~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/trusted-keys/trusted_tpm1.c

Version: ~ [ linux-5.14-rc3 ] ~ [ linux-5.13.5 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.53 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.135 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.198 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.240 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.276 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.276 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*
  3  * Copyright (C) 2010 IBM Corporation
  4  *
  5  * Author:
  6  * David Safford <safford@us.ibm.com>
  7  *
  8  * See Documentation/security/keys/trusted-encrypted.rst
  9  */
 10 
 11 #include <crypto/hash_info.h>
 12 #include <linux/uaccess.h>
 13 #include <linux/module.h>
 14 #include <linux/init.h>
 15 #include <linux/slab.h>
 16 #include <linux/parser.h>
 17 #include <linux/string.h>
 18 #include <linux/err.h>
 19 #include <keys/user-type.h>
 20 #include <keys/trusted-type.h>
 21 #include <linux/key-type.h>
 22 #include <linux/rcupdate.h>
 23 #include <linux/crypto.h>
 24 #include <crypto/hash.h>
 25 #include <crypto/sha.h>
 26 #include <linux/capability.h>
 27 #include <linux/tpm.h>
 28 #include <linux/tpm_command.h>
 29 
 30 #include <keys/trusted_tpm.h>
 31 
 32 static const char hmac_alg[] = "hmac(sha1)";
 33 static const char hash_alg[] = "sha1";
 34 static struct tpm_chip *chip;
 35 static struct tpm_digest *digests;
 36 
 37 struct sdesc {
 38         struct shash_desc shash;
 39         char ctx[];
 40 };
 41 
 42 static struct crypto_shash *hashalg;
 43 static struct crypto_shash *hmacalg;
 44 
 45 static struct sdesc *init_sdesc(struct crypto_shash *alg)
 46 {
 47         struct sdesc *sdesc;
 48         int size;
 49 
 50         size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
 51         sdesc = kmalloc(size, GFP_KERNEL);
 52         if (!sdesc)
 53                 return ERR_PTR(-ENOMEM);
 54         sdesc->shash.tfm = alg;
 55         return sdesc;
 56 }
 57 
 58 static int TSS_sha1(const unsigned char *data, unsigned int datalen,
 59                     unsigned char *digest)
 60 {
 61         struct sdesc *sdesc;
 62         int ret;
 63 
 64         sdesc = init_sdesc(hashalg);
 65         if (IS_ERR(sdesc)) {
 66                 pr_info("trusted_key: can't alloc %s\n", hash_alg);
 67                 return PTR_ERR(sdesc);
 68         }
 69 
 70         ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
 71         kzfree(sdesc);
 72         return ret;
 73 }
 74 
 75 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
 76                        unsigned int keylen, ...)
 77 {
 78         struct sdesc *sdesc;
 79         va_list argp;
 80         unsigned int dlen;
 81         unsigned char *data;
 82         int ret;
 83 
 84         sdesc = init_sdesc(hmacalg);
 85         if (IS_ERR(sdesc)) {
 86                 pr_info("trusted_key: can't alloc %s\n", hmac_alg);
 87                 return PTR_ERR(sdesc);
 88         }
 89 
 90         ret = crypto_shash_setkey(hmacalg, key, keylen);
 91         if (ret < 0)
 92                 goto out;
 93         ret = crypto_shash_init(&sdesc->shash);
 94         if (ret < 0)
 95                 goto out;
 96 
 97         va_start(argp, keylen);
 98         for (;;) {
 99                 dlen = va_arg(argp, unsigned int);
100                 if (dlen == 0)
101                         break;
102                 data = va_arg(argp, unsigned char *);
103                 if (data == NULL) {
104                         ret = -EINVAL;
105                         break;
106                 }
107                 ret = crypto_shash_update(&sdesc->shash, data, dlen);
108                 if (ret < 0)
109                         break;
110         }
111         va_end(argp);
112         if (!ret)
113                 ret = crypto_shash_final(&sdesc->shash, digest);
114 out:
115         kzfree(sdesc);
116         return ret;
117 }
118 
119 /*
120  * calculate authorization info fields to send to TPM
121  */
122 int TSS_authhmac(unsigned char *digest, const unsigned char *key,
123                         unsigned int keylen, unsigned char *h1,
124                         unsigned char *h2, unsigned int h3, ...)
