tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

kernel / security / keys / trusted.c
at v5.2-rc2 1298 lines 31 kB view raw
1/* 2 * Copyright (C) 2010 IBM Corporation 3 * 4 * Author: 5 * David Safford <safford@us.ibm.com> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation, version 2 of the License. 10 * 11 * See Documentation/security/keys/trusted-encrypted.rst 12 */ 13 14#include <crypto/hash_info.h> 15#include <linux/uaccess.h> 16#include <linux/module.h> 17#include <linux/init.h> 18#include <linux/slab.h> 19#include <linux/parser.h> 20#include <linux/string.h> 21#include <linux/err.h> 22#include <keys/user-type.h> 23#include <keys/trusted-type.h> 24#include <linux/key-type.h> 25#include <linux/rcupdate.h> 26#include <linux/crypto.h> 27#include <crypto/hash.h> 28#include <crypto/sha.h> 29#include <linux/capability.h> 30#include <linux/tpm.h> 31#include <linux/tpm_command.h> 32 33#include <keys/trusted.h> 34 35static const char hmac_alg[] = "hmac(sha1)"; 36static const char hash_alg[] = "sha1"; 37static struct tpm_chip *chip; 38static struct tpm_digest *digests; 39 40struct sdesc { 41 struct shash_desc shash; 42 char ctx[]; 43}; 44 45static struct crypto_shash *hashalg; 46static struct crypto_shash *hmacalg; 47 48static struct sdesc *init_sdesc(struct crypto_shash *alg) 49{ 50 struct sdesc *sdesc; 51 int size; 52 53 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 54 sdesc = kmalloc(size, GFP_KERNEL); 55 if (!sdesc) 56 return ERR_PTR(-ENOMEM); 57 sdesc->shash.tfm = alg; 58 return sdesc; 59} 60 61static int TSS_sha1(const unsigned char *data, unsigned int datalen, 62 unsigned char *digest) 63{ 64 struct sdesc *sdesc; 65 int ret; 66 67 sdesc = init_sdesc(hashalg); 68 if (IS_ERR(sdesc)) { 69 pr_info("trusted_key: can't alloc %s\n", hash_alg); 70 return PTR_ERR(sdesc); 71 } 72 73 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 74 kzfree(sdesc); 75 return ret; 76} 77 78static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 79 unsigned int keylen, ...) 80{ 81 struct sdesc *sdesc; 82 va_list argp; 83 unsigned int dlen; 84 unsigned char *data; 85 int ret; 86 87 sdesc = init_sdesc(hmacalg); 88 if (IS_ERR(sdesc)) { 89 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 90 return PTR_ERR(sdesc); 91 } 92 93 ret = crypto_shash_setkey(hmacalg, key, keylen); 94 if (ret < 0) 95 goto out; 96 ret = crypto_shash_init(&sdesc->shash); 97 if (ret < 0) 98 goto out; 99 100 va_start(argp, keylen); 101 for (;;) { 102 dlen = va_arg(argp, unsigned int); 103 if (dlen == 0) 104 break; 105 data = va_arg(argp, unsigned char *); 106 if (data == NULL) { 107 ret = -EINVAL; 108 break; 109 } 110 ret = crypto_shash_update(&sdesc->shash, data, dlen); 111 if (ret < 0) 112 break; 113 } 114 va_end(argp); 115 if (!ret) 116 ret = crypto_shash_final(&sdesc->shash, digest); 117out: 118 kzfree(sdesc); 119 return ret; 120} 121 122/* 123 * calculate authorization info fields to send to TPM 124 */ 125int TSS_authhmac(unsigned char *digest, const unsigned char *key, 126 unsigned int keylen, unsigned char *h1, 127 unsigned char *h2, unsigned int h3, ...) 128{ 129 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 130 struct sdesc *sdesc; 131 unsigned int dlen; 132 unsigned char *data; 133 unsigned char c; 134 int ret; 135 va_list argp; 136 137 if (!chip) 138 return -ENODEV; 139 140 sdesc = init_sdesc(hashalg); 141 if (IS_ERR(sdesc)) { 142 pr_info("trusted_key: can't alloc %s\n", hash_alg); 143 return PTR_ERR(sdesc); 144 } 145 146 c = !!h3; 147 ret = crypto_shash_init(&sdesc->shash); 148 if (ret < 0) 149 goto out; 150 va_start(argp, h3); 151 for (;;) { 152 dlen = va_arg(argp, unsigned int); 153 if (dlen == 0) 154 break; 155 data = va_arg(argp, unsigned char *); 156 if (!data) { 157 ret = -EINVAL; 158 break; 159 } 160 ret = crypto_shash_update(&sdesc->shash, data, dlen); 161 if (ret < 0) 162 break; 163 } 164 va_end(argp); 165 if (!ret) 166 ret = crypto_shash_final(&sdesc->shash, paramdigest); 167 if (!ret) 168 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 169 paramdigest, TPM_NONCE_SIZE, h1, 170 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 171out: 172 kzfree(sdesc); 173 return ret; 174} 175EXPORT_SYMBOL_GPL(TSS_authhmac); 176 177/* 178 * verify the AUTH1_COMMAND (Seal) result from TPM 179 */ 180int TSS_checkhmac1(unsigned char *buffer, 181 const uint32_t command, 182 const unsigned char *ononce, 183 const unsigned char *key, 184 unsigned int keylen, ...) 