trusted.c 28 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190
  1. /*
  2. * Copyright (C) 2010 IBM Corporation
  3. *
  4. * Author:
  5. * David Safford <safford@us.ibm.com>
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation, version 2 of the License.
  10. *
  11. * See Documentation/security/keys-trusted-encrypted.txt
  12. */
  13. #include <linux/uaccess.h>
  14. #include <linux/module.h>
  15. #include <linux/init.h>
  16. #include <linux/slab.h>
  17. #include <linux/parser.h>
  18. #include <linux/string.h>
  19. #include <linux/err.h>
  20. #include <keys/user-type.h>
  21. #include <keys/trusted-type.h>
  22. #include <linux/key-type.h>
  23. #include <linux/rcupdate.h>
  24. #include <linux/crypto.h>
  25. #include <crypto/hash.h>
  26. #include <crypto/sha.h>
  27. #include <linux/capability.h>
  28. #include <linux/tpm.h>
  29. #include <linux/tpm_command.h>
  30. #include "trusted.h"
  31. static const char hmac_alg[] = "hmac(sha1)";
  32. static const char hash_alg[] = "sha1";
  33. struct sdesc {
  34. struct shash_desc shash;
  35. char ctx[];
  36. };
  37. static struct crypto_shash *hashalg;
  38. static struct crypto_shash *hmacalg;
  39. static struct sdesc *init_sdesc(struct crypto_shash *alg)
  40. {
  41. struct sdesc *sdesc;
  42. int size;
  43. size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  44. sdesc = kmalloc(size, GFP_KERNEL);
  45. if (!sdesc)
  46. return ERR_PTR(-ENOMEM);
  47. sdesc->shash.tfm = alg;
  48. sdesc->shash.flags = 0x0;
  49. return sdesc;
  50. }
  51. static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  52. unsigned char *digest)
  53. {
  54. struct sdesc *sdesc;
  55. int ret;
  56. sdesc = init_sdesc(hashalg);
  57. if (IS_ERR(sdesc)) {
  58. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  59. return PTR_ERR(sdesc);
  60. }
  61. ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  62. kzfree(sdesc);
  63. return ret;
  64. }
  65. static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  66. unsigned int keylen, ...)
  67. {
  68. struct sdesc *sdesc;
  69. va_list argp;
  70. unsigned int dlen;
  71. unsigned char *data;
  72. int ret;
  73. sdesc = init_sdesc(hmacalg);
  74. if (IS_ERR(sdesc)) {
  75. pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  76. return PTR_ERR(sdesc);
  77. }
  78. ret = crypto_shash_setkey(hmacalg, key, keylen);
  79. if (ret < 0)
  80. goto out;
  81. ret = crypto_shash_init(&sdesc->shash);
  82. if (ret < 0)
  83. goto out;
  84. va_start(argp, keylen);
  85. for (;;) {
  86. dlen = va_arg(argp, unsigned int);
  87. if (dlen == 0)
  88. break;
  89. data = va_arg(argp, unsigned char *);
  90. if (data == NULL) {
  91. ret = -EINVAL;
  92. break;
  93. }
  94. ret = crypto_shash_update(&sdesc->shash, data, dlen);
  95. if (ret < 0)
  96. break;
  97. }
  98. va_end(argp);
  99. if (!ret)
  100. ret = crypto_shash_final(&sdesc->shash, digest);
  101. out:
  102. kzfree(sdesc);
  103. return ret;
  104. }
  105. /*
  106. * calculate authorization info fields to send to TPM
  107. */
  108. static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
  109. unsigned int keylen, unsigned char *h1,
  110. unsigned char *h2, unsigned char h3, ...)
  111. {
  112. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  113. struct sdesc *sdesc;
  114. unsigned int dlen;
  115. unsigned char *data;
  116. unsigned char c;
  117. int ret;
  118. va_list argp;
  119. sdesc = init_sdesc(hashalg);
  120. if (IS_ERR(sdesc)) {
  121. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  122. return PTR_ERR(sdesc);
  123. }
  124. c = h3;
  125. ret = crypto_shash_init(&sdesc->shash);
  126. if (ret < 0)
  127. goto out;
  128. va_start(argp, h3);
  129. for (;;) {
  130. dlen = va_arg(argp, unsigned int);
  131. if (dlen == 0)
  132. break;
  133. data = va_arg(argp, unsigned char *);
  134. if (!data) {
  135. ret = -EINVAL;
  136. break;
  137. }
  138. ret = crypto_shash_update(&sdesc->shash, data, dlen);
  139. if (ret < 0)
  140. break;
  141. }
  142. va_end(argp);
  143. if (!ret)
  144. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  145. if (!ret)
  146. ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
  147. paramdigest, TPM_NONCE_SIZE, h1,
  148. TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
  149. out:
  150. kzfree(sdesc);
  151. return ret;
  152. }
  153. /*
  154. * verify the AUTH1_COMMAND (Seal) result from TPM
  155. */
  156. static int TSS_checkhmac1(unsigned char *buffer,
  157. const uint32_t command,
  158. const unsigned char *ononce,
  159. const unsigned char *key,
  160. unsigned int keylen, ...)
  161. {
  162. uint32_t bufsize;
  163. uint16_t tag;
  164. uint32_t ordinal;
  165. uint32_t result;
  166. unsigned char *enonce;
  167. unsigned char *continueflag;
  168. unsigned char *authdata;
  169. unsigned char testhmac[SHA1_DIGEST_SIZE];
  170. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  171. struct sdesc *sdesc;
  172. unsigned int dlen;
  173. unsigned int dpos;
  174. va_list argp;
  175. int ret;
  176. bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
  177. tag = LOAD16(buffer, 0);
  178. ordinal = command;
  179. result = LOAD32N(buffer, TPM_RETURN_OFFSET);
  180. if (tag == TPM_TAG_RSP_COMMAND)
  181. return 0;
  182. if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
  183. return -EINVAL;
  184. authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
  185. continueflag = authdata - 1;
  186. enonce = continueflag - TPM_NONCE_SIZE;
  187. sdesc = init_sdesc(hashalg);
  188. if (IS_ERR(sdesc)) {
  189. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  190. return PTR_ERR(sdesc);
  191. }
  192. ret = crypto_shash_init(&sdesc->shash);
  193. if (ret < 0)
  194. goto out;
  195. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
  196. sizeof result);
  197. if (ret < 0)
  198. goto out;
  199. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
  200. sizeof ordinal);
  201. if (ret < 0)
  202. goto out;
  203. va_start(argp, keylen);
  204. for (;;) {
  205. dlen = va_arg(argp, unsigned int);
  206. if (dlen == 0)
  207. break;
  208. dpos = va_arg(argp, unsigned int);
  209. ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
  210. if (ret < 0)
  211. break;
  212. }
  213. va_end(argp);
  214. if (!ret)
  215. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  216. if (ret < 0)
  217. goto out;
  218. ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
  219. TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
  220. 1, continueflag, 0, 0);
  221. if (ret < 0)
  222. goto out;
  223. if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
  224. ret = -EINVAL;
  225. out:
  226. kzfree(sdesc);
  227. return ret;
  228. }
  229. /*
  230. * verify the AUTH2_COMMAND (unseal) result from TPM
  231. */
  232. static int TSS_checkhmac2(unsigned char *buffer,
  233. const uint32_t command,
  234. const unsigned char *ononce,
  235. const unsigned char *key1,
  236. unsigned int keylen1,
  237. const unsigned char *key2,
  238. unsigned int keylen2, ...)
  239. {
  240. uint32_t bufsize;
  241. uint16_t tag;
  242. uint32_t ordinal;
  243. uint32_t result;
  244. unsigned char *enonce1;
  245. unsigned char *continueflag1;
  246. unsigned char *authdata1;
  247. unsigned char *enonce2;
  248. unsigned char *continueflag2;
  249. unsigned char *authdata2;
  250. unsigned char testhmac1[SHA1_DIGEST_SIZE];
  251. unsigned char testhmac2[SHA1_DIGEST_SIZE];
  252. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  253. struct sdesc *sdesc;
  254. unsigned int dlen;
  255. unsigned int dpos;
  256. va_list argp;
  257. int ret;
  258. bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
  259. tag = LOAD16(buffer, 0);
  260. ordinal = command;
  261. result = LOAD32N(buffer, TPM_RETURN_OFFSET);
  262. if (tag == TPM_TAG_RSP_COMMAND)
  263. return 0;
  264. if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
  265. return -EINVAL;
  266. authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
  267. + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
  268. authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
  269. continueflag1 = authdata1 - 1;
  270. continueflag2 = authdata2 - 1;
  271. enonce1 = continueflag1 - TPM_NONCE_SIZE;
  272. enonce2 = continueflag2 - TPM_NONCE_SIZE;
  273. sdesc = init_sdesc(hashalg);
  274. if (IS_ERR(sdesc)) {
  275. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  276. return PTR_ERR(sdesc);
  277. }
  278. ret = crypto_shash_init(&sdesc->shash);
  279. if (ret < 0)
  280. goto out;
  281. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
  282. sizeof result);
  283. if (ret < 0)
  284. goto out;
  285. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
  286. sizeof ordinal);
  287. if (ret < 0)
  288. goto out;
  289. va_start(argp, keylen2);
  290. for (;;) {
  291. dlen = va_arg(argp, unsigned int);
  292. if (dlen == 0)
  293. break;
  294. dpos = va_arg(argp, unsigned int);
  295. ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
  296. if (ret < 0)
  297. break;
  298. }
  299. va_end(argp);
  300. if (!ret)
  301. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  302. if (ret < 0)
  303. goto out;
  304. ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
  305. paramdigest, TPM_NONCE_SIZE, enonce1,
  306. TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
  307. if (ret < 0)
  308. goto out;
  309. if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
  310. ret = -EINVAL;
  311. goto out;
  312. }
  313. ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
  314. paramdigest, TPM_NONCE_SIZE, enonce2,
  315. TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
  316. if (ret < 0)
  317. goto out;
  318. if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
  319. ret = -EINVAL;
  320. out:
  321. kzfree(sdesc);
  322. return ret;
  323. }
  324. /*
  325. * For key specific tpm requests, we will generate and send our
  326. * own TPM command packets using the drivers send function.
  327. */
  328. static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
  329. size_t buflen)
  330. {
  331. int rc;
  332. dump_tpm_buf(cmd);
  333. rc = tpm_send(chip_num, cmd, buflen);
  334. dump_tpm_buf(cmd);
  335. if (rc > 0)
  336. /* Can't return positive return codes values to keyctl */
  337. rc = -EPERM;
  338. return rc;
  339. }
  340. /*
  341. * Lock a trusted key, by extending a selected PCR.
  342. *
  343. * Prevents a trusted key that is sealed to PCRs from being accessed.
  344. * This uses the tpm driver's extend function.
  345. */
  346. static int pcrlock(const int pcrnum)
  347. {
  348. unsigned char hash[SHA1_DIGEST_SIZE];
  349. int ret;
  350. if (!capable(CAP_SYS_ADMIN))
  351. return -EPERM;
  352. ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
  353. if (ret != SHA1_DIGEST_SIZE)
  354. return ret;
  355. return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
  356. }
  357. /*
  358. * Create an object specific authorisation protocol (OSAP) session
  359. */
  360. static int osap(struct tpm_buf *tb, struct osapsess *s,
  361. const unsigned char *key, uint16_t type, uint32_t handle)
  362. {
  363. unsigned char enonce[TPM_NONCE_SIZE];
  364. unsigned char ononce[TPM_NONCE_SIZE];
  365. int ret;
  366. ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
  367. if (ret != TPM_NONCE_SIZE)
  368. return ret;
  369. INIT_BUF(tb);
  370. store16(tb, TPM_TAG_RQU_COMMAND);
  371. store32(tb, TPM_OSAP_SIZE);
  372. store32(tb, TPM_ORD_OSAP);
  373. store16(tb, type);
  374. store32(tb, handle);
  375. storebytes(tb, ononce, TPM_NONCE_SIZE);
  376. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  377. if (ret < 0)
  378. return ret;
  379. s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
  380. memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
  381. TPM_NONCE_SIZE);
  382. memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
  383. TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
  384. return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
  385. enonce, TPM_NONCE_SIZE, ononce, 0, 0);
  386. }
  387. /*
  388. * Create an object independent authorisation protocol (oiap) session
  389. */
  390. static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
  391. {
  392. int ret;
  393. INIT_BUF(tb);
  394. store16(tb, TPM_TAG_RQU_COMMAND);
  395. store32(tb, TPM_OIAP_SIZE);
  396. store32(tb, TPM_ORD_OIAP);
  397. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  398. if (ret < 0)
  399. return ret;
  400. *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
  401. memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
  402. TPM_NONCE_SIZE);
  403. return 0;
  404. }
  405. struct tpm_digests {
  406. unsigned char encauth[SHA1_DIGEST_SIZE];
  407. unsigned char pubauth[SHA1_DIGEST_SIZE];
  408. unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
  409. unsigned char xorhash[SHA1_DIGEST_SIZE];
  410. unsigned char nonceodd[TPM_NONCE_SIZE];
  411. };
  412. /*
  413. * Have the TPM seal(encrypt) the trusted key, possibly based on
  414. * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
  415. */
  416. static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
  417. uint32_t keyhandle, const unsigned char *keyauth,
  418. const unsigned char *data, uint32_t datalen,
  419. unsigned char *blob, uint32_t *bloblen,
  420. const unsigned char *blobauth,
  421. const unsigned char *pcrinfo, uint32_t pcrinfosize)
  422. {
  423. struct osapsess sess;
  424. struct tpm_digests *td;
  425. unsigned char cont;
  426. uint32_t ordinal;
  427. uint32_t pcrsize;
  428. uint32_t datsize;
  429. int sealinfosize;
  430. int encdatasize;
  431. int storedsize;
  432. int ret;
  433. int i;
  434. /* alloc some work space for all the hashes */
  435. td = kmalloc(sizeof *td, GFP_KERNEL);
  436. if (!td)
  437. return -ENOMEM;
  438. /* get session for sealing key */
  439. ret = osap(tb, &sess, keyauth, keytype, keyhandle);
  440. if (ret < 0)
  441. goto out;
  442. dump_sess(&sess);
  443. /* calculate encrypted authorization value */
  444. memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
  445. memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
  446. ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
  447. if (ret < 0)
  448. goto out;
  449. ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
  450. if (ret != TPM_NONCE_SIZE)
  451. goto out;
  452. ordinal = htonl(TPM_ORD_SEAL);
  453. datsize = htonl(datalen);
  454. pcrsize = htonl(pcrinfosize);
  455. cont = 0;
  456. /* encrypt data authorization key */
  457. for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
  458. td->encauth[i] = td->xorhash[i] ^ blobauth[i];
  459. /* calculate authorization HMAC value */
  460. if (pcrinfosize == 0) {
  461. /* no pcr info specified */
  462. ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
  463. sess.enonce, td->nonceodd, cont,
  464. sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
  465. td->encauth, sizeof(uint32_t), &pcrsize,
  466. sizeof(uint32_t), &datsize, datalen, data, 0,
  467. 0);
  468. } else {
  469. /* pcr info specified */
  470. ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
  471. sess.enonce, td->nonceodd, cont,
  472. sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
  473. td->encauth, sizeof(uint32_t), &pcrsize,
  474. pcrinfosize, pcrinfo, sizeof(uint32_t),
  475. &datsize, datalen, data, 0, 0);
  476. }
  477. if (ret < 0)
  478. goto out;
  479. /* build and send the TPM request packet */
  480. INIT_BUF(tb);
  481. store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
  482. store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
  483. store32(tb, TPM_ORD_SEAL);
  484. store32(tb, keyhandle);
  485. storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
  486. store32(tb, pcrinfosize);
  487. storebytes(tb, pcrinfo, pcrinfosize);
  488. store32(tb, datalen);
  489. storebytes(tb, data, datalen);
  490. store32(tb, sess.handle);
  491. storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
  492. store8(tb, cont);
  493. storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
  494. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  495. if (ret < 0)
  496. goto out;
  497. /* calculate the size of the returned Blob */
  498. sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
  499. encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
  500. sizeof(uint32_t) + sealinfosize);
  501. storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
  502. sizeof(uint32_t) + encdatasize;
  503. /* check the HMAC in the response */
  504. ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
  505. SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
  506. 0);
  507. /* copy the returned blob to caller */
  508. if (!ret) {
  509. memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
  510. *bloblen = storedsize;
  511. }
  512. out:
  513. kzfree(td);
  514. return ret;
  515. }
  516. /*
  517. * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
  518. */
  519. static int tpm_unseal(struct tpm_buf *tb,
  520. uint32_t keyhandle, const unsigned char *keyauth,
  521. const unsigned char *blob, int bloblen,
  522. const unsigned char *blobauth,
  523. unsigned char *data, unsigned int *datalen)
  524. {
  525. unsigned char nonceodd[TPM_NONCE_SIZE];
  526. unsigned char enonce1[TPM_NONCE_SIZE];
  527. unsigned char enonce2[TPM_NONCE_SIZE];
  528. unsigned char authdata1[SHA1_DIGEST_SIZE];
  529. unsigned char authdata2[SHA1_DIGEST_SIZE];
  530. uint32_t authhandle1 = 0;
  531. uint32_t authhandle2 = 0;
  532. unsigned char cont = 0;
  533. uint32_t ordinal;
  534. uint32_t keyhndl;
  535. int ret;
  536. /* sessions for unsealing key and data */
  537. ret = oiap(tb, &authhandle1, enonce1);
  538. if (ret < 0) {
  539. pr_info("trusted_key: oiap failed (%d)\n", ret);
  540. return ret;
  541. }
  542. ret = oiap(tb, &authhandle2, enonce2);
  543. if (ret < 0) {
  544. pr_info("trusted_key: oiap failed (%d)\n", ret);
  545. return ret;
  546. }
  547. ordinal = htonl(TPM_ORD_UNSEAL);
  548. keyhndl = htonl(SRKHANDLE);
  549. ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
  550. if (ret != TPM_NONCE_SIZE) {
  551. pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
  552. return ret;
  553. }
  554. ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
  555. enonce1, nonceodd, cont, sizeof(uint32_t),
  556. &ordinal, bloblen, blob, 0, 0);
  557. if (ret < 0)
  558. return ret;
  559. ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
  560. enonce2, nonceodd, cont, sizeof(uint32_t),
  561. &ordinal, bloblen, blob, 0, 0);
  562. if (ret < 0)
  563. return ret;
  564. /* build and send TPM request packet */
  565. INIT_BUF(tb);
  566. store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
  567. store32(tb, TPM_UNSEAL_SIZE + bloblen);
  568. store32(tb, TPM_ORD_UNSEAL);
  569. store32(tb, keyhandle);
  570. storebytes(tb, blob, bloblen);
  571. store32(tb, authhandle1);
  572. storebytes(tb, nonceodd, TPM_NONCE_SIZE);
  573. store8(tb, cont);
  574. storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
  575. store32(tb, authhandle2);
  576. storebytes(tb, nonceodd, TPM_NONCE_SIZE);
  577. store8(tb, cont);
  578. storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
  579. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  580. if (ret < 0) {
  581. pr_info("trusted_key: authhmac failed (%d)\n", ret);
  582. return ret;
  583. }
  584. *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
  585. ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
  586. keyauth, SHA1_DIGEST_SIZE,
  587. blobauth, SHA1_DIGEST_SIZE,
  588. sizeof(uint32_t), TPM_DATA_OFFSET,
  589. *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
  590. 0);
  591. if (ret < 0) {
  592. pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
  593. return ret;
  594. }
  595. memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
  596. return 0;
  597. }
  598. /*
  599. * Have the TPM seal(encrypt) the symmetric key
  600. */
  601. static int key_seal(struct trusted_key_payload *p,
  602. struct trusted_key_options *o)
  603. {
  604. struct tpm_buf *tb;
  605. int ret;
  606. tb = kzalloc(sizeof *tb, GFP_KERNEL);
  607. if (!tb)
  608. return -ENOMEM;
  609. /* include migratable flag at end of sealed key */
  610. p->key[p->key_len] = p->migratable;
  611. ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
  612. p->key, p->key_len + 1, p->blob, &p->blob_len,
  613. o->blobauth, o->pcrinfo, o->pcrinfo_len);
  614. if (ret < 0)
  615. pr_info("trusted_key: srkseal failed (%d)\n", ret);
  616. kzfree(tb);
  617. return ret;
  618. }
  619. /*
  620. * Have the TPM unseal(decrypt) the symmetric key
  621. */
  622. static int key_unseal(struct trusted_key_payload *p,
  623. struct trusted_key_options *o)
  624. {
  625. struct tpm_buf *tb;
  626. int ret;
  627. tb = kzalloc(sizeof *tb, GFP_KERNEL);
  628. if (!tb)
  629. return -ENOMEM;
  630. ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
  631. o->blobauth, p->key, &p->key_len);
  632. if (ret < 0)
  633. pr_info("trusted_key: srkunseal failed (%d)\n", ret);
  634. else
  635. /* pull migratable flag out of sealed key */
  636. p->migratable = p->key[--p->key_len];
  637. kzfree(tb);
  638. return ret;
  639. }
  640. enum {
  641. Opt_err = -1,
  642. Opt_new, Opt_load, Opt_update,
  643. Opt_keyhandle, Opt_keyauth, Opt_blobauth,
  644. Opt_pcrinfo, Opt_pcrlock, Opt_migratable
  645. };
  646. static const match_table_t key_tokens = {
  647. {Opt_new, "new"},
  648. {Opt_load, "load"},
  649. {Opt_update, "update"},
  650. {Opt_keyhandle, "keyhandle=%s"},
  651. {Opt_keyauth, "keyauth=%s"},
  652. {Opt_blobauth, "blobauth=%s"},
  653. {Opt_pcrinfo, "pcrinfo=%s"},
  654. {Opt_pcrlock, "pcrlock=%s"},
  655. {Opt_migratable, "migratable=%s"},
  656. {Opt_err, NULL}
  657. };
  658. /* can have zero or more token= options */
  659. static int getoptions(char *c, struct trusted_key_payload *pay,
  660. struct trusted_key_options *opt)
  661. {
  662. substring_t args[MAX_OPT_ARGS];
  663. char *p = c;
  664. int token;
  665. int res;
  666. unsigned long handle;
  667. unsigned long lock;
  668. while ((p = strsep(&c, " \t"))) {
  669. if (*p == '\0' || *p == ' ' || *p == '\t')
  670. continue;
  671. token = match_token(p, key_tokens, args);
  672. switch (token) {
  673. case Opt_pcrinfo:
  674. opt->pcrinfo_len = strlen(args[0].from) / 2;
  675. if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
  676. return -EINVAL;
  677. res = hex2bin(opt->pcrinfo, args[0].from,
  678. opt->pcrinfo_len);
  679. if (res < 0)
  680. return -EINVAL;
  681. break;
  682. case Opt_keyhandle:
  683. res = kstrtoul(args[0].from, 16, &handle);
  684. if (res < 0)
  685. return -EINVAL;
  686. opt->keytype = SEAL_keytype;
  687. opt->keyhandle = handle;
  688. break;
  689. case Opt_keyauth:
  690. if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
  691. return -EINVAL;
  692. res = hex2bin(opt->keyauth, args[0].from,
  693. SHA1_DIGEST_SIZE);
  694. if (res < 0)
  695. return -EINVAL;
  696. break;
  697. case Opt_blobauth:
  698. if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
  699. return -EINVAL;
  700. res = hex2bin(opt->blobauth, args[0].from,
  701. SHA1_DIGEST_SIZE);
  702. if (res < 0)
  703. return -EINVAL;
  704. break;
  705. case Opt_migratable:
  706. if (*args[0].from == '0')
  707. pay->migratable = 0;
  708. else
  709. return -EINVAL;
  710. break;
  711. case Opt_pcrlock:
  712. res = kstrtoul(args[0].from, 10, &lock);
  713. if (res < 0)
  714. return -EINVAL;
  715. opt->pcrlock = lock;
  716. break;
  717. default:
  718. return -EINVAL;
  719. }
  720. }
  721. return 0;
  722. }
  723. /*
  724. * datablob_parse - parse the keyctl data and fill in the
  725. * payload and options structures
  726. *
  727. * On success returns 0, otherwise -EINVAL.
  728. */
  729. static int datablob_parse(char *datablob, struct trusted_key_payload *p,
  730. struct trusted_key_options *o)
  731. {
  732. substring_t args[MAX_OPT_ARGS];
  733. long keylen;
  734. int ret = -EINVAL;
  735. int key_cmd;
  736. char *c;
  737. /* main command */
  738. c = strsep(&datablob, " \t");
  739. if (!c)
  740. return -EINVAL;
  741. key_cmd = match_token(c, key_tokens, args);
  742. switch (key_cmd) {
  743. case Opt_new:
  744. /* first argument is key size */
  745. c = strsep(&datablob, " \t");
  746. if (!c)
  747. return -EINVAL;
  748. ret = kstrtol(c, 10, &keylen);
  749. if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
  750. return -EINVAL;
  751. p->key_len = keylen;
  752. ret = getoptions(datablob, p, o);
  753. if (ret < 0)
  754. return ret;
  755. ret = Opt_new;
  756. break;
  757. case Opt_load:
  758. /* first argument is sealed blob */
  759. c = strsep(&datablob, " \t");
  760. if (!c)
  761. return -EINVAL;
  762. p->blob_len = strlen(c) / 2;
  763. if (p->blob_len > MAX_BLOB_SIZE)
  764. return -EINVAL;
  765. ret = hex2bin(p->blob, c, p->blob_len);
  766. if (ret < 0)
  767. return -EINVAL;
  768. ret = getoptions(datablob, p, o);
  769. if (ret < 0)
  770. return ret;
  771. ret = Opt_load;
  772. break;
  773. case Opt_update:
  774. /* all arguments are options */
  775. ret = getoptions(datablob, p, o);
  776. if (ret < 0)
  777. return ret;
  778. ret = Opt_update;
  779. break;
  780. case Opt_err:
  781. return -EINVAL;
  782. break;
  783. }
  784. return ret;
  785. }
  786. static struct trusted_key_options *trusted_options_alloc(void)
  787. {
  788. struct trusted_key_options *options;
  789. int tpm2;
  790. tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
  791. if (tpm2 < 0)
  792. return NULL;
  793. options = kzalloc(sizeof *options, GFP_KERNEL);
  794. if (options) {
  795. /* set any non-zero defaults */
  796. options->keytype = SRK_keytype;
  797. if (!tpm2)
  798. options->keyhandle = SRKHANDLE;
  799. }
  800. return options;
  801. }
  802. static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
  803. {
  804. struct trusted_key_payload *p = NULL;
  805. int ret;
  806. ret = key_payload_reserve(key, sizeof *p);
  807. if (ret < 0)
  808. return p;
  809. p = kzalloc(sizeof *p, GFP_KERNEL);
  810. if (p)
  811. p->migratable = 1; /* migratable by default */
  812. return p;
  813. }
  814. /*
  815. * trusted_instantiate - create a new trusted key
  816. *
  817. * Unseal an existing trusted blob or, for a new key, get a
  818. * random key, then seal and create a trusted key-type key,
  819. * adding it to the specified keyring.
  820. *
  821. * On success, return 0. Otherwise return errno.
  822. */
  823. static int trusted_instantiate(struct key *key,
  824. struct key_preparsed_payload *prep)
  825. {
  826. struct trusted_key_payload *payload = NULL;
  827. struct trusted_key_options *options = NULL;
  828. size_t datalen = prep->datalen;
  829. char *datablob;
  830. int ret = 0;
  831. int key_cmd;
  832. size_t key_len;
  833. int tpm2;
  834. tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
  835. if (tpm2 < 0)
  836. return tpm2;
  837. if (datalen <= 0 || datalen > 32767 || !prep->data)
  838. return -EINVAL;
  839. datablob = kmalloc(datalen + 1, GFP_KERNEL);
  840. if (!datablob)
  841. return -ENOMEM;
  842. memcpy(datablob, prep->data, datalen);
  843. datablob[datalen] = '\0';
  844. options = trusted_options_alloc();
  845. if (!options) {
  846. ret = -ENOMEM;
  847. goto out;
  848. }
  849. payload = trusted_payload_alloc(key);
  850. if (!payload) {
  851. ret = -ENOMEM;
  852. goto out;
  853. }
  854. key_cmd = datablob_parse(datablob, payload, options);
  855. if (key_cmd < 0) {
  856. ret = key_cmd;
  857. goto out;
  858. }
  859. if (!options->keyhandle) {
  860. ret = -EINVAL;
  861. goto out;
  862. }
  863. dump_payload(payload);
  864. dump_options(options);
  865. switch (key_cmd) {
  866. case Opt_load:
  867. if (tpm2)
  868. ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
  869. else
  870. ret = key_unseal(payload, options);
  871. dump_payload(payload);
  872. dump_options(options);
  873. if (ret < 0)
  874. pr_info("trusted_key: key_unseal failed (%d)\n", ret);
  875. break;
  876. case Opt_new:
  877. key_len = payload->key_len;
  878. ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
  879. if (ret != key_len) {
  880. pr_info("trusted_key: key_create failed (%d)\n", ret);
  881. goto out;
  882. }
  883. if (tpm2)
  884. ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
  885. else
  886. ret = key_seal(payload, options);
  887. if (ret < 0)
  888. pr_info("trusted_key: key_seal failed (%d)\n", ret);
  889. break;
  890. default:
  891. ret = -EINVAL;
  892. goto out;
  893. }
  894. if (!ret && options->pcrlock)
  895. ret = pcrlock(options->pcrlock);
  896. out:
  897. kzfree(datablob);
  898. kzfree(options);
  899. if (!ret)
  900. rcu_assign_keypointer(key, payload);
  901. else
  902. kzfree(payload);
  903. return ret;
  904. }
  905. static void trusted_rcu_free(struct rcu_head *rcu)
  906. {
  907. struct trusted_key_payload *p;
  908. p = container_of(rcu, struct trusted_key_payload, rcu);
  909. kzfree(p);
  910. }
  911. /*
  912. * trusted_update - reseal an existing key with new PCR values
  913. */
  914. static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
  915. {
  916. struct trusted_key_payload *p;
  917. struct trusted_key_payload *new_p;
  918. struct trusted_key_options *new_o;
  919. size_t datalen = prep->datalen;
  920. char *datablob;
  921. int ret = 0;
  922. if (key_is_negative(key))
  923. return -ENOKEY;
  924. p = key->payload.data[0];
  925. if (!p->migratable)
  926. return -EPERM;
  927. if (datalen <= 0 || datalen > 32767 || !prep->data)
  928. return -EINVAL;
  929. datablob = kmalloc(datalen + 1, GFP_KERNEL);
  930. if (!datablob)
  931. return -ENOMEM;
  932. new_o = trusted_options_alloc();
  933. if (!new_o) {
  934. ret = -ENOMEM;
  935. goto out;
  936. }
  937. new_p = trusted_payload_alloc(key);
  938. if (!new_p) {
  939. ret = -ENOMEM;
  940. goto out;
  941. }
  942. memcpy(datablob, prep->data, datalen);
  943. datablob[datalen] = '\0';
  944. ret = datablob_parse(datablob, new_p, new_o);
  945. if (ret != Opt_update) {
  946. ret = -EINVAL;
  947. kzfree(new_p);
  948. goto out;
  949. }
  950. if (!new_o->keyhandle) {
  951. ret = -EINVAL;
  952. kzfree(new_p);
  953. goto out;
  954. }
  955. /* copy old key values, and reseal with new pcrs */
  956. new_p->migratable = p->migratable;
  957. new_p->key_len = p->key_len;
  958. memcpy(new_p->key, p->key, p->key_len);
  959. dump_payload(p);
  960. dump_payload(new_p);
  961. ret = key_seal(new_p, new_o);
  962. if (ret < 0) {
  963. pr_info("trusted_key: key_seal failed (%d)\n", ret);
  964. kzfree(new_p);
  965. goto out;
  966. }
  967. if (new_o->pcrlock) {
  968. ret = pcrlock(new_o->pcrlock);
  969. if (ret < 0) {
  970. pr_info("trusted_key: pcrlock failed (%d)\n", ret);
  971. kzfree(new_p);
  972. goto out;
  973. }
  974. }
  975. rcu_assign_keypointer(key, new_p);
  976. call_rcu(&p->rcu, trusted_rcu_free);
  977. out:
  978. kzfree(datablob);
  979. kzfree(new_o);
  980. return ret;
  981. }
  982. /*
  983. * trusted_read - copy the sealed blob data to userspace in hex.
  984. * On success, return to userspace the trusted key datablob size.
  985. */
  986. static long trusted_read(const struct key *key, char __user *buffer,
  987. size_t buflen)
  988. {
  989. struct trusted_key_payload *p;
  990. char *ascii_buf;
  991. char *bufp;
  992. int i;
  993. p = rcu_dereference_key(key);
  994. if (!p)
  995. return -EINVAL;
  996. if (buffer && buflen >= 2 * p->blob_len) {
  997. ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
  998. if (!ascii_buf)
  999. return -ENOMEM;
  1000. bufp = ascii_buf;
  1001. for (i = 0; i < p->blob_len; i++)
  1002. bufp = hex_byte_pack(bufp, p->blob[i]);
  1003. if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
  1004. kzfree(ascii_buf);
  1005. return -EFAULT;
  1006. }
  1007. kzfree(ascii_buf);
  1008. }
  1009. return 2 * p->blob_len;
  1010. }
  1011. /*
  1012. * trusted_destroy - clear and free the key's payload
  1013. */
  1014. static void trusted_destroy(struct key *key)
  1015. {
  1016. kzfree(key->payload.data[0]);
  1017. }
  1018. struct key_type key_type_trusted = {
  1019. .name = "trusted",
  1020. .instantiate = trusted_instantiate,
  1021. .update = trusted_update,
  1022. .destroy = trusted_destroy,
  1023. .describe = user_describe,
  1024. .read = trusted_read,
  1025. };
  1026. EXPORT_SYMBOL_GPL(key_type_trusted);
  1027. static void trusted_shash_release(void)
  1028. {
  1029. if (hashalg)
  1030. crypto_free_shash(hashalg);
  1031. if (hmacalg)
  1032. crypto_free_shash(hmacalg);
  1033. }
  1034. static int __init trusted_shash_alloc(void)
  1035. {
  1036. int ret;
  1037. hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
  1038. if (IS_ERR(hmacalg)) {
  1039. pr_info("trusted_key: could not allocate crypto %s\n",
  1040. hmac_alg);
  1041. return PTR_ERR(hmacalg);
  1042. }
  1043. hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
  1044. if (IS_ERR(hashalg)) {
  1045. pr_info("trusted_key: could not allocate crypto %s\n",
  1046. hash_alg);
  1047. ret = PTR_ERR(hashalg);
  1048. goto hashalg_fail;
  1049. }
  1050. return 0;
  1051. hashalg_fail:
  1052. crypto_free_shash(hmacalg);
  1053. return ret;
  1054. }
  1055. static int __init init_trusted(void)
  1056. {
  1057. int ret;
  1058. ret = trusted_shash_alloc();
  1059. if (ret < 0)
  1060. return ret;
  1061. ret = register_key_type(&key_type_trusted);
  1062. if (ret < 0)
  1063. trusted_shash_release();
  1064. return ret;
  1065. }
  1066. static void __exit cleanup_trusted(void)
  1067. {
  1068. trusted_shash_release();
  1069. unregister_key_type(&key_type_trusted);
  1070. }
  1071. late_initcall(init_trusted);
  1072. module_exit(cleanup_trusted);
  1073. MODULE_LICENSE("GPL");