~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/crypto/asymmetric_keys/asym_tpm.c

Version: ~ [ linux-5.1-rc1 ] ~ [ linux-5.0.3 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.30 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.107 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.164 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.176 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.136 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.63 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0
  2 #define pr_fmt(fmt) "ASYM-TPM: "fmt
  3 #include <linux/slab.h>
  4 #include <linux/module.h>
  5 #include <linux/export.h>
  6 #include <linux/kernel.h>
  7 #include <linux/seq_file.h>
  8 #include <linux/scatterlist.h>
  9 #include <linux/tpm.h>
 10 #include <linux/tpm_command.h>
 11 #include <crypto/akcipher.h>
 12 #include <crypto/hash.h>
 13 #include <crypto/sha.h>
 14 #include <asm/unaligned.h>
 15 #include <keys/asymmetric-subtype.h>
 16 #include <keys/trusted.h>
 17 #include <crypto/asym_tpm_subtype.h>
 18 #include <crypto/public_key.h>
 19 
 20 #define TPM_ORD_FLUSHSPECIFIC   186
 21 #define TPM_ORD_LOADKEY2        65
 22 #define TPM_ORD_UNBIND          30
 23 #define TPM_ORD_SIGN            60
 24 #define TPM_LOADKEY2_SIZE               59
 25 #define TPM_FLUSHSPECIFIC_SIZE          18
 26 #define TPM_UNBIND_SIZE                 63
 27 #define TPM_SIGN_SIZE                   63
 28 
 29 #define TPM_RT_KEY                      0x00000001
 30 
 31 /*
 32  * Load a TPM key from the blob provided by userspace
 33  */
 34 static int tpm_loadkey2(struct tpm_buf *tb,
 35                         uint32_t keyhandle, unsigned char *keyauth,
 36                         const unsigned char *keyblob, int keybloblen,
 37                         uint32_t *newhandle)
 38 {
 39         unsigned char nonceodd[TPM_NONCE_SIZE];
 40         unsigned char enonce[TPM_NONCE_SIZE];
 41         unsigned char authdata[SHA1_DIGEST_SIZE];
 42         uint32_t authhandle = 0;
 43         unsigned char cont = 0;
 44         uint32_t ordinal;
 45         int ret;
 46 
 47         ordinal = htonl(TPM_ORD_LOADKEY2);
 48 
 49         /* session for loading the key */
 50         ret = oiap(tb, &authhandle, enonce);
 51         if (ret < 0) {
 52                 pr_info("oiap failed (%d)\n", ret);
 53                 return ret;
 54         }
 55 
 56         /* generate odd nonce */
 57         ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
 58         if (ret < 0) {
 59                 pr_info("tpm_get_random failed (%d)\n", ret);
 60                 return ret;
 61         }
 62 
 63         /* calculate authorization HMAC value */
 64         ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
 65                            nonceodd, cont, sizeof(uint32_t), &ordinal,
 66                            keybloblen, keyblob, 0, 0);
 67         if (ret < 0)
 68                 return ret;
 69 
 70         /* build the request buffer */
 71         INIT_BUF(tb);
 72         store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
 73         store32(tb, TPM_LOADKEY2_SIZE + keybloblen);
 74         store32(tb, TPM_ORD_LOADKEY2);
 75         store32(tb, keyhandle);
 76         storebytes(tb, keyblob, keybloblen);
 77         store32(tb, authhandle);
 78         storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 79         store8(tb, cont);
 80         storebytes(tb, authdata, SHA1_DIGEST_SIZE);
 81 
 82         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 83         if (ret < 0) {
 84                 pr_info("authhmac failed (%d)\n", ret);
 85                 return ret;
 86         }
 87 
 88         ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth,
 89                              SHA1_DIGEST_SIZE, 0, 0);
 90         if (ret < 0) {
 91                 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
 92                 return ret;
 93         }
 94 
 95         *newhandle = LOAD32(tb->data, TPM_DATA_OFFSET);
 96         return 0;
 97 }
 98 
 99 /*
100  * Execute the FlushSpecific TPM command
101  */
102 static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle)
103 {
104         INIT_BUF(tb);
105         store16(tb, TPM_TAG_RQU_COMMAND);
106         store32(tb, TPM_FLUSHSPECIFIC_SIZE);
107         store32(tb, TPM_ORD_FLUSHSPECIFIC);
108         store32(tb, handle);
109         store32(tb, TPM_RT_KEY);
110 
111         return trusted_tpm_send(tb->data, MAX_BUF_SIZE);
112 }
113 
114 /*
115  * Decrypt a blob provided by userspace using a specific key handle.