185{ 186 uint32_t bufsize; 187 uint16_t tag; 188 uint32_t ordinal; 189 uint32_t result; 190 unsigned char *enonce; 191 unsigned char *continueflag; 192 unsigned char *authdata; 193 unsigned char testhmac[SHA1_DIGEST_SIZE]; 194 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 195 struct sdesc *sdesc; 196 unsigned int dlen; 197 unsigned int dpos; 198 va_list argp; 199 int ret; 200 201 if (!chip) 202 return -ENODEV; 203 204 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 205 tag = LOAD16(buffer, 0); 206 ordinal = command; 207 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 208 if (tag == TPM_TAG_RSP_COMMAND) 209 return 0; 210 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 211 return -EINVAL; 212 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 213 continueflag = authdata - 1; 214 enonce = continueflag - TPM_NONCE_SIZE; 215 216 sdesc = init_sdesc(hashalg); 217 if (IS_ERR(sdesc)) { 218 pr_info("trusted_key: can't alloc %s\n", hash_alg); 219 return PTR_ERR(sdesc); 220 } 221 ret = crypto_shash_init(&sdesc->shash); 222 if (ret < 0) 223 goto out; 224 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 225 sizeof result); 226 if (ret < 0) 227 goto out; 228 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 229 sizeof ordinal); 230 if (ret < 0) 231 goto out; 232 va_start(argp, keylen); 233 for (;;) { 234 dlen = va_arg(argp, unsigned int); 235 if (dlen == 0) 236 break; 237 dpos = va_arg(argp, unsigned int); 238 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 239 if (ret < 0) 240 break; 241 } 242 va_end(argp); 243 if (!ret) 244 ret = crypto_shash_final(&sdesc->shash, paramdigest); 245 if (ret < 0) 246 goto out; 247 248 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 249 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 250 1, continueflag, 0, 0); 251 if (ret < 0) 252 goto out; 253 254 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 255 ret = -EINVAL; 256out: 257 kzfree(sdesc); 258 return ret; 259} 260EXPORT_SYMBOL_GPL(TSS_checkhmac1); 261 262/* 263 * verify the AUTH2_COMMAND (unseal) result from TPM 264 */ 265static int TSS_checkhmac2(unsigned char *buffer, 266 const uint32_t command, 267 const unsigned char *ononce, 268 const unsigned char *key1, 269 unsigned int keylen1, 270 const unsigned char *key2, 271 unsigned int keylen2, ...) 272{ 273 uint32_t bufsize; 274 uint16_t tag; 275 uint32_t ordinal; 276 uint32_t result; 277 unsigned char *enonce1; 278 unsigned char *continueflag1; 279 unsigned char *authdata1; 280 unsigned char *enonce2; 281 unsigned char *continueflag2; 282 unsigned char *authdata2; 283 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 284 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 285 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 286 struct sdesc *sdesc; 287 unsigned int dlen; 288 unsigned int dpos; 289 va_list argp; 290 int ret; 291 292 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 293 tag = LOAD16(buffer, 0); 294 ordinal = command; 295 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 296 297 if (tag == TPM_TAG_RSP_COMMAND) 298 return 0; 299 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 300 return -EINVAL; 301 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 302 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 303 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 304 continueflag1 = authdata1 - 1; 305 continueflag2 = authdata2 - 1; 306 enonce1 = continueflag1 - TPM_NONCE_SIZE; 307 enonce2 = continueflag2 - TPM_NONCE_SIZE; 308 309 sdesc = init_sdesc(hashalg); 310 if (IS_ERR(sdesc)) { 311 pr_info("trusted_key: can't alloc %s\n", hash_alg); 312 return PTR_ERR(sdesc); 313 } 314 ret = crypto_shash_init(&sdesc->shash); 315 if (ret < 0) 316 goto out; 317 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 318 sizeof result); 319 if (ret < 0) 320 goto out; 321 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 322 sizeof ordinal); 323 if (ret < 0) 324 goto out; 325 326 va_start(argp, keylen2); 327 for (;;) { 328 dlen = va_arg(argp, unsigned int); 329 if (dlen == 0) 330 