125 {
126         unsigned char paramdigest[SHA1_DIGEST_SIZE];
127         struct sdesc *sdesc;
128         unsigned int dlen;
129         unsigned char *data;
130         unsigned char c;
131         int ret;
132         va_list argp;
133 
134         if (!chip)
135                 return -ENODEV;
136 
137         sdesc = init_sdesc(hashalg);
138         if (IS_ERR(sdesc)) {
139                 pr_info("trusted_key: can't alloc %s\n", hash_alg);
140                 return PTR_ERR(sdesc);
141         }
142 
143         c = !!h3;
144         ret = crypto_shash_init(&sdesc->shash);
145         if (ret < 0)
146                 goto out;
147         va_start(argp, h3);
148         for (;;) {
149                 dlen = va_arg(argp, unsigned int);
150                 if (dlen == 0)
151                         break;
152                 data = va_arg(argp, unsigned char *);
153                 if (!data) {
154                         ret = -EINVAL;
155                         break;
156                 }
157                 ret = crypto_shash_update(&sdesc->shash, data, dlen);
158                 if (ret < 0)
159                         break;
160         }
161         va_end(argp);
162         if (!ret)
163                 ret = crypto_shash_final(&sdesc->shash, paramdigest);
164         if (!ret)
165                 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
166                                   paramdigest, TPM_NONCE_SIZE, h1,
167                                   TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
168 out:
169         kzfree(sdesc);
170         return ret;
171 }
172 EXPORT_SYMBOL_GPL(TSS_authhmac);
173 
174 /*
175  * verify the AUTH1_COMMAND (Seal) result from TPM
176  */
177 int TSS_checkhmac1(unsigned char *buffer,
178                           const uint32_t command,
179                           const unsigned char *ononce,
180                           const unsigned char *key,
181                           unsigned int keylen, ...)
182 {
183         uint32_t bufsize;
184         uint16_t tag;
185         uint32_t ordinal;
186         uint32_t result;
187         unsigned char *enonce;
188         unsigned char *continueflag;
189         unsigned char *authdata;
190         unsigned char testhmac[SHA1_DIGEST_SIZE];
191         unsigned char paramdigest[SHA1_DIGEST_SIZE];
192         struct sdesc *sdesc;
193         unsigned int dlen;
194         unsigned int dpos;
195         va_list argp;
196         int ret;
197 
198         if (!chip)
199                 return -ENODEV;
200 
201         bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
202         tag = LOAD16(buffer, 0);
203         ordinal = command;
204         result = LOAD32N(buffer, TPM_RETURN_OFFSET);
205         if (tag == TPM_TAG_RSP_COMMAND)
206                 return 0;
207         if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
208                 return -EINVAL;
209         authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
210         continueflag = authdata - 1;
211         enonce = continueflag - TPM_NONCE_SIZE;
212 
213         sdesc = init_sdesc(hashalg);
214         if (IS_ERR(sdesc)) {
215                 pr_info("trusted_key: can't alloc %s\n", hash_alg);
216                 return PTR_ERR(sdesc);
217         }
218         ret = crypto_shash_init(&sdesc->shash);
219         if (ret < 0)
220                 goto out;
221         ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
222                                   sizeof result);
223         if (ret < 0)
224                 goto out;
225         ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
226                                   sizeof ordinal);
227         if (ret < 0)
228                 goto out;
229         va_start(argp, keylen);
230         for (;;) {
231                 dlen = va_arg(argp, unsigned int);
232                 if (dlen == 0)
233                         break;
234                 dpos = va_arg(argp, unsigned int);
235                 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
236                 if (ret < 0)
237                         break;
238         }
239         va_end(argp);
240         if (!ret)
241                 ret = crypto_shash_final(&sdesc->shash, paramdigest);
242         if (ret < 0)
243                 goto out;
244 
245         ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
246                           TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
247                           1, continueflag, 0, 0);
248         if (ret < 0)
249                 goto out;
250 
251         if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
252                 ret = -EINVAL;
253 out:
254         kzfree(sdesc);
255         return ret;
256 }
257 EXPORT_SYMBOL_GPL(TSS_checkhmac1);
258 
259 /*
260  * verify the AUTH2_COMMAND (unseal) result from TPM
261  */
262 static int TSS_checkhmac2(unsigned char *buffer,
263                           const uint32_t command,
264                           const unsigned char *ononce,
265                           const unsigned char *key1,
266                           unsigned int keylen1,
267                           const unsigned char *key2,
268                           unsigned int keylen2, ...)
