trusted.c 28 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163
  1. /*
  2. * Copyright (C) 2010 IBM Corporation
  3. *
  4. * Author:
  5. * David Safford <safford@us.ibm.com>
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation, version 2 of the License.
  10. *
  11. * See Documentation/security/keys-trusted-encrypted.txt
  12. */
  13. #include <linux/uaccess.h>
  14. #include <linux/module.h>
  15. #include <linux/init.h>
  16. #include <linux/slab.h>
  17. #include <linux/parser.h>
  18. #include <linux/string.h>
  19. #include <linux/err.h>
  20. #include <keys/user-type.h>
  21. #include <keys/trusted-type.h>
  22. #include <linux/key-type.h>
  23. #include <linux/rcupdate.h>
  24. #include <linux/crypto.h>
  25. #include <crypto/hash.h>
  26. #include <crypto/sha.h>
  27. #include <linux/capability.h>
  28. #include <linux/tpm.h>
  29. #include <linux/tpm_command.h>
  30. #include "trusted.h"
  31. static const char hmac_alg[] = "hmac(sha1)";
  32. static const char hash_alg[] = "sha1";
  33. struct sdesc {
  34. struct shash_desc shash;
  35. char ctx[];
  36. };
  37. static struct crypto_shash *hashalg;
  38. static struct crypto_shash *hmacalg;
  39. static struct sdesc *init_sdesc(struct crypto_shash *alg)
  40. {
  41. struct sdesc *sdesc;
  42. int size;
  43. size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  44. sdesc = kmalloc(size, GFP_KERNEL);
  45. if (!sdesc)
  46. return ERR_PTR(-ENOMEM);
  47. sdesc->shash.tfm = alg;
  48. sdesc->shash.flags = 0x0;
  49. return sdesc;
  50. }
  51. static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  52. unsigned char *digest)
  53. {
  54. struct sdesc *sdesc;
  55. int ret;
  56. sdesc = init_sdesc(hashalg);
  57. if (IS_ERR(sdesc)) {
  58. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  59. return PTR_ERR(sdesc);
  60. }
  61. ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  62. kfree(sdesc);
  63. return ret;
  64. }
  65. static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  66. unsigned int keylen, ...)
  67. {
  68. struct sdesc *sdesc;
  69. va_list argp;
  70. unsigned int dlen;
  71. unsigned char *data;
  72. int ret;
  73. sdesc = init_sdesc(hmacalg);
  74. if (IS_ERR(sdesc)) {
  75. pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  76. return PTR_ERR(sdesc);
  77. }
  78. ret = crypto_shash_setkey(hmacalg, key, keylen);
  79. if (ret < 0)
  80. goto out;
  81. ret = crypto_shash_init(&sdesc->shash);
  82. if (ret < 0)
  83. goto out;
  84. va_start(argp, keylen);
  85. for (;;) {
  86. dlen = va_arg(argp, unsigned int);
  87. if (dlen == 0)
  88. break;
  89. data = va_arg(argp, unsigned char *);
  90. if (data == NULL) {
  91. ret = -EINVAL;
  92. break;
  93. }
  94. ret = crypto_shash_update(&sdesc->shash, data, dlen);
  95. if (ret < 0)
  96. break;
  97. }
  98. va_end(argp);
  99. if (!ret)
  100. ret = crypto_shash_final(&sdesc->shash, digest);
  101. out:
  102. kfree(sdesc);
  103. return ret;
  104. }
  105. /*
  106. * calculate authorization info fields to send to TPM
  107. */
  108. static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
  109. unsigned int keylen, unsigned char *h1,
  110. unsigned char *h2, unsigned char h3, ...)
  111. {
  112. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  113. struct sdesc *sdesc;
  114. unsigned int dlen;
  115. unsigned char *data;
  116. unsigned char c;
  117. int ret;
  118. va_list argp;
  119. sdesc = init_sdesc(hashalg);
  120. if (IS_ERR(sdesc)) {
  121. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  122. return PTR_ERR(sdesc);
  123. }
  124. c = h3;
  125. ret = crypto_shash_init(&sdesc->shash);
  126. if (ret < 0)
  127. goto out;
  128. va_start(argp, h3);
  129. for (;;) {
  130. dlen = va_arg(argp, unsigned int);
  131. if (dlen == 0)
  132. break;
  133. data = va_arg(argp, unsigned char *);
  134. if (!data) {
  135. ret = -EINVAL;
  136. break;
  137. }
  138. ret = crypto_shash_update(&sdesc->shash, data, dlen);
  139. if (ret < 0)
  140. break;
  141. }
  142. va_end(argp);
  143. if (!ret)
  144. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  145. if (!ret)
  146. ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
  147. paramdigest, TPM_NONCE_SIZE, h1,
  148. TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
  149. out:
  150. kfree(sdesc);
  151. return ret;
  152. }
  153. /*
  154. * verify the AUTH1_COMMAND (Seal) result from TPM
  155. */
  156. static int TSS_checkhmac1(unsigned char *buffer,
  157. const uint32_t command,
  158. const unsigned char *ononce,
  159. const unsigned char *key,
  160. unsigned int keylen, ...)