break; 331 dpos = va_arg(argp, unsigned int); 332 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 333 if (ret < 0) 334 break; 335 } 336 va_end(argp); 337 if (!ret) 338 ret = crypto_shash_final(&sdesc->shash, paramdigest); 339 if (ret < 0) 340 goto out; 341 342 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 343 paramdigest, TPM_NONCE_SIZE, enonce1, 344 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 345 if (ret < 0) 346 goto out; 347 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 348 ret = -EINVAL; 349 goto out; 350 } 351 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 352 paramdigest, TPM_NONCE_SIZE, enonce2, 353 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 354 if (ret < 0) 355 goto out; 356 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 357 ret = -EINVAL; 358out: 359 kzfree(sdesc); 360 return ret; 361} 362 363/* 364 * For key specific tpm requests, we will generate and send our 365 * own TPM command packets using the drivers send function. 366 */ 367int trusted_tpm_send(unsigned char *cmd, size_t buflen) 368{ 369 int rc; 370 371 if (!chip) 372 return -ENODEV; 373 374 dump_tpm_buf(cmd); 375 rc = tpm_send(chip, cmd, buflen); 376 dump_tpm_buf(cmd); 377 if (rc > 0) 378 /* Can't return positive return codes values to keyctl */ 379 rc = -EPERM; 380 return rc; 381} 382EXPORT_SYMBOL_GPL(trusted_tpm_send); 383 384/* 385 * Lock a trusted key, by extending a selected PCR. 386 * 387 * Prevents a trusted key that is sealed to PCRs from being accessed. 388 * This uses the tpm driver's extend function. 389 */ 390static int pcrlock(const int pcrnum) 391{ 392 if (!capable(CAP_SYS_ADMIN)) 393 return -EPERM; 394 395 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 396} 397 398/* 399 * Create an object specific authorisation protocol (OSAP) session 400 */ 401static int osap(struct tpm_buf *tb, struct osapsess *s, 402 const unsigned char *key, uint16_t type, uint32_t handle) 403{ 404 unsigned char enonce[TPM_NONCE_SIZE]; 405 unsigned char ononce[TPM_NONCE_SIZE]; 406 int ret; 407 408 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 409 if (ret != TPM_NONCE_SIZE) 410 return ret; 411 412 INIT_BUF(tb); 413 store16(tb, TPM_TAG_RQU_COMMAND); 414 store32(tb, TPM_OSAP_SIZE); 415 store32(tb, TPM_ORD_OSAP); 416 store16(tb, type); 417 store32(tb, handle); 418 storebytes(tb, ononce, TPM_NONCE_SIZE); 419 420 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 421 if (ret < 0) 422 return ret; 423 424 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 425 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 426 TPM_NONCE_SIZE); 427 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 428 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 429 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 430 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 431} 432 433/* 434 * Create an object independent authorisation protocol (oiap) session 435 */ 436int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 437{ 438 int ret; 439 440 if (!chip) 441 return -ENODEV; 442 443 INIT_BUF(tb); 444 store16(tb, TPM_TAG_RQU_COMMAND); 445 store32(tb, TPM_OIAP_SIZE); 446 store32(tb, TPM_ORD_OIAP); 447 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 448 if (ret < 0) 449 return ret; 450 451 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 452 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 453 TPM_NONCE_SIZE); 454 return 0; 455} 456EXPORT_SYMBOL_GPL(oiap); 457 458struct tpm_digests { 459 unsigned char encauth[SHA1_DIGEST_SIZE]; 460 unsigned char pubauth[SHA1_DIGEST_SIZE]; 461 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 462 unsigned char xorhash[SHA1_DIGEST_SIZE]; 463 unsigned char nonceodd[TPM_NONCE_SIZE]; 464}; 465 466/* 467 * Have the TPM seal(encrypt) the trusted key, possibly based on 468 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 469 */ 470static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 471 uint32_t keyhandle, const unsigned char *keyauth, 472 const unsigned char *data, uint32_t datalen, 473 unsigned char *blob, uint32_t *bloblen, 474 const unsigned char *blobauth, 475 const unsigned char *pcrinfo, uint32_t pcrinfosize) 476{ 477 struct osapsess sess; 478 struct tpm_digests *td; 479 unsigned char cont; 480 