269 {
270         uint32_t bufsize;
271         uint16_t tag;
272         uint32_t ordinal;
273         uint32_t result;
274         unsigned char *enonce1;
275         unsigned char *continueflag1;
276         unsigned char *authdata1;
277         unsigned char *enonce2;
278         unsigned char *continueflag2;
279         unsigned char *authdata2;
280         unsigned char testhmac1[SHA1_DIGEST_SIZE];
281         unsigned char testhmac2[SHA1_DIGEST_SIZE];
282         unsigned char paramdigest[SHA1_DIGEST_SIZE];
283         struct sdesc *sdesc;
284         unsigned int dlen;
285         unsigned int dpos;
286         va_list argp;
287         int ret;
288 
289         bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
290         tag = LOAD16(buffer, 0);
291         ordinal = command;
292         result = LOAD32N(buffer, TPM_RETURN_OFFSET);
293 
294         if (tag == TPM_TAG_RSP_COMMAND)
295                 return 0;
296         if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
297                 return -EINVAL;
298         authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
299                         + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
300         authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
301         continueflag1 = authdata1 - 1;
302         continueflag2 = authdata2 - 1;
303         enonce1 = continueflag1 - TPM_NONCE_SIZE;
304         enonce2 = continueflag2 - TPM_NONCE_SIZE;
305 
306         sdesc = init_sdesc(hashalg);
307         if (IS_ERR(sdesc)) {
308                 pr_info("trusted_key: can't alloc %s\n", hash_alg);
309                 return PTR_ERR(sdesc);
310         }
311         ret = crypto_shash_init(&sdesc->shash);
312         if (ret < 0)
313                 goto out;
314         ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
315                                   sizeof result);
316         if (ret < 0)
317                 goto out;
318         ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
319                                   sizeof ordinal);
320         if (ret < 0)
321                 goto out;
322 
323         va_start(argp, keylen2);
324         for (;;) {
325                 dlen = va_arg(argp, unsigned int);
326                 if (dlen == 0)
327                         break;
328                 dpos = va_arg(argp, unsigned int);
329                 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
330                 if (ret < 0)
331                         break;
332         }
333         va_end(argp);
334         if (!ret)
335                 ret = crypto_shash_final(&sdesc->shash, paramdigest);
336         if (ret < 0)
337                 goto out;
338 
339         ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
340                           paramdigest, TPM_NONCE_SIZE, enonce1,
341                           TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
342         if (ret < 0)
343                 goto out;
344         if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
345                 ret = -EINVAL;
346                 goto out;
347         }
348         ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
349                           paramdigest, TPM_NONCE_SIZE, enonce2,
350                           TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
351         if (ret < 0)
352                 goto out;
353         if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
354                 ret = -EINVAL;
355 out:
356         kzfree(sdesc);
357         return ret;
358 }
359 
360 /*
361  * For key specific tpm requests, we will generate and send our
362  * own TPM command packets using the drivers send function.
363  */
364 int trusted_tpm_send(unsigned char *cmd, size_t buflen)
365 {
366         int rc;
367 
368         if (!chip)
369                 return -ENODEV;
370 
371         dump_tpm_buf(cmd);
372         rc = tpm_send(chip, cmd, buflen);
373         dump_tpm_buf(cmd);
374         if (rc > 0)
375                 /* Can't return positive return codes values to keyctl */
376                 rc = -EPERM;
377         return rc;
378 }
379 EXPORT_SYMBOL_GPL(trusted_tpm_send);
380 
381 /*
382  * Lock a trusted key, by extending a selected PCR.
383  *
384  * Prevents a trusted key that is sealed to PCRs from being accessed.
385  * This uses the tpm driver's extend function.
386  */
387 static int pcrlock(const int pcrnum)
388 {
389         if (!capable(CAP_SYS_ADMIN))
390                 return -EPERM;
391 
392         return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0;
393 }
394 
395 /*
396  * Create an object specific authorisation protocol (OSAP) session
397  */
398 static int osap(struct tpm_buf *tb, struct osapsess *s,
399                 const unsigned char *key, uint16_t type, uint32_t handle)
400 {
401         unsigned char enonce[TPM_NONCE_SIZE];
402         unsigned char ononce[TPM_NONCE_SIZE];
403         int ret;
404 
405         ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
406         if (ret != TPM_NONCE_SIZE)
407                 return ret;
408 
409         tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP);
410         tpm_buf_append_u16(tb, type);
411         tpm_buf_append_u32(tb, handle);
412         tpm_buf_append(tb, ononce, TPM_NONCE_SIZE);
413 
414         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
415         if (ret < 0)
416                 return ret;
417 
418         s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
419         memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
420                TPM_NONCE_SIZE);
421         memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
422                                   TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
423         return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
424                            enonce, TPM_NONCE_SIZE, ononce, 0, 0);
425 }
426 
427 /*
428  * Create an object independent authorisation protocol (oiap) session
429  */
430 int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
431 {
432         int ret;
433 
434         if (!chip)
435                 return -ENODEV;
436 
437         tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP);
438         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
439         if (ret < 0)
440                 return ret;
441 
442         *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
443         memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
444                TPM_NONCE_SIZE);
445         return 0;
446 }
447 EXPORT_SYMBOL_GPL(oiap);
448 
449 struct tpm_digests {
450         unsigned char encauth[SHA1_DIGEST_SIZE];
451         unsigned char pubauth[SHA1_DIGEST_SIZE];