  161. {
  162. uint32_t bufsize;
  163. uint16_t tag;
  164. uint32_t ordinal;
  165. uint32_t result;
  166. unsigned char *enonce;
  167. unsigned char *continueflag;
  168. unsigned char *authdata;
  169. unsigned char testhmac[SHA1_DIGEST_SIZE];
  170. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  171. struct sdesc *sdesc;
  172. unsigned int dlen;
  173. unsigned int dpos;
  174. va_list argp;
  175. int ret;
  176. bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
  177. tag = LOAD16(buffer, 0);
  178. ordinal = command;
  179. result = LOAD32N(buffer, TPM_RETURN_OFFSET);
  180. if (tag == TPM_TAG_RSP_COMMAND)
  181. return 0;
  182. if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
  183. return -EINVAL;
  184. authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
  185. continueflag = authdata - 1;
  186. enonce = continueflag - TPM_NONCE_SIZE;
  187. sdesc = init_sdesc(hashalg);
  188. if (IS_ERR(sdesc)) {
  189. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  190. return PTR_ERR(sdesc);
  191. }
  192. ret = crypto_shash_init(&sdesc->shash);
  193. if (ret < 0)
  194. goto out;
  195. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
  196. sizeof result);
  197. if (ret < 0)
  198. goto out;
  199. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
  200. sizeof ordinal);
  201. if (ret < 0)
  202. goto out;
  203. va_start(argp, keylen);
  204. for (;;) {
  205. dlen = va_arg(argp, unsigned int);
  206. if (dlen == 0)
  207. break;
  208. dpos = va_arg(argp, unsigned int);
  209. ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
  210. if (ret < 0)
  211. break;
  212. }
  213. va_end(argp);
  214. if (!ret)
  215. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  216. if (ret < 0)
  217. goto out;
  218. ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
  219. TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
  220. 1, continueflag, 0, 0);
  221. if (ret < 0)
  222. goto out;
  223. if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
  224. ret = -EINVAL;
  225. out:
  226. kfree(sdesc);
  227. return ret;
  228. }
  229. /*
  230. * verify the AUTH2_COMMAND (unseal) result from TPM
  231. */
  232. static int TSS_checkhmac2(unsigned char *buffer,
  233. const uint32_t command,
  234. const unsigned char *ononce,
  235. const unsigned char *key1,
  236. unsigned int keylen1,
  237. const unsigned char *key2,
  238. unsigned int keylen2, ...)
  239. {
  240. uint32_t bufsize;
  241. uint16_t tag;
  242. uint32_t ordinal;
  243. uint32_t result;
  244. unsigned char *enonce1;
  245. unsigned char *continueflag1;
  246. unsigned char *authdata1;
  247. unsigned char *enonce2;
  248. unsigned char *continueflag2;
  249. unsigned char *authdata2;
  250. unsigned char testhmac1[SHA1_DIGEST_SIZE];
  251. unsigned char testhmac2[SHA1_DIGEST_SIZE];
  252. unsigned char paramdigest[SHA1_DIGEST_SIZE];
  253. struct sdesc *sdesc;
  254. unsigned int dlen;
  255. unsigned int dpos;
  256. va_list argp;
  257. int ret;
  258. bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
  259. tag = LOAD16(buffer, 0);
  260. ordinal = command;
  261. result = LOAD32N(buffer, TPM_RETURN_OFFSET);
  262. if (tag == TPM_TAG_RSP_COMMAND)
  263. return 0;
  264. if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
  265. return -EINVAL;
  266. authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
  267. + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
  268. authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
  269. continueflag1 = authdata1 - 1;
  270. continueflag2 = authdata2 - 1;
  271. enonce1 = continueflag1 - TPM_NONCE_SIZE;
  272. enonce2 = continueflag2 - TPM_NONCE_SIZE;
  273. sdesc = init_sdesc(hashalg);
  274. if (IS_ERR(sdesc)) {
  275. pr_info("trusted_key: can't alloc %s\n", hash_alg);
  276. return PTR_ERR(sdesc);
  277. }
  278. ret = crypto_shash_init(&sdesc->shash);
  279. if (ret < 0)
  280. goto out;
  281. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
  282. sizeof result);
  283. if (ret < 0)
  284. goto out;
  285. ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
  286. sizeof ordinal);
  287. if (ret < 0)
  288. goto out;
  289. va_start(argp, keylen2);
  290. for (;;) {
  291. dlen = va_arg(argp, unsigned int);
  292. if (dlen == 0)
  293. break;
  294. dpos = va_arg(argp, unsigned int);
