linux/security/keys/trusted.c
<<
>>
Prefs
   1/*
   2 * Copyright (C) 2010 IBM Corporation
   3 *
   4 * Author:
   5 * David Safford <safford@us.ibm.com>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation, version 2 of the License.
  10 *
  11 * See Documentation/security/keys-trusted-encrypted.txt
  12 */
  13
  14#include <linux/uaccess.h>
  15#include <linux/module.h>
  16#include <linux/init.h>
  17#include <linux/slab.h>
  18#include <linux/parser.h>
  19#include <linux/string.h>
  20#include <linux/err.h>
  21#include <keys/user-type.h>
  22#include <keys/trusted-type.h>
  23#include <linux/key-type.h>
  24#include <linux/rcupdate.h>
  25#include <linux/crypto.h>
  26#include <crypto/hash.h>
  27#include <crypto/sha.h>
  28#include <linux/capability.h>
  29#include <linux/tpm.h>
  30#include <linux/tpm_command.h>
  31
  32#include "trusted.h"
  33
  34static const char hmac_alg[] = "hmac(sha1)";
  35static const char hash_alg[] = "sha1";
  36
  37struct sdesc {
  38        struct shash_desc shash;
  39        char ctx[];
  40};
  41
  42static struct crypto_shash *hashalg;
  43static struct crypto_shash *hmacalg;
  44
  45static struct sdesc *init_sdesc(struct crypto_shash *alg)
  46{
  47        struct sdesc *sdesc;
  48        int size;
  49
  50        size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  51        sdesc = kmalloc(size, GFP_KERNEL);
  52        if (!sdesc)
  53                return ERR_PTR(-ENOMEM);
  54        sdesc->shash.tfm = alg;
  55        sdesc->shash.flags = 0x0;
  56        return sdesc;
  57}
  58
  59static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  60                    unsigned char *digest)
  61{
  62        struct sdesc *sdesc;
  63        int ret;
  64
  65        sdesc = init_sdesc(hashalg);
  66        if (IS_ERR(sdesc)) {
  67                pr_info("trusted_key: can't alloc %s\n", hash_alg);
  68                return PTR_ERR(sdesc);
  69        }
  70
  71        ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  72        kfree(sdesc);
  73        return ret;
  74}
  75
  76static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  77                       unsigned int keylen, ...)
  78{
  79        struct sdesc *sdesc;
  80        va_list argp;
  81        unsigned int dlen;
  82        unsigned char *data;
  83        int ret;
  84
  85        sdesc = init_sdesc(hmacalg);
  86        if (IS_ERR(sdesc)) {
  87                pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  88                return PTR_ERR(sdesc);
  89        }
  90
  91        ret = crypto_shash_setkey(hmacalg, key, keylen);
  92        if (ret < 0)
  93                goto out;
  94        ret = crypto_shash_init(&sdesc->shash);
  95        if (ret < 0)
  96                goto out;
  97
  98        va_start(argp, keylen);
  99        for (;;) {
 100                dlen = va_arg(argp, unsigned int);
 101                if (dlen == 0)
 102                        break;
 103                data = va_arg(argp, unsigned char *);
 104                if (data == NULL) {
 105                        ret = -EINVAL;
 106                        break;
 107                }
 108                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 109                if (ret < 0)
 110                        break;
 111        }
 112        va_end(argp);
 113        if (!ret)
 114                ret = crypto_shash_final(&sdesc->shash, digest);
 115out:
 116        kfree(sdesc);
 117        return ret;
 118}
 119
 120/*
 121 * calculate authorization info fields to send to TPM
 122 */
 123static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
 124                        unsigned int keylen, unsigned char *h1,
 125                        unsigned char *h2, unsigned char h3, ...)
 126{
 127        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 128        struct sdesc *sdesc;
 129        unsigned int dlen;
 130        unsigned char *data;
 131        unsigned char c;
 132        int ret;
 133        va_list argp;
 134
 135        sdesc = init_sdesc(hashalg);
 136        if (IS_ERR(sdesc)) {
 137                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 138                return PTR_ERR(sdesc);
 139        }
 140
 141        c = h3;
 142        ret = crypto_shash_init(&sdesc->shash);
 143        if (ret < 0)
 144                goto out;
 145        va_start(argp, h3);
 146        for (;;) {
 147                dlen = va_arg(argp, unsigned int);
 148                if (dlen == 0)
 149                        break;
 150                data = va_arg(argp, unsigned char *);
 151                if (!data) {
 152                        ret = -EINVAL;
 153                        break;
 154                }
 155                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 156                if (ret < 0)
 157                        break;
 158        }
 159        va_end(argp);
 160        if (!ret)
 161                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 162        if (!ret)
 163                ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
 164                                  paramdigest, TPM_NONCE_SIZE, h1,
 165                                  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
 166out:
 167        kfree(sdesc);
 168        return ret;
 169}
 170
 171/*
 172 * verify the AUTH1_COMMAND (Seal) result from TPM
 173 */
 174static int TSS_checkhmac1(unsigned char *buffer,
 175                          const uint32_t command,
 176                          const unsigned char *ononce,
 177                          const unsigned char *key,
 178                          unsigned int keylen, ...)
