keys: add new trusted key-type · tjh.dev/kernel@d00a1c7

+145

Documentation/keys-trusted-encrypted.txt

··· 1 + Trusted and Encrypted Keys 2 + 3 + Trusted and Encrypted Keys are two new key types added to the existing kernel 4 + key ring service. Both of these new types are variable length symmetic keys, 5 + and in both cases all keys are created in the kernel, and user space sees, 6 + stores, and loads only encrypted blobs. Trusted Keys require the availability 7 + of a Trusted Platform Module (TPM) chip for greater security, while Encrypted 8 + Keys can be used on any system. All user level blobs, are displayed and loaded 9 + in hex ascii for convenience, and are integrity verified. 10 + 11 + Trusted Keys use a TPM both to generate and to seal the keys. Keys are sealed 12 + under a 2048 bit RSA key in the TPM, and optionally sealed to specified PCR 13 + (integrity measurement) values, and only unsealed by the TPM, if PCRs and blob 14 + integrity verifications match. A loaded Trusted Key can be updated with new 15 + (future) PCR values, so keys are easily migrated to new pcr values, such as 16 + when the kernel and initramfs are updated. The same key can have many saved 17 + blobs under different PCR values, so multiple boots are easily supported. 18 + 19 + By default, trusted keys are sealed under the SRK, which has the default 20 + authorization value (20 zeros). This can be set at takeownership time with the 21 + trouser's utility: "tpm_takeownership -u -z". 22 + 23 + Usage: 24 + keyctl add trusted name "new keylen [options]" ring 25 + keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring 26 + keyctl update key "update [options]" 27 + keyctl print keyid 28 + 29 + options: 30 + keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) 31 + keyauth= ascii hex auth for sealing key default 0x00...i 32 + (40 ascii zeros) 33 + blobauth= ascii hex auth for sealed data default 0x00... 34 + (40 ascii zeros) 35 + blobauth= ascii hex auth for sealed data default 0x00... 36 + (40 ascii zeros) 37 + pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) 38 + pcrlock= pcr number to be extended to "lock" blob 39 + migratable= 0|1 indicating permission to reseal to new PCR values, 40 + default 1 (resealing allowed) 41 + 42 + "keyctl print" returns an ascii hex copy of the sealed key, which is in standard 43 + TPM_STORED_DATA format. The key length for new keys are always in bytes. 44 + Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit 45 + within the 2048 bit SRK (RSA) keylength, with all necessary structure/padding. 46 + 47 + Encrypted keys do not depend on a TPM, and are faster, as they use AES for 48 + encryption/decryption. New keys are created from kernel generated random 49 + numbers, and are encrypted/decrypted using a specified 'master' key. The 50 + 'master' key can either be a trusted-key or user-key type. The main 51 + disadvantage of encrypted keys is that if they are not rooted in a trusted key, 52 + they are only as secure as the user key encrypting them. The master user key 53 + should therefore be loaded in as secure a way as possible, preferably early in 54 + boot. 55 + 56 + Usage: 57 + keyctl add encrypted name "new key-type:master-key-name keylen" ring 58 + keyctl add encrypted name "load hex_blob" ring 59 + keyctl update keyid "update key-type:master-key-name" 60 + 61 + where 'key-type' is either 'trusted' or 'user'. 62 + 63 + Examples of trusted and encrypted key usage: 64 + 65 + Create and save a trusted key named "kmk" of length 32 bytes: 66 + 67 + $ keyctl add trusted kmk "new 32" @u 68 + 440502848 69 + 70 + $ keyctl show 71 + Session Keyring 72 + -3 --alswrv 500 500 keyring: _ses 73 + 97833714 --alswrv 500 -1 \_ keyring: _uid.500 74 + 440502848 --alswrv 500 500 \_ trusted: kmk 75 + 76 + $ keyctl print 440502848 77 + 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 78 + 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 79 + 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 80 + a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 81 + d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 82 + dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 83 + f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 84 + e4a8aea2b607ec96931e6f4d4fe563ba 85 + 86 + $ keyctl pipe 440502848 > kmk.blob 87 + 88 + Load a trusted key from the saved blob: 89 + 90 + $ keyctl add trusted kmk "load `cat kmk.blob`" @u 91 + 268728824 92 + 93 + $ keyctl print 268728824 94 + 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e915 95 + 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb0b 96 + 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c83722 97 + a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026fec 98 + d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d5d 99 + dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5ef0 100 + f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b 101 + e4a8aea2b607ec96931e6f4d4fe563ba 102 + 103 + Reseal a trusted key under new pcr values: 104 + 105 + $ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`" 106 + $ keyctl print 268728824 107 + 010100000000002c0002800093c35a09b70fff26e7a98ae786c641e678ec6ffb6b46d805 108 + 77c8a6377aed9d3219c6dfec4b23ffe3000001005d37d472ac8a44023fbb3d18583a4f73 109 + d3a076c0858f6f1dcaa39ea0f119911ff03f5406df4f7f27f41da8d7194f45c9f4e00f2e 110 + df449f266253aa3f52e55c53de147773e00f0f9aca86c64d94c95382265968c354c5eab4 111 + 9638c5ae99c89de1e0997242edfb0b501744e11ff9762dfd951cffd93227cc513384e7e6 112 + e782c29435c7ec2edafaa2f4c1fe6e7a781b59549ff5296371b42133777dcc5b8b971610 113 + 94bc67ede19e43ddb9dc2baacad374a36feaf0314d700af0a65c164b7082401740e489c9 114 + 7ef6a24defe4846104209bf0c3eced7fa1a672ed5b125fc9d8cd88b476a658a4434644ef 115 + df8ae9a178e9f83ba9f08d10fa47e4226b98b0702f06b3b8 116 + 117 + Create and save an encrypted key "evm" using the above trusted key "kmk": 118 + 119 + $ keyctl add encrypted evm "new trusted:kmk 32" @u 120 + 159771175 121 + 122 + $ keyctl print 159771175 123 + trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55 124 + be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64 125 + 5972dcb82ab2dde83376d82b2e3c09ffc 126 + 127 + $ keyctl pipe 159771175 > evm.blob 128 + 129 + Load an encrypted key "evm" from saved blob: 130 + 131 + $ keyctl add encrypted evm "load `cat evm.blob`" @u 132 + 831684262 133 + 134 + $ keyctl print 831684262 135 + trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b382dbbc55 136 + be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e024717c64 137 + 5972dcb82ab2dde83376d82b2e3c09ffc 138 + 139 + 140 + The initial consumer of trusted keys is EVM, which at boot time needs a high 141 + quality symmetric key for HMAC protection of file metadata. The use of a 142 + trusted key provides strong guarantees that the EVM key has not been 143 + compromised by a user level problem, and when sealed to specific boot PCR 144 + values, protects against boot and offline attacks. Other uses for trusted and 145 + encrypted keys, such as for disk and file encryption are anticipated.

+31

include/keys/trusted-type.h

··· 1 + /* 2 + * Copyright (C) 2010 IBM Corporation 3 + * Author: David Safford <safford@us.ibm.com> 4 + * 5 + * This program is free software; you can redistribute it and/or modify 6 + * it under the terms of the GNU General Public License as published by 7 + * the Free Software Foundation, version 2 of the License. 8 + */ 9 + 10 + #ifndef _KEYS_TRUSTED_TYPE_H 11 + #define _KEYS_TRUSTED_TYPE_H 12 + 13 + #include <linux/key.h> 14 + #include <linux/rcupdate.h> 15 + 16 + #define MIN_KEY_SIZE 32 17 + #define MAX_KEY_SIZE 128 18 + #define MAX_BLOB_SIZE 320 19 + 20 + struct trusted_key_payload { 21 + struct rcu_head rcu; 22 + unsigned int key_len; 23 + unsigned int blob_len; 24 + unsigned char migratable; 25 + unsigned char key[MAX_KEY_SIZE + 1]; 26 + unsigned char blob[MAX_BLOB_SIZE]; 27 + }; 28 + 29 + extern struct key_type key_type_trusted; 30 + 31 + #endif /* _KEYS_TRUSTED_TYPE_H */

+28

include/linux/tpm_command.h

··· 1 + #ifndef __LINUX_TPM_COMMAND_H__ 2 + #define __LINUX_TPM_COMMAND_H__ 3 + 4 + /* 5 + * TPM Command constants from specifications at 6 + * http://www.trustedcomputinggroup.org 7 + */ 8 + 9 + /* Command TAGS */ 10 + #define TPM_TAG_RQU_COMMAND 193 11 + #define TPM_TAG_RQU_AUTH1_COMMAND 194 12 + #define TPM_TAG_RQU_AUTH2_COMMAND 195 13 + #define TPM_TAG_RSP_COMMAND 196 14 + #define TPM_TAG_RSP_AUTH1_COMMAND 197 15 + #define TPM_TAG_RSP_AUTH2_COMMAND 198 16 + 17 + /* Command Ordinals */ 18 + #define TPM_ORD_GETRANDOM 70 19 + #define TPM_ORD_OSAP 11 20 + #define TPM_ORD_OIAP 10 21 + #define TPM_ORD_SEAL 23 22 + #define TPM_ORD_UNSEAL 24 23 + 24 + /* Other constants */ 25 + #define SRKHANDLE 0x40000000 26 + #define TPM_NONCE_SIZE 20 27 + 28 + #endif

+15

security/Kconfig

··· 21 21 22 22 If you are unsure as to whether this is required, answer N. 23 23 24 + config TRUSTED_KEYS 25 + tristate "TRUSTED KEYS" 26 + depends on KEYS && TCG_TPM 27 + select CRYPTO 28 + select CRYPTO_HMAC 29 + select CRYPTO_SHA1 30 + help 31 + This option provides support for creating, sealing, and unsealing 32 + keys in the kernel. Trusted keys are random number symmetric keys, 33 + generated and RSA-sealed by the TPM. The TPM only unseals the keys, 34 + if the boot PCRs and other criteria match. Userspace will only ever 35 + see encrypted blobs. 36 + 37 + If you are unsure as to whether this is required, answer N. 38 + 24 39 config KEYS_DEBUG_PROC_KEYS 25 40 bool "Enable the /proc/keys file by which keys may be viewed" 26 41 depends on KEYS

+1

security/keys/Makefile

··· 13 13 request_key_auth.o \ 14 14 user_defined.o 15 15 16 + obj-$(CONFIG_TRUSTED_KEYS) += trusted_defined.o 16 17 obj-$(CONFIG_KEYS_COMPAT) += compat.o 17 18 obj-$(CONFIG_PROC_FS) += proc.o 18 19 obj-$(CONFIG_SYSCTL) += sysctl.o

+1151

security/keys/trusted_defined.c

··· 1 + /* 2 + * Copyright (C) 2010 IBM Corporation 3 + * 4 + * Author: 5 + * David Safford <safford@us.ibm.com> 6 + * 7 + * This program is free software; you can redistribute it and/or modify 8 + * it under the terms of the GNU General Public License as published by 9 + * the Free Software Foundation, version 2 of the License. 10 + * 11 + * See Documentation/keys-trusted-encrypted.txt 12 + */ 13 + 14 + #include <linux/uaccess.h> 15 + #include <linux/module.h> 16 + #include <linux/init.h> 17 + #include <linux/slab.h> 18 + #include <linux/parser.h> 19 + #include <linux/string.h> 20 + #include <keys/user-type.h> 21 + #include <keys/trusted-type.h> 22 + #include <linux/key-type.h> 23 + #include <linux/rcupdate.h> 24 + #include <linux/crypto.h> 25 + #include <crypto/hash.h> 26 + #include <crypto/sha.h> 27 + #include <linux/capability.h> 28 + #include <linux/tpm.h> 29 + #include <linux/tpm_command.h> 30 + 31 + #include "trusted_defined.h" 32 + 33 + static const char hmac_alg[] = "hmac(sha1)"; 34 + static const char hash_alg[] = "sha1"; 35 + 36 + struct sdesc { 37 + struct shash_desc shash; 38 + char ctx[]; 39 + }; 40 + 41 + static struct crypto_shash *hashalg; 42 + static struct crypto_shash *hmacalg; 43 + 44 + static struct sdesc *init_sdesc(struct crypto_shash *alg) 45 + { 46 + struct sdesc *sdesc; 47 + int size; 48 + 49 + size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 50 + sdesc = kmalloc(size, GFP_KERNEL); 51 + if (!sdesc) 52 + return ERR_PTR(-ENOMEM); 53 + sdesc->shash.tfm = alg; 54 + sdesc->shash.flags = 0x0; 55 + return sdesc; 56 + } 57 + 58 + static int TSS_sha1(const unsigned char *data, const unsigned int datalen, 59 + unsigned char *digest) 60 + { 61 + struct sdesc *sdesc; 62 + int ret; 63 + 64 + sdesc = init_sdesc(hashalg); 65 + if (IS_ERR(sdesc)) { 66 + pr_info("trusted_key: can't alloc %s\n", hash_alg); 67 + return PTR_ERR(sdesc); 68 + } 69 + 70 + ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 71 + kfree(sdesc); 72 + return ret; 73 + } 74 + 75 + static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 76 + const unsigned int keylen, ...) 77 + { 78 + struct sdesc *sdesc; 79 + va_list argp; 80 + unsigned int dlen; 81 + unsigned char *data; 82 + int ret; 83 + 84 + sdesc = init_sdesc(hmacalg); 85 + if (IS_ERR(sdesc)) { 86 + pr_info("trusted_key: can't alloc %s\n", hmac_alg); 87 + return PTR_ERR(sdesc); 88 + } 89 + 90 + ret = crypto_shash_setkey(hmacalg, key, keylen); 91 + if (ret < 0) 92 + goto out; 93 + ret = crypto_shash_init(&sdesc->shash); 94 + if (ret < 0) 95 + goto out; 96 + 97 + va_start(argp, keylen); 98 + for (;;) { 99 + dlen = va_arg(argp, unsigned int); 100 + if (dlen == 0) 101 + break; 102 + data = va_arg(argp, unsigned char *); 103 + if (data == NULL) 104 + return -EINVAL; 105 + ret = crypto_shash_update(&sdesc->shash, data, dlen); 106 + if (ret < 0) 107 + goto out; 108 + } 109 + va_end(argp); 110 + ret = crypto_shash_final(&sdesc->shash, digest); 111 + out: 112 + kfree(sdesc); 113 + return ret; 114 + } 115 + 116 + /* 117 + * calculate authorization info fields to send to TPM 118 + */ 119 + static uint32_t TSS_authhmac(unsigned char *digest, const unsigned char *key, 120 + const unsigned int keylen, unsigned char *h1, 121 + unsigned char *h2, unsigned char h3, ...) 122 + { 123 + unsigned char paramdigest[SHA1_DIGEST_SIZE]; 124 + struct sdesc *sdesc; 125 + unsigned int dlen; 126 + unsigned char *data; 127 + unsigned char c; 128 + int ret; 129 + va_list argp; 130 + 131 + sdesc = init_sdesc(hashalg); 132 + if (IS_ERR(sdesc)) { 133 + pr_info("trusted_key: can't alloc %s\n", hash_alg); 134 + return PTR_ERR(sdesc); 135 + } 136 + 137 + c = h3; 138 + ret = crypto_shash_init(&sdesc->shash); 139 + if (ret < 0) 140 + goto out; 141 + va_start(argp, h3); 142 + for (;;) { 143 + dlen = va_arg(argp, unsigned int); 144 + if (dlen == 0) 145 + break; 146 + data = va_arg(argp, unsigned char *); 147 + ret = crypto_shash_update(&sdesc->shash, data, dlen); 148 + if (ret < 0) 149 + goto out; 150 + } 151 + va_end(argp); 152 + ret = crypto_shash_final(&sdesc->shash, paramdigest); 153 + if (!ret) 154 + TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 155 + paramdigest, TPM_NONCE_SIZE, h1, 156 + TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 157 + out: 158 + kfree(sdesc); 159 + return ret; 160 + } 161 + 162 + /* 163 + * verify the AUTH1_COMMAND (Seal) result from TPM 164 + */ 165 + static uint32_t TSS_checkhmac1(unsigned char *buffer, 166 + const uint32_t command, 167 + const unsigned char *ononce, 168 + const unsigned char *key, 169 + const unsigned int keylen, ...) 170 + { 171 + uint32_t bufsize; 172 + uint16_t tag; 173 + uint32_t ordinal; 174 + uint32_t result; 175 + unsigned char *enonce; 176 + unsigned char *continueflag; 177 + unsigned char *authdata; 178 + unsigned char testhmac[SHA1_DIGEST_SIZE]; 179 + unsigned char paramdigest[SHA1_DIGEST_SIZE]; 180 + struct sdesc *sdesc; 181 + unsigned int dlen; 182 + unsigned int dpos; 183 + va_list argp; 184 + int ret; 185 + 186 + bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 187 + tag = LOAD16(buffer, 0); 188 + ordinal = command; 189 + result = LOAD32N(buffer, TPM_RETURN_OFFSET); 190 + if (tag == TPM_TAG_RSP_COMMAND) 191 + return 0; 192 + if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 193 + return -EINVAL; 194 + authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 195 + continueflag = authdata - 1; 196 + enonce = continueflag - TPM_NONCE_SIZE; 197 + 198 + sdesc = init_sdesc(hashalg); 199 + if (IS_ERR(sdesc)) { 200 + pr_info("trusted_key: can't alloc %s\n", hash_alg); 201 + return PTR_ERR(sdesc); 202 + } 203 + ret = crypto_shash_init(&sdesc->shash); 204 + if (ret < 0) 205 + goto out; 206 + ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 207 + sizeof result); 208 + if (ret < 0) 209 + goto out; 210 + ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 211 + sizeof ordinal); 212 + if (ret < 0) 213 + goto out; 214 + va_start(argp, keylen); 215 + for (;;) { 216 + dlen = va_arg(argp, unsigned int); 217 + if (dlen == 0) 218 + break; 219 + dpos = va_arg(argp, unsigned int); 220 + ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 221 + if (ret < 0) 222 + goto out; 223 + } 224 + va_end(argp); 225 + ret = crypto_shash_final(&sdesc->shash, paramdigest); 226 + if (ret < 0) 227 + goto out; 228 + ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 229 + TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 230 + 1, continueflag, 0, 0); 231 + if (ret < 0) 232 + goto out; 233 + if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 234 + ret = -EINVAL; 235 + out: 236 + kfree(sdesc); 237 + return ret; 238 + } 239 + 240 + /* 241 + * verify the AUTH2_COMMAND (unseal) result from TPM 242 + */ 243 + static uint32_t TSS_checkhmac2(unsigned char *buffer, 244 + const uint32_t command, 245 + const unsigned char *ononce, 246 + const unsigned char *key1, 247 + const unsigned int keylen1, 248 + const unsigned char *key2, 249 + const unsigned int keylen2, ...) 250 + { 251 + uint32_t bufsize; 252 + uint16_t tag; 253 + uint32_t ordinal; 254 + uint32_t result; 255 + unsigned char *enonce1; 256 + unsigned char *continueflag1; 257 + unsigned char *authdata1; 258 + unsigned char *enonce2; 259 + unsigned char *continueflag2; 260 + unsigned char *authdata2; 261 + unsigned char testhmac1[SHA1_DIGEST_SIZE]; 262 + unsigned char testhmac2[SHA1_DIGEST_SIZE]; 263 + unsigned char paramdigest[SHA1_DIGEST_SIZE]; 264 + struct sdesc *sdesc; 265 + unsigned int dlen; 266 + unsigned int dpos; 267 + va_list argp; 268 + int ret; 269 + 270 + bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 271 + tag = LOAD16(buffer, 0); 272 + ordinal = command; 273 + result = LOAD32N(buffer, TPM_RETURN_OFFSET); 274 + 275 + if (tag == TPM_TAG_RSP_COMMAND) 276 + return 0; 277 + if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 278 + return -EINVAL; 279 + authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 280 + + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 281 + authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 282 + continueflag1 = authdata1 - 1; 283 + continueflag2 = authdata2 - 1; 284 + enonce1 = continueflag1 - TPM_NONCE_SIZE; 285 + enonce2 = continueflag2 - TPM_NONCE_SIZE; 286 + 287 + sdesc = init_sdesc(hashalg); 288 + if (IS_ERR(sdesc)) { 289 + pr_info("trusted_key: can't alloc %s\n", hash_alg); 290 + return PTR_ERR(sdesc); 291 + } 292 + ret = crypto_shash_init(&sdesc->shash); 293 + if (ret < 0) 294 + goto out; 295 + ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 296 + sizeof result); 297 + if (ret < 0) 298 + goto out; 299 + ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 300 + sizeof ordinal); 301 + if (ret < 0) 302 + goto out; 303 + 304 + va_start(argp, keylen2); 305 + for (;;) { 306 + dlen = va_arg(argp, unsigned int); 307 + if (dlen == 0) 308 + break; 309 + dpos = va_arg(argp, unsigned int); 310 + ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 311 + if (ret < 0) 312 + goto out; 313 + } 314 + ret = crypto_shash_final(&sdesc->shash, paramdigest); 315 + if (ret < 0) 316 + goto out; 317 + 318 + ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 319 + paramdigest, TPM_NONCE_SIZE, enonce1, 320 + TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 321 + if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 322 + ret = -EINVAL; 323 + goto out; 324 + } 325 + ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 326 + paramdigest, TPM_NONCE_SIZE, enonce2, 327 + TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 328 + if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 329 + ret = -EINVAL; 330 + out: 331 + kfree(sdesc); 332 + return ret; 333 + } 334 + 335 + /* 336 + * For key specific tpm requests, we will generate and send our 337 + * own TPM command packets using the drivers send function. 338 + */ 339 + static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd, 340 + size_t buflen) 341 + { 342 + int rc; 343 + 344 + dump_tpm_buf(cmd); 345 + rc = tpm_send(chip_num, cmd, buflen); 346 + dump_tpm_buf(cmd); 347 + if (rc > 0) 348 + /* Can't return positive return codes values to keyctl */ 349 + rc = -EPERM; 350 + return rc; 351 + } 352 + 353 + /* 354 + * get a random value from TPM 355 + */ 356 + static int tpm_get_random(struct tpm_buf *tb, unsigned char *buf, uint32_t len) 357 + { 358 + int ret; 359 + 360 + INIT_BUF(tb); 361 + store16(tb, TPM_TAG_RQU_COMMAND); 362 + store32(tb, TPM_GETRANDOM_SIZE); 363 + store32(tb, TPM_ORD_GETRANDOM); 364 + store32(tb, len); 365 + ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, sizeof tb->data); 366 + memcpy(buf, tb->data + TPM_GETRANDOM_SIZE, len); 367 + 368 + return ret; 369 + } 370 + 371 + static int my_get_random(unsigned char *buf, int len) 372 + { 373 + struct tpm_buf *tb; 374 + int ret; 375 + 376 + tb = kzalloc(sizeof *tb, GFP_KERNEL); 377 + if (!tb) 378 + return -ENOMEM; 379 + ret = tpm_get_random(tb, buf, len); 380 + 381 + kfree(tb); 382 + return ret; 383 + } 384 + 385 + /* 386 + * Lock a trusted key, by extending a selected PCR. 387 + * 388 + * Prevents a trusted key that is sealed to PCRs from being accessed. 389 + * This uses the tpm driver's extend function. 390 + */ 391 + static int pcrlock(const int pcrnum) 392 + { 393 + unsigned char hash[SHA1_DIGEST_SIZE]; 394 + 395 + if (!capable(CAP_SYS_ADMIN)) 396 + return -EPERM; 397 + my_get_random(hash, SHA1_DIGEST_SIZE); 398 + return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0; 399 + } 400 + 401 + /* 402 + * Create an object specific authorisation protocol (OSAP) session 403 + */ 404 + static int osap(struct tpm_buf *tb, struct osapsess *s, 405 + const unsigned char *key, const uint16_t type, 406 + const uint32_t handle) 407 + { 408 + unsigned char enonce[TPM_NONCE_SIZE]; 409 + unsigned char ononce[TPM_NONCE_SIZE]; 410 + int ret; 411 + 412 + ret = tpm_get_random(tb, ononce, TPM_NONCE_SIZE); 413 + if (ret < 0) 414 + return ret; 415 + 416 + INIT_BUF(tb); 417 + store16(tb, TPM_TAG_RQU_COMMAND); 418 + store32(tb, TPM_OSAP_SIZE); 419 + store32(tb, TPM_ORD_OSAP); 420 + store16(tb, type); 421 + store32(tb, handle); 422 + storebytes(tb, ononce, TPM_NONCE_SIZE); 423 + 424 + ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 425 + if (ret < 0) 426 + return ret; 427 + 428 + s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 429 + memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 430 + TPM_NONCE_SIZE); 431 + memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 432 + TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 433 + ret = TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 434 + enonce, TPM_NONCE_SIZE, ononce, 0, 0); 435 + return ret; 436 + } 437 + 438 + /* 439 + * Create an object independent authorisation protocol (oiap) session 440 + */ 441 + static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 442 + { 443 + int ret; 444 + 445 + INIT_BUF(tb); 446 + store16(tb, TPM_TAG_RQU_COMMAND); 447 + store32(tb, TPM_OIAP_SIZE); 448 + store32(tb, TPM_ORD_OIAP); 449 + ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 450 + if (ret < 0) 451 + return ret; 452 + 453 + *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 454 + memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 455 + TPM_NONCE_SIZE); 456 + return ret; 457 + } 458 + 459 + struct tpm_digests { 460 + unsigned char encauth[SHA1_DIGEST_SIZE]; 461 + unsigned char pubauth[SHA1_DIGEST_SIZE]; 462 + unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 463 + unsigned char xorhash[SHA1_DIGEST_SIZE]; 464 + unsigned char nonceodd[TPM_NONCE_SIZE]; 465 + }; 466 + 467 + /* 468 + * Have the TPM seal(encrypt) the trusted key, possibly based on 469 + * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 470 + */ 471 + static int tpm_seal(struct tpm_buf *tb, const uint16_t keytype, 472 + const uint32_t keyhandle, const unsigned char *keyauth, 473 + const unsigned char *data, const uint32_t datalen, 474 + unsigned char *blob, uint32_t *bloblen, 475 + const unsigned char *blobauth, 476 + const unsigned char *pcrinfo, const uint32_t pcrinfosize) 477 + { 478 + struct osapsess sess; 479 + struct tpm_digests *td; 480 + unsigned char cont; 481 + uint32_t ordinal; 482 + uint32_t pcrsize; 483 + uint32_t datsize; 484 + int sealinfosize; 485 + int encdatasize; 486 + int storedsize; 487 + int ret; 488 + int i; 489 + 490 + /* alloc some work space for all the hashes */ 491 + td = kmalloc(sizeof *td, GFP_KERNEL); 492 + if (!td) 493 + return -ENOMEM; 494 + 495 + /* get session for sealing key */ 496 + ret = osap(tb, &sess, keyauth, keytype, keyhandle); 497 + if (ret < 0) 498 + return ret; 499 + dump_sess(&sess); 500 + 501 + /* calculate encrypted authorization value */ 502 + memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 503 + memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 504 + ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 505 + if (ret < 0) 506 + return ret; 507 + 508 + ret = tpm_get_random(tb, td->nonceodd, TPM_NONCE_SIZE); 509 + if (ret < 0) 510 + return ret; 511 + ordinal = htonl(TPM_ORD_SEAL); 512 + datsize = htonl(datalen); 513 + pcrsize = htonl(pcrinfosize); 514 + cont = 0; 515 + 516 + /* encrypt data authorization key */ 517 + for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 518 + td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 519 + 520 + /* calculate authorization HMAC value */ 521 + if (pcrinfosize == 0) { 522 + /* no pcr info specified */ 523 + TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 524 + sess.enonce, td->nonceodd, cont, sizeof(uint32_t), 525 + &ordinal, SHA1_DIGEST_SIZE, td->encauth, 526 + sizeof(uint32_t), &pcrsize, sizeof(uint32_t), 527 + &datsize, datalen, data, 0, 0); 528 + } else { 529 + /* pcr info specified */ 530 + TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 531 + sess.enonce, td->nonceodd, cont, sizeof(uint32_t), 532 + &ordinal, SHA1_DIGEST_SIZE, td->encauth, 533 + sizeof(uint32_t), &pcrsize, pcrinfosize, 534 + pcrinfo, sizeof(uint32_t), &datsize, datalen, 535 + data, 0, 0); 536 + } 537 + 538 + /* build and send the TPM request packet */ 539 + INIT_BUF(tb); 540 + store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); 541 + store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen); 542 + store32(tb, TPM_ORD_SEAL); 543 + store32(tb, keyhandle); 544 + storebytes(tb, td->encauth, SHA1_DIGEST_SIZE); 545 + store32(tb, pcrinfosize); 546 + storebytes(tb, pcrinfo, pcrinfosize); 547 + store32(tb, datalen); 548 + storebytes(tb, data, datalen); 549 + store32(tb, sess.handle); 550 + storebytes(tb, td->nonceodd, TPM_NONCE_SIZE); 551 + store8(tb, cont); 552 + storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 553 + 554 + ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 555 + if (ret < 0) 556 + return ret; 557 + 558 + /* calculate the size of the returned Blob */ 559 + sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 560 + encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 561 + sizeof(uint32_t) + sealinfosize); 562 + storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 563 + sizeof(uint32_t) + encdatasize; 564 + 565 + /* check the HMAC in the response */ 566 + ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 567 + SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 568 + 0); 569 + 570 + /* copy the returned blob to caller */ 571 + memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 572 + *bloblen = storedsize; 573 + return ret; 574 + } 575 + 576 + /* 577 + * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 578 + */ 579 + static int tpm_unseal(struct tpm_buf *tb, 580 + const uint32_t keyhandle, const unsigned char *keyauth, 581 + const unsigned char *blob, const int bloblen, 582 + const unsigned char *blobauth, 583 + unsigned char *data, unsigned int *datalen) 584 + { 585 + unsigned char nonceodd[TPM_NONCE_SIZE]; 586 + unsigned char enonce1[TPM_NONCE_SIZE]; 587 + unsigned char enonce2[TPM_NONCE_SIZE]; 588 + unsigned char authdata1[SHA1_DIGEST_SIZE]; 589 + unsigned char authdata2[SHA1_DIGEST_SIZE]; 590 + uint32_t authhandle1 = 0; 591 + uint32_t authhandle2 = 0; 592 + unsigned char cont = 0; 593 + uint32_t ordinal; 594 + uint32_t keyhndl; 595 + int ret; 596 + 597 + /* sessions for unsealing key and data */ 598 + ret = oiap(tb, &authhandle1, enonce1); 599 + if (ret < 0) { 600 + pr_info("trusted_key: oiap failed (%d)\n", ret); 601 + return ret; 602 + } 603 + ret = oiap(tb, &authhandle2, enonce2); 604 + if (ret < 0) { 605 + pr_info("trusted_key: oiap failed (%d)\n", ret); 606 + return ret; 607 + } 608 + 609 + ordinal = htonl(TPM_ORD_UNSEAL); 610 + keyhndl = htonl(SRKHANDLE); 611 + ret = tpm_get_random(tb, nonceodd, TPM_NONCE_SIZE); 612 + if (ret < 0) { 613 + pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 614 + return ret; 615 + } 616 + TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 617 + enonce1, nonceodd, cont, sizeof(uint32_t), 618 + &ordinal, bloblen, blob, 0, 0); 619 + TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 620 + enonce2, nonceodd, cont, sizeof(uint32_t), 621 + &ordinal, bloblen, blob, 0, 0); 622 + 623 + /* build and send TPM request packet */ 624 + INIT_BUF(tb); 625 + store16(tb, TPM_TAG_RQU_AUTH2_COMMAND); 626 + store32(tb, TPM_UNSEAL_SIZE + bloblen); 627 + store32(tb, TPM_ORD_UNSEAL); 628 + store32(tb, keyhandle); 629 + storebytes(tb, blob, bloblen); 630 + store32(tb, authhandle1); 631 + storebytes(tb, nonceodd, TPM_NONCE_SIZE); 632 + store8(tb, cont); 633 + storebytes(tb, authdata1, SHA1_DIGEST_SIZE); 634 + store32(tb, authhandle2); 635 + storebytes(tb, nonceodd, TPM_NONCE_SIZE); 636 + store8(tb, cont); 637 + storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 638 + 639 + ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 640 + if (ret < 0) { 641 + pr_info("trusted_key: authhmac failed (%d)\n", ret); 642 + return ret; 643 + } 644 + 645 + *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 646 + ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 647 + keyauth, SHA1_DIGEST_SIZE, 648 + blobauth, SHA1_DIGEST_SIZE, 649 + sizeof(uint32_t), TPM_DATA_OFFSET, 650 + *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 651 + 0); 652 + if (ret < 0) 653 + pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 654 + memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 655 + return ret; 656 + } 657 + 658 + /* 659 + * Have the TPM seal(encrypt) the symmetric key 660 + */ 661 + static int key_seal(struct trusted_key_payload *p, 662 + struct trusted_key_options *o) 663 + { 664 + struct tpm_buf *tb; 665 + int ret; 666 + 667 + tb = kzalloc(sizeof *tb, GFP_KERNEL); 668 + if (!tb) 669 + return -ENOMEM; 670 + 671 + /* include migratable flag at end of sealed key */ 672 + p->key[p->key_len] = p->migratable; 673 + 674 + ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth, 675 + p->key, p->key_len + 1, p->blob, &p->blob_len, 676 + o->blobauth, o->pcrinfo, o->pcrinfo_len); 677 + if (ret < 0) 678 + pr_info("trusted_key: srkseal failed (%d)\n", ret); 679 + 680 + kfree(tb); 681 + return ret; 682 + } 683 + 684 + /* 685 + * Have the TPM unseal(decrypt) the symmetric key 686 + */ 687 + static int key_unseal(struct trusted_key_payload *p, 688 + struct trusted_key_options *o) 689 + { 690 + struct tpm_buf *tb; 691 + int ret; 692 + 693 + tb = kzalloc(sizeof *tb, GFP_KERNEL); 694 + if (!tb) 695 + return -ENOMEM; 696 + 697 + ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 698 + o->blobauth, p->key, &p->key_len); 699 + /* pull migratable flag out of sealed key */ 700 + p->migratable = p->key[--p->key_len]; 701 + 702 + if (ret < 0) 703 + pr_info("trusted_key: srkunseal failed (%d)\n", ret); 704 + 705 + kfree(tb); 706 + return ret; 707 + } 708 + 709 + enum { 710 + Opt_err = -1, 711 + Opt_new, Opt_load, Opt_update, 712 + Opt_keyhandle, Opt_keyauth, Opt_blobauth, 713 + Opt_pcrinfo, Opt_pcrlock, Opt_migratable 714 + }; 715 + 716 + static const match_table_t key_tokens = { 717 + {Opt_new, "new"}, 718 + {Opt_load, "load"}, 719 + {Opt_update, "update"}, 720 + {Opt_keyhandle, "keyhandle=%s"}, 721 + {Opt_keyauth, "keyauth=%s"}, 722 + {Opt_blobauth, "blobauth=%s"}, 723 + {Opt_pcrinfo, "pcrinfo=%s"}, 724 + {Opt_pcrlock, "pcrlock=%s"}, 725 + {Opt_migratable, "migratable=%s"}, 726 + {Opt_err, NULL} 727 + }; 728 + 729 + /* can have zero or more token= options */ 730 + static int getoptions(char *c, struct trusted_key_payload *pay, 731 + struct trusted_key_options *opt) 732 + { 733 + substring_t args[MAX_OPT_ARGS]; 734 + char *p = c; 735 + int token; 736 + int res; 737 + unsigned long handle; 738 + unsigned long lock; 739 + 740 + while ((p = strsep(&c, " \t"))) { 741 + if (*p == '\0' || *p == ' ' || *p == '\t') 742 + continue; 743 + token = match_token(p, key_tokens, args); 744 + 745 + switch (token) { 746 + case Opt_pcrinfo: 747 + opt->pcrinfo_len = strlen(args[0].from) / 2; 748 + if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 749 + return -EINVAL; 750 + hex2bin(opt->pcrinfo, args[0].from, opt->pcrinfo_len); 751 + break; 752 + case Opt_keyhandle: 753 + res = strict_strtoul(args[0].from, 16, &handle); 754 + if (res < 0) 755 + return -EINVAL; 756 + opt->keytype = SEAL_keytype; 757 + opt->keyhandle = handle; 758 + break; 759 + case Opt_keyauth: 760 + if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 761 + return -EINVAL; 762 + hex2bin(opt->keyauth, args[0].from, SHA1_DIGEST_SIZE); 763 + break; 764 + case Opt_blobauth: 765 + if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 766 + return -EINVAL; 767 + hex2bin(opt->blobauth, args[0].from, SHA1_DIGEST_SIZE); 768 + break; 769 + case Opt_migratable: 770 + if (*args[0].from == '0') 771 + pay->migratable = 0; 772 + else 773 + return -EINVAL; 774 + break; 775 + case Opt_pcrlock: 776 + res = strict_strtoul(args[0].from, 10, &lock); 777 + if (res < 0) 778 + return -EINVAL; 779 + opt->pcrlock = lock; 780 + break; 781 + default: 782 + return -EINVAL; 783 + } 784 + } 785 + return 0; 786 + } 787 + 788 + /* 789 + * datablob_parse - parse the keyctl data and fill in the 790 + * payload and options structures 791 + * 792 + * On success returns 0, otherwise -EINVAL. 793 + */ 794 + static int datablob_parse(char *datablob, struct trusted_key_payload *p, 795 + struct trusted_key_options *o) 796 + { 797 + substring_t args[MAX_OPT_ARGS]; 798 + long keylen; 799 + int ret = -EINVAL; 800 + int key_cmd; 801 + char *c; 802 + 803 + /* main command */ 804 + c = strsep(&datablob, " \t"); 805 + if (!c) 806 + return -EINVAL; 807 + key_cmd = match_token(c, key_tokens, args); 808 + switch (key_cmd) { 809 + case Opt_new: 810 + /* first argument is key size */ 811 + c = strsep(&datablob, " \t"); 812 + if (!c) 813 + return -EINVAL; 814 + ret = strict_strtol(c, 10, &keylen); 815 + if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 816 + return -EINVAL; 817 + p->key_len = keylen; 818 + ret = getoptions(datablob, p, o); 819 + if (ret < 0) 820 + return ret; 821 + ret = Opt_new; 822 + break; 823 + case Opt_load: 824 + /* first argument is sealed blob */ 825 + c = strsep(&datablob, " \t"); 826 + if (!c) 827 + return -EINVAL; 828 + p->blob_len = strlen(c) / 2; 829 + if (p->blob_len > MAX_BLOB_SIZE) 830 + return -EINVAL; 831 + hex2bin(p->blob, c, p->blob_len); 832 + ret = getoptions(datablob, p, o); 833 + if (ret < 0) 834 + return ret; 835 + ret = Opt_load; 836 + break; 837 + case Opt_update: 838 + /* all arguments are options */ 839 + ret = getoptions(datablob, p, o); 840 + if (ret < 0) 841 + return ret; 842 + ret = Opt_update; 843 + break; 844 + case Opt_err: 845 + return -EINVAL; 846 + break; 847 + } 848 + return ret; 849 + } 850 + 851 + static struct trusted_key_options *trusted_options_alloc(void) 852 + { 853 + struct trusted_key_options *options; 854 + 855 + options = kzalloc(sizeof *options, GFP_KERNEL); 856 + if (!options) 857 + return options; 858 + 859 + /* set any non-zero defaults */ 860 + options->keytype = SRK_keytype; 861 + options->keyhandle = SRKHANDLE; 862 + return options; 863 + } 864 + 865 + static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 866 + { 867 + struct trusted_key_payload *p = NULL; 868 + int ret; 869 + 870 + ret = key_payload_reserve(key, sizeof *p); 871 + if (ret < 0) 872 + return p; 873 + p = kzalloc(sizeof *p, GFP_KERNEL); 874 + 875 + /* migratable by default */ 876 + p->migratable = 1; 877 + return p; 878 + } 879 + 880 + /* 881 + * trusted_instantiate - create a new trusted key 882 + * 883 + * Unseal an existing trusted blob or, for a new key, get a 884 + * random key, then seal and create a trusted key-type key, 885 + * adding it to the specified keyring. 886 + * 887 + * On success, return 0. Otherwise return errno. 888 + */ 889 + static int trusted_instantiate(struct key *key, const void *data, 890 + const size_t datalen) 891 + { 892 + struct trusted_key_payload *payload = NULL; 893 + struct trusted_key_options *options = NULL; 894 + char *datablob; 895 + int ret = 0; 896 + int key_cmd; 897 + 898 + if (datalen <= 0 || datalen > 32767 || !data) 899 + return -EINVAL; 900 + 901 + datablob = kmalloc(datalen + 1, GFP_KERNEL); 902 + if (!datablob) 903 + return -ENOMEM; 904 + memcpy(datablob, data, datalen); 905 + datablob[datalen] = '\0'; 906 + 907 + options = trusted_options_alloc(); 908 + if (!options) { 909 + ret = -ENOMEM; 910 + goto out; 911 + } 912 + payload = trusted_payload_alloc(key); 913 + if (!payload) { 914 + ret = -ENOMEM; 915 + goto out; 916 + } 917 + 918 + key_cmd = datablob_parse(datablob, payload, options); 919 + if (key_cmd < 0) { 920 + ret = key_cmd; 921 + goto out; 922 + } 923 + 924 + dump_payload(payload); 925 + dump_options(options); 926 + 927 + switch (key_cmd) { 928 + case Opt_load: 929 + ret = key_unseal(payload, options); 930 + dump_payload(payload); 931 + dump_options(options); 932 + if (ret < 0) 933 + pr_info("trusted_key: key_unseal failed (%d)\n", ret); 934 + break; 935 + case Opt_new: 936 + ret = my_get_random(payload->key, payload->key_len); 937 + if (ret < 0) { 938 + pr_info("trusted_key: key_create failed (%d)\n", ret); 939 + goto out; 940 + } 941 + ret = key_seal(payload, options); 942 + if (ret < 0) 943 + pr_info("trusted_key: key_seal failed (%d)\n", ret); 944 + break; 945 + default: 946 + ret = -EINVAL; 947 + goto out; 948 + } 949 + if (!ret && options->pcrlock) 950 + ret = pcrlock(options->pcrlock); 951 + out: 952 + kfree(datablob); 953 + kfree(options); 954 + if (!ret) 955 + rcu_assign_pointer(key->payload.data, payload); 956 + else 957 + kfree(payload); 958 + return ret; 959 + } 960 + 961 + static void trusted_rcu_free(struct rcu_head *rcu) 962 + { 963 + struct trusted_key_payload *p; 964 + 965 + p = container_of(rcu, struct trusted_key_payload, rcu); 966 + memset(p->key, 0, p->key_len); 967 + kfree(p); 968 + } 969 + 970 + /* 971 + * trusted_update - reseal an existing key with new PCR values 972 + */ 973 + static int trusted_update(struct key *key, const void *data, 974 + const size_t datalen) 975 + { 976 + struct trusted_key_payload *p = key->payload.data; 977 + struct trusted_key_payload *new_p; 978 + struct trusted_key_options *new_o; 979 + char *datablob; 980 + int ret = 0; 981 + 982 + if (!p->migratable) 983 + return -EPERM; 984 + if (datalen <= 0 || datalen > 32767 || !data) 985 + return -EINVAL; 986 + 987 + datablob = kmalloc(datalen + 1, GFP_KERNEL); 988 + if (!datablob) 989 + return -ENOMEM; 990 + new_o = trusted_options_alloc(); 991 + if (!new_o) { 992 + ret = -ENOMEM; 993 + goto out; 994 + } 995 + new_p = trusted_payload_alloc(key); 996 + if (!new_p) { 997 + ret = -ENOMEM; 998 + goto out; 999 + } 1000 + 1001 + memcpy(datablob, data, datalen); 1002 + datablob[datalen] = '\0'; 1003 + ret = datablob_parse(datablob, new_p, new_o); 1004 + if (ret != Opt_update) { 1005 + ret = -EINVAL; 1006 + goto out; 1007 + } 1008 + /* copy old key values, and reseal with new pcrs */ 1009 + new_p->migratable = p->migratable; 1010 + new_p->key_len = p->key_len; 1011 + memcpy(new_p->key, p->key, p->key_len); 1012 + dump_payload(p); 1013 + dump_payload(new_p); 1014 + 1015 + ret = key_seal(new_p, new_o); 1016 + if (ret < 0) { 1017 + pr_info("trusted_key: key_seal failed (%d)\n", ret); 1018 + kfree(new_p); 1019 + goto out; 1020 + } 1021 + if (new_o->pcrlock) { 1022 + ret = pcrlock(new_o->pcrlock); 1023 + if (ret < 0) { 1024 + pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1025 + kfree(new_p); 1026 + goto out; 1027 + } 1028 + } 1029 + rcu_assign_pointer(key->payload.data, new_p); 1030 + call_rcu(&p->rcu, trusted_rcu_free); 1031 + out: 1032 + kfree(datablob); 1033 + kfree(new_o); 1034 + return ret; 1035 + } 1036 + 1037 + /* 1038 + * trusted_read - copy the sealed blob data to userspace in hex. 1039 + * On success, return to userspace the trusted key datablob size. 1040 + */ 1041 + static long trusted_read(const struct key *key, char __user *buffer, 1042 + size_t buflen) 1043 + { 1044 + struct trusted_key_payload *p; 1045 + char *ascii_buf; 1046 + char *bufp; 1047 + int i; 1048 + 1049 + p = rcu_dereference_protected(key->payload.data, 1050 + rwsem_is_locked(&((struct key *)key)->sem)); 1051 + if (!p) 1052 + return -EINVAL; 1053 + if (!buffer || buflen <= 0) 1054 + return 2 * p->blob_len; 1055 + ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL); 1056 + if (!ascii_buf) 1057 + return -ENOMEM; 1058 + 1059 + bufp = ascii_buf; 1060 + for (i = 0; i < p->blob_len; i++) 1061 + bufp = pack_hex_byte(bufp, p->blob[i]); 1062 + if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) { 1063 + kfree(ascii_buf); 1064 + return -EFAULT; 1065 + } 1066 + kfree(ascii_buf); 1067 + return 2 * p->blob_len; 1068 + } 1069 + 1070 + /* 1071 + * trusted_destroy - before freeing the key, clear the decrypted data 1072 + */ 1073 + static void trusted_destroy(struct key *key) 1074 + { 1075 + struct trusted_key_payload *p = key->payload.data; 1076 + 1077 + if (!p) 1078 + return; 1079 + memset(p->key, 0, p->key_len); 1080 + kfree(key->payload.data); 1081 + } 1082 + 1083 + struct key_type key_type_trusted = { 1084 + .name = "trusted", 1085 + .instantiate = trusted_instantiate, 1086 + .update = trusted_update, 1087 + .match = user_match, 1088 + .destroy = trusted_destroy, 1089 + .describe = user_describe, 1090 + .read = trusted_read, 1091 + }; 1092 + 1093 + EXPORT_SYMBOL_GPL(key_type_trusted); 1094 + 1095 + static void trusted_shash_release(void) 1096 + { 1097 + if (hashalg) 1098 + crypto_free_shash(hashalg); 1099 + if (hmacalg) 1100 + crypto_free_shash(hmacalg); 1101 + } 1102 + 1103 + static int __init trusted_shash_alloc(void) 1104 + { 1105 + int ret; 1106 + 1107 + hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC); 1108 + if (IS_ERR(hmacalg)) { 1109 + pr_info("trusted_key: could not allocate crypto %s\n", 1110 + hmac_alg); 1111 + return PTR_ERR(hmacalg); 1112 + } 1113 + 1114 + hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC); 1115 + if (IS_ERR(hashalg)) { 1116 + pr_info("trusted_key: could not allocate crypto %s\n", 1117 + hash_alg); 1118 + ret = PTR_ERR(hashalg); 1119 + goto hashalg_fail; 1120 + } 1121 + 1122 + return 0; 1123 + 1124 + hashalg_fail: 1125 + crypto_free_shash(hmacalg); 1126 + return ret; 1127 + } 1128 + 1129 + static int __init init_trusted(void) 1130 + { 1131 + int ret; 1132 + 1133 + ret = trusted_shash_alloc(); 1134 + if (ret < 0) 1135 + return ret; 1136 + ret = register_key_type(&key_type_trusted); 1137 + if (ret < 0) 1138 + trusted_shash_release(); 1139 + return ret; 1140 + } 1141 + 1142 + static void __exit cleanup_trusted(void) 1143 + { 1144 + trusted_shash_release(); 1145 + unregister_key_type(&key_type_trusted); 1146 + } 1147 + 1148 + late_initcall(init_trusted); 1149 + module_exit(cleanup_trusted); 1150 + 1151 + MODULE_LICENSE("GPL");

+134

security/keys/trusted_defined.h

··· 1 + #ifndef __TRUSTED_KEY_H 2 + #define __TRUSTED_KEY_H 3 + 4 + /* implementation specific TPM constants */ 5 + #define MAX_PCRINFO_SIZE 64 6 + #define MAX_BUF_SIZE 512 7 + #define TPM_GETRANDOM_SIZE 14 8 + #define TPM_OSAP_SIZE 36 9 + #define TPM_OIAP_SIZE 10 10 + #define TPM_SEAL_SIZE 87 11 + #define TPM_UNSEAL_SIZE 104 12 + #define TPM_SIZE_OFFSET 2 13 + #define TPM_RETURN_OFFSET 6 14 + #define TPM_DATA_OFFSET 10 15 + 16 + #define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset])) 17 + #define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset]) 18 + #define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset])) 19 + 20 + struct tpm_buf { 21 + int len; 22 + unsigned char data[MAX_BUF_SIZE]; 23 + }; 24 + 25 + #define INIT_BUF(tb) (tb->len = 0) 26 + 27 + struct osapsess { 28 + uint32_t handle; 29 + unsigned char secret[SHA1_DIGEST_SIZE]; 30 + unsigned char enonce[TPM_NONCE_SIZE]; 31 + }; 32 + 33 + /* discrete values, but have to store in uint16_t for TPM use */ 34 + enum { 35 + SEAL_keytype = 1, 36 + SRK_keytype = 4 37 + }; 38 + 39 + struct trusted_key_options { 40 + uint16_t keytype; 41 + uint32_t keyhandle; 42 + unsigned char keyauth[SHA1_DIGEST_SIZE]; 43 + unsigned char blobauth[SHA1_DIGEST_SIZE]; 44 + uint32_t pcrinfo_len; 45 + unsigned char pcrinfo[MAX_PCRINFO_SIZE]; 46 + int pcrlock; 47 + }; 48 + 49 + #define TPM_DEBUG 0 50 + 51 + #if TPM_DEBUG 52 + static inline void dump_options(struct trusted_key_options *o) 53 + { 54 + pr_info("trusted_key: sealing key type %d\n", o->keytype); 55 + pr_info("trusted_key: sealing key handle %0X\n", o->keyhandle); 56 + pr_info("trusted_key: pcrlock %d\n", o->pcrlock); 57 + pr_info("trusted_key: pcrinfo %d\n", o->pcrinfo_len); 58 + print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE, 59 + 16, 1, o->pcrinfo, o->pcrinfo_len, 0); 60 + } 61 + 62 + static inline void dump_payload(struct trusted_key_payload *p) 63 + { 64 + pr_info("trusted_key: key_len %d\n", p->key_len); 65 + print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE, 66 + 16, 1, p->key, p->key_len, 0); 67 + pr_info("trusted_key: bloblen %d\n", p->blob_len); 68 + print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE, 69 + 16, 1, p->blob, p->blob_len, 0); 70 + pr_info("trusted_key: migratable %d\n", p->migratable); 71 + } 72 + 73 + static inline void dump_sess(struct osapsess *s) 74 + { 75 + print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE, 76 + 16, 1, &s->handle, 4, 0); 77 + pr_info("trusted-key: secret:\n"); 78 + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 79 + 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0); 80 + pr_info("trusted-key: enonce:\n"); 81 + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 82 + 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0); 83 + } 84 + 85 + static inline void dump_tpm_buf(unsigned char *buf) 86 + { 87 + int len; 88 + 89 + pr_info("\ntrusted-key: tpm buffer\n"); 90 + len = LOAD32(buf, TPM_SIZE_OFFSET); 91 + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0); 92 + } 93 + #else 94 + static inline void dump_options(struct trusted_key_options *o) 95 + { 96 + } 97 + 98 + static inline void dump_payload(struct trusted_key_payload *p) 99 + { 100 + } 101 + 102 + static inline void dump_sess(struct osapsess *s) 103 + { 104 + } 105 + 106 + static inline void dump_tpm_buf(unsigned char *buf) 107 + { 108 + } 109 + #endif 110 + 111 + static inline void store8(struct tpm_buf *buf, const unsigned char value) 112 + { 113 + buf->data[buf->len++] = value; 114 + } 115 + 116 + static inline void store16(struct tpm_buf *buf, const uint16_t value) 117 + { 118 + *(uint16_t *) & buf->data[buf->len] = htons(value); 119 + buf->len += sizeof value; 120 + } 121 + 122 + static inline void store32(struct tpm_buf *buf, const uint32_t value) 123 + { 124 + *(uint32_t *) & buf->data[buf->len] = htonl(value); 125 + buf->len += sizeof value; 126 + } 127 + 128 + static inline void storebytes(struct tpm_buf *buf, const unsigned char *in, 129 + const int len) 130 + { 131 + memcpy(buf->data + buf->len, in, len); 132 + buf->len += len; 133 + } 134 + #endif