  295. ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
  296. if (ret < 0)
  297. break;
  298. }
  299. va_end(argp);
  300. if (!ret)
  301. ret = crypto_shash_final(&sdesc->shash, paramdigest);
  302. if (ret < 0)
  303. goto out;
  304. ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
  305. paramdigest, TPM_NONCE_SIZE, enonce1,
  306. TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
  307. if (ret < 0)
  308. goto out;
  309. if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
  310. ret = -EINVAL;
  311. goto out;
  312. }
  313. ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
  314. paramdigest, TPM_NONCE_SIZE, enonce2,
  315. TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
  316. if (ret < 0)
  317. goto out;
  318. if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
  319. ret = -EINVAL;
  320. out:
  321. kfree(sdesc);
  322. return ret;
  323. }
  324. /*
  325. * For key specific tpm requests, we will generate and send our
  326. * own TPM command packets using the drivers send function.
  327. */
  328. static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
  329. size_t buflen)
  330. {
  331. int rc;
  332. dump_tpm_buf(cmd);
  333. rc = tpm_send(chip_num, cmd, buflen);
  334. dump_tpm_buf(cmd);
  335. if (rc > 0)
  336. /* Can't return positive return codes values to keyctl */
  337. rc = -EPERM;
  338. return rc;
  339. }
  340. /*
  341. * Lock a trusted key, by extending a selected PCR.
  342. *
  343. * Prevents a trusted key that is sealed to PCRs from being accessed.
  344. * This uses the tpm driver's extend function.
  345. */
  346. static int pcrlock(const int pcrnum)
  347. {
  348. unsigned char hash[SHA1_DIGEST_SIZE];
  349. int ret;
  350. if (!capable(CAP_SYS_ADMIN))
  351. return -EPERM;
  352. ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
  353. if (ret != SHA1_DIGEST_SIZE)
  354. return ret;
  355. return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
  356. }
  357. /*
  358. * Create an object specific authorisation protocol (OSAP) session
  359. */
  360. static int osap(struct tpm_buf *tb, struct osapsess *s,
  361. const unsigned char *key, uint16_t type, uint32_t handle)
  362. {
  363. unsigned char enonce[TPM_NONCE_SIZE];
  364. unsigned char ononce[TPM_NONCE_SIZE];
  365. int ret;
  366. ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
  367. if (ret != TPM_NONCE_SIZE)
  368. return ret;
  369. INIT_BUF(tb);
  370. store16(tb, TPM_TAG_RQU_COMMAND);
  371. store32(tb, TPM_OSAP_SIZE);
  372. store32(tb, TPM_ORD_OSAP);
  373. store16(tb, type);
  374. store32(tb, handle);
  375. storebytes(tb, ononce, TPM_NONCE_SIZE);
  376. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  377. if (ret < 0)
  378. return ret;
  379. s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
  380. memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
  381. TPM_NONCE_SIZE);
  382. memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
  383. TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
  384. return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
  385. enonce, TPM_NONCE_SIZE, ononce, 0, 0);
  386. }
  387. /*
  388. * Create an object independent authorisation protocol (oiap) session
  389. */
  390. static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
  391. {
  392. int ret;
  393. INIT_BUF(tb);
  394. store16(tb, TPM_TAG_RQU_COMMAND);
  395. store32(tb, TPM_OIAP_SIZE);
  396. store32(tb, TPM_ORD_OIAP);
  397. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  398. if (ret < 0)
  399. return ret;
  400. *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
  401. memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
  402. TPM_NONCE_SIZE);
  403. return 0;
  404. }
  405. struct tpm_digests {
  406. unsigned char encauth[SHA1_DIGEST_SIZE];
  407. unsigned char pubauth[SHA1_DIGEST_SIZE];
  408. unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
  409. unsigned char xorhash[SHA1_DIGEST_SIZE];
  410. unsigned char nonceodd[TPM_NONCE_SIZE];
  411. };
  412. /*
  413. * Have the TPM seal(encrypt) the trusted key, possibly based on
  414. * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
  415. */
  416. static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
  417. uint32_t keyhandle, const unsigned char *keyauth,
  418. const unsigned char *data, uint32_t datalen,
  419. unsigned char *blob, uint32_t *bloblen,