452         unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
453         unsigned char xorhash[SHA1_DIGEST_SIZE];
454         unsigned char nonceodd[TPM_NONCE_SIZE];
455 };
456 
457 /*
458  * Have the TPM seal(encrypt) the trusted key, possibly based on
459  * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
460  */
461 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
462                     uint32_t keyhandle, const unsigned char *keyauth,
463                     const unsigned char *data, uint32_t datalen,
464                     unsigned char *blob, uint32_t *bloblen,
465                     const unsigned char *blobauth,
466                     const unsigned char *pcrinfo, uint32_t pcrinfosize)
467 {
468         struct osapsess sess;
469         struct tpm_digests *td;
470         unsigned char cont;
471         uint32_t ordinal;
472         uint32_t pcrsize;
473         uint32_t datsize;
474         int sealinfosize;
475         int encdatasize;
476         int storedsize;
477         int ret;
478         int i;
479 
480         /* alloc some work space for all the hashes */
481         td = kmalloc(sizeof *td, GFP_KERNEL);
482         if (!td)
483                 return -ENOMEM;
484 
485         /* get session for sealing key */
486         ret = osap(tb, &sess, keyauth, keytype, keyhandle);
487         if (ret < 0)
488                 goto out;
489         dump_sess(&sess);
490 
491         /* calculate encrypted authorization value */
492         memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
493         memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
494         ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
495         if (ret < 0)
496                 goto out;
497 
498         ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
499         if (ret != TPM_NONCE_SIZE)
500                 goto out;
501         ordinal = htonl(TPM_ORD_SEAL);
502         datsize = htonl(datalen);
503         pcrsize = htonl(pcrinfosize);
504         cont = 0;
505 
506         /* encrypt data authorization key */
507         for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
508                 td->encauth[i] = td->xorhash[i] ^ blobauth[i];
509 
510         /* calculate authorization HMAC value */
511         if (pcrinfosize == 0) {
512                 /* no pcr info specified */
513                 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
514                                    sess.enonce, td->nonceodd, cont,
515                                    sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
516                                    td->encauth, sizeof(uint32_t), &pcrsize,
517                                    sizeof(uint32_t), &datsize, datalen, data, 0,
518                                    0);
519         } else {
520                 /* pcr info specified */
521                 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
522                                    sess.enonce, td->nonceodd, cont,
523                                    sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
524                                    td->encauth, sizeof(uint32_t), &pcrsize,
525                                    pcrinfosize, pcrinfo, sizeof(uint32_t),
526                                    &datsize, datalen, data, 0, 0);
527         }
528         if (ret < 0)
529                 goto out;
530 
531         /* build and send the TPM request packet */
532         tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL);
533         tpm_buf_append_u32(tb, keyhandle);
534         tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE);
535         tpm_buf_append_u32(tb, pcrinfosize);
536         tpm_buf_append(tb, pcrinfo, pcrinfosize);
537         tpm_buf_append_u32(tb, datalen);
538         tpm_buf_append(tb, data, datalen);
539         tpm_buf_append_u32(tb, sess.handle);
540         tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE);
541         tpm_buf_append_u8(tb, cont);
542         tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE);
543 
544         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
545         if (ret < 0)
546                 goto out;
547 
548         /* calculate the size of the returned Blob */
549         sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
550         encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
551                              sizeof(uint32_t) + sealinfosize);
552         storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
553             sizeof(uint32_t) + encdatasize;
554 
555         /* check the HMAC in the response */
556         ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
557                              SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
558                              0);
559 
560         /* copy the returned blob to caller */
561         if (!ret) {
562                 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
563                 *bloblen = storedsize;
564         }
565 out:
566         kzfree(td);
567         return ret;
568 }
569 
570 /*
571  * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
572  */
573 static int tpm_unseal(struct tpm_buf *tb,
574                       uint32_t keyhandle, const unsigned char *keyauth,
575                       const unsigned char *blob, int bloblen,
576                       const unsigned char *blobauth,
577                       unsigned char *data, unsigned int *datalen)
578 {
579         unsigned char nonceodd[TPM_NONCE_SIZE];
580         unsigned char enonce1[TPM_NONCE_SIZE];
581         unsigned char enonce2[TPM_NONCE_SIZE];
582         unsigned char authdata1[SHA1_DIGEST_SIZE];
583         unsigned char authdata2[SHA1_DIGEST_SIZE];
584         uint32_t authhandle1 = 0;
585         uint32_t authhandle2 = 0;
586         unsigned char cont = 0;
587         uint32_t ordinal;
588         int ret;
589 
590         /* sessions for unsealing key and data */
591         ret = oiap(tb, &authhandle1, enonce1);
592         if (ret < 0) {
593                 pr_info("trusted_key: oiap failed (%d)\n", ret);
594                 return ret;
595         }
596         ret = oiap(tb, &authhandle2, enonce2);
597         if (ret < 0) {
598                 pr_info("trusted_key: oiap failed (%d)\n", ret);
599                 return ret;
600         }
601 
602         ordinal = htonl(TPM_ORD_UNSEAL);
603         ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
604         if (ret != TPM_NONCE_SIZE) {
605                 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
606                 return ret;
607         }
608         ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