uint32_t ordinal; 481 uint32_t pcrsize; 482 uint32_t datsize; 483 int sealinfosize; 484 int encdatasize; 485 int storedsize; 486 int ret; 487 int i; 488 489 /* alloc some work space for all the hashes */ 490 td = kmalloc(sizeof *td, GFP_KERNEL); 491 if (!td) 492 return -ENOMEM; 493 494 /* get session for sealing key */ 495 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 496 if (ret < 0) 497 goto out; 498 dump_sess(&sess); 499 500 /* calculate encrypted authorization value */ 501 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 502 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 503 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 504 if (ret < 0) 505 goto out; 506 507 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 508 if (ret != TPM_NONCE_SIZE) 509 goto out; 510 ordinal = htonl(TPM_ORD_SEAL); 511 datsize = htonl(datalen); 512 pcrsize = htonl(pcrinfosize); 513 cont = 0; 514 515 /* encrypt data authorization key */ 516 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 517 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 518 519 /* calculate authorization HMAC value */ 520 if (pcrinfosize == 0) { 521 /* no pcr info specified */ 522 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 523 sess.enonce, td->nonceodd, cont, 524 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 525 td->encauth, sizeof(uint32_t), &pcrsize, 526 sizeof(uint32_t), &datsize, datalen, data, 0, 527 0); 528 } else { 529 /* pcr info specified */ 530 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 531 sess.enonce, td->nonceodd, cont, 532 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 533 td->encauth, sizeof(uint32_t), &pcrsize, 534 pcrinfosize, pcrinfo, sizeof(uint32_t), 535 &datsize, datalen, data, 0, 0); 536 } 537 if (ret < 0) 538 goto out; 539 540 /* build and send the TPM request packet */ 541 INIT_BUF(tb); 542 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); 543 store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen); 544 store32(tb, TPM_ORD_SEAL); 545 store32(tb, keyhandle); 546 storebytes(tb, td->encauth, SHA1_DIGEST_SIZE); 547 store32(tb, pcrinfosize); 548 storebytes(tb, pcrinfo, pcrinfosize); 549 store32(tb, datalen); 550 storebytes(tb, data, datalen); 551 store32(tb, sess.handle); 552 storebytes(tb, td->nonceodd, TPM_NONCE_SIZE); 553 store8(tb, cont); 554 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 555 556 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 557 if (ret < 0) 558 goto out; 559 560 /* calculate the size of the returned Blob */ 561 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 562 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 563 sizeof(uint32_t) + sealinfosize); 564 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 565 sizeof(uint32_t) + encdatasize; 566 567 /* check the HMAC in the response */ 568 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 569 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 570 0); 571 572 /* copy the returned blob to caller */ 573 if (!ret) { 574 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 575 *bloblen = storedsize; 576 } 577out: 578 kzfree(td); 579 return ret; 580} 581 582/* 583 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 584 */ 585static int tpm_unseal(struct tpm_buf *tb, 586 uint32_t keyhandle, const unsigned char *keyauth, 587 const unsigned char *blob, int bloblen, 588 const unsigned char *blobauth, 589 unsigned char *data, unsigned int *datalen) 590{ 591 unsigned char nonceodd[TPM_NONCE_SIZE]; 592 unsigned char enonce1[TPM_NONCE_SIZE]; 593 unsigned char enonce2[TPM_NONCE_SIZE]; 594 unsigned char authdata1[SHA1_DIGEST_SIZE]; 595 unsigned char authdata2[SHA1_DIGEST_SIZE]; 596 uint32_t authhandle1 = 0; 597 uint32_t authhandle2 = 0; 598 unsigned char cont = 0; 599 uint32_t ordinal; 600 uint32_t keyhndl; 601 int ret; 602 603 /* sessions for unsealing key and data */ 604 ret = oiap(tb, &authhandle1, enonce1); 605 if (ret < 0) { 606 pr_info("trusted_key: oiap failed (%d)\n", ret); 607 return ret; 608 } 609 ret = oiap(tb, &authhandle2, enonce2); 610 if (ret < 0) { 611 pr_info("trusted_key: oiap failed (%d)\n", ret); 612 return ret; 613 } 614 615 ordinal = htonl(TPM_ORD_UNSEAL); 616 keyhndl = htonl(SRKHANDLE); 617 