 179{
 180        uint32_t bufsize;
 181        uint16_t tag;
 182        uint32_t ordinal;
 183        uint32_t result;
 184        unsigned char *enonce;
 185        unsigned char *continueflag;
 186        unsigned char *authdata;
 187        unsigned char testhmac[SHA1_DIGEST_SIZE];
 188        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 189        struct sdesc *sdesc;
 190        unsigned int dlen;
 191        unsigned int dpos;
 192        va_list argp;
 193        int ret;
 194
 195        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 196        tag = LOAD16(buffer, 0);
 197        ordinal = command;
 198        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 199        if (tag == TPM_TAG_RSP_COMMAND)
 200                return 0;
 201        if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
 202                return -EINVAL;
 203        authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
 204        continueflag = authdata - 1;
 205        enonce = continueflag - TPM_NONCE_SIZE;
 206
 207        sdesc = init_sdesc(hashalg);
 208        if (IS_ERR(sdesc)) {
 209                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 210                return PTR_ERR(sdesc);
 211        }
 212        ret = crypto_shash_init(&sdesc->shash);
 213        if (ret < 0)
 214                goto out;
 215        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 216                                  sizeof result);
 217        if (ret < 0)
 218                goto out;
 219        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 220                                  sizeof ordinal);
 221        if (ret < 0)
 222                goto out;
 223        va_start(argp, keylen);
 224        for (;;) {
 225                dlen = va_arg(argp, unsigned int);
 226                if (dlen == 0)
 227                        break;
 228                dpos = va_arg(argp, unsigned int);
 229                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 230                if (ret < 0)
 231                        break;
 232        }
 233        va_end(argp);
 234        if (!ret)
 235                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 236        if (ret < 0)
 237                goto out;
 238
 239        ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
 240                          TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
 241                          1, continueflag, 0, 0);
 242        if (ret < 0)
 243                goto out;
 244
 245        if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
 246                ret = -EINVAL;
 247out:
 248        kfree(sdesc);
 249        return ret;
 250}
 251
 252/*
 253 * verify the AUTH2_COMMAND (unseal) result from TPM
 254 */
 255static int TSS_checkhmac2(unsigned char *buffer,
 256                          const uint32_t command,
 257                          const unsigned char *ononce,
 258                          const unsigned char *key1,
 259                          unsigned int keylen1,
 260                          const unsigned char *key2,
 261                          unsigned int keylen2, ...)
 262{
 263        uint32_t bufsize;
 264        uint16_t tag;
 265        uint32_t ordinal;
 266        uint32_t result;
 267        unsigned char *enonce1;
 268        unsigned char *continueflag1;
 269        unsigned char *authdata1;
 270        unsigned char *enonce2;
 271        unsigned char *continueflag2;
 272        unsigned char *authdata2;
 273        unsigned char testhmac1[SHA1_DIGEST_SIZE];
 274        unsigned char testhmac2[SHA1_DIGEST_SIZE];
 275        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 276        struct sdesc *sdesc;
 277        unsigned int dlen;
 278        unsigned int dpos;
 279        va_list argp;
 280        int ret;
 281
 282        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 283        tag = LOAD16(buffer, 0);
 284        ordinal = command;
 285        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 286
 287        if (tag == TPM_TAG_RSP_COMMAND)
 288                return 0;
 289        if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
 290                return -EINVAL;
 291        authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
 292                        + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
 293        authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
 294        continueflag1 = authdata1 - 1;
 295        continueflag2 = authdata2 - 1;
 296        enonce1 = continueflag1 - TPM_NONCE_SIZE;
 297        enonce2 = continueflag2 - TPM_NONCE_SIZE;
 298
 299        sdesc = init_sdesc(hashalg);
 300        if (IS_ERR(sdesc)) {
 301                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 302                return PTR_ERR(sdesc);
 303        }
 304        ret = crypto_shash_init(&sdesc->shash);
 305        if (ret < 0)
 306                goto out;
 307        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 308                                  sizeof result);
 309        if (ret < 0)
 310                goto out;
 311        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 312                                  sizeof ordinal);
 313        if (ret < 0)
 314                goto out;
 315
 316        va_start(argp, keylen2);
 317        for (;;) {
 318                dlen = va_arg(argp, unsigned int);
 319                if (dlen == 0)
 320                        break;
 321                dpos = va_arg(argp, unsigned int);
 322                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 323                if (ret < 0)
 324                        break;
 325        }
 326        va_end(argp);
 327        if (!ret)
 328                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 329        if (ret < 0)
 330                goto out;
 331
 332        ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
 333                          paramdigest, TPM_NONCE_SIZE, enonce1,
 334                          TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
 335        if (ret < 0)
 336                goto out;
 337        if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
 338                ret = -EINVAL;
 339                goto out;
 340        }
 341        ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
 342                          paramdigest, TPM_NONCE_SIZE, enonce2,
 343                          TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
 344        if (ret < 0)
 345                goto out;
 346        if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 347                ret = -EINVAL;
 348out:
 349        kfree(sdesc);
 350        return ret;
 351}
 352
 353/*
 354 * For key specific tpm requests, we will generate and send our
 355 * own TPM command packets using the drivers send function.