  420. const unsigned char *blobauth,
  421. const unsigned char *pcrinfo, uint32_t pcrinfosize)
  422. {
  423. struct osapsess sess;
  424. struct tpm_digests *td;
  425. unsigned char cont;
  426. uint32_t ordinal;
  427. uint32_t pcrsize;
  428. uint32_t datsize;
  429. int sealinfosize;
  430. int encdatasize;
  431. int storedsize;
  432. int ret;
  433. int i;
  434. /* alloc some work space for all the hashes */
  435. td = kmalloc(sizeof *td, GFP_KERNEL);
  436. if (!td)
  437. return -ENOMEM;
  438. /* get session for sealing key */
  439. ret = osap(tb, &sess, keyauth, keytype, keyhandle);
  440. if (ret < 0)
  441. goto out;
  442. dump_sess(&sess);
  443. /* calculate encrypted authorization value */
  444. memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
  445. memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
  446. ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
  447. if (ret < 0)
  448. goto out;
  449. ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
  450. if (ret != TPM_NONCE_SIZE)
  451. goto out;
  452. ordinal = htonl(TPM_ORD_SEAL);
  453. datsize = htonl(datalen);
  454. pcrsize = htonl(pcrinfosize);
  455. cont = 0;
  456. /* encrypt data authorization key */
  457. for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
  458. td->encauth[i] = td->xorhash[i] ^ blobauth[i];
  459. /* calculate authorization HMAC value */
  460. if (pcrinfosize == 0) {
  461. /* no pcr info specified */
  462. ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
  463. sess.enonce, td->nonceodd, cont,
  464. sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
  465. td->encauth, sizeof(uint32_t), &pcrsize,
  466. sizeof(uint32_t), &datsize, datalen, data, 0,
  467. 0);
  468. } else {
  469. /* pcr info specified */
  470. ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
  471. sess.enonce, td->nonceodd, cont,
  472. sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
  473. td->encauth, sizeof(uint32_t), &pcrsize,
  474. pcrinfosize, pcrinfo, sizeof(uint32_t),
  475. &datsize, datalen, data, 0, 0);
  476. }
  477. if (ret < 0)
  478. goto out;
  479. /* build and send the TPM request packet */
  480. INIT_BUF(tb);
  481. store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
  482. store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
  483. store32(tb, TPM_ORD_SEAL);
  484. store32(tb, keyhandle);
  485. storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
  486. store32(tb, pcrinfosize);
  487. storebytes(tb, pcrinfo, pcrinfosize);
  488. store32(tb, datalen);
  489. storebytes(tb, data, datalen);
  490. store32(tb, sess.handle);
  491. storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
  492. store8(tb, cont);
  493. storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
  494. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  495. if (ret < 0)
  496. goto out;
  497. /* calculate the size of the returned Blob */
  498. sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
  499. encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
  500. sizeof(uint32_t) + sealinfosize);
  501. storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
  502. sizeof(uint32_t) + encdatasize;
  503. /* check the HMAC in the response */
  504. ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
  505. SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
  506. 0);
  507. /* copy the returned blob to caller */
  508. if (!ret) {
  509. memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
  510. *bloblen = storedsize;
  511. }
  512. out:
  513. kfree(td);
  514. return ret;
  515. }
  516. /*
  517. * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
  518. */
  519. static int tpm_unseal(struct tpm_buf *tb,
  520. uint32_t keyhandle, const unsigned char *keyauth,
  521. const unsigned char *blob, int bloblen,
  522. const unsigned char *blobauth,
  523. unsigned char *data, unsigned int *datalen)
  524. {
  525. unsigned char nonceodd[TPM_NONCE_SIZE];
  526. unsigned char enonce1[TPM_NONCE_SIZE];
  527. unsigned char enonce2[TPM_NONCE_SIZE];
  528. unsigned char authdata1[SHA1_DIGEST_SIZE];
  529. unsigned char authdata2[SHA1_DIGEST_SIZE];
  530. uint32_t authhandle1 = 0;
  531. uint32_t authhandle2 = 0;
  532. unsigned char cont = 0;
  533. uint32_t ordinal;
  534. uint32_t keyhndl;
  535. int ret;