116  * The handle is a well known handle or previously loaded by e.g. LoadKey2
117  */
118 static int tpm_unbind(struct tpm_buf *tb,
119                         uint32_t keyhandle, unsigned char *keyauth,
120                         const unsigned char *blob, uint32_t bloblen,
121                         void *out, uint32_t outlen)
122 {
123         unsigned char nonceodd[TPM_NONCE_SIZE];
124         unsigned char enonce[TPM_NONCE_SIZE];
125         unsigned char authdata[SHA1_DIGEST_SIZE];
126         uint32_t authhandle = 0;
127         unsigned char cont = 0;
128         uint32_t ordinal;
129         uint32_t datalen;
130         int ret;
131 
132         ordinal = htonl(TPM_ORD_UNBIND);
133         datalen = htonl(bloblen);
134 
135         /* session for loading the key */
136         ret = oiap(tb, &authhandle, enonce);
137         if (ret < 0) {
138                 pr_info("oiap failed (%d)\n", ret);
139                 return ret;
140         }
141 
142         /* generate odd nonce */
143         ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
144         if (ret < 0) {
145                 pr_info("tpm_get_random failed (%d)\n", ret);
146                 return ret;
147         }
148 
149         /* calculate authorization HMAC value */
150         ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
151                            nonceodd, cont, sizeof(uint32_t), &ordinal,
152                            sizeof(uint32_t), &datalen,
153                            bloblen, blob, 0, 0);
154         if (ret < 0)
155                 return ret;
156 
157         /* build the request buffer */
158         INIT_BUF(tb);
159         store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
160         store32(tb, TPM_UNBIND_SIZE + bloblen);
161         store32(tb, TPM_ORD_UNBIND);
162         store32(tb, keyhandle);
163         store32(tb, bloblen);
164         storebytes(tb, blob, bloblen);
165         store32(tb, authhandle);
166         storebytes(tb, nonceodd, TPM_NONCE_SIZE);
167         store8(tb, cont);
168         storebytes(tb, authdata, SHA1_DIGEST_SIZE);
169 
170         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
171         if (ret < 0) {
172                 pr_info("authhmac failed (%d)\n", ret);
173                 return ret;
174         }
175 
176         datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
177 
178         ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
179                              keyauth, SHA1_DIGEST_SIZE,
180                              sizeof(uint32_t), TPM_DATA_OFFSET,
181                              datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
182                              0, 0);
183         if (ret < 0) {
184                 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
185                 return ret;
186         }
187 
188         memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
189                min(outlen, datalen));
190 
191         return datalen;
192 }
193 
194 /*
195  * Sign a blob provided by userspace (that has had the hash function applied)
196  * using a specific key handle.  The handle is assumed to have been previously
197  * loaded by e.g. LoadKey2.
198  *
199  * Note that the key signature scheme of the used key should be set to
200  * TPM_SS_RSASSAPKCS1v15_DER.  This allows the hashed input to be of any size
201  * up to key_length_in_bytes - 11 and not be limited to size 20 like the
202  * TPM_SS_RSASSAPKCS1v15_SHA1 signature scheme.