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 618 if (ret != TPM_NONCE_SIZE) { 619 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 620 return ret; 621 } 622 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 623 enonce1, nonceodd, cont, sizeof(uint32_t), 624 &ordinal, bloblen, blob, 0, 0); 625 if (ret < 0) 626 return ret; 627 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 628 enonce2, nonceodd, cont, sizeof(uint32_t), 629 &ordinal, bloblen, blob, 0, 0); 630 if (ret < 0) 631 return ret; 632 633 /* build and send TPM request packet */ 634 INIT_BUF(tb); 635 store16(tb, TPM_TAG_RQU_AUTH2_COMMAND); 636 store32(tb, TPM_UNSEAL_SIZE + bloblen); 637 store32(tb, TPM_ORD_UNSEAL); 638 store32(tb, keyhandle); 639 storebytes(tb, blob, bloblen); 640 store32(tb, authhandle1); 641 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 642 store8(tb, cont); 643 storebytes(tb, authdata1, SHA1_DIGEST_SIZE); 644 store32(tb, authhandle2); 645 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 646 store8(tb, cont); 647 storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 648 649 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 650 if (ret < 0) { 651 pr_info("trusted_key: authhmac failed (%d)\n", ret); 652 return ret; 653 } 654 655 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 656 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 657 keyauth, SHA1_DIGEST_SIZE, 658 blobauth, SHA1_DIGEST_SIZE, 659 sizeof(uint32_t), TPM_DATA_OFFSET, 660 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 661 0); 662 if (ret < 0) { 663 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 664 return ret; 665 } 666 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 667 return 0; 668} 669 670/* 671 * Have the TPM seal(encrypt) the symmetric key 672 */ 673static int key_seal(struct trusted_key_payload *p, 674 struct trusted_key_options *o) 675{ 676 struct tpm_buf *tb; 677 int ret; 678 679 tb = kzalloc(sizeof *tb, GFP_KERNEL); 680 if (!tb) 681 return -ENOMEM; 682 683 /* include migratable flag at end of sealed key */ 684 p->key[p->key_len] = p->migratable; 685 686 ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth, 687 p->key, p->key_len + 1, p->blob, &p->blob_len, 688 o->blobauth, o->pcrinfo, o->pcrinfo_len); 689 if (ret < 0) 690 pr_info("trusted_key: srkseal failed (%d)\n", ret); 691 692 kzfree(tb); 693 return ret; 694} 695 696/* 697 * Have the TPM unseal(decrypt) the symmetric key 698 */ 699static int key_unseal(struct trusted_key_payload *p, 700 struct trusted_key_options *o) 701{ 702 struct tpm_buf *tb; 703 int ret; 704 705 tb = kzalloc(sizeof *tb, GFP_KERNEL); 706 if (!tb) 707 return -ENOMEM; 708 709 ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 710 o->blobauth, p->key, &p->key_len); 711 if (ret < 0) 712 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 713 else 714 /* pull migratable flag out of sealed key */ 715 p->migratable = p->key[--p->key_len]; 716 717 kzfree(tb); 718 return ret; 719} 720 721enum { 722 Opt_err, 723 Opt_new, Opt_load, Opt_update, 724 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 725 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 726 Opt_hash, 727 Opt_policydigest, 728 Opt_policyhandle, 729}; 730 731static const match_table_t key_tokens = { 732 {Opt_new, "new"}, 733 {Opt_load, "load"}, 734 {Opt_update, "update"}, 735 {Opt_keyhandle, "keyhandle=%s"}, 736 {Opt_keyauth, "keyauth=%s"}, 737 {Opt_blobauth, "blobauth=%s"}, 738 {Opt_pcrinfo, "pcrinfo=%s"}, 739 {Opt_pcrlock, "pcrlock=%s"}, 740 {Opt_migratable, "migratable=%s"}, 741 {Opt_hash, "hash=%s"}, 742 {Opt_policydigest, "policydigest=%s"}, 743 {Opt_policyhandle, "policyhandle=%s"}, 744 {Opt_err, NULL} 745}; 746 747/* can have zero or more token= options */ 748static int getoptions(char *c, struct trusted_key_payload *pay, 749 struct trusted_key_options *opt) 750{ 751 substring_t args[MAX_OPT_ARGS]; 752 char *p = c; 753 int token; 754 int res; 755 unsigned long handle; 756 unsigned long lock; 757 unsigned long token_mask = 0; 758 unsigned int digest_len; 759 int i; 760 int tpm2; 761 762 tpm2 = tpm_is_tpm2(chip); 763 if (tpm2 < 0) 764 return tpm2; 765 766 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 767 768 while ((p = strsep(&c, " \t"))) { 769 if (*p == '\0' || *p == ' ' || *p == '\t') 770 continue; 771 token = match_token(p, key_tokens, args); 772 if (test_and_set_bit(token, &token_mask)) 773 return -EINVAL; 774 775 switch (token) { 776 case Opt_pcrinfo: 777 opt->pcrinfo_len = strlen(args[0].from) / 2; 778 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 779 return -EINVAL; 780 res = hex2bin(opt->pcrinfo, args[0].from, 781 opt->pcrinfo_len); 782 if (res < 0) 783 return -EINVAL; 784 break; 785 case Opt_keyhandle: 786 res = kstrtoul(args[0].from, 16, &handle); 787 if (res < 0) 788 return -EINVAL; 789 opt->keytype = SEAL_keytype; 790 opt->keyhandle = handle; 791 break; 792 case Opt_keyauth: 793 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 794 return -EINVAL; 795 res = hex2bin(opt->keyauth, args[0].from, 796 SHA1_DIGEST_SIZE); 797 if (res < 0) 798 return -EINVAL; 799 break; 800 case Opt_blobauth: 801 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 802 return -EINVAL; 803 res = hex2bin(opt->blobauth, args[0].from, 804 SHA1_DIGEST_SIZE); 805 if (res < 0) 806 return -EINVAL; 807 break; 808 case Opt_migratable: 809 if (*args[0].from == '0') 810 pay->migratable = 0; 811 else 812 return -EINVAL; 813 break; 814 case Opt_pcrlock: 815 res = kstrtoul(args[0].from, 10, &lock); 816 if (res < 0) 817 return -EINVAL; 818 opt->pcrlock = lock; 819 break; 820 case Opt_hash: 821 if (test_bit(Opt_policydigest, &token_mask)) 822 return -EINVAL; 823 for (i = 0; i < HASH_ALGO__LAST; i++) { 824 if (!strcmp(args[0].from, hash_algo_name[i])) { 825 opt->hash = i; 826 break; 827 } 828 } 829 if (i == HASH_ALGO__LAST) 830 return -EINVAL; 831 if (!tpm2 && i != HASH_ALGO_SHA1) { 832 pr_info("trusted_key: TPM 1.x only supports SHA-1.\n"); 833 return -EINVAL; 834 } 835 break; 836 case Opt_policydigest: 837 digest_len = hash_digest_size[opt->hash]; 838 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 839 return -EINVAL; 840 res = hex2bin(opt->policydigest, args[0].from, 841 digest_len); 842 if (res < 0) 843 return -EINVAL; 844 opt->policydigest_len = digest_len; 845 break; 846 case Opt_policyhandle: 847 if (!tpm2) 848 return -EINVAL; 849 res = kstrtoul(args[0].from, 16, &handle); 850 if (res < 0) 851 return -EINVAL; 852 opt->policyhandle = handle; 853 break; 854 default: 855 return -EINVAL; 856 } 857 } 858 return 0; 859} 860 861/* 862 * datablob_parse - parse the keyctl data and fill in the 863 * payload and options structures 864 * 865 * On success returns 0, otherwise -EINVAL. 866 */ 867static int datablob_parse(char *datablob, struct trusted_key_payload *p, 868 struct trusted_key_options *o) 869{ 870 substring_t args[MAX_OPT_ARGS]; 871 long keylen; 872 int ret = -EINVAL; 873 int key_cmd; 874 char *c; 875 876 /* main command */ 877 c = strsep(&datablob, " \t"); 878 if (!c) 879 return -EINVAL; 880 key_cmd = match_token(c, key_tokens, args); 881 switch (key_cmd) { 882 case Opt_new: 883 /* first argument is key size */ 884 c = strsep(&datablob, " \t"); 885 if (!c) 886 return -EINVAL; 887 ret = kstrtol(c, 10, &keylen); 888 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 889 return -EINVAL; 890 p->key_len = keylen; 891 ret = getoptions(datablob, p, o); 892 if (ret < 0) 893 return ret; 894 ret = Opt_new; 895 break; 896 case Opt_load: 897 /* first argument is sealed blob */ 898 c = strsep(&datablob, " \t"); 899 if (!c) 900 return -EINVAL; 901 p->blob_len = strlen(c) / 2; 902 if (p->blob_len > MAX_BLOB_SIZE) 903 return -EINVAL; 904 ret = hex2bin(p->blob, c, p->blob_len); 905 if (ret < 0) 906 return -EINVAL; 907 ret = getoptions(datablob, p, o); 908 if (ret < 0) 909 return ret; 910 ret = Opt_load; 911 break; 912 case Opt_update: 913 /* all arguments are options */ 914 ret = getoptions(datablob, p, o); 915 if (ret < 0) 916 return ret; 917 ret = Opt_update; 918 break; 919 case Opt_err: 920 return -EINVAL; 921 break; 922 } 923 return ret; 924} 925 926static struct trusted_key_options *trusted_options_alloc(void) 927{ 928 struct trusted_key_options *options; 929 int tpm2; 930 931 tpm2 = tpm_is_tpm2(chip); 932 if (tpm2 < 0) 933 return NULL; 934 935 options = kzalloc(sizeof *options, GFP_KERNEL); 936 if (options) { 937 /* set any non-zero defaults */ 938 options->keytype = SRK_keytype; 939 940 if (!tpm2) 941 options->keyhandle = SRKHANDLE; 942 } 943 return options; 944} 945 946static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 947{ 948 struct trusted_key_payload *p = NULL; 949 int ret; 950 951 ret = key_payload_reserve(key, sizeof *p); 952 if (ret < 0) 953 return p; 954 p = kzalloc(sizeof *p, GFP_KERNEL); 955 if (p) 956 p->migratable = 1; /* migratable by default */ 957 return p; 958} 959 960/* 961 * trusted_instantiate - create a new trusted key 962 * 963 * Unseal an existing trusted blob or, for a new key, get a 964 * random key, then seal and create a trusted key-type key, 965 * adding it to the specified keyring. 