609                            enonce1, nonceodd, cont, sizeof(uint32_t),
610                            &ordinal, bloblen, blob, 0, 0);
611         if (ret < 0)
612                 return ret;
613         ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
614                            enonce2, nonceodd, cont, sizeof(uint32_t),
615                            &ordinal, bloblen, blob, 0, 0);
616         if (ret < 0)
617                 return ret;
618 
619         /* build and send TPM request packet */
620         tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL);
621         tpm_buf_append_u32(tb, keyhandle);
622         tpm_buf_append(tb, blob, bloblen);
623         tpm_buf_append_u32(tb, authhandle1);
624         tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
625         tpm_buf_append_u8(tb, cont);
626         tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE);
627         tpm_buf_append_u32(tb, authhandle2);
628         tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
629         tpm_buf_append_u8(tb, cont);
630         tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE);
631 
632         ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
633         if (ret < 0) {
634                 pr_info("trusted_key: authhmac failed (%d)\n", ret);
635                 return ret;
636         }
637 
638         *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
639         ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
640                              keyauth, SHA1_DIGEST_SIZE,
641                              blobauth, SHA1_DIGEST_SIZE,
642                              sizeof(uint32_t), TPM_DATA_OFFSET,
643                              *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
644                              0);
645         if (ret < 0) {
646                 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
647                 return ret;
648         }
649         memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
650         return 0;
651 }
652 
653 /*
654  * Have the TPM seal(encrypt) the symmetric key
655  */
656 static int key_seal(struct trusted_key_payload *p,
657                     struct trusted_key_options *o)
658 {
659         struct tpm_buf tb;
660         int ret;
661 
662         ret = tpm_buf_init(&tb, 0, 0);
663         if (ret)
664                 return ret;
665 
666         /* include migratable flag at end of sealed key */
667         p->key[p->key_len] = p->migratable;
668 
669         ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth,
670                        p->key, p->key_len + 1, p->blob, &p->blob_len,
671                        o->blobauth, o->pcrinfo, o->pcrinfo_len);
672         if (ret < 0)
673                 pr_info("trusted_key: srkseal failed (%d)\n", ret);
674 
675         tpm_buf_destroy(&tb);
676         return ret;
677 }
678 
679 /*
680  * Have the TPM unseal(decrypt) the symmetric key
681  */
682 static int key_unseal(struct trusted_key_payload *p,
683                       struct trusted_key_options *o)
684 {
685         struct tpm_buf tb;
686         int ret;
687 
688         ret = tpm_buf_init(&tb, 0, 0);
689         if (ret)
690                 return ret;
691 
692         ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
693                          o->blobauth, p->key, &p->key_len);
694         if (ret < 0)
695                 pr_info("trusted_key: srkunseal failed (%d)\n", ret);
696         else
697                 /* pull migratable flag out of sealed key */
698                 p->migratable = p->key[--p->key_len];
699 
700         tpm_buf_destroy(&tb);
701         return ret;
702 }
703 
704 enum {
705         Opt_err,
706         Opt_new, Opt_load, Opt_update,
707         Opt_keyhandle, Opt_keyauth, Opt_blobauth,
708         Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
709         Opt_hash,
710         Opt_policydigest,
711         Opt_policyhandle,
712 };
713 
714 static const match_table_t key_tokens = {
715         {Opt_new, "new"},
716         {Opt_load, "load"},
717         {Opt_update, "update"},
718         {Opt_keyhandle, "keyhandle=%s"},
719         {Opt_keyauth, "keyauth=%s"},
720         {Opt_blobauth, "blobauth=%s"},
721         {Opt_pcrinfo, "pcrinfo=%s"},
722         {Opt_pcrlock, "pcrlock=%s"},
723         {Opt_migratable, "migratable=%s"},
724         {Opt_hash, "hash=%s"},
725         {Opt_policydigest, "policydigest=%s"},
726         {Opt_policyhandle, "policyhandle=%s"},
727         {Opt_err, NULL}
728 };
729 
730 /* can have zero or more token= options */
731 static int getoptions(char *c, struct trusted_key_payload *pay,
732                       struct trusted_key_options *opt)
733 {
734         substring_t args[MAX_OPT_ARGS];
735         char *p = c;
736         int token;
737         int res;
738         unsigned long handle;
739         unsigned long lock;
740         unsigned long token_mask = 0;
741         unsigned int digest_len;
742         int i;
743         int tpm2;
744 
745         tpm2 = tpm_is_tpm2(chip);
746         if (tpm2 < 0)
747                 return tpm2;
748 
749         opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
750 
751         while ((p = strsep(&c, " \t"))) {
752                 if (*p == '\0' || *p == ' ' || *p == '\t')
753                         continue;
754                 token = match_token(p, key_tokens, args);
755                 if (test_and_set_bit(token, &token_mask))
756                         return -EINVAL;
757 
758                 switch (token) {
759                 case Opt_pcrinfo:
760                         opt->pcrinfo_len = strlen(args[0].from) / 2;
761                         if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
762                                 return -EINVAL;
763                         res = hex2bin(opt->pcrinfo, args[0].from,
764                                       opt->pcrinfo_len);
765                         if (res < 0)
766                                 return -EINVAL;
767                         break;
768                 case Opt_keyhandle:
769                         res = kstrtoul(args[0].from, 16, &handle);
770                         if (res < 0)
771                                 return -EINVAL;
772                         opt->keytype = SEAL_keytype;
773                         opt->keyhandle = handle;
774                         break;
775                 case Opt_keyauth:
776                         if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
777                                 return -EINVAL;
778                         res = hex2bin(opt->keyauth, args[0].from,
779                                       SHA1_DIGEST_SIZE);