203  */
204 static int tpm_sign(struct tpm_buf *tb,
205                     uint32_t keyhandle, unsigned char *keyauth,
206                     const unsigned char *blob, uint32_t bloblen,
207                     void *out, uint32_t outlen)
208 {
209         unsigned char nonceodd[TPM_NONCE_SIZE];
210         unsigned char enonce[TPM_NONCE_SIZE];
211         unsigned char authdata[SHA1_DIGEST_SIZE];
212         uint32_t authhandle = 0;
213         unsigned char cont = 0;
214         uint32_t ordinal;
215         uint32_t datalen;
216         int ret;
217 
218         ordinal = htonl(TPM_ORD_SIGN);
219         datalen = htonl(bloblen);
220 
221         /* session for loading the key */
222         ret = oiap(tb, &authhandle, enonce);
223         if (ret < 0) {
224                 pr_info("oiap failed (%d)\n", ret);
225                 return ret;
226         }
227 
228         /* generate odd nonce */
229         ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
230         if (ret < 0) {
231                 pr_info("tpm_get_random failed (%d)\n", ret);
232                 return ret;
233         }
234 
235         /* calculate authorization HMAC value */
236         ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
237                            nonceodd, cont, sizeof(uint32_t), &ordinal,
238                            sizeof(uint32_t), &datalen,
239                            bloblen, blob, 0, 0);
240         if (ret < 0)
241                 return ret;
242 
243         /* build the request buffer */
244         INIT_BUF(tb);
245         store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
246         store32(tb, TPM_SIGN_SIZE + bloblen);
247         store32(tb, TPM_ORD_SIGN);
248         store32(tb, keyhandle);
249         store32(tb, bloblen);
250         storebytes(tb, blob, bloblen);
251         store32(tb, authhandle);
252         storebytes(tb, nonceodd, TPM_NONCE_SIZE);
253         store8(tb, cont);
254         storebytes(tb, authdata, SHA1_DIGEST_SIZE);
255 
256         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
257         if (ret < 0) {
258                 pr_info("authhmac failed (%d)\n", ret);
259                 return ret;
260         }
261 
262         datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
263 
264         ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
265                              keyauth, SHA1_DIGEST_SIZE,
266                              sizeof(uint32_t), TPM_DATA_OFFSET,
267                              datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
268                              0, 0);
269         if (ret < 0) {
270                 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
271                 return ret;
272         }
273 
274         memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
275                min(datalen, outlen));
276 
277         return datalen;
278 }
279 /*
280  * Maximum buffer size for the BER/DER encoded public key.  The public key
281  * is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048
282  * bit key and e is usually 65537
283  * The encoding overhead is:
284  * - max 4 bytes for SEQUENCE
285  *   - max 4 bytes for INTEGER n type/length
286  *     - 257 bytes of n
287  *   - max 2 bytes for INTEGER e type/length
288  *     - 3 bytes of e
289  */
290 #define PUB_KEY_BUF_SIZE (4 + 4 + 257 + 2 + 3)
291 
292 /*
293  * Provide a part of a description of the key for /proc/keys.
294  */
295 static void asym_tpm_describe(const struct key *asymmetric_key,
296                               struct seq_file *m)
297 {
298         struct tpm_key *tk = asymmetric_key->payload.data[asym_crypto];
299 
300         if (!tk)
301                 return;
302 
303         seq_printf(m, "TPM1.2/Blob");
304 }
305 
306 static void asym_tpm_destroy(void *payload0, void *payload3)
307 {
308         struct tpm_key *tk = payload0;
309 
310         if (!tk)
311                 return;
312 
313         kfree(tk->blob);
314         tk->blob_len = 0;
315 
316         kfree(tk);
317 }
318 
319 /* How many bytes will it take to encode the length */
320 static inline uint32_t definite_length(uint32_t len)
321 {
322         if (len <= 127)
323                 return 1;
324         if (len <= 255)
325                 return 2;
326         return 3;
327 }
328 
329 static inline uint8_t *encode_tag_length(uint8_t *buf, uint8_t tag,
330                                          uint32_t len)
331 {
332         *buf++ = tag;
333 
334         if (len <= 127) {
335                 buf[0] = len;
336                 return buf + 1;
337         }
338 
339         if (len <= 255) {
340                 buf[0] = 0x81;
341                 buf[1] = len;
342                 return buf + 2;
343         }
344 
345         buf[0] = 0x82;
346         put_unaligned_be16(len, buf + 1);
347         return buf + 3;
348 }
349 
350 static uint32_t derive_pub_key(const void *pub_key, uint32_t len, uint8_t *buf)
351 {
352         uint8_t *cur = buf;
353         uint32_t n_len = definite_length(len) + 1 + len + 1;
354         uint32_t e_len = definite_length(3) + 1 + 3;
355         uint8_t e[3] = { 0x01, 0x00, 0x01 };
356 
357         /* SEQUENCE */
358         cur = encode_tag_length(cur, 0x30, n_len + e_len);
359         /* INTEGER n */
360         cur = encode_tag_length(cur, 0x02, len + 1);
361         cur[0] = 0x00;
362         memcpy(cur + 1, pub_key, len);
363         cur += len + 1;
364         cur = encode_tag_length(cur, 0x02, sizeof(e));
365         memcpy(cur, e, sizeof(e));
366         cur += sizeof(e);
367 
368         return cur - buf;
369 }
370 
371 /*
372  * Determine the crypto algorithm name.
373  */
374 static int determine_akcipher(const char *encoding, const char *hash_algo,
375                               char alg_name[CRYPTO_MAX_ALG_NAME])
376 {
377         if (strcmp(encoding, "pkcs1") == 0) {
378                 if (!hash_algo) {
379                         strcpy(alg_name, "pkcs1pad(rsa)");
380                         return 0;
381                 }
382 
383                 if (snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "pkcs1pad(rsa,%s)",
384                              hash_algo) >= CRYPTO_MAX_ALG_NAME)
385                         return -EINVAL;
386 
387                 return 0;
388         }
389 
390         if (strcmp(encoding, "raw") == 0) {
391                 strcpy(alg_name, "rsa");
392                 return 0;
393         }
394 
395         return -ENOPKG;
396 }
397 
398 /*
399  * Query information about a key.
400  */
401 static int tpm_key_query(const struct kernel_pkey_params *params,
402                          struct kernel_pkey_query *info)
403 {
404         struct tpm_key *tk = params->key->payload.data[asym_crypto];
405         int ret;
406         char alg_name[CRYPTO_MAX_ALG_NAME];
407         struct crypto_akcipher *tfm;
408         uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
409         uint32_t der_pub_key_len;
410         int len;
411 
412         /* TPM only works on private keys, public keys still done in software */
413         ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
414         if (ret < 0)
415                 return ret;
416 
417         tfm = crypto_alloc_akcipher(alg_name, 0, 0);
418         if (IS_ERR(tfm))
419                 return PTR_ERR(tfm);
420 
421         der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
422                                          der_pub_key);
423 
424         ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
425         if (ret < 0)
426                 goto error_free_tfm;
427 
428         len = crypto_akcipher_maxsize(tfm);
429 
430         info->key_size = tk->key_len;
431         info->max_data_size = tk->key_len / 8;
432         info->max_sig_size = len;
433         info->max_enc_size = len;
434         info->max_dec_size = tk->key_len / 8;
435 
436         info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT |
437                               KEYCTL_SUPPORTS_DECRYPT |
438                               KEYCTL_SUPPORTS_VERIFY |
439                               KEYCTL_SUPPORTS_SIGN;
440 
441         ret = 0;
442 error_free_tfm:
443         crypto_free_akcipher(tfm);
444         pr_devel("<==%s() = %d\n", __func__, ret);
445         return ret;
446 }
447 
448 /*
449  * Encryption operation is performed with the public key.  Hence it is done
450  * in software
451  */
452 static int tpm_key_encrypt(struct tpm_key *tk,
453                            struct kernel_pkey_params *params,
454                            const void *in, void *out)
455 {
456         char alg_name[CRYPTO_MAX_ALG_NAME];
457         struct crypto_akcipher *tfm;
458         struct akcipher_request *req;
459         struct crypto_wait cwait;
460         struct scatterlist in_sg, out_sg;
461         uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
462         uint32_t der_pub_key_len;
463         int ret;
464 
465         pr_devel("==>%s()\n", __func__);
466 
467         ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
468         if (ret < 0)
469                 return ret;
470 
471         tfm = crypto_alloc_akcipher(alg_name, 0, 0);
472         if (IS_ERR(tfm))
473                 return PTR_ERR(tfm);
474 
475         der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
476                                          der_pub_key);
477 
478         ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
479         if (ret < 0)
480                 goto error_free_tfm;
481 
482         req = akcipher_request_alloc(tfm, GFP_KERNEL);
483         if (!req)
484                 goto error_free_tfm;
485 
486         sg_init_one(&in_sg, in, params->in_len);
487         sg_init_one(&out_sg, out, params->out_len);
488         akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
489                                    params->out_len);
490         crypto_init_wait(&cwait);
491         akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
492                                       CRYPTO_TFM_REQ_MAY_SLEEP,
493                                       crypto_req_done, &cwait);
494 
495         ret = crypto_akcipher_encrypt(req);
496         ret = crypto_wait_req(ret, &cwait);
497 
498         if (ret == 0)
499                 ret = req->dst_len;
500 
501         akcipher_request_free(req);
502 error_free_tfm:
503         crypto_free_akcipher(tfm);
504         pr_devel("<==%s() = %d\n", __func__, ret);
505         return ret;
506 }
507 
508 /*
509  * Decryption operation is performed with the private key in the TPM.