 356 */
 357static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
 358                            size_t buflen)
 359{
 360        int rc;
 361
 362        dump_tpm_buf(cmd);
 363        rc = tpm_send(chip_num, cmd, buflen);
 364        dump_tpm_buf(cmd);
 365        if (rc > 0)
 366                /* Can't return positive return codes values to keyctl */
 367                rc = -EPERM;
 368        return rc;
 369}
 370
 371/*
 372 * Lock a trusted key, by extending a selected PCR.
 373 *
 374 * Prevents a trusted key that is sealed to PCRs from being accessed.
 375 * This uses the tpm driver's extend function.
 376 */
 377static int pcrlock(const int pcrnum)
 378{
 379        unsigned char hash[SHA1_DIGEST_SIZE];
 380        int ret;
 381
 382        if (!capable(CAP_SYS_ADMIN))
 383                return -EPERM;
 384        ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
 385        if (ret != SHA1_DIGEST_SIZE)
 386                return ret;
 387        return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
 388}
 389
 390/*
 391 * Create an object specific authorisation protocol (OSAP) session
 392 */
 393static int osap(struct tpm_buf *tb, struct osapsess *s,
 394                const unsigned char *key, uint16_t type, uint32_t handle)
 395{
 396        unsigned char enonce[TPM_NONCE_SIZE];
 397        unsigned char ononce[TPM_NONCE_SIZE];
 398        int ret;
 399
 400        ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
 401        if (ret != TPM_NONCE_SIZE)
 402                return ret;
 403
 404        INIT_BUF(tb);
 405        store16(tb, TPM_TAG_RQU_COMMAND);
 406        store32(tb, TPM_OSAP_SIZE);
 407        store32(tb, TPM_ORD_OSAP);
 408        store16(tb, type);
 409        store32(tb, handle);
 410        storebytes(tb, ononce, TPM_NONCE_SIZE);
 411
 412        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 413        if (ret < 0)
 414                return ret;
 415
 416        s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 417        memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
 418               TPM_NONCE_SIZE);
 419        memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
 420                                  TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
 421        return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
 422                           enonce, TPM_NONCE_SIZE, ononce, 0, 0);
 423}
 424
 425/*
 426 * Create an object independent authorisation protocol (oiap) session
 427 */
 428static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
 429{
 430        int ret;
 431
 432        INIT_BUF(tb);
 433        store16(tb, TPM_TAG_RQU_COMMAND);
 434        store32(tb, TPM_OIAP_SIZE);
 435        store32(tb, TPM_ORD_OIAP);
 436        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 437        if (ret < 0)
 438                return ret;
 439
 440        *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 441        memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
 442               TPM_NONCE_SIZE);
 443        return 0;
 444}
 445
 446struct tpm_digests {
 447        unsigned char encauth[SHA1_DIGEST_SIZE];
 448        unsigned char pubauth[SHA1_DIGEST_SIZE];
 449        unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
 450        unsigned char xorhash[SHA1_DIGEST_SIZE];
 451        unsigned char nonceodd[TPM_NONCE_SIZE];
 452};
 453
 454/*
 455 * Have the TPM seal(encrypt) the trusted key, possibly based on
 456 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
 457 */
 458static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 459                    uint32_t keyhandle, const unsigned char *keyauth,
 460                    const unsigned char *data, uint32_t datalen,
 461                    unsigned char *blob, uint32_t *bloblen,
 462                    const unsigned char *blobauth,
 463                    const unsigned char *pcrinfo, uint32_t pcrinfosize)
 464{
 465        struct osapsess sess;
 466        struct tpm_digests *td;
 467        unsigned char cont;
 468        uint32_t ordinal;
 469        uint32_t pcrsize;
 470        uint32_t datsize;
 471        int sealinfosize;
 472        int encdatasize;
 473        int storedsize;
 474        int ret;
 475        int i;
 476
 477        /* alloc some work space for all the hashes */
 478        td = kmalloc(sizeof *td, GFP_KERNEL);
 479        if (!td)
 480                return -ENOMEM;
 481
 482        /* get session for sealing key */
 483        ret = osap(tb, &sess, keyauth, keytype, keyhandle);
 484        if (ret < 0)
 485                goto out;
 486        dump_sess(&sess);
 487
 488        /* calculate encrypted authorization value */
 489        memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
 490        memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
 491        ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
 492        if (ret < 0)
 493                goto out;
 494
 495        ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
 496        if (ret != TPM_NONCE_SIZE)
 497                goto out;
 498        ordinal = htonl(TPM_ORD_SEAL);
 499        datsize = htonl(datalen);
 500        pcrsize = htonl(pcrinfosize);
 501        cont = 0;
 502
 503        /* encrypt data authorization key */
 504        for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
 505                td->encauth[i] = td->xorhash[i] ^ blobauth[i];
 506
 507        /* calculate authorization HMAC value */
 508        if (pcrinfosize == 0) {
 509                /* no pcr info specified */
 510                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 511                                   sess.enonce, td->nonceodd, cont,
 512                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 513                                   td->encauth, sizeof(uint32_t), &pcrsize,
 514                                   sizeof(uint32_t), &datsize, datalen, data, 0,
 515                                   0);
 516        } else {
 517                /* pcr info specified */
 518                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 519                                   sess.enonce, td->nonceodd, cont,
 520                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 521                                   td->encauth, sizeof(uint32_t), &pcrsize,
 522                                   pcrinfosize, pcrinfo, sizeof(uint32_t),
 523                                   &datsize, datalen, data, 0, 0);
 524        }
 525        if (ret < 0)
 526                goto out;
 527
 528        /* build and send the TPM request packet */
 529        INIT_BUF(tb);
 530        store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
 531        store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
 532        store32(tb, TPM_ORD_SEAL);
 533        store32(tb, keyhandle);
 534        storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
 535        store32(tb, pcrinfosize);
 536        storebytes(tb, pcrinfo, pcrinfosize);
 537        store32(tb, datalen);
 538        storebytes(tb, data, datalen);
 539        store32(tb, sess.handle);
 540        storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
 541        store8(tb, cont);
 542        storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
 543
 544        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 545        if (ret < 0)
 546                goto out;
 547
 548        /* calculate the size of the returned Blob */
 549        sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
 550        encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
 551                             sizeof(uint32_t) + sealinfosize);
 552        storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
 553            sizeof(uint32_t) + encdatasize;
 554
 555        /* check the HMAC in the response */
 556        ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
 557                             SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
 558                             0);
 559
 560        /* copy the returned blob to caller */
 561        if (!ret) {
 562                memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
 563                *bloblen = storedsize;
 564        }
 565out:
 566        kfree(td);
 567        return ret;
 568}
 569
 570/*
 571 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
 572 */
 573static int tpm_unseal(struct tpm_buf *tb,
 574                      uint32_t keyhandle, const unsigned char *keyauth,
 575                      const unsigned char *blob, int bloblen,
 576                      const unsigned char *blobauth,
 577                      unsigned char *data, unsigned int *datalen)
 578{
 579        unsigned char nonceodd[TPM_NONCE_SIZE];
 580        unsigned char enonce1[TPM_NONCE_SIZE];
 581        unsigned char enonce2[TPM_NONCE_SIZE];
 582        unsigned char authdata1[SHA1_DIGEST_SIZE];
 583        unsigned char authdata2[SHA1_DIGEST_SIZE];
 584        uint32_t authhandle1 = 0;
 585        uint32_t authhandle2 = 0;
 586        unsigned char cont = 0;
 587        uint32_t ordinal;
 588        uint32_t keyhndl;
 589        int ret;
 590
 591        /* sessions for unsealing key and data */
 592        ret = oiap(tb, &authhandle1, enonce1);
 593        if (ret < 0) {
 594                pr_info("trusted_key: oiap failed (%d)\n", ret);
 595                return ret;
 596        }
 597        ret = oiap(tb, &authhandle2, enonce2);
 598        if (ret < 0) {
 599                pr_info("trusted_key: oiap failed (%d)\n", ret);
 600                return ret;
 601        }
 602
 603        ordinal = htonl(TPM_ORD_UNSEAL);
 604        keyhndl = htonl(SRKHANDLE);
 605        ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
 606        if (ret != TPM_NONCE_SIZE) {
 607                pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
 608                return ret;
 609        }
 610        ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
 611                           enonce1, nonceodd, cont, sizeof(uint32_t),
 612                           &ordinal, bloblen, blob, 0, 0);
 613        if (ret < 0)
 614                return ret;
 615        ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
 616                           enonce2, nonceodd, cont, sizeof(uint32_t),
 617                           &ordinal, bloblen, blob, 0, 0);
 618        if (ret < 0)
 619                return ret;
 620
 621        /* build and send TPM request packet */
 622        INIT_BUF(tb);
 623        store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
 624        store32(tb, TPM_UNSEAL_SIZE + bloblen);
 625        store32(tb, TPM_ORD_UNSEAL);
 626        store32(tb, keyhandle);
 627        storebytes(tb, blob, bloblen);
 628        store32(tb, authhandle1);
 629        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 630        store8(tb, cont);
 631        storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
 632        store32(tb, authhandle2);
 633        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 634        store8(tb, cont);
 635        storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
 636
 637        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 638        if (ret < 0) {
 639                pr_info("trusted_key: authhmac failed (%d)\n", ret);
 640                return ret;
 641        }
 642
 643        *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
 644        ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
 645                             keyauth, SHA1_DIGEST_SIZE,
 646                             blobauth, SHA1_DIGEST_SIZE,
 647                             sizeof(uint32_t), TPM_DATA_OFFSET,
 648                             *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
 649                             0);
 650        if (ret < 0) {
 651                pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
 652                return ret;
 653        }
 654        memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
 655        return 0;
 656}
 657
 658/*
 659 * Have the TPM seal(encrypt) the symmetric key
 660 */
 661static int key_seal(struct trusted_key_payload *p,
 662                    struct trusted_key_options *o)
 663{
 664        struct tpm_buf *tb;
 665        int ret;
 666
 667        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 668        if (!tb)
 669                return -ENOMEM;
 670
 671        /* include migratable flag at end of sealed key */
 672        p->key[p->key_len] = p->migratable;
 673
 674        ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
 675                       p->key, p->key_len + 1, p->blob, &p->blob_len,
 676                       o->blobauth, o->pcrinfo, o->pcrinfo_len);
 677        if (ret < 0)
 678                pr_info("trusted_key: srkseal failed (%d)\n", ret);
 679
 680        kfree(tb);
 681        return ret;
 682}
 683
 684/*
 685 * Have the TPM unseal(decrypt) the symmetric key
 686 */
 687static int key_unseal(struct trusted_key_payload *p,
 688                      struct trusted_key_options *o)
 689{
 690        struct tpm_buf *tb;
 691        int ret;
 692
 693        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 694        if (!tb)
 695                return -ENOMEM;
 696
 697        ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
 698                         o->blobauth, p->key, &p->key_len);
 699        if (ret < 0)
 700                pr_info("trusted_key: srkunseal failed (%d)\n", ret);
 701        else
 702                /* pull migratable flag out of sealed key */
 703                p->migratable = p->key[--p->key_len];
 704
 705        kfree(tb);
 706        return ret;
 707}
 708
 709enum {
 710        Opt_err = -1,
 711        Opt_new, Opt_load, Opt_update,
 712        Opt_keyhandle, Opt_keyauth, Opt_blobauth,
 713        Opt_pcrinfo, Opt_pcrlock, Opt_migratable
 714};
 715
 716static const match_table_t key_tokens = {
 717        {Opt_new, "new"},
 718        {Opt_load, "load"},
 719        {Opt_update, "update"},
 720        {Opt_keyhandle, "keyhandle=%s"},
 721        {Opt_keyauth, "keyauth=%s"},
 722        {Opt_blobauth, "blobauth=%s"},
 723        {Opt_pcrinfo, "pcrinfo=%s"},
 724        {Opt_pcrlock, "pcrlock=%s"},
 725        {Opt_migratable, "migratable=%s"},
 726        {Opt_err, NULL}
 727};
 728
 729/* can have zero or more token= options */
 730static int getoptions(char *c, struct trusted_key_payload *pay,
 731                      struct trusted_key_options *opt)
 732{
 733        substring_t args[MAX_OPT_ARGS];
 734        char *p = c;
 735        int token;
 736        int res;
 737        unsigned long handle;
 738        unsigned long lock;
 739
 740        while ((p = strsep(&c, " \t"))) {
 741                if (*p == '\0' || *p == ' ' || *p == '\t')
 742                        continue;
 743                token = match_token(p, key_tokens, args);
 744
 745                switch (token) {
 746                case Opt_pcrinfo:
 747                        opt->pcrinfo_len = strlen(args[0].from) / 2;
 748                        if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
 749                                return -EINVAL;
 750                        res = hex2bin(opt->pcrinfo, args[0].from,
 751                                      opt->pcrinfo_len);
 752                        if (res < 0)
 753                                return -EINVAL;
 754                        break;
 755                case Opt_keyhandle:
 756                        res = strict_strtoul(args[0].from, 16, &handle);
 757                        if (res < 0)
 758                                return -EINVAL;
 759                        opt->keytype = SEAL_keytype;
 760                        opt->keyhandle = handle;
 761                        break;
 762                case Opt_keyauth:
 763                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 764                                return -EINVAL;
 765                        res = hex2bin(opt->keyauth, args[0].from,
 766                                      SHA1_DIGEST_SIZE);
 767                        if (res < 0)
 768                                return -EINVAL;
 769                        break;
 770                case Opt_blobauth:
 771                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 772                                return -EINVAL;
 773                        res = hex2bin(opt->blobauth, args[0].from,
 774                                      SHA1_DIGEST_SIZE);
 775                        if (res < 0)
 776                                return -EINVAL;
 777                        break;
 778                case Opt_migratable:
 779                        if (*args[0].from == '0')
 780                                pay->migratable = 0;
 781                        else
 782                                return -EINVAL;
 783                        break;
 784                case Opt_pcrlock:
 785                        res = strict_strtoul(args[0].from, 10, &lock);
 786                        if (res < 0)
 787                                return -EINVAL;
 788                        opt->pcrlock = lock;
 789                        break;
 790                default:
 791                        return -EINVAL;
 792                }
 793        }
 794        return 0;
 795}
 796
 797/*
 798 * datablob_parse - parse the keyctl data and fill in the
 799 *                  payload and options structures
 800 *
 801 * On success returns 0, otherwise -EINVAL.
 802 */
 803static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 804                          struct trusted_key_options *o)
 805{
 806        substring_t args[MAX_OPT_ARGS];
 807        long keylen;
 808        int ret = -EINVAL;
 809        int key_cmd;
 810        char *c;
 811
 812        /* main command */
 813        c = strsep(&datablob, " \t");
 814        if (!c)
 815                return -EINVAL;
 816        key_cmd = match_token(c, key_tokens, args);
 817        switch (key_cmd) {
 818        case Opt_new:
 819                /* first argument is key size */
 820                c = strsep(&datablob, " \t");
 821                if (!c)
 822                        return -EINVAL;
 823                ret = strict_strtol(c, 10, &keylen);
 824                if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 825                        return -EINVAL;
 826                p->key_len = keylen;
 827                ret = getoptions(datablob, p, o);
 828                if (ret < 0)
 829                        return ret;
 830                ret = Opt_new;
 831                break;
 832        case Opt_load:
 833                /* first argument is sealed blob */
 834                c = strsep(&datablob, " \t");
 835                if (!c)
 836                        return -EINVAL;
 837                p->blob_len = strlen(c) / 2;
 838                if (p->blob_len > MAX_BLOB_SIZE)
 839                        return -EINVAL;
 840                ret = hex2bin(p->blob, c, p->blob_len);
 841                if (ret < 0)
 842                        return -EINVAL;
 843                ret = getoptions(datablob, p, o);
 844                if (ret < 0)
 845                        return ret;
 846                ret = Opt_load;
 847                break;
 848        case Opt_update:
 849                /* all arguments are options */
 850                ret = getoptions(datablob, p, o);
 851                if (ret < 0)
 852                        return ret;
 853                ret = Opt_update;
 854                break;
 855        case Opt_err:
 856                return -EINVAL;
 857                break;
 858        }
 859        return ret;
 860}
 861
 862static struct trusted_key_options *trusted_options_alloc(void)
 863{
 864        struct trusted_key_options *options;
 865
 866        options = kzalloc(sizeof *options, GFP_KERNEL);
 867        if (options) {
 868                /* set any non-zero defaults */
 869                options->keytype = SRK_keytype;
 870                options->keyhandle = SRKHANDLE;
 871        }
 872        return options;
 873}
 874
 875static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
 876{
 877        struct trusted_key_payload *p = NULL;
 878        int ret;
 879
 880        ret = key_payload_reserve(key, sizeof *p);
 881        if (ret < 0)
 882                return p;
 883        p = kzalloc(sizeof *p, GFP_KERNEL);
 884        if (p)
 885                p->migratable = 1; /* migratable by default */
 886        return p;
 887}
 888
 889/*
 890 * trusted_instantiate - create a new trusted key
 891 *
 892 * Unseal an existing trusted blob or, for a new key, get a
 893 * random key, then seal and create a trusted key-type key,
 894 * adding it to the specified keyring.
 895 *
 896 * On success, return 0. Otherwise return errno.
 897 */
 898static int trusted_instantiate(struct key *key,
 899                               struct key_preparsed_payload *prep)
 900{
 901        struct trusted_key_payload *payload = NULL;
 902        struct trusted_key_options *options = NULL;
 903        size_t datalen = prep->datalen;
 904        char *datablob;
 905        int ret = 0;
 906        int key_cmd;
 907        size_t key_len;
 908
 909        if (datalen <= 0 || datalen > 32767 || !prep->data)
 910                return -EINVAL;
 911
 912        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 913        if (!datablob)
 914                return -ENOMEM;
 915        memcpy(datablob, prep->data, datalen);
 916        datablob[datalen] = '\0';
 917
 918        options = trusted_options_alloc();
 919        if (!options) {
 920                ret = -ENOMEM;
 921                goto out;
 922        }
 923        payload = trusted_payload_alloc(key);
 924        if (!payload) {
 925                ret = -ENOMEM;
 926                goto out;
 927        }
 928
 929        key_cmd = datablob_parse(datablob, payload, options);
 930        if (key_cmd < 0) {
 931                ret = key_cmd;
 932                goto out;
 933        }
 934
 935        dump_payload(payload);
 936        dump_options(options);
 937
 938        switch (key_cmd) {
 939        case Opt_load:
 940                ret = key_unseal(payload, options);
 941                dump_payload(payload);
 942                dump_options(options);
 943                if (ret < 0)
 944                        pr_info("trusted_key: key_unseal failed (%d)\n", ret);
 945                break;
 946        case Opt_new:
 947                key_len = payload->key_len;
 948                ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
 949                if (ret != key_len) {
 950                        pr_info("trusted_key: key_create failed (%d)\n", ret);
 951                        goto out;
 952                }
 953                ret = key_seal(payload, options);
 954                if (ret < 0)
 955                        pr_info("trusted_key: key_seal failed (%d)\n", ret);
 956                break;
 957        default:
 958                ret = -EINVAL;
 959                goto out;
 960        }
 961        if (!ret && options->pcrlock)
 962                ret = pcrlock(options->pcrlock);
 963out:
 964        kfree(datablob);
 965        kfree(options);
 966        if (!ret)
 967                rcu_assign_keypointer(key, payload);
 968        else
 969                kfree(payload);
 970        return ret;
 971}
 972
 973static void trusted_rcu_free(struct rcu_head *rcu)
 974{
 975        struct trusted_key_payload *p;
 976
 977        p = container_of(rcu, struct trusted_key_payload, rcu);
 978        memset(p->key, 0, p->key_len);
 979        kfree(p);
 980}
 981
 982/*
 983 * trusted_update - reseal an existing key with new PCR values
 984 */
 985static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 986{
 987        struct trusted_key_payload *p = key->payload.data;
 988        struct trusted_key_payload *new_p;
 989        struct trusted_key_options *new_o;
 990        size_t datalen = prep->datalen;
 991        char *datablob;
 992        int ret = 0;
 993
 994        if (!p->migratable)
 995                return -EPERM;
 996        if (datalen <= 0 || datalen > 32767 || !prep->data)
 997                return -EINVAL;
 998
 999        datablob = kmalloc(datalen + 1, GFP_KERNEL);
1000        if (!datablob)
1001                return -ENOMEM;
1002        new_o = trusted_options_alloc();
1003        if (!new_o) {
1004                ret = -ENOMEM;
1005                goto out;
1006        }
1007        new_p = trusted_payload_alloc(key);
1008        if (!new_p) {
1009                ret = -ENOMEM;
1010                goto out;
1011        }
1012
1013        memcpy(datablob, prep->data, datalen);
1014        datablob[datalen] = '\0';
1015        ret = datablob_parse(datablob, new_p, new_o);
1016        if (ret != Opt_update) {
1017                ret = -EINVAL;
1018                kfree(new_p);
1019                goto out;
1020        }
1021        /* copy old key values, and reseal with new pcrs */
1022        new_p->migratable = p->migratable;
1023        new_p->key_len = p->key_len;
1024        memcpy(new_p->key, p->key, p->key_len);
1025        dump_payload(p);
1026        dump_payload(new_p);
1027
1028        ret = key_seal(new_p, new_o);
1029        if (ret < 0) {
1030                pr_info("trusted_key: key_seal failed (%d)\n", ret);
1031                kfree(new_p);
1032                goto out;
1033        }
1034        if (new_o->pcrlock) {
1035                ret = pcrlock(new_o->pcrlock);
1036                if (ret < 0) {
1037                        pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1038                        kfree(new_p);
1039                        goto out;
1040                }
1041        }
1042        rcu_assign_keypointer(key, new_p);
1043        call_rcu(&p->rcu, trusted_rcu_free);
1044out:
1045        kfree(datablob);
1046        kfree(new_o);
1047        return ret;
1048}
1049
1050/*
1051 * trusted_read - copy the sealed blob data to userspace in hex.
1052 * On success, return to userspace the trusted key datablob size.
1053 */
1054static long trusted_read(const struct key *key, char __user *buffer,
1055                         size_t buflen)
1056{
1057        struct trusted_key_payload *p;
1058        char *ascii_buf;
1059        char *bufp;
1060        int i;
1061
1062        p = rcu_dereference_key(key);
1063        if (!p)
1064                return -EINVAL;
1065        if (!buffer || buflen <= 0)
1066                return 2 * p->blob_len;
1067        ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
1068        if (!ascii_buf)
1069                return -ENOMEM;
1070
1071        bufp = ascii_buf;
1072        for (i = 0; i < p->blob_len; i++)
1073                bufp = hex_byte_pack(bufp, p->blob[i]);
1074        if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
1075                kfree(ascii_buf);
1076                return -EFAULT;
1077        }
1078        kfree(ascii_buf);
1079        return 2 * p->blob_len;
1080}
1081
1082/*
1083 * trusted_destroy - before freeing the key, clear the decrypted data
1084 */
1085static void trusted_destroy(struct key *key)
1086{
1087        struct trusted_key_payload *p = key->payload.data;
1088
1089        if (!p)
1090                return;
1091        memset(p->key, 0, p->key_len);
1092        kfree(key->payload.data);
1093}
1094
1095struct key_type key_type_trusted = {
1096        .name = "trusted",
1097        .instantiate = trusted_instantiate,
1098        .update = trusted_update,
1099        .match = user_match,
1100        .destroy = trusted_destroy,
1101        .describe = user_describe,
1102        .read = trusted_read,
1103};
1104
1105EXPORT_SYMBOL_GPL(key_type_trusted);
1106
1107static void trusted_shash_release(void)
1108{
1109        if (hashalg)
1110                crypto_free_shash(hashalg);
1111        if (hmacalg)
1112                crypto_free_shash(hmacalg);
1113}
1114
1115static int __init trusted_shash_alloc(void)
1116{
1117        int ret;
1118
1119        hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1120        if (IS_ERR(hmacalg)) {
1121                pr_info("trusted_key: could not allocate crypto %s\n",
1122                        hmac_alg);
1123                return PTR_ERR(hmacalg);
1124        }
1125
1126        hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
1127        if (IS_ERR(hashalg)) {
1128                pr_info("trusted_key: could not allocate crypto %s\n",
1129                        hash_alg);
1130                ret = PTR_ERR(hashalg);
1131                goto hashalg_fail;
1132        }
1133
1134        return 0;
1135
1136hashalg_fail:
1137        crypto_free_shash(hmacalg);
1138        return ret;
1139}
1140
1141static int __init init_trusted(void)
1142{
1143        int ret;
1144
1145        ret = trusted_shash_alloc();
1146        if (ret < 0)
1147                return ret;
1148        ret = register_key_type(&key_type_trusted);
1149        if (ret < 0)
1150                trusted_shash_release();
1151        return ret;
1152}
1153
1154static void __exit cleanup_trusted(void)
1155{
1156        trusted_shash_release();
1157        unregister_key_type(&key_type_trusted);
1158}
1159
1160late_initcall(init_trusted);
1161module_exit(cleanup_trusted);
1162
1163MODULE_LICENSE("GPL");
1164
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.