780                         if (res < 0)
781                                 return -EINVAL;
782                         break;
783                 case Opt_blobauth:
784                         if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
785                                 return -EINVAL;
786                         res = hex2bin(opt->blobauth, args[0].from,
787                                       SHA1_DIGEST_SIZE);
788                         if (res < 0)
789                                 return -EINVAL;
790                         break;
791                 case Opt_migratable:
792                         if (*args[0].from == '')
793                                 pay->migratable = 0;
794                         else
795                                 return -EINVAL;
796                         break;
797                 case Opt_pcrlock:
798                         res = kstrtoul(args[0].from, 10, &lock);
799                         if (res < 0)
800                                 return -EINVAL;
801                         opt->pcrlock = lock;
802                         break;
803                 case Opt_hash:
804                         if (test_bit(Opt_policydigest, &token_mask))
805                                 return -EINVAL;
806                         for (i = 0; i < HASH_ALGO__LAST; i++) {
807                                 if (!strcmp(args[0].from, hash_algo_name[i])) {
808                                         opt->hash = i;
809                                         break;
810                                 }
811                         }
812                         if (i == HASH_ALGO__LAST)
813                                 return -EINVAL;
814                         if  (!tpm2 && i != HASH_ALGO_SHA1) {
815                                 pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
816                                 return -EINVAL;
817                         }
818                         break;
819                 case Opt_policydigest:
820                         digest_len = hash_digest_size[opt->hash];
821                         if (!tpm2 || strlen(args[0].from) != (2 * digest_len))
822                                 return -EINVAL;
823                         res = hex2bin(opt->policydigest, args[0].from,
824                                       digest_len);
825                         if (res < 0)
826                                 return -EINVAL;
827                         opt->policydigest_len = digest_len;
828                         break;
829                 case Opt_policyhandle:
830                         if (!tpm2)
831                                 return -EINVAL;
832                         res = kstrtoul(args[0].from, 16, &handle);
833                         if (res < 0)
834                                 return -EINVAL;
835                         opt->policyhandle = handle;
836                         break;
837                 default:
838                         return -EINVAL;
839                 }
840         }
841         return 0;
842 }
843 
844 /*
845  * datablob_parse - parse the keyctl data and fill in the
846  *                  payload and options structures
847  *
848  * On success returns 0, otherwise -EINVAL.
849  */
850 static int datablob_parse(char *datablob, struct trusted_key_payload *p,
851                           struct trusted_key_options *o)
852 {
853         substring_t args[MAX_OPT_ARGS];
854         long keylen;
855         int ret = -EINVAL;
856         int key_cmd;
857         char *c;
858 
859         /* main command */
860         c = strsep(&datablob, " \t");
861         if (!c)
862                 return -EINVAL;
863         key_cmd = match_token(c, key_tokens, args);
864         switch (key_cmd) {
865         case Opt_new:
866                 /* first argument is key size */
867                 c = strsep(&datablob, " \t");
868                 if (!c)
869                         return -EINVAL;
870                 ret = kstrtol(c, 10, &keylen);
871                 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
872                         return -EINVAL;
873                 p->key_len = keylen;
874                 ret = getoptions(datablob, p, o);
875                 if (ret < 0)
876                         return ret;
877                 ret = Opt_new;
878                 break;
879         case Opt_load:
880                 /* first argument is sealed blob */
881                 c = strsep(&datablob, " \t");
882                 if (!c)
883                         return -EINVAL;
884                 p->blob_len = strlen(c) / 2;
885                 if (p->blob_len > MAX_BLOB_SIZE)
886                         return -EINVAL;
887                 ret = hex2bin(p->blob, c, p->blob_len);
888                 if (ret < 0)
889                         return -EINVAL;
890                 ret = getoptions(datablob, p, o);
891                 if (ret < 0)
892                         return ret;
893                 ret = Opt_load;
894                 break;
895         case Opt_update:
896                 /* all arguments are options */
897                 ret = getoptions(datablob, p, o);
898                 if (ret < 0)
899                         return ret;
900                 ret = Opt_update;
901                 break;
902         case Opt_err:
903                 return -EINVAL;
904                 break;
905         }
906         return ret;
907 }
908 
909 static struct trusted_key_options *trusted_options_alloc(void)
910 {
911         struct trusted_key_options *options;
912         int tpm2;
913 
914         tpm2 = tpm_is_tpm2(chip);
915         if (tpm2 < 0)
916                 return NULL;
917 
918         options = kzalloc(sizeof *options, GFP_KERNEL);
919         if (options) {
920                 /* set any non-zero defaults */
921                 options->keytype = SRK_keytype;
922 
923                 if (!tpm2)
924                         options->keyhandle = SRKHANDLE;
925         }
926         return options;
927 }
928 
929 static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
930 {
931         struct trusted_key_payload *p = NULL;
932         int ret;
933 
934         ret = key_payload_reserve(key, sizeof *p);
935         if (ret < 0)
936                 return p;
937         p = kzalloc(sizeof *p, GFP_KERNEL);
938         if (p)
939                 p->migratable = 1; /* migratable by default */
940         return p;
941 }
942 
943 /*
944  * trusted_instantiate - create a new trusted key
945  *
946  * Unseal an existing trusted blob or, for a new key, get a
947  * random key, then seal and create a trusted key-type key,
948  * adding it to the specified keyring.