510  */
511 static int tpm_key_decrypt(struct tpm_key *tk,
512                            struct kernel_pkey_params *params,
513                            const void *in, void *out)
514 {
515         struct tpm_buf *tb;
516         uint32_t keyhandle;
517         uint8_t srkauth[SHA1_DIGEST_SIZE];
518         uint8_t keyauth[SHA1_DIGEST_SIZE];
519         int r;
520 
521         pr_devel("==>%s()\n", __func__);
522 
523         if (params->hash_algo)
524                 return -ENOPKG;
525 
526         if (strcmp(params->encoding, "pkcs1"))
527                 return -ENOPKG;
528 
529         tb = kzalloc(sizeof(*tb), GFP_KERNEL);
530         if (!tb)
531                 return -ENOMEM;
532 
533         /* TODO: Handle a non-all zero SRK authorization */
534         memset(srkauth, 0, sizeof(srkauth));
535 
536         r = tpm_loadkey2(tb, SRKHANDLE, srkauth,
537                                 tk->blob, tk->blob_len, &keyhandle);
538         if (r < 0) {
539                 pr_devel("loadkey2 failed (%d)\n", r);
540                 goto error;
541         }
542 
543         /* TODO: Handle a non-all zero key authorization */
544         memset(keyauth, 0, sizeof(keyauth));
545 
546         r = tpm_unbind(tb, keyhandle, keyauth,
547                        in, params->in_len, out, params->out_len);
548         if (r < 0)
549                 pr_devel("tpm_unbind failed (%d)\n", r);
550 
551         if (tpm_flushspecific(tb, keyhandle) < 0)
552                 pr_devel("flushspecific failed (%d)\n", r);
553 
554 error:
555         kzfree(tb);
556         pr_devel("<==%s() = %d\n", __func__, r);
557         return r;
558 }
559 
560 /*
561  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
562  */
563 static const u8 digest_info_md5[] = {
564         0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
565         0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
566         0x05, 0x00, 0x04, 0x10
567 };
568 
569 static const u8 digest_info_sha1[] = {
570         0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
571         0x2b, 0x0e, 0x03, 0x02, 0x1a,
572         0x05, 0x00, 0x04, 0x14
573 };
574 
575 static const u8 digest_info_rmd160[] = {
576         0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
577         0x2b, 0x24, 0x03, 0x02, 0x01,
578         0x05, 0x00, 0x04, 0x14
579 };
580 
581 static const u8 digest_info_sha224[] = {
582         0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
583         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
584         0x05, 0x00, 0x04, 0x1c
585 };
586 
587 static const u8 digest_info_sha256[] = {
588         0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
589         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
590         0x05, 0x00, 0x04, 0x20
591 };
592 
593 static const u8 digest_info_sha384[] = {
594         0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
595         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
596         0x05, 0x00, 0x04, 0x30
597 };
598 
599 static const u8 digest_info_sha512[] = {
600         0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
601         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
602         0x05, 0x00, 0x04, 0x40
603 };
604 
605 static const struct asn1_template {
606         const char      *name;
607         const u8        *data;
608         size_t          size;
609 } asn1_templates[] = {
610 #define _(X) { #X, digest_info_##X, sizeof(digest_info_##X) }
611         _(md5),
612         _(sha1),
613         _(rmd160),
614         _(sha256),
615         _(sha384),
616         _(sha512),
617         _(sha224),
618         { NULL }
619 #undef _
620 };
621 
622 static const struct asn1_template *lookup_asn1(const char *name)
623 {
624         const struct asn1_template *p;
625 
626         for (p = asn1_templates; p->name; p++)
627                 if (strcmp(name, p->name) == 0)
628                         return p;
629         return NULL;
630 }
631 
632 /*
633  * Sign operation is performed with the private key in the TPM.
634  */
635 static int tpm_key_sign(struct tpm_key *tk,
636                         struct kernel_pkey_params *params,
637                         const void *in, void *out)
638 {
639         struct tpm_buf *tb;
640         uint32_t keyhandle;
641         uint8_t srkauth[SHA1_DIGEST_SIZE];
642         uint8_t keyauth[SHA1_DIGEST_SIZE];
643         void *asn1_wrapped = NULL;
644         uint32_t in_len = params->in_len;
645         int r;
646 
647         pr_devel("==>%s()\n", __func__);
648 
649         if (strcmp(params->encoding, "pkcs1"))
650                 return -ENOPKG;
651 
652         if (params->hash_algo) {
653                 const struct asn1_template *asn1 =
654                                                 lookup_asn1(params->hash_algo);
655 
656                 if (!asn1)
657                         return -ENOPKG;
658 
659                 /* request enough space for the ASN.1 template + input hash */
660                 asn1_wrapped = kzalloc(in_len + asn1->size, GFP_KERNEL);
661                 if (!asn1_wrapped)
662                         return -ENOMEM;
663 
664                 /* Copy ASN.1 template, then the input */
665                 memcpy(asn1_wrapped, asn1->data, asn1->size);
666                 memcpy(asn1_wrapped + asn1->size, in, in_len);
667 
668                 in = asn1_wrapped;
669                 in_len += asn1->size;
670         }
671 
672         if (in_len > tk->key_len / 8 - 11) {
673                 r = -EOVERFLOW;
674                 goto error_free_asn1_wrapped;
675         }
676 
677         r = -ENOMEM;
678         tb = kzalloc(sizeof(*tb), GFP_KERNEL);
679         if (!tb)
680                 goto error_free_asn1_wrapped;
681 
682         /* TODO: Handle a non-all zero SRK authorization */
683         memset(srkauth, 0, sizeof(srkauth));
684 
685         r = tpm_loadkey2(tb, SRKHANDLE, srkauth,
686                          tk->blob, tk->blob_len, &keyhandle);
687         if (r < 0) {
688                 pr_devel("loadkey2 failed (%d)\n", r);
689                 goto error_free_tb;
690         }
691 
692         /* TODO: Handle a non-all zero key authorization */
693         memset(keyauth, 0, sizeof(keyauth));
694 
695         r = tpm_sign(tb, keyhandle, keyauth, in, in_len, out, params->out_len);
696         if (r < 0)
697                 pr_devel("tpm_sign failed (%d)\n", r);
698 
699         if (tpm_flushspecific(tb, keyhandle) < 0)
700                 pr_devel("flushspecific failed (%d)\n", r);
701 
702 error_free_tb:
703         kzfree(tb);
704 error_free_asn1_wrapped:
705         kfree(asn1_wrapped);
706         pr_devel("<==%s() = %d\n", __func__, r);
707         return r;
708 }
709 
710 /*
711  * Do encryption, decryption and signing ops.
712  */
713 static int tpm_key_eds_op(struct kernel_pkey_params *params,
714                           const void *in, void *out)
715 {
716         struct tpm_key *tk = params->key->payload.data[asym_crypto];
717         int ret = -EOPNOTSUPP;
718 
719         /* Perform the encryption calculation. */
720         switch (params->op) {
721         case kernel_pkey_encrypt:
722                 ret = tpm_key_encrypt(tk, params, in, out);
723                 break;
724         case kernel_pkey_decrypt:
725                 ret = tpm_key_decrypt(tk, params, in, out);
726                 break;
727         case kernel_pkey_sign:
728                 ret = tpm_key_sign(tk, params, in, out);
729                 break;
730         default:
731                 BUG();
732         }
733 
734         return ret;
735 }
736 
737 /*
738  * Verify a signature using a public key.
739  */
740 static int tpm_key_verify_signature(const struct key *key,
741                                     const struct public_key_signature *sig)
742 {
743         const struct tpm_key *tk = key->payload.data[asym_crypto];
744         struct crypto_wait cwait;
745         struct crypto_akcipher *tfm;
746         struct akcipher_request *req;
747         struct scatterlist sig_sg, digest_sg;
748         char alg_name[CRYPTO_MAX_ALG_NAME];
749         uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
750         uint32_t der_pub_key_len;
751         void *output;
752         unsigned int outlen;
753         int ret;
754 
755         pr_devel("==>%s()\n", __func__);
756 
757         BUG_ON(!tk);
758         BUG_ON(!sig);
759         BUG_ON(!sig->s);
760 
761         if (!sig->digest)
762                 return -ENOPKG;
763 
764         ret = determine_akcipher(sig->encoding, sig->hash_algo, alg_name);
765         if (ret < 0)
766                 return ret;
767 
768         tfm = crypto_alloc_akcipher(alg_name, 0, 0);
769         if (IS_ERR(tfm))
770                 return PTR_ERR(tfm);
771 
772         der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
773                                          der_pub_key);
774 
775         ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
776         if (ret < 0)
777                 goto error_free_tfm;
778 
779         ret = -ENOMEM;
780         req = akcipher_request_alloc(tfm, GFP_KERNEL);
781         if (!req)
782                 goto error_free_tfm;
783 
784         ret = -ENOMEM;
785         outlen = crypto_akcipher_maxsize(tfm);
786         output = kmalloc(outlen, GFP_KERNEL);
787         if (!output)
788                 goto error_free_req;
789 
790         sg_init_one(&sig_sg, sig->s, sig->s_size);
791         sg_init_one(&digest_sg, output, outlen);
792         akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size,
793                                    outlen);
794         crypto_init_wait(&cwait);
795         akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
796                                       CRYPTO_TFM_REQ_MAY_SLEEP,
797                                       crypto_req_done, &cwait);
798 
799         /* Perform the verification calculation.  This doesn't actually do the
800          * verification, but rather calculates the hash expected by the
801          * signature and returns that to us.
802          */
803         ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
804         if (ret)
805                 goto out_free_output;
806 
807         /* Do the actual verification step. */
808         if (req->dst_len != sig->digest_size ||
809             memcmp(sig->digest, output, sig->digest_size) != 0)
810                 ret = -EKEYREJECTED;
811 
812 out_free_output:
813         kfree(output);
814 error_free_req:
815         akcipher_request_free(req);
816 error_free_tfm:
817         crypto_free_akcipher(tfm);
818         pr_devel("<==%s() = %d\n", __func__, ret);
819         if (WARN_ON_ONCE(ret > 0))
820                 ret = -EINVAL;
821         return ret;
822 }
823 
824 /*
825  * Parse enough information out of TPM_KEY structure:
826  * TPM_STRUCT_VER -> 4 bytes
827  * TPM_KEY_USAGE -> 2 bytes
828  * TPM_KEY_FLAGS -> 4 bytes
829  * TPM_AUTH_DATA_USAGE -> 1 byte
830  * TPM_KEY_PARMS -> variable
831  * UINT32 PCRInfoSize -> 4 bytes
832  * BYTE* -> PCRInfoSize bytes
833  * TPM_STORE_PUBKEY
834  * UINT32 encDataSize;
835  * BYTE* -> encDataSize;
836  *
837  * TPM_KEY_PARMS:
838  * TPM_ALGORITHM_ID -> 4 bytes
839  * TPM_ENC_SCHEME -> 2 bytes
840  * TPM_SIG_SCHEME -> 2 bytes
841  * UINT32 parmSize -> 4 bytes
842  * BYTE* -> variable
843  */
844 static int extract_key_parameters(struct tpm_key *tk)
845 {
846         const void *cur = tk->blob;
847         uint32_t len = tk->blob_len;
848         const void *pub_key;
849         uint32_t sz;
850         uint32_t key_len;
851 
852         if (len < 11)
853                 return -EBADMSG;
854 
855         /* Ensure this is a legacy key */
856         if (get_unaligned_be16(cur + 4) != 0x0015)
857                 return -EBADMSG;
858 
859         /* Skip to TPM_KEY_PARMS */
860         cur += 11;
861         len -= 11;
862 
863         if (len < 12)
864                 return -EBADMSG;
865 
866         /* Make sure this is an RSA key */
867         if (get_unaligned_be32(cur) != 0x00000001)
868                 return -EBADMSG;
869 
870         /* Make sure this is TPM_ES_RSAESPKCSv15 encoding scheme */
871         if (get_unaligned_be16(cur + 4) != 0x0002)
872                 return -EBADMSG;
873 
874         /* Make sure this is TPM_SS_RSASSAPKCS1v15_DER signature scheme */
875         if (get_unaligned_be16(cur + 6) != 0x0003)
876                 return -EBADMSG;
877 
878         sz = get_unaligned_be32(cur + 8);
879         if (len < sz + 12)
880                 return -EBADMSG;
881 
882         /* Move to TPM_RSA_KEY_PARMS */
883         len -= 12;
884         cur += 12;
885 
886         /* Grab the RSA key length */
887         key_len = get_unaligned_be32(cur);
888 
889         switch (key_len) {
890         case 512:
891         case 1024:
892         case 1536:
893         case 2048:
894                 break;
895         default:
896                 return -EINVAL;
897         }
898 
899         /* Move just past TPM_KEY_PARMS */
900         cur += sz;
901         len -= sz;
902 
903         if (len < 4)
904                 return -EBADMSG;
905 
906         sz = get_unaligned_be32(cur);
907         if (len < 4 + sz)
908                 return -EBADMSG;
909 
910         /* Move to TPM_STORE_PUBKEY */
911         cur += 4 + sz;
912         len -= 4 + sz;
913 
914         /* Grab the size of the public key, it should jive with the key size */
915         sz = get_unaligned_be32(cur);
916         if (sz > 256)
917                 return -EINVAL;
918 
919         pub_key = cur + 4;
920 
921         tk->key_len = key_len;
922         tk->pub_key = pub_key;
923         tk->pub_key_len = sz;
924 
925         return 0;
926 }
927 
928 /* Given the blob, parse it and load it into the TPM */
929 struct tpm_key *tpm_key_create(const void *blob, uint32_t blob_len)
930 {
931         int r;
932         struct tpm_key *tk;
933 
934         r = tpm_is_tpm2(NULL);
935         if (r < 0)
936                 goto error;
937 
938         /* We don't support TPM2 yet */
939         if (r > 0) {
940                 r = -ENODEV;
941                 goto error;
942         }
943 
944         r = -ENOMEM;
945         tk = kzalloc(sizeof(struct tpm_key), GFP_KERNEL);
946         if (!tk)
947                 goto error;
948 
949         tk->blob = kmemdup(blob, blob_len, GFP_KERNEL);
950         if (!tk->blob)
951                 goto error_memdup;
952 
953         tk->blob_len = blob_len;
954 
955         r = extract_key_parameters(tk);
956         if (r < 0)
957                 goto error_extract;
958 
959         return tk;
960 
961 error_extract:
962         kfree(tk->blob);
963         tk->blob_len = 0;
964 error_memdup:
965         kfree(tk);
966 error:
967         return ERR_PTR(r);
968 }
969 EXPORT_SYMBOL_GPL(tpm_key_create);
970 
971 /*
972  * TPM-based asymmetric key subtype
973  */
974 struct asymmetric_key_subtype asym_tpm_subtype = {
975         .owner                  = THIS_MODULE,
976         .name                   = "asym_tpm",
977         .name_len               = sizeof("asym_tpm") - 1,
978         .describe               = asym_tpm_describe,
979         .destroy                = asym_tpm_destroy,
980         .query                  = tpm_key_query,
981         .eds_op                 = tpm_key_eds_op,
982         .verify_signature       = tpm_key_verify_signature,
983 };
984 EXPORT_SYMBOL_GPL(asym_tpm_subtype);
985 
986 MODULE_DESCRIPTION("TPM based asymmetric key subtype");
987 MODULE_AUTHOR("Intel Corporation");
988 MODULE_LICENSE("GPL v2");
989 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp