tb, TPM_ORD_SEAL); 546 store32(tb, keyhandle); 547 storebytes(tb, td->encauth, SHA1_DIGEST_SIZE); 548 store32(tb, pcrinfosize); 549 storebytes(tb, pcrinfo, pcrinfosize); 550 store32(tb, datalen); 551 storebytes(tb, data, datalen); 552 store32(tb, sess.handle); 553 storebytes(tb, td->nonceodd, TPM_NONCE_SIZE); 554 store8(tb, cont); 555 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 556 557 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 558 if (ret < 0) 559 goto out; 560 561 /* calculate the size of the returned Blob */ 562 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 563 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 564 sizeof(uint32_t) + sealinfosize); 565 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 566 sizeof(uint32_t) + encdatasize; 567 568 /* check the HMAC in the response */ 569 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 570 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 571 0); 572 573 /* copy the returned blob to caller */ 574 if (!ret) { 575 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 576 *bloblen = storedsize; 577 } 578out: 579 kzfree(td); 580 return ret; 581} 582 583/* 584 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 585 */ 586static int tpm_unseal(struct tpm_buf *tb, 587 uint32_t keyhandle, const unsigned char *keyauth, 588 const unsigned char *blob, int bloblen, 589 const unsigned char *blobauth, 590 unsigned char *data, unsigned int *datalen) 591{ 592 unsigned char nonceodd[TPM_NONCE_SIZE]; 593 unsigned char enonce1[TPM_NONCE_SIZE]; 594 unsigned char enonce2[TPM_NONCE_SIZE]; 595 unsigned char authdata1[SHA1_DIGEST_SIZE]; 596 unsigned char authdata2[SHA1_DIGEST_SIZE]; 597 uint32_t authhandle1 = 0; 598 uint32_t authhandle2 = 0; 599 unsigned char cont = 0; 600 uint32_t ordinal; 601 uint32_t keyhndl; 602 int ret; 603 604 /* sessions for unsealing key and data */ 605 ret = oiap(tb, &authhandle1, enonce1); 606 if (ret < 0) { 607 pr_info("trusted_key: oiap failed (%d)\n", ret); 608 return ret; 609 } 610 ret = oiap(tb, &authhandle2, enonce2); 611 if (ret < 0) { 612 pr_info("trusted_key: oiap failed (%d)\n", ret); 613 return ret; 614 } 615 616 ordinal = htonl(TPM_ORD_UNSEAL); 617 keyhndl = htonl(SRKHANDLE); 618 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 619 if (ret != TPM_NONCE_SIZE) { 620 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 621 return ret; 622 } 623 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 624 enonce1, nonceodd, cont, sizeof(uint32_t), 625 &ordinal, bloblen, blob, 0, 0); 626 if (ret < 0) 627 return ret; 628 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 629 enonce2, nonceodd, cont, sizeof(uint32_t), 630 &ordinal, bloblen, blob, 0, 0); 631 if (ret < 0) 632 return ret; 633 634 /* build and send TPM request packet */ 635 INIT_BUF(tb); 636 store16(tb, TPM_TAG_RQU_AUTH2_COMMAND); 637 store32(tb, TPM_UNSEAL_SIZE + bloblen); 638 store32(tb, TPM_ORD_UNSEAL); 639 store32(tb, keyhandle); 640 storebytes(tb, blob, bloblen); 641 store32(tb, authhandle1); 642 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 643 store8(tb, cont); 644 storebytes(tb, authdata1, SHA1_DIGEST_SIZE); 645 store32(tb, authhandle2); 646 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 647 store8(tb, cont); 648 storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 649 650 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 651 if (ret < 0) { 652 pr_info("trusted_key: authhmac failed (%d)\n", ret); 653 return ret; 654 } 655 656 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 657 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 658 keyauth, SHA1_DIGEST_SIZE, 659 blobauth, SHA1_DIGEST_SIZE, 660 sizeof(uint32_t), TPM_DATA_OFFSET, 661 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 662 0); 663 if (ret < 0) { 664 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 665 return ret; 666 } 667 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 668 return 0; 669} 670 671/* 672 * Have the TPM seal(encrypt) the symmetric key 673 */ 674static int key_seal(struct trusted_key_payload *p, 675 struct trusted_key_options *o) 676{ 677 struct tpm_buf *tb; 678 int ret; 679 680 tb = kzalloc(sizeof *tb, GFP_KERNEL); 681 if (!tb) 682 return -ENOMEM; 683 684 /* include migratable flag at end of sealed key */ 685 p->key[p->key_len] = p->migratable; 686 687 ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth, 688 p->key, p->key_len + 1, p->blob, &p->blob_len, 689 o->blobauth, o->pcrinfo, o->pcrinfo_len); 690 if (ret < 0) 691 pr_info("trusted_key: srkseal failed (%d)\n", ret); 692 693 kzfree(tb); 694 return ret; 695} 696 697/* 698 * Have the TPM unseal(decrypt) the symmetric key 699 */ 700static int key_unseal(struct trusted_key_payload *p, 701 struct trusted_key_options *o) 702{ 703 struct tpm_buf *tb; 704 int ret; 705 706 tb = kzalloc(sizeof *tb, GFP_KERNEL); 707 if (!tb) 708 return -ENOMEM; 709 710 ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 711 o->blobauth, p->key, &p->key_len); 712 if (ret < 0) 713 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 714 else 715 /* pull migratable flag out of sealed key */ 716 p->migratable = p->key[--p->key_len]; 717 718 kzfree(tb); 719 return ret; 720} 721 722enum { 723 Opt_err, 724 Opt_new, Opt_load, Opt_update, 725 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 726 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 727 Opt_hash, 728 Opt_policydigest, 729 Opt_policyhandle, 730}; 731 732static const match_table_t key_tokens = { 733 {Opt_new, "new"}, 734 {Opt_load, "load"}, 735 {Opt_update, "update"}, 736 {Opt_keyhandle, "keyhandle=%s"}, 737 {Opt_keyauth, "keyauth=%s"}, 738 {Opt_blobauth, "blobauth=%s"}, 739 {Opt_pcrinfo, "pcrinfo=%s"}, 740 {Opt_pcrlock, "pcrlock=%s"}, 741 {Opt_migratable, "migratable=%s"}, 742 {Opt_hash, "hash=%s"}, 743 {Opt_policydigest, "policydigest=%s"}, 744 {Opt_policyhandle, "policyhandle=%s"}, 745 {Opt_err, NULL} 746}; 747 748/* can have zero or more token= options */ 749static int getoptions(char *c, struct trusted_key_payload *pay, 750 struct trusted_key_options *opt) 751{ 752 substring_t args[MAX_OPT_ARGS]; 753 char *p = c; 754 int token; 755 int res; 756 unsigned long handle; 757 unsigned long lock; 758 unsigned long token_mask = 0; 759 unsigned int digest_len; 760 int i; 761 int tpm2; 762 763 tpm2 = tpm_is_tpm2(chip); 764 if (tpm2 < 0) 765 return tpm2; 766 767 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 768 769 while ((p = strsep(&c, " \t"))) { 770 if (*p == '\0' || *p == ' ' || *p == '\t') 771 continue; 772 token = match_token(p, key_tokens, args); 773 if (test_and_set_bit(token, &token_mask)) 774 return -EINVAL; 775 776 switch (token) { 777 case Opt_pcrinfo: 778 opt->pcrinfo_len = strlen(args[0].from) / 2; 779 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 780 return -EINVAL; 781 res = hex2bin(opt->pcrinfo, args[0].from, 782 opt->pcrinfo_len); 783 if (res < 0) 784 return -EINVAL; 785 break; 786 case Opt_keyhandle: 787 res = kstrtoul(args[0].from, 16, &handle); 788 if (res < 0) 789 return -EINVAL; 790 opt->keytype = SEAL_keytype; 791 opt->keyhandle = handle; 792 break; 793 case Opt_keyauth: 794 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 795 return -EINVAL; 796 res = hex2bin(opt->keyauth, args[0].from, 797 SHA1_DIGEST_SIZE); 798 if (res < 0) 799 return -EINVAL; 800 break; 801 case Opt_blobauth: 802 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 803 return -EINVAL; 804 res = hex2bin(opt->blobauth, args[0].from, 805 SHA1_DIGEST_SIZE); 806 if (res < 0) 807 return -EINVAL; 808 break; 809 case Opt_migratable: 810 if (*args[0].from == '0') 811 pay->migratable = 0; 812 else 813 return -EINVAL; 814 break; 815 case Opt_pcrlock: 816 res = kstrtoul(args[0].from, 10, &lock); 817 if (res < 0) 818 return -EINVAL; 819 opt->pcrlock = lock; 820 break; 821 case Opt_hash: 822 if (test_bit(Opt_policydigest, &token_mask)) 823 return -EINVAL; 824 for (i = 0; i < HASH_ALGO__LAST; i++) { 825 if (!strcmp(args[0].from, hash_algo_name[i])) { 826 opt->hash = i; 827 break; 828 } 829 } 830 if (i == HASH_ALGO__LAST) 831 return -EINVAL; 832 if (!tpm2 && i != HASH_ALGO_SHA1) { 833 pr_info("trusted_key: TPM 1.x only supports SHA-1.\n"); 834 return -EINVAL; 835 } 836 break; 837 case Opt_policydigest: 838 digest_len = hash_digest_size[opt->hash]; 839 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 840 return -EINVAL; 841 res = hex2bin(opt->policydigest, args[0].from, 842 digest_len); 843 if (res < 0) 844 return -EINVAL; 845 opt->policydigest_len = digest_len; 846 break; 847 case Opt_policyhandle: 848 if (!tpm2) 849 return -EINVAL; 850 res = kstrtoul(args[0].from, 16, &handle); 851 if (res < 0) 852 return -EINVAL; 853 opt->policyhandle = handle; 854 break; 855 default: 856 return -EINVAL; 857 } 858 } 859 return 0; 860} 861 862/* 863 * datablob_parse - parse the keyctl data and fill in the 864 * payload and options structures 865 * 866 * On success returns 0, otherwise -EINVAL. 867 */ 868static int datablob_parse(char *datablob, struct trusted_key_payload *p, 869 struct trusted_key_options *o) 870{ 871 substring_t args[MAX_OPT_ARGS]; 872 long keylen; 873 int ret = -EINVAL; 874 int key_cmd; 875 char *c; 876 877 /* main command */ 878 c = strsep(&datablob, " \t"); 879 if (!c) 880 return -EINVAL; 881 key_cmd = match_token(c, key_tokens, args); 882 switch (key_cmd) { 883 case Opt_new: 884 /* first argument is key size */ 885 c = strsep(&datablob, " \t"); 886 if (!c) 887 return -EINVAL; 888 ret = kstrtol(c, 10, &keylen); 889 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 890 return -EINVAL; 891 p->key_len = keylen; 892 ret = getoptions(datablob, p, o); 893 if (ret < 0) 894 return ret; 895 ret = Opt_new; 896 break; 897 case Opt_load: 898 /* first argument is sealed blob */ 899 c = strsep(&datablob, " \t"); 900 if (!c) 901 return -EINVAL; 902 p->blob_len = strlen(c) / 2; 903 if (p->blob_len > MAX_BLOB_SIZE) 904 return -EINVAL; 905 ret = hex2bin(p->blob, c, p->blob_len); 906 if (ret < 0) 907 return -EINVAL; 908 ret = getoptions(datablob, p, o); 909 if (ret < 0) 910 return ret; 911 ret = Opt_load; 912 break; 913 case Opt_update: 914 /* all arguments are options */ 915 ret = getoptions(datablob, p, o); 916 if (ret < 0) 917 return ret; 918 ret = Opt_update; 919 break; 920 case Opt_err: 921 return -EINVAL; 922 break; 923 } 924 return ret; 925} 926 927static struct trusted_key_options *trusted_options_alloc(void) 928{ 929 struct trusted_key_options *options; 930 int tpm2; 931 932 tpm2 = tpm_is_tpm2(chip); 933 if (tpm2 < 0) 934 return NULL; 935 936 options = kzalloc(sizeof *options, GFP_KERNEL); 937 if (options) { 938 /* set any non-zero defaults */ 939 options->keytype = SRK_keytype; 940 941 if (!tpm2) 942 options->keyhandle = SRKHANDLE; 943 } 944 return options; 945} 946 947static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 948{ 949 struct trusted_key_payload *p = NULL; 950 int ret; 951 952 ret = key_payload_reserve(key, sizeof *p); 953 if (ret < 0) 954 return p; 955 p = kzalloc(sizeof *p, GFP_KERNEL); 956 if (p) 957 p->migratable = 1; /* migratable by default */ 958 return p; 959} 960 961/* 962 * trusted_instantiate - create a new trusted key 963 * 964 * Unseal an existing trusted blob or, for a new key, get a 965 * random key, then seal and create a trusted key-type key, 966 * adding it to the specified keyring. 967 * 968 * On success, return 0. Otherwise return errno. 969 */ 970static int trusted_instantiate(struct key *key, 971 struct key_preparsed_payload *prep) 972{ 973 struct trusted_key_payload *payload = NULL; 974 struct trusted_key_options *options = NULL; 975 size_t datalen = prep->datalen; 976 char *datablob; 977 int ret = 0; 978 int key_cmd; 979 size_t key_len; 980 int tpm2; 981 982 tpm2 = tpm_is_tpm2(chip); 983 if (tpm2 < 0) 984 return tpm2; 985 986 if (datalen <= 0 || datalen > 32767 || !prep->data) 987 return -EINVAL; 988 989 datablob = kmalloc(datalen + 1, GFP_KERNEL); 990 if (!datablob) 991 return -ENOMEM; 992 memcpy(datablob, prep->data, datalen); 993 datablob[datalen] = '\0'; 994 995 options = trusted_options_alloc(); 996 if (!options) { 997 ret = -ENOMEM; 998 goto out; 999 } 1000 payload = trusted_payload_alloc(key); 1001 if (!payload) { 1002 ret = -ENOMEM; 1003 goto out; 1004 } 1005 1006 key_cmd = datablob_parse(datablob, payload, options); 1007 if (key_cmd < 0) { 1008 ret = key_cmd; 1009 goto out; 1010 } 1011 1012 if (!options->keyhandle) { 1013 ret = -EINVAL; 1014 goto out; 1015 } 1016 1017 dump_payload(payload); 1018 dump_options(options); 1019 1020 switch (key_cmd) { 1021 case Opt_load: 1022 if (tpm2) 1023 ret = tpm_unseal_trusted(chip, payload, options); 1024 else 1025 ret = key_unseal(payload, options); 1026 dump_payload(payload); 1027 dump_options(options); 1028 if (ret < 0) 1029 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 1030 break; 1031 case Opt_new: 1032 key_len = payload->key_len; 1033 ret = tpm_get_random(chip, payload->key, key_len); 1034 if (ret != key_len) { 1035 pr_info("trusted_key: key_create failed (%d)\n", ret); 1036 goto out; 1037 } 1038 if (tpm2) 1039 ret = tpm_seal_trusted(chip, payload, options); 1040 else 1041 ret = key_seal(payload, options); 1042 if (ret < 0) 1043 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1044 break; 1045 default: 1046 ret = -EINVAL; 1047 goto out; 1048 } 1049 if (!ret && options->pcrlock) 1050 ret = pcrlock(options->pcrlock); 1051out: 1052 kzfree(datablob); 1053 kzfree(options); 1054 if (!ret) 1055 rcu_assign_keypointer(key, payload); 1056 else 1057 kzfree(payload); 1058 return ret; 1059} 1060 1061static void trusted_rcu_free(struct rcu_head *rcu) 1062{ 1063 struct trusted_key_payload *p; 1064 1065 p = container_of(rcu, struct trusted_key_payload, rcu); 1066 kzfree(p); 1067} 1068 1069/* 1070 * trusted_update - reseal an existing key with new PCR values 1071 */ 1072static int trusted_update(struct key *key, struct key_preparsed_payload *prep) 1073{ 1074 struct trusted_key_payload *p; 1075 struct trusted_key_payload *new_p; 1076 struct trusted_key_options *new_o; 1077 size_t datalen = prep->datalen; 1078 char *datablob; 1079 int ret = 0; 1080 1081 if (key_is_negative(key)) 1082 return -ENOKEY; 1083 p = key->payload.data[0]; 1084 if (!p->migratable) 1085 return -EPERM; 1086 if (datalen <= 0 || datalen > 32767 || !prep->data) 1087 return -EINVAL; 1088 1089 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1090 if (!datablob) 1091 return -ENOMEM; 1092 new_o = trusted_options_alloc(); 1093 if (!new_o) { 1094 ret = -ENOMEM; 1095 goto out; 1096 } 1097 new_p = trusted_payload_alloc(key); 1098 if (!new_p) { 1099 ret = -ENOMEM; 1100 goto out; 1101 } 1102 1103 memcpy(datablob, prep->data, datalen); 1104 datablob[datalen] = '\0'; 1105 ret = datablob_parse(datablob, new_p, new_o); 1106 if (ret != Opt_update) { 1107 ret = -EINVAL; 1108 kzfree(new_p); 1109 goto out; 1110 } 1111 1112 if (!new_o->keyhandle) { 1113 ret = -EINVAL; 1114 kzfree(new_p); 1115 goto out; 1116 } 1117 1118 /* copy old key values, and reseal with new pcrs */ 1119 new_p->migratable = p->migratable; 1120 new_p->key_len = p->key_len; 1121 memcpy(new_p->key, p->key, p->key_len); 1122 dump_payload(p); 1123 dump_payload(new_p); 1124 1125 ret = key_seal(new_p, new_o); 1126 if (ret < 0) { 1127 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1128 kzfree(new_p); 1129 goto out; 1130 } 1131 if (new_o->pcrlock) { 1132 ret = pcrlock(new_o->pcrlock); 1133 if (ret < 0) { 1134 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1135 kzfree(new_p); 1136 goto out; 1137 } 1138 } 1139 rcu_assign_keypointer(key, new_p); 1140 call_rcu(&p->rcu, trusted_rcu_free); 1141out: 1142 kzfree(datablob); 1143 kzfree(new_o); 1144 return ret; 1145} 1146 1147/* 1148 * trusted_read - copy the sealed blob data to userspace in hex. 1149 * On success, return to userspace the trusted key datablob size. 1150 */ 1151static long trusted_read(const struct key *key, char __user *buffer, 1152 size_t buflen) 1153{ 1154 const struct trusted_key_payload *p; 1155 char *ascii_buf; 1156 char *bufp; 1157 int i; 1158 1159 p = dereference_key_locked(key); 1160 if (!p) 1161 return -EINVAL; 1162 1163 if (buffer && buflen >= 2 * p->blob_len) { 1164 ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL); 1165 if (!ascii_buf) 1166 return -ENOMEM; 1167 1168 bufp = ascii_buf; 1169 for (i = 0; i < p->blob_len; i++) 1170 bufp = hex_byte_pack(bufp, p->blob[i]); 1171 if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) { 1172 kzfree(ascii_buf); 1173 return -EFAULT; 1174 } 1175 kzfree(ascii_buf); 1176 } 1177 return 2 * p->blob_len; 1178} 1179 1180/* 1181 * trusted_destroy - clear and free the key's payload 1182 */ 1183static void trusted_destroy(struct key *key) 1184{ 1185 kzfree(key->payload.data[0]); 1186} 1187 1188struct key_type key_type_trusted = { 1189 .name = "trusted", 1190 .instantiate = trusted_instantiate, 1191 .update = trusted_update, 1192 .destroy = trusted_destroy, 1193 .describe = user_describe, 1194 .read = trusted_read, 1195}; 1196 1197EXPORT_SYMBOL_GPL(key_type_trusted); 1198 1199static void trusted_shash_release(void) 1200{ 1201 if (hashalg) 1202 crypto_free_shash(hashalg); 1203 if (hmacalg) 1204 crypto_free_shash(hmacalg); 1205} 1206 1207static int __init trusted_shash_alloc(void) 1208{ 1209 int ret; 1210 1211 hmacalg = crypto_alloc_shash(hmac_alg, 0, 0); 1212 if (IS_ERR(hmacalg)) { 1213 pr_info("trusted_key: could not allocate crypto %s\n", 1214 hmac_alg); 1215 return PTR_ERR(hmacalg); 1216 } 1217 1218 hashalg = crypto_alloc_shash(hash_alg, 0, 0); 1219 if (IS_ERR(hashalg)) { 1220 pr_info("trusted_key: could not allocate crypto %s\n", 1221 hash_alg); 1222 ret = PTR_ERR(hashalg); 1223 goto hashalg_fail; 1224 } 1225 1226 return 0; 1227 1228hashalg_fail: 1229 crypto_free_shash(hmacalg); 1230 return ret; 1231} 1232 1233static int __init init_digests(void) 1234{ 1235 u8 digest[TPM_MAX_DIGEST_SIZE]; 1236 int ret; 1237 int i; 1238 1239 ret = tpm_get_random(chip, digest, TPM_MAX_DIGEST_SIZE); 1240 if (ret < 0) 1241 return ret; 1242 if (ret < TPM_MAX_DIGEST_SIZE) 1243 return -EFAULT; 1244 1245 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 1246 GFP_KERNEL); 1247 if (!digests) 1248 return -ENOMEM; 1249 1250 for (i = 0; i < chip->nr_allocated_banks; i++) 1251 memcpy(digests[i].digest, digest, TPM_MAX_DIGEST_SIZE); 1252 1253 return 0; 1254} 1255 1256static int __init init_trusted(void) 1257{ 1258 int ret; 1259 1260 /* encrypted_keys.ko depends on successful load of this module even if 1261 * TPM is not used. 1262 */ 1263 chip = tpm_default_chip(); 1264 if (!chip) 1265 return 0; 1266 1267 ret = init_digests(); 1268 if (ret < 0) 1269 goto err_put; 1270 ret = trusted_shash_alloc(); 1271 if (ret < 0) 1272 goto err_free; 1273 ret = register_key_type(&key_type_trusted); 1274 if (ret < 0) 1275 goto err_release; 1276 return 0; 1277err_release: 1278 trusted_shash_release(); 1279err_free: 1280 kfree(digests); 1281err_put: 1282 put_device(&chip->dev); 1283 return ret; 1284} 1285 1286static void __exit cleanup_trusted(void) 1287{ 1288 if (chip) { 1289 put_device(&chip->dev); 1290 kfree(digests); 1291 trusted_shash_release(); 1292 unregister_key_type(&key_type_trusted); 1293 } 1294} 1295 1296late_initcall(init_trusted); 1297module_exit(cleanup_trusted); 1298 1299MODULE_LICENSE("GPL");