949  *
950  * On success, return 0. Otherwise return errno.
951  */
952 static int trusted_instantiate(struct key *key,
953                                struct key_preparsed_payload *prep)
954 {
955         struct trusted_key_payload *payload = NULL;
956         struct trusted_key_options *options = NULL;
957         size_t datalen = prep->datalen;
958         char *datablob;
959         int ret = 0;
960         int key_cmd;
961         size_t key_len;
962         int tpm2;
963 
964         tpm2 = tpm_is_tpm2(chip);
965         if (tpm2 < 0)
966                 return tpm2;
967 
968         if (datalen <= 0 || datalen > 32767 || !prep->data)
969                 return -EINVAL;
970 
971         datablob = kmalloc(datalen + 1, GFP_KERNEL);
972         if (!datablob)
973                 return -ENOMEM;
974         memcpy(datablob, prep->data, datalen);
975         datablob[datalen] = '\0';
976 
977         options = trusted_options_alloc();
978         if (!options) {
979                 ret = -ENOMEM;
980                 goto out;
981         }
982         payload = trusted_payload_alloc(key);
983         if (!payload) {
984                 ret = -ENOMEM;
985                 goto out;
986         }
987 
988         key_cmd = datablob_parse(datablob, payload, options);
989         if (key_cmd < 0) {
990                 ret = key_cmd;
991                 goto out;
992         }
993 
994         if (!options->keyhandle) {
995                 ret = -EINVAL;
996                 goto out;
997         }
998 
999         dump_payload(payload);
1000         dump_options(options);
1001 
1002         switch (key_cmd) {
1003         case Opt_load:
1004                 if (tpm2)
1005                         ret = tpm2_unseal_trusted(chip, payload, options);
1006                 else
1007                         ret = key_unseal(payload, options);
1008                 dump_payload(payload);
1009                 dump_options(options);
1010                 if (ret < 0)
1011                         pr_info("trusted_key: key_unseal failed (%d)\n", ret);
1012                 break;
1013         case Opt_new:
1014                 key_len = payload->key_len;
1015                 ret = tpm_get_random(chip, payload->key, key_len);
1016                 if (ret != key_len) {
1017                         pr_info("trusted_key: key_create failed (%d)\n", ret);
1018                         goto out;
1019                 }
1020                 if (tpm2)
1021                         ret = tpm2_seal_trusted(chip, payload, options);
1022                 else
1023                         ret = key_seal(payload, options);
1024                 if (ret < 0)
1025                         pr_info("trusted_key: key_seal failed (%d)\n", ret);
1026                 break;
1027         default:
1028                 ret = -EINVAL;
1029                 goto out;
1030         }
1031         if (!ret && options->pcrlock)
1032                 ret = pcrlock(options->pcrlock);
1033 out:
1034         kzfree(datablob);
1035         kzfree(options);
1036         if (!ret)
1037                 rcu_assign_keypointer(key, payload);
1038         else
1039                 kzfree(payload);
1040         return ret;
1041 }
1042 
1043 static void trusted_rcu_free(struct rcu_head *rcu)
1044 {
1045         struct trusted_key_payload *p;
1046 
1047         p = container_of(rcu, struct trusted_key_payload, rcu);
1048         kzfree(p);
1049 }
1050 
1051 /*
1052  * trusted_update - reseal an existing key with new PCR values
1053  */
1054 static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
1055 {
1056         struct trusted_key_payload *p;
1057         struct trusted_key_payload *new_p;
1058         struct trusted_key_options *new_o;
1059         size_t datalen = prep->datalen;
1060         char *datablob;
1061         int ret = 0;
1062 
1063         if (key_is_negative(key))
1064                 return -ENOKEY;
1065         p = key->payload.data[0];
1066         if (!p->migratable)
1067                 return -EPERM;
1068         if (datalen <= 0 || datalen > 32767 || !prep->data)
1069                 return -EINVAL;
1070 
1071         datablob = kmalloc(datalen + 1, GFP_KERNEL);
1072         if (!datablob)
1073                 return -ENOMEM;
1074         new_o = trusted_options_alloc();
1075         if (!new_o) {
1076                 ret = -ENOMEM;
1077                 goto out;
1078         }
1079         new_p = trusted_payload_alloc(key);
1080         if (!new_p) {
1081                 ret = -ENOMEM;
1082                 goto out;
1083         }
1084 
1085         memcpy(datablob, prep->data, datalen);
1086         datablob[datalen] = '\0';
1087         ret = datablob_parse(datablob, new_p, new_o);
1088         if (ret != Opt_update) {
1089                 ret = -EINVAL;
1090                 kzfree(new_p);
1091                 goto out;
1092         }
1093 
1094         if (!new_o->keyhandle) {
1095                 ret = -EINVAL;
1096                 kzfree(new_p);
1097                 goto out;
1098         }
1099 
1100         /* copy old key values, and reseal with new pcrs */
1101         new_p->migratable = p->migratable;
1102         new_p->key_len = p->key_len;
1103         memcpy(new_p->key, p->key, p->key_len);
1104         dump_payload(p);
1105         dump_payload(new_p);
1106 
1107         ret = key_seal(new_p, new_o);
1108         if (ret < 0) {
1109                 pr_info("trusted_key: key_seal failed (%d)\n", ret);
1110                 kzfree(new_p);
1111                 goto out;
1112         }
1113         if (new_o->pcrlock) {
1114                 ret = pcrlock(new_o->pcrlock);
1115                 if (ret < 0) {
1116                         pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1117                         kzfree(new_p);
1118                         goto out;
1119                 }
1120         }
1121         rcu_assign_keypointer(key, new_p);
1122         call_rcu(&p->rcu, trusted_rcu_free);
1123 out:
1124         kzfree(datablob);
1125         kzfree(new_o);
1126         return ret;
1127 }
1128 
1129 /*
1130  * trusted_read - copy the sealed blob data to userspace in hex.