  536. /* sessions for unsealing key and data */
  537. ret = oiap(tb, &authhandle1, enonce1);
  538. if (ret < 0) {
  539. pr_info("trusted_key: oiap failed (%d)\n", ret);
  540. return ret;
  541. }
  542. ret = oiap(tb, &authhandle2, enonce2);
  543. if (ret < 0) {
  544. pr_info("trusted_key: oiap failed (%d)\n", ret);
  545. return ret;
  546. }
  547. ordinal = htonl(TPM_ORD_UNSEAL);
  548. keyhndl = htonl(SRKHANDLE);
  549. ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
  550. if (ret != TPM_NONCE_SIZE) {
  551. pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
  552. return ret;
  553. }
  554. ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
  555. enonce1, nonceodd, cont, sizeof(uint32_t),
  556. &ordinal, bloblen, blob, 0, 0);
  557. if (ret < 0)
  558. return ret;
  559. ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
  560. enonce2, nonceodd, cont, sizeof(uint32_t),
  561. &ordinal, bloblen, blob, 0, 0);
  562. if (ret < 0)
  563. return ret;
  564. /* build and send TPM request packet */
  565. INIT_BUF(tb);
  566. store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
  567. store32(tb, TPM_UNSEAL_SIZE + bloblen);
  568. store32(tb, TPM_ORD_UNSEAL);
  569. store32(tb, keyhandle);
  570. storebytes(tb, blob, bloblen);
  571. store32(tb, authhandle1);
  572. storebytes(tb, nonceodd, TPM_NONCE_SIZE);
  573. store8(tb, cont);
  574. storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
  575. store32(tb, authhandle2);
  576. storebytes(tb, nonceodd, TPM_NONCE_SIZE);
  577. store8(tb, cont);
  578. storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
  579. ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
  580. if (ret < 0) {
  581. pr_info("trusted_key: authhmac failed (%d)\n", ret);
  582. return ret;
  583. }
  584. *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
  585. ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
  586. keyauth, SHA1_DIGEST_SIZE,
  587. blobauth, SHA1_DIGEST_SIZE,
  588. sizeof(uint32_t), TPM_DATA_OFFSET,
  589. *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
  590. 0);
  591. if (ret < 0) {
  592. pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
  593. return ret;
  594. }
  595. memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
  596. return 0;
  597. }
  598. /*
  599. * Have the TPM seal(encrypt) the symmetric key
  600. */
  601. static int key_seal(struct trusted_key_payload *p,
  602. struct trusted_key_options *o)
  603. {
  604. struct tpm_buf *tb;
  605. int ret;
  606. tb = kzalloc(sizeof *tb, GFP_KERNEL);
  607. if (!tb)
  608. return -ENOMEM;
  609. /* include migratable flag at end of sealed key */
  610. p->key[p->key_len] = p->migratable;
  611. ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
  612. p->key, p->key_len + 1, p->blob, &p->blob_len,
  613. o->blobauth, o->pcrinfo, o->pcrinfo_len);
  614. if (ret < 0)
  615. pr_info("trusted_key: srkseal failed (%d)\n", ret);
  616. kfree(tb);
  617. return ret;
  618. }
  619. /*
  620. * Have the TPM unseal(decrypt) the symmetric key
  621. */
  622. static int key_unseal(struct trusted_key_payload *p,
  623. struct trusted_key_options *o)
  624. {
  625. struct tpm_buf *tb;
  626. int ret;
  627. tb = kzalloc(sizeof *tb, GFP_KERNEL);
  628. if (!tb)
  629. return -ENOMEM;
  630. ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
  631. o->blobauth, p->key, &p->key_len);
  632. if (ret < 0)
  633. pr_info("trusted_key: srkunseal failed (%d)\n", ret);
  634. else
  635. /* pull migratable flag out of sealed key */
  636. p->migratable = p->key[--p->key_len];
  637. kfree(tb);
  638. return ret;
  639. }
  640. enum {
  641. Opt_err = -1,
  642. Opt_new, Opt_load, Opt_update,
  643. Opt_keyhandle, Opt_keyauth, Opt_blobauth,
  644. Opt_pcrinfo, Opt_pcrlock, Opt_migratable
  645. };
  646. static const match_table_t key_tokens = {
  647. {Opt_new, "new"},
  648. {Opt_load, "load"},
  649. {Opt_update, "update"},
  650. {Opt_keyhandle, "keyhandle=%s"},
  651. {Opt_keyauth, "keyauth=%s"},
  652. {Opt_blobauth, "blobauth=%s"},
  653. {Opt_pcrinfo, "pcrinfo=%s"},
  654. {Opt_pcrlock, "pcrlock=%s"},
  655. {Opt_migratable, "migratable=%s"},
  656. {Opt_err, NULL}
  657. };
  658. /* can have zero or more token= options */
  659. static int getoptions(char *c, struct trusted_key_payload *pay,
  660. struct trusted_key_options *opt)
  661. {
  662. substring_t args[MAX_OPT_ARGS];
  663. char *p = c;
  664. int token;
  665. int res;
  666. unsigned long handle;
  667. unsigned long lock;
  668. while ((p = strsep(&c, " \t"))) {
  669. if (*p == '\0' || *p == ' ' || *p == '\t')
  670. continue;
  671. token = match_token(p, key_tokens, args);
  672. switch (token) {
  673. case Opt_pcrinfo:
  674. opt->pcrinfo_len = strlen(args[0].from) / 2;
  675. if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
  676. return -EINVAL;
  677. res = hex2bin(opt->pcrinfo, args[0].from,
  678. opt->pcrinfo_len);
  679. if (res < 0)
  680. return -EINVAL;
  681. break;
  682. case Opt_keyhandle:
  683. res = kstrtoul(args[0].from, 16, &handle);
  684. if (res < 0)
  685. return -EINVAL;
  686. opt->keytype = SEAL_keytype;
  687. opt->keyhandle = handle;
  688. break;
  689. case Opt_keyauth:
  690. if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
  691. return -EINVAL;
  692. res = hex2bin(opt->keyauth, args[0].from,
  693. SHA1_DIGEST_SIZE);
  694. if (res < 0)
  695. return -EINVAL;
  696. break;
  697. case Opt_blobauth:
  698. if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
  699. return -EINVAL;
  700. res = hex2bin(opt->blobauth, args[0].from,
  701. SHA1_DIGEST_SIZE);
  702. if (res < 0)
  703. return -EINVAL;
  704. break;
  705. case Opt_migratable:
  706. if (*args[0].from == '0')
  707. pay->migratable = 0;
  708. else
  709. return -EINVAL;
  710. break;
  711. case Opt_pcrlock:
  712. res = kstrtoul(args[0].from, 10, &lock);
  713. if (res < 0)
  714. return -EINVAL;
  715. opt->pcrlock = lock;
  716. break;
  717. default:
  718. return -EINVAL;
  719. }
  720. }
  721. return 0;
  722. }
  723. /*
  724. * datablob_parse - parse the keyctl data and fill in the
  725. * payload and options structures
  726. *
  727. * On success returns 0, otherwise -EINVAL.
  728. */
  729. static int datablob_parse(char *datablob, struct trusted_key_payload *p,
  730. struct trusted_key_options *o)
  731. {
  732. substring_t args[MAX_OPT_ARGS];
  733. long keylen;
  734. int ret = -EINVAL;
  735. int key_cmd;
  736. char *c;
  737. /* main command */
  738. c = strsep(&datablob, " \t");
  739. if (!c)
  740. return -EINVAL;
  741. key_cmd = match_token(c, key_tokens, args);
  742. switch (key_cmd) {
  743. case Opt_new:
  744. /* first argument is key size */
  745. c = strsep(&datablob, " \t");
  746. if (!c)
  747. return -EINVAL;
  748. ret = kstrtol(c, 10, &keylen);
  749. if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
  750. return -EINVAL;
  751. p->key_len = keylen;
  752. ret = getoptions(datablob, p, o);
  753. if (ret < 0)
  754. return ret;
  755. ret = Opt_new;
  756. break;
  757. case Opt_load:
  758. /* first argument is sealed blob */
  759. c = strsep(&datablob, " \t");
  760. if (!c)
  761. return -EINVAL;
  762. p->blob_len = strlen(c) / 2;
  763. if (p->blob_len > MAX_BLOB_SIZE)
  764. return -EINVAL;
  765. ret = hex2bin(p->blob, c, p->blob_len);
  766. if (ret < 0)
  767. return -EINVAL;
  768. ret = getoptions(datablob, p, o);
  769. if (ret < 0)
  770. return ret;
  771. ret = Opt_load;
  772. break;
  773. case Opt_update:
  774. /* all arguments are options */
  775. ret = getoptions(datablob, p, o);
  776. if (ret < 0)
  777. return ret;
  778. ret = Opt_update;
  779. break;
  780. case Opt_err:
  781. return -EINVAL;
  782. break;
  783. }
  784. return ret;
  785. }
  786. static struct trusted_key_options *trusted_options_alloc(void)
  787. {
  788. struct trusted_key_options *options;
  789. options = kzalloc(sizeof *options, GFP_KERNEL);
  790. if (options) {
  791. /* set any non-zero defaults */
  792. options->keytype = SRK_keytype;
  793. options->keyhandle = SRKHANDLE;
  794. }
  795. return options;
  796. }
  797. static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
  798. {
  799. struct trusted_key_payload *p = NULL;
  800. int ret;
  801. ret = key_payload_reserve(key, sizeof *p);
  802. if (ret < 0)
  803. return p;
  804. p = kzalloc(sizeof *p, GFP_KERNEL);
  805. if (p)
  806. p->migratable = 1; /* migratable by default */
  807. return p;
  808. }
  809. /*
  810. * trusted_instantiate - create a new trusted key
  811. *
  812. * Unseal an existing trusted blob or, for a new key, get a
  813. * random key, then seal and create a trusted key-type key,
  814. * adding it to the specified keyring.
  815. *
  816. * On success, return 0. Otherwise return errno.
  817. */
  818. static int trusted_instantiate(struct key *key,
  819. struct key_preparsed_payload *prep)
  820. {
  821. struct trusted_key_payload *payload = NULL;
  822. struct trusted_key_options *options = NULL;
  823. size_t datalen = prep->datalen;
  824. char *datablob;
  825. int ret = 0;
  826. int key_cmd;
  827. size_t key_len;
  828. if (datalen <= 0 || datalen > 32767 || !prep->data)
  829. return -EINVAL;
  830. datablob = kmalloc(datalen + 1, GFP_KERNEL);
  831. if (!datablob)
  832. return -ENOMEM;
  833. memcpy(datablob, prep->data, datalen);
  834. datablob[datalen] = '\0';
  835. options = trusted_options_alloc();
  836. if (!options) {
  837. ret = -ENOMEM;
  838. goto out;
  839. }
  840. payload = trusted_payload_alloc(key);
  841. if (!payload) {
  842. ret = -ENOMEM;
  843. goto out;
  844. }
  845. key_cmd = datablob_parse(datablob, payload, options);
  846. if (key_cmd < 0) {
  847. ret = key_cmd;
  848. goto out;
  849. }
  850. dump_payload(payload);
  851. dump_options(options);
  852. switch (key_cmd) {
  853. case Opt_load:
  854. ret = key_unseal(payload, options);
  855. dump_payload(payload);
  856. dump_options(options);
  857. if (ret < 0)
  858. pr_info("trusted_key: key_unseal failed (%d)\n", ret);
  859. break;
  860. case Opt_new:
  861. key_len = payload->key_len;
  862. ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
  863. if (ret != key_len) {
  864. pr_info("trusted_key: key_create failed (%d)\n", ret);
  865. goto out;
  866. }
  867. ret = key_seal(payload, options);
  868. if (ret < 0)
  869. pr_info("trusted_key: key_seal failed (%d)\n", ret);
  870. break;
  871. default:
  872. ret = -EINVAL;
  873. goto out;
  874. }
  875. if (!ret && options->pcrlock)
  876. ret = pcrlock(options->pcrlock);
  877. out:
  878. kfree(datablob);
  879. kfree(options);
  880. if (!ret)
  881. rcu_assign_keypointer(key, payload);
  882. else
  883. kfree(payload);
  884. return ret;
  885. }
  886. static void trusted_rcu_free(struct rcu_head *rcu)
  887. {
  888. struct trusted_key_payload *p;
  889. p = container_of(rcu, struct trusted_key_payload, rcu);
  890. memset(p->key, 0, p->key_len);
  891. kfree(p);
  892. }
  893. /*
  894. * trusted_update - reseal an existing key with new PCR values
  895. */
  896. static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
  897. {
  898. struct trusted_key_payload *p = key->payload.data;
  899. struct trusted_key_payload *new_p;
  900. struct trusted_key_options *new_o;
  901. size_t datalen = prep->datalen;
  902. char *datablob;
  903. int ret = 0;
  904. if (!p->migratable)
  905. return -EPERM;
  906. if (datalen <= 0 || datalen > 32767 || !prep->data)
  907. return -EINVAL;
  908. datablob = kmalloc(datalen + 1, GFP_KERNEL);
  909. if (!datablob)
  910. return -ENOMEM;
  911. new_o = trusted_options_alloc();
  912. if (!new_o) {
  913. ret = -ENOMEM;
  914. goto out;
  915. }
  916. new_p = trusted_payload_alloc(key);
  917. if (!new_p) {
  918. ret = -ENOMEM;
  919. goto out;
  920. }
  921. memcpy(datablob, prep->data, datalen);
  922. datablob[datalen] = '\0';
  923. ret = datablob_parse(datablob, new_p, new_o);
  924. if (ret != Opt_update) {
  925. ret = -EINVAL;
  926. kfree(new_p);
  927. goto out;
  928. }
  929. /* copy old key values, and reseal with new pcrs */
  930. new_p->migratable = p->migratable;
  931. new_p->key_len = p->key_len;
  932. memcpy(new_p->key, p->key, p->key_len);
  933. dump_payload(p);
  934. dump_payload(new_p);
  935. ret = key_seal(new_p, new_o);
  936. if (ret < 0) {
  937. pr_info("trusted_key: key_seal failed (%d)\n", ret);
  938. kfree(new_p);
  939. goto out;
  940. }
  941. if (new_o->pcrlock) {
  942. ret = pcrlock(new_o->pcrlock);
  943. if (ret < 0) {
  944. pr_info("trusted_key: pcrlock failed (%d)\n", ret);
  945. kfree(new_p);
  946. goto out;
  947. }
  948. }
  949. rcu_assign_keypointer(key, new_p);
  950. call_rcu(&p->rcu, trusted_rcu_free);
  951. out:
  952. kfree(datablob);
  953. kfree(new_o);
  954. return ret;
  955. }
  956. /*
  957. * trusted_read - copy the sealed blob data to userspace in hex.
  958. * On success, return to userspace the trusted key datablob size.
  959. */
  960. static long trusted_read(const struct key *key, char __user *buffer,
  961. size_t buflen)
  962. {
  963. struct trusted_key_payload *p;
  964. char *ascii_buf;
  965. char *bufp;
  966. int i;
  967. p = rcu_dereference_key(key);
  968. if (!p)
  969. return -EINVAL;
  970. if (!buffer || buflen <= 0)
  971. return 2 * p->blob_len;
  972. ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
  973. if (!ascii_buf)
  974. return -ENOMEM;
  975. bufp = ascii_buf;
  976. for (i = 0; i < p->blob_len; i++)
  977. bufp = hex_byte_pack(bufp, p->blob[i]);
  978. if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
  979. kfree(ascii_buf);
  980. return -EFAULT;
  981. }
  982. kfree(ascii_buf);
  983. return 2 * p->blob_len;
  984. }
  985. /*
  986. * trusted_destroy - before freeing the key, clear the decrypted data
  987. */
  988. static void trusted_destroy(struct key *key)
  989. {
  990. struct trusted_key_payload *p = key->payload.data;
  991. if (!p)
  992. return;
  993. memset(p->key, 0, p->key_len);
  994. kfree(key->payload.data);
  995. }
  996. struct key_type key_type_trusted = {
  997. .name = "trusted",
  998. .instantiate = trusted_instantiate,
  999. .update = trusted_update,
  1000. .destroy = trusted_destroy,
  1001. .describe = user_describe,
  1002. .read = trusted_read,
  1003. };
  1004. EXPORT_SYMBOL_GPL(key_type_trusted);
  1005. static void trusted_shash_release(void)
  1006. {
  1007. if (hashalg)
  1008. crypto_free_shash(hashalg);
  1009. if (hmacalg)
  1010. crypto_free_shash(hmacalg);
  1011. }
  1012. static int __init trusted_shash_alloc(void)
  1013. {
  1014. int ret;
  1015. hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
  1016. if (IS_ERR(hmacalg)) {
  1017. pr_info("trusted_key: could not allocate crypto %s\n",
  1018. hmac_alg);
  1019. return PTR_ERR(hmacalg);
  1020. }
  1021. hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
  1022. if (IS_ERR(hashalg)) {
  1023. pr_info("trusted_key: could not allocate crypto %s\n",
  1024. hash_alg);
  1025. ret = PTR_ERR(hashalg);
  1026. goto hashalg_fail;
  1027. }
  1028. return 0;
  1029. hashalg_fail:
  1030. crypto_free_shash(hmacalg);
  1031. return ret;
  1032. }
  1033. static int __init init_trusted(void)
  1034. {
  1035. int ret;
  1036. ret = trusted_shash_alloc();
  1037. if (ret < 0)
  1038. return ret;
  1039. ret = register_key_type(&key_type_trusted);
  1040. if (ret < 0)
  1041. trusted_shash_release();
  1042. return ret;
  1043. }
  1044. static void __exit cleanup_trusted(void)
  1045. {
  1046. trusted_shash_release();
  1047. unregister_key_type(&key_type_trusted);
  1048. }
  1049. late_initcall(init_trusted);
  1050. module_exit(cleanup_trusted);
  1051. MODULE_LICENSE("GPL");