Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tpm: add the null key name as a sysfs export

This is the last component of encrypted tpm2 session handling that
allows us to verify from userspace that the key derived from the NULL
seed genuinely belongs to the TPM and has not been spoofed.

The procedure for doing this involves creating an attestation identity
key (which requires verification of the TPM EK certificate) and then
using that AIK to sign a certification of the Elliptic Curve key over
the NULL seed. Userspace must create this EC Key using the parameters
prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if
this is done correctly the names will match and the TPM can then run a
TPM2_Certify operation on this derived primary key using the newly
created AIK.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
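The check that the commit message describes, the userspace side of it at least, is the comparison between the kernel's exported name and a name recomputed from the public area of an ECC primary created with the SRK ECC template. The following is an added example, not code from the commit or from the kernel tree, showing how that name is derived and compared. It assumes the SRK ECC template field values from the TCG TPM 2.0 Provisioning Guidance (type ECC, nameAlg SHA-256, attributes 0x00030472, AES-128-CFB symmetric, NULL scheme, NIST P-256, NULL KDF, empty auth policy), that TPM2_NAME_SIZE is 34 bytes, and that the attribute is read from /sys/class/tpm/tpm0/null_name. The public area and EC point are constructed sample data; a real check feeds the TPMT_PUBLIC returned by TPM2_CreatePrimary into tpm2_name(). The AIK creation and TPM2_Certify step that bind the name to the TPM are not part of this example.

```python
"""Recompute the TPM 2.0 object name of the NULL-seed ECC primary and compare it
with the kernel's null_name sysfs export.

Assumptions (not from the commit): SRK ECC template values per the TCG TPM 2.0
Provisioning Guidance, TPM2_NAME_SIZE == 34 (2-byte nameAlg plus a SHA-256
digest), and the attribute path /sys/class/tpm/tpm0/null_name.
"""
import hashlib
import struct

# TPM 2.0 Part 2 algorithm and curve identifiers
TPM_ALG_ECC = 0x0023
TPM_ALG_SHA256 = 0x000B
TPM_ALG_AES = 0x0006
TPM_ALG_CFB = 0x0043
TPM_ALG_NULL = 0x0010
TPM_ECC_NIST_P256 = 0x0003
# fixedTPM | fixedParent | sensitiveDataOrigin | userWithAuth | noDA | restricted | decrypt
SRK_ECC_ATTRS = 0x00030472
TPM2_NAME_SIZE = 34  # assumed value of the kernel constant used by null_name_show()


def parse_tpmt_public(blob: bytes) -> dict:
    """Unmarshal a big-endian ECC TPMT_PUBLIC into its fields (strict: no trailing bytes)."""
    off = 0

    def u16() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">H", blob, off)
        off += 2
        return v

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">I", blob, off)
        off += 4
        return v

    def tpm2b() -> bytes:
        nonlocal off
        n = u16()
        data = blob[off:off + n]
        if len(data) != n:
            raise ValueError("truncated TPM2B")
        off += n
        return data

    pub = {"type": u16(), "nameAlg": u16(), "attrs": u32(), "authPolicy": tpm2b()}
    if pub["type"] != TPM_ALG_ECC:
        raise ValueError("not an ECC public area")
    sym_alg = u16()                              # TPMT_SYM_DEF_OBJECT: keyBits/mode only if not NULL
    pub["sym"] = (sym_alg,) if sym_alg == TPM_ALG_NULL else (sym_alg, u16(), u16())
    pub["scheme"] = u16()                        # TPMT_ECC_SCHEME; details follow only if not NULL
    if pub["scheme"] != TPM_ALG_NULL:
        raise ValueError("unexpected ECC scheme for a storage key")
    pub["curve"] = u16()
    pub["kdf"] = u16()                           # TPMT_KDF_SCHEME, NULL for storage keys
    if pub["kdf"] != TPM_ALG_NULL:
        raise ValueError("unexpected KDF scheme")
    pub["x"], pub["y"] = tpm2b(), tpm2b()        # TPMS_ECC_POINT
    if off != len(blob):
        raise ValueError("trailing bytes after TPMT_PUBLIC")
    return pub


def matches_srk_ecc_template(pub: dict) -> bool:
    """Check a parsed public area against the (assumed) SRK ECC template values."""
    return (pub["nameAlg"] == TPM_ALG_SHA256
            and pub["attrs"] == SRK_ECC_ATTRS
            and pub["authPolicy"] == b""
            and pub["sym"] == (TPM_ALG_AES, 128, TPM_ALG_CFB)
            and pub["curve"] == TPM_ECC_NIST_P256
            and len(pub["x"]) == 32 and len(pub["y"]) == 32)


def tpm2_name(blob: bytes) -> bytes:
    """Name = nameAlg || H_nameAlg(marshaled TPMT_PUBLIC), as defined in TPM 2.0 Part 1."""
    if parse_tpmt_public(blob)["nameAlg"] != TPM_ALG_SHA256:
        raise ValueError("only SHA-256 names are handled here")
    name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(blob).digest()
    if len(name) != TPM2_NAME_SIZE:
        raise ValueError("unexpected name size")
    return name


def null_name_matches(sysfs_text: str, blob: bytes) -> bool:
    """Compare the sysfs export (lowercase hex plus a trailing newline) with a recomputed name."""
    if not matches_srk_ecc_template(parse_tpmt_public(blob)):
        return False  # a matching name proves nothing if the template itself is wrong
    return sysfs_text.strip() == tpm2_name(blob).hex()


def read_sysfs_null_name(path: str = "/sys/class/tpm/tpm0/null_name") -> str:
    """Read the attribute as the kernel emits it (assumed path)."""
    with open(path) as f:
        return f.read()


def build_srk_ecc_public(x: bytes, y: bytes) -> bytes:
    """Marshal a TPMT_PUBLIC for the SRK ECC template around the given point."""
    return (struct.pack(">HHIH", TPM_ALG_ECC, TPM_ALG_SHA256, SRK_ECC_ATTRS, 0)
            + struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
            + struct.pack(">HHH", TPM_ALG_NULL, TPM_ECC_NIST_P256, TPM_ALG_NULL)
            + struct.pack(">H", len(x)) + x + struct.pack(">H", len(y)) + y)


# Constructed sample: not a real curve point, only exercises marshaling and hashing
SAMPLE_PUBLIC = build_srk_ecc_public(bytes(range(1, 33)), bytes(range(101, 133)))
# What null_name_show() would emit for it: TPM2_NAME_SIZE bytes as hex, then '\n'
SAMPLE_SYSFS = tpm2_name(SAMPLE_PUBLIC).hex() + "\n"

if __name__ == "__main__":
    print("recomputed name:", tpm2_name(SAMPLE_PUBLIC).hex())
    print("matches sysfs export:", null_name_matches(SAMPLE_SYSFS, SAMPLE_PUBLIC))
```

The template check runs before the name comparison on purpose: the names only agree if every template field agrees, so a mismatch on attributes or curve already tells you the wrong object was created, and a name that matches against a public area with the wrong template would be meaningless anyway.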

Authored by James Bottomley, committed by Jarkko Sakkinen (commit ids shown on the page: 089e0fb3, 52ce7d97).

Diffstat: drivers/char/tpm/tpm-sysfs.c, +18 lines
··· 309 309 } 310 310 static DEVICE_ATTR_RO(tpm_version_major); 311 311 312 + #ifdef CONFIG_TCG_TPM2_HMAC 313 + static ssize_t null_name_show(struct device *dev, struct device_attribute *attr, 314 + char *buf) 315 + { 316 + struct tpm_chip *chip = to_tpm_chip(dev); 317 + int size = TPM2_NAME_SIZE; 318 + 319 + bin2hex(buf, chip->null_key_name, size); 320 + size *= 2; 321 + buf[size++] = '\n'; 322 + return size; 323 + } 324 + static DEVICE_ATTR_RO(null_name); 325 + #endif 326 + 312 327 static struct attribute *tpm1_dev_attrs[] = { 313 328 &dev_attr_pubek.attr, 314 329 &dev_attr_pcrs.attr, ··· 341 326 342 327 static struct attribute *tpm2_dev_attrs[] = { 343 328 &dev_attr_tpm_version_major.attr, 329 + #ifdef CONFIG_TCG_TPM2_HMAC 330 + &dev_attr_null_name.attr, 331 + #endif 344 332 NULL 345 333 }; 346 334
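Review bot: the new `null_name` attribute is user-visible ABI, but the first hunk adds no documentation for it (the other tpm class attributes are documented under Documentation/ABI/stable/sysfs-class-tpm, assumed to be the right place); userspace needs to know that the value is TPM2_NAME_SIZE bytes rendered as lowercase hex followed by a single `\n`, exactly as `null_name_show` writes it, and that the file exists only when CONFIG_TCG_TPM2_HMAC is set. Two smaller points in the same hunk: a blank line is missing between the closing brace of `null_name_show` and `static DEVICE_ATTR_RO(null_name);`, and the manual `bin2hex(buf, chip->null_key_name, size);` / `size *= 2;` / `buf[size++] = '\n';` sequence could be collapsed to `return sysfs_emit(buf, "%*phN\n", TPM2_NAME_SIZE, chip->null_key_name);`, which also keeps the PAGE_SIZE bound check in one place, provided TPM2_NAME_SIZE stays within the 64-byte limit of `%*ph`.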
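Review bot: because `&dev_attr_null_name.attr` in the second hunk is only compiled in under CONFIG_TCG_TPM2_HMAC, the attribute is absent rather than empty on kernels built without it, so the verification procedure in the commit message should state that a missing `null_name` file means "not verifiable" and must not be treated as a successful match. It is also worth confirming that `chip->null_key_name` is always populated by the time the attribute can be read: the `#ifdef` makes visibility purely a build-time decision, and if any runtime condition can leave the name unset, an `is_visible` callback on the tpm2 attribute group would be the cleaner way to hide a meaningless value.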