966 * 967 * On success, return 0. Otherwise return errno. 968 */ 969static int trusted_instantiate(struct key *key, 970 struct key_preparsed_payload *prep) 971{ 972 struct trusted_key_payload *payload = NULL; 973 struct trusted_key_options *options = NULL; 974 size_t datalen = prep->datalen; 975 char *datablob; 976 int ret = 0; 977 int key_cmd; 978 size_t key_len; 979 int tpm2; 980 981 tpm2 = tpm_is_tpm2(chip); 982 if (tpm2 < 0) 983 return tpm2; 984 985 if (datalen <= 0 || datalen > 32767 || !prep->data) 986 return -EINVAL; 987 988 datablob = kmalloc(datalen + 1, GFP_KERNEL); 989 if (!datablob) 990 return -ENOMEM; 991 memcpy(datablob, prep->data, datalen); 992 datablob[datalen] = '\0'; 993 994 options = trusted_options_alloc(); 995 if (!options) { 996 ret = -ENOMEM; 997 goto out; 998 } 999 payload = trusted_payload_alloc(key); 1000 if (!payload) { 1001 ret = -ENOMEM; 1002 goto out; 1003 } 1004 1005 key_cmd = datablob_parse(datablob, payload, options); 1006 if (key_cmd < 0) { 1007 ret = key_cmd; 1008 goto out; 1009 } 1010 1011 if (!options->keyhandle) { 1012 ret = -EINVAL; 1013 goto out; 1014 } 1015 1016 dump_payload(payload); 1017 dump_options(options); 1018 1019 switch (key_cmd) { 1020 case Opt_load: 1021 if (tpm2) 1022 ret = tpm_unseal_trusted(chip, payload, options); 1023 else 1024 ret = key_unseal(payload, options); 1025 dump_payload(payload); 1026 dump_options(options); 1027 if (ret < 0) 1028 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 1029 break; 1030 case Opt_new: 1031 key_len = payload->key_len; 1032 ret = tpm_get_random(chip, payload->key, key_len); 1033 if (ret != key_len) { 1034 pr_info("trusted_key: key_create failed (%d)\n", ret); 1035 goto out; 1036 } 1037 if (tpm2) 1038 ret = tpm_seal_trusted(chip, payload, options); 1039 else 1040 ret = key_seal(payload, options); 1041 if (ret < 0) 1042 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1043 break; 1044 default: 1045 ret = -EINVAL; 1046 goto out; 1047 } 1048 if (!ret && options->pcrlock) 1049 ret = pcrlock(options->pcrlock); 1050out: 1051 kzfree(datablob); 1052 kzfree(options); 1053 if (!ret) 1054 rcu_assign_keypointer(key, payload); 1055 else 1056 kzfree(payload); 1057 return ret; 1058} 1059 1060static void trusted_rcu_free(struct rcu_head *rcu) 1061{ 1062 struct trusted_key_payload *p; 1063 1064 p = container_of(rcu, struct trusted_key_payload, rcu); 1065 kzfree(p); 1066} 1067 1068/* 1069 * trusted_update - reseal an existing key with new PCR values 1070 */ 1071static int trusted_update(struct key *key, struct key_preparsed_payload *prep) 1072{ 1073 struct trusted_key_payload *p; 1074 struct trusted_key_payload *new_p; 1075 struct trusted_key_options *new_o; 1076 size_t datalen = prep->datalen; 1077 char *datablob; 1078 int ret = 0; 1079 1080 if (key_is_negative(key)) 1081 return -ENOKEY; 1082 p = key->payload.data[0]; 1083 if (!p->migratable) 1084 return -EPERM; 1085 if (datalen <= 0 || datalen > 32767 || !prep->data) 1086 return -EINVAL; 1087 1088 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1089 if (!datablob) 1090 return -ENOMEM; 1091 new_o = trusted_options_alloc(); 1092 if (!new_o) { 1093 ret = -ENOMEM; 1094 goto out; 1095 } 1096 new_p = trusted_payload_alloc(key); 1097 if (!new_p) { 1098 ret = -ENOMEM; 1099 goto out; 1100 } 1101 1102 memcpy(datablob, prep->data, datalen); 1103 datablob[datalen] = '\0'; 1104 ret = datablob_parse(datablob, new_p, new_o); 1105 if (ret != Opt_update) { 1106 ret = -EINVAL; 1107 kzfree(new_p); 1108 goto out; 1109 } 1110 1111 if (!new_o->keyhandle) { 1112 ret = -EINVAL; 1113 kzfree(new_p); 1114 goto out; 1115 } 1116 1117 /* copy old key values, and reseal with new pcrs */ 1118 new_p->migratable = p->migratable; 1119 new_p->key_len = p->key_len; 1120 memcpy(new_p->key, p->key, p->key_len); 1121 dump_payload(p); 1122 dump_payload(new_p); 1123 1124 ret = key_seal(new_p, new_o); 1125 if (ret < 0) { 1126 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1127 kzfree(new_p); 1128 goto out; 1129 } 1130 if (new_o->pcrlock) { 1131 ret = pcrlock(new_o->pcrlock); 1132 if (ret < 0) { 1133 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1134 kzfree(new_p); 1135 goto out; 1136 } 1137 } 1138 rcu_assign_keypointer(key, new_p); 1139 call_rcu(&p->rcu, trusted_rcu_free); 1140out: 1141 kzfree(datablob); 1142 kzfree(new_o); 1143 return ret; 1144} 1145 1146/* 1147 * trusted_read - copy the sealed blob data to userspace in hex. 1148 * On success, return to userspace the trusted key datablob size. 1149 */ 1150static long trusted_read(const struct key *key, char __user *buffer, 1151 size_t buflen) 1152{ 1153 const struct trusted_key_payload *p; 1154 char *ascii_buf; 1155 char *bufp; 1156 int i; 1157 1158 p = dereference_key_locked(key); 1159 if (!p) 1160 return -EINVAL; 1161 1162 if (buffer && buflen >= 2 * p->blob_len) { 1163 ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL); 1164 if (!ascii_buf) 1165 return -ENOMEM; 1166 1167 bufp = ascii_buf; 1168 for (i = 0; i < p->blob_len; i++) 1169 bufp = hex_byte_pack(bufp, p->blob[i]); 1170 if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) { 1171 kzfree(ascii_buf); 1172 return -EFAULT; 1173 } 1174 kzfree(ascii_buf); 1175 } 1176 return 2 * p->blob_len; 1177} 1178 1179/* 1180 * trusted_destroy - clear and free the key's payload 1181 */ 1182static void trusted_destroy(struct key *key) 1183{ 1184 kzfree(key->payload.data[0]); 1185} 1186 1187struct key_type key_type_trusted = { 1188 .name = "trusted", 1189 .instantiate = trusted_instantiate, 1190 .update = trusted_update, 1191 .destroy = trusted_destroy, 1192 .describe = user_describe, 1193 .read = trusted_read, 1194}; 1195 1196EXPORT_SYMBOL_GPL(key_type_trusted); 1197 1198static void trusted_shash_release(void) 1199{ 1200 if (hashalg) 1201 crypto_free_shash(hashalg); 1202 if (hmacalg) 1203 crypto_free_shash(hmacalg); 1204} 1205 1206static int __init trusted_shash_alloc(void) 1207{ 1208 int ret; 1209 1210 hmacalg = crypto_alloc_shash(hmac_alg, 0, 0); 1211 if (IS_ERR(hmacalg)) { 1212 pr_info("trusted_key: could not allocate crypto %s\n", 1213 hmac_alg); 1214 return PTR_ERR(hmacalg); 1215 } 1216 1217 hashalg = crypto_alloc_shash(hash_alg, 0, 0); 1218 if (IS_ERR(hashalg)) { 1219 pr_info("trusted_key: could not allocate crypto %s\n", 1220 hash_alg); 1221 ret = PTR_ERR(hashalg); 1222 goto hashalg_fail; 1223 } 1224 1225 return 0; 1226 1227hashalg_fail: 1228 crypto_free_shash(hmacalg); 1229 return ret; 1230} 1231 1232static int __init init_digests(void) 1233{ 1234 u8 digest[TPM_MAX_DIGEST_SIZE]; 1235 int ret; 1236 int i; 1237 1238 ret = tpm_get_random(chip, digest, TPM_MAX_DIGEST_SIZE); 1239 if (ret < 0) 1240 return ret; 1241 if (ret < TPM_MAX_DIGEST_SIZE) 1242 return -EFAULT; 1243 1244 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 1245 GFP_KERNEL); 1246 if (!digests) 1247 return -ENOMEM; 1248 1249 for (i = 0; i < chip->nr_allocated_banks; i++) 1250 memcpy(digests[i].digest, digest, TPM_MAX_DIGEST_SIZE); 1251 1252 return 0; 1253} 1254 1255static int __init init_trusted(void) 1256{ 1257 int ret; 1258 1259 /* encrypted_keys.ko depends on successful load of this module even if 1260 * TPM is not used. 1261 */ 1262 chip = tpm_default_chip(); 1263 if (!chip) 1264 return 0; 1265 1266 ret = init_digests(); 1267 if (ret < 0) 1268 goto err_put; 1269 ret = trusted_shash_alloc(); 1270 if (ret < 0) 1271 goto err_free; 1272 ret = register_key_type(&key_type_trusted); 1273 if (ret < 0) 1274 goto err_release; 1275 return 0; 1276err_release: 1277 trusted_shash_release(); 1278err_free: 1279 kfree(digests); 1280err_put: 1281 put_device(&chip->dev); 1282 return ret; 1283} 1284 1285static void __exit cleanup_trusted(void) 1286{ 1287 if (chip) { 1288 put_device(&chip->dev); 1289 kfree(digests); 1290 trusted_shash_release(); 1291 unregister_key_type(&key_type_trusted); 1292 } 1293} 1294 1295late_initcall(init_trusted); 1296module_exit(cleanup_trusted); 1297 1298MODULE_LICENSE("GPL");