1131  * On success, return to userspace the trusted key datablob size.
1132  */
1133 static long trusted_read(const struct key *key, char *buffer,
1134                          size_t buflen)
1135 {
1136         const struct trusted_key_payload *p;
1137         char *bufp;
1138         int i;
1139 
1140         p = dereference_key_locked(key);
1141         if (!p)
1142                 return -EINVAL;
1143 
1144         if (buffer && buflen >= 2 * p->blob_len) {
1145                 bufp = buffer;
1146                 for (i = 0; i < p->blob_len; i++)
1147                         bufp = hex_byte_pack(bufp, p->blob[i]);
1148         }
1149         return 2 * p->blob_len;
1150 }
1151 
1152 /*
1153  * trusted_destroy - clear and free the key's payload
1154  */
1155 static void trusted_destroy(struct key *key)
1156 {
1157         kzfree(key->payload.data[0]);
1158 }
1159 
1160 struct key_type key_type_trusted = {
1161         .name = "trusted",
1162         .instantiate = trusted_instantiate,
1163         .update = trusted_update,
1164         .destroy = trusted_destroy,
1165         .describe = user_describe,
1166         .read = trusted_read,
1167 };
1168 
1169 EXPORT_SYMBOL_GPL(key_type_trusted);
1170 
1171 static void trusted_shash_release(void)
1172 {
1173         if (hashalg)
1174                 crypto_free_shash(hashalg);
1175         if (hmacalg)
1176                 crypto_free_shash(hmacalg);
1177 }
1178 
1179 static int __init trusted_shash_alloc(void)
1180 {
1181         int ret;
1182 
1183         hmacalg = crypto_alloc_shash(hmac_alg, 0, 0);
1184         if (IS_ERR(hmacalg)) {
1185                 pr_info("trusted_key: could not allocate crypto %s\n",
1186                         hmac_alg);
1187                 return PTR_ERR(hmacalg);
1188         }
1189 
1190         hashalg = crypto_alloc_shash(hash_alg, 0, 0);
1191         if (IS_ERR(hashalg)) {
1192                 pr_info("trusted_key: could not allocate crypto %s\n",
1193                         hash_alg);
1194                 ret = PTR_ERR(hashalg);
1195                 goto hashalg_fail;
1196         }
1197 
1198         return 0;
1199 
1200 hashalg_fail:
1201         crypto_free_shash(hmacalg);
1202         return ret;
1203 }
1204 
1205 static int __init init_digests(void)
1206 {
1207         int i;
1208 
1209         digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests),
1210                           GFP_KERNEL);
1211         if (!digests)
1212                 return -ENOMEM;
1213 
1214         for (i = 0; i < chip->nr_allocated_banks; i++)
1215                 digests[i].alg_id = chip->allocated_banks[i].alg_id;
1216 
1217         return 0;
1218 }
1219 
1220 static int __init init_trusted(void)
1221 {
1222         int ret;
1223 
1224         /* encrypted_keys.ko depends on successful load of this module even if
1225          * TPM is not used.
1226          */
1227         chip = tpm_default_chip();
1228         if (!chip)
1229                 return 0;
1230 
1231         ret = init_digests();
1232         if (ret < 0)
1233                 goto err_put;
1234         ret = trusted_shash_alloc();
1235         if (ret < 0)
1236                 goto err_free;
1237         ret = register_key_type(&key_type_trusted);
1238         if (ret < 0)
1239                 goto err_release;
1240         return 0;
1241 err_release:
1242         trusted_shash_release();
1243 err_free:
1244         kfree(digests);
1245 err_put:
1246         put_device(&chip->dev);
1247         return ret;
1248 }
1249 
1250 static void __exit cleanup_trusted(void)
1251 {
1252         if (chip) {
1253                 put_device(&chip->dev);
1254                 kfree(digests);
1255                 trusted_shash_release();
1256                 unregister_key_type(&key_type_trusted);
1257         }
1258 }
1259 
1260 late_initcall(init_trusted);
1261 module_exit(cleanup_trusted);
1262 
1263 MODULE_LICENSE("GPL");
1264 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp