1/* 2 * Copyright (C) 2010 IBM Corporation 3 * 4 * Author: 5 * David Safford <safford@us.ibm.com> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation, version 2 of the License. 10 * 11 * See Documentation/security/keys-trusted-encrypted.txt 12 */ 13 14#include <linux/uaccess.h> 15#include <linux/module.h> 16#include <linux/init.h> 17#include <linux/slab.h> 18#include <linux/parser.h> 19#include <linux/string.h> 20#include <linux/err.h> 21#include <keys/user-type.h> 22#include <keys/trusted-type.h> 23#include <linux/key-type.h> 24#include <linux/rcupdate.h> 25#include <linux/crypto.h> 26#include <crypto/hash.h> 27#include <crypto/sha.h> 28#include <linux/capability.h> 29#include <linux/tpm.h> 30#include <linux/tpm_command.h> 31 32#include "trusted.h" 33 34static const char hmac_alg[] = "hmac(sha1)"; 35static const char hash_alg[] = "sha1"; 36 37struct sdesc { 38 struct shash_desc shash; 39 char ctx[]; 40}; 41 42static struct crypto_shash *hashalg; 43static struct crypto_shash *hmacalg; 44 45static struct sdesc *init_sdesc(struct crypto_shash *alg) 46{ 47 struct sdesc *sdesc; 48 int size; 49 50 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 51 sdesc = kmalloc(size, GFP_KERNEL); 52 if (!sdesc) 53 return ERR_PTR(-ENOMEM); 54 sdesc->shash.tfm = alg; 55 sdesc->shash.flags = 0x0; 56 return sdesc; 57} 58 59static int TSS_sha1(const unsigned char *data, unsigned int datalen, 60 unsigned char *digest) 61{ 62 struct sdesc *sdesc; 63 int ret; 64 65 sdesc = init_sdesc(hashalg); 66 if (IS_ERR(sdesc)) { 67 pr_info("trusted_key: can't alloc %s\n", hash_alg); 68 return PTR_ERR(sdesc); 69 } 70 71 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 72 kfree(sdesc); 73 return ret; 74} 75 76static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 77 unsigned int keylen, ...) 78{ 79 struct sdesc *sdesc; 80 va_list argp; 81 unsigned int dlen; 82 unsigned char *data; 83 int ret; 84 85 sdesc = init_sdesc(hmacalg); 86 if (IS_ERR(sdesc)) { 87 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 88 return PTR_ERR(sdesc); 89 } 90 91 ret = crypto_shash_setkey(hmacalg, key, keylen); 92 if (ret < 0) 93 goto out; 94 ret = crypto_shash_init(&sdesc->shash); 95 if (ret < 0) 96 goto out; 97 98 va_start(argp, keylen); 99 for (;;) { 100 dlen = va_arg(argp, unsigned int); 101 if (dlen == 0) 102 break; 103 data = va_arg(argp, unsigned char *); 104 if (data == NULL) { 105 ret = -EINVAL; 106 break; 107 } 108 ret = crypto_shash_update(&sdesc->shash, data, dlen); 109 if (ret < 0) 110 break; 111 } 112 va_end(argp); 113 if (!ret) 114 ret = crypto_shash_final(&sdesc->shash, digest); 115out: 116 kfree(sdesc); 117 return ret; 118} 119 120/* 121 * calculate authorization info fields to send to TPM 122 */ 123static int TSS_authhmac(unsigned char *digest, const unsigned char *key, 124 unsigned int keylen, unsigned char *h1, 125 unsigned char *h2, unsigned char h3, ...) 126{ 127 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 128 struct sdesc *sdesc; 129 unsigned int dlen; 130 unsigned char *data; 131 unsigned char c; 132 int ret; 133 va_list argp; 134 135 sdesc = init_sdesc(hashalg); 136 if (IS_ERR(sdesc)) { 137 pr_info("trusted_key: can't alloc %s\n", hash_alg); 138 return PTR_ERR(sdesc); 139 } 140 141 c = h3; 142 ret = crypto_shash_init(&sdesc->shash); 143 if (ret < 0) 144 goto out; 145 va_start(argp, h3); 146 for (;;) { 147 dlen = va_arg(argp, unsigned int); 148 if (dlen == 0) 149 break; 150 data = va_arg(argp, unsigned char *); 151 if (!data) { 152 ret = -EINVAL; 153 break; 154 } 155 ret = crypto_shash_update(&sdesc->shash, data, dlen); 156 if (ret < 0) 157 break; 158 } 159 va_end(argp); 160 if (!ret) 161 ret = crypto_shash_final(&sdesc->shash, paramdigest); 162 if (!ret) 163 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 164 paramdigest, TPM_NONCE_SIZE, h1, 165 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 166out: 167 kfree(sdesc); 168 return ret; 169} 170 171/* 172 * verify the AUTH1_COMMAND (Seal) result from TPM 173 */ 174static int TSS_checkhmac1(unsigned char *buffer, 175 const uint32_t command, 176 const unsigned char *ononce, 177 const unsigned char *key, 178 unsigned int keylen, ...) 179{ 180 uint32_t bufsize; 181 uint16_t tag; 182 uint32_t ordinal; 183 uint32_t result; 184 unsigned char *enonce; 185 unsigned char *continueflag; 186 unsigned char *authdata; 187 unsigned char testhmac[SHA1_DIGEST_SIZE]; 188 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 189 struct sdesc *sdesc; 190 unsigned int dlen; 191 unsigned int dpos; 192 va_list argp; 193 int ret; 194 195 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 196 tag = LOAD16(buffer, 0); 197 ordinal = command; 198 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 199 if (tag == TPM_TAG_RSP_COMMAND) 200 return 0; 201 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 202 return -EINVAL; 203 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 204 continueflag = authdata - 1; 205 enonce = continueflag - TPM_NONCE_SIZE; 206 207 sdesc = init_sdesc(hashalg); 208 if (IS_ERR(sdesc)) { 209 pr_info("trusted_key: can't alloc %s\n", hash_alg); 210 return PTR_ERR(sdesc); 211 } 212 ret = crypto_shash_init(&sdesc->shash); 213 if (ret < 0) 214 goto out; 215 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 216 sizeof result); 217 if (ret < 0) 218 goto out; 219 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 220 sizeof ordinal); 221 if (ret < 0) 222 goto out; 223 va_start(argp, keylen); 224 for (;;) { 225 dlen = va_arg(argp, unsigned int); 226 if (dlen == 0) 227 break; 228 dpos = va_arg(argp, unsigned int); 229 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 230 if (ret < 0) 231 break; 232 } 233 va_end(argp); 234 if (!ret) 235 ret = crypto_shash_final(&sdesc->shash, paramdigest); 236 if (ret < 0) 237 goto out; 238 239 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 240 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 241 1, continueflag, 0, 0); 242 if (ret < 0) 243 goto out; 244 245 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 246 ret = -EINVAL; 247out: 248 kfree(sdesc); 249 return ret; 250} 251 252/* 253 * verify the AUTH2_COMMAND (unseal) result from TPM 254 */ 255static int TSS_checkhmac2(unsigned char *buffer, 256 const uint32_t command, 257 const unsigned char *ononce, 258 const unsigned char *key1, 259 unsigned int keylen1, 260 const unsigned char *key2, 261 unsigned int keylen2, ...) 262{ 263 uint32_t bufsize; 264 uint16_t tag; 265 uint32_t ordinal; 266 uint32_t result; 267 unsigned char *enonce1; 268 unsigned char *continueflag1; 269 unsigned char *authdata1; 270 unsigned char *enonce2; 271 unsigned char *continueflag2; 272 unsigned char *authdata2; 273 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 274 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 275 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 276 struct sdesc *sdesc; 277 unsigned int dlen; 278 unsigned int dpos; 279 va_list argp; 280 int ret; 281 282 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 283 tag = LOAD16(buffer, 0); 284 ordinal = command; 285 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 286 287 if (tag == TPM_TAG_RSP_COMMAND) 288 return 0; 289 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 290 return -EINVAL; 291 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 292 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 293 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 294 continueflag1 = authdata1 - 1; 295 continueflag2 = authdata2 - 1; 296 enonce1 = continueflag1 - TPM_NONCE_SIZE; 297 enonce2 = continueflag2 - TPM_NONCE_SIZE; 298 299 sdesc = init_sdesc(hashalg); 300 if (IS_ERR(sdesc)) { 301 pr_info("trusted_key: can't alloc %s\n", hash_alg); 302 return PTR_ERR(sdesc); 303 } 304 ret = crypto_shash_init(&sdesc->shash); 305 if (ret < 0) 306 goto out; 307 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 308 sizeof result); 309 if (ret < 0) 310 goto out; 311 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 312 sizeof ordinal); 313 if (ret < 0) 314 goto out; 315 316 va_start(argp, keylen2); 317 for (;;) { 318 dlen = va_arg(argp, unsigned int); 319 if (dlen == 0) 320 break; 321 dpos = va_arg(argp, unsigned int); 322 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 323 if (ret < 0) 324 break; 325 } 326 va_end(argp); 327 if (!ret) 328 ret = crypto_shash_final(&sdesc->shash, paramdigest); 329 if (ret < 0) 330 goto out; 331 332 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 333 paramdigest, TPM_NONCE_SIZE, enonce1, 334 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 335 if (ret < 0) 336 goto out; 337 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 338 ret = -EINVAL; 339 goto out; 340 } 341 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 342 paramdigest, TPM_NONCE_SIZE, enonce2, 343 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 344 if (ret < 0) 345 goto out; 346 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 347 ret = -EINVAL; 348out: 349 kfree(sdesc); 350 return ret; 351} 352 353/* 354 * For key specific tpm requests, we will generate and send our 355 * own TPM command packets using the drivers send function. 356 */ 357static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd, 358 size_t buflen) 359{ 360 int rc; 361 362 dump_tpm_buf(cmd); 363 rc = tpm_send(chip_num, cmd, buflen); 364 dump_tpm_buf(cmd); 365 if (rc > 0) 366 /* Can't return positive return codes values to keyctl */ 367 rc = -EPERM; 368 return rc; 369} 370 371/* 372 * Lock a trusted key, by extending a selected PCR. 373 * 374 * Prevents a trusted key that is sealed to PCRs from being accessed. 375 * This uses the tpm driver's extend function. 376 */ 377static int pcrlock(const int pcrnum) 378{ 379 unsigned char hash[SHA1_DIGEST_SIZE]; 380 int ret; 381 382 if (!capable(CAP_SYS_ADMIN)) 383 return -EPERM; 384 ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE); 385 if (ret != SHA1_DIGEST_SIZE) 386 return ret; 387 return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0; 388} 389 390/* 391 * Create an object specific authorisation protocol (OSAP) session 392 */ 393static int osap(struct tpm_buf *tb, struct osapsess *s, 394 const unsigned char *key, uint16_t type, uint32_t handle) 395{ 396 unsigned char enonce[TPM_NONCE_SIZE]; 397 unsigned char ononce[TPM_NONCE_SIZE]; 398 int ret; 399 400 ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE); 401 if (ret != TPM_NONCE_SIZE) 402 return ret; 403 404 INIT_BUF(tb); 405 store16(tb, TPM_TAG_RQU_COMMAND); 406 store32(tb, TPM_OSAP_SIZE); 407 store32(tb, TPM_ORD_OSAP); 408 store16(tb, type); 409 store32(tb, handle); 410 storebytes(tb, ononce, TPM_NONCE_SIZE); 411 412 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 413 if (ret < 0) 414 return ret; 415 416 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 417 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 418 TPM_NONCE_SIZE); 419 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 420 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 421 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 422 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 423} 424 425/* 426 * Create an object independent authorisation protocol (oiap) session 427 */ 428static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 429{ 430 int ret; 431 432 INIT_BUF(tb); 433 store16(tb, TPM_TAG_RQU_COMMAND); 434 store32(tb, TPM_OIAP_SIZE); 435 store32(tb, TPM_ORD_OIAP); 436 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 437 if (ret < 0) 438 return ret; 439 440 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 441 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 442 TPM_NONCE_SIZE); 443 return 0; 444} 445 446struct tpm_digests { 447 unsigned char encauth[SHA1_DIGEST_SIZE]; 448 unsigned char pubauth[SHA1_DIGEST_SIZE]; 449 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 450 unsigned char xorhash[SHA1_DIGEST_SIZE]; 451 unsigned char nonceodd[TPM_NONCE_SIZE]; 452}; 453 454/* 455 * Have the TPM seal(encrypt) the trusted key, possibly based on 456 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 457 */ 458static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 459 uint32_t keyhandle, const unsigned char *keyauth, 460 const unsigned char *data, uint32_t datalen, 461 unsigned char *blob, uint32_t *bloblen, 462 const unsigned char *blobauth, 463 const unsigned char *pcrinfo, uint32_t pcrinfosize) 464{ 465 struct osapsess sess; 466 struct tpm_digests *td; 467 unsigned char cont; 468 uint32_t ordinal; 469 uint32_t pcrsize; 470 uint32_t datsize; 471 int sealinfosize; 472 int encdatasize; 473 int storedsize; 474 int ret; 475 int i; 476 477 /* alloc some work space for all the hashes */ 478 td = kmalloc(sizeof *td, GFP_KERNEL); 479 if (!td) 480 return -ENOMEM; 481 482 /* get session for sealing key */ 483 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 484 if (ret < 0) 485 goto out; 486 dump_sess(&sess); 487 488 /* calculate encrypted authorization value */ 489 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 490 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 491 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 492 if (ret < 0) 493 goto out; 494 495 ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE); 496 if (ret != TPM_NONCE_SIZE) 497 goto out; 498 ordinal = htonl(TPM_ORD_SEAL); 499 datsize = htonl(datalen); 500 pcrsize = htonl(pcrinfosize); 501 cont = 0; 502 503 /* encrypt data authorization key */ 504 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 505 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 506 507 /* calculate authorization HMAC value */ 508 if (pcrinfosize == 0) { 509 /* no pcr info specified */ 510 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 511 sess.enonce, td->nonceodd, cont, 512 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 513 td->encauth, sizeof(uint32_t), &pcrsize, 514 sizeof(uint32_t), &datsize, datalen, data, 0, 515 0); 516 } else { 517 /* pcr info specified */ 518 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 519 sess.enonce, td->nonceodd, cont, 520 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 521 td->encauth, sizeof(uint32_t), &pcrsize, 522 pcrinfosize, pcrinfo, sizeof(uint32_t), 523 &datsize, datalen, data, 0, 0); 524 } 525 if (ret < 0) 526 goto out; 527 528 /* build and send the TPM request packet */ 529 INIT_BUF(tb); 530 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); 531 store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen); 532 store32(tb, TPM_ORD_SEAL); 533 store32(tb, keyhandle); 534 storebytes(tb, td->encauth, SHA1_DIGEST_SIZE); 535 store32(tb, pcrinfosize); 536 storebytes(tb, pcrinfo, pcrinfosize); 537 store32(tb, datalen); 538 storebytes(tb, data, datalen); 539 store32(tb, sess.handle); 540 storebytes(tb, td->nonceodd, TPM_NONCE_SIZE); 541 store8(tb, cont); 542 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 543 544 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 545 if (ret < 0) 546 goto out; 547 548 /* calculate the size of the returned Blob */ 549 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 550 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 551 sizeof(uint32_t) + sealinfosize); 552 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 553 sizeof(uint32_t) + encdatasize; 554 555 /* check the HMAC in the response */ 556 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 557 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 558 0); 559 560 /* copy the returned blob to caller */ 561 if (!ret) { 562 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 563 *bloblen = storedsize; 564 } 565out: 566 kfree(td); 567 return ret; 568} 569 570/* 571 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 572 */ 573static int tpm_unseal(struct tpm_buf *tb, 574 uint32_t keyhandle, const unsigned char *keyauth, 575 const unsigned char *blob, int bloblen, 576 const unsigned char *blobauth, 577 unsigned char *data, unsigned int *datalen) 578{ 579 unsigned char nonceodd[TPM_NONCE_SIZE]; 580 unsigned char enonce1[TPM_NONCE_SIZE]; 581 unsigned char enonce2[TPM_NONCE_SIZE]; 582 unsigned char authdata1[SHA1_DIGEST_SIZE]; 583 unsigned char authdata2[SHA1_DIGEST_SIZE]; 584 uint32_t authhandle1 = 0; 585 uint32_t authhandle2 = 0; 586 unsigned char cont = 0; 587 uint32_t ordinal; 588 uint32_t keyhndl; 589 int ret; 590 591 /* sessions for unsealing key and data */ 592 ret = oiap(tb, &authhandle1, enonce1); 593 if (ret < 0) { 594 pr_info("trusted_key: oiap failed (%d)\n", ret); 595 return ret; 596 } 597 ret = oiap(tb, &authhandle2, enonce2); 598 if (ret < 0) { 599 pr_info("trusted_key: oiap failed (%d)\n", ret); 600 return ret; 601 } 602 603 ordinal = htonl(TPM_ORD_UNSEAL); 604 keyhndl = htonl(SRKHANDLE); 605 ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE); 606 if (ret != TPM_NONCE_SIZE) { 607 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 608 return ret; 609 } 610 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 611 enonce1, nonceodd, cont, sizeof(uint32_t), 612 &ordinal, bloblen, blob, 0, 0); 613 if (ret < 0) 614 return ret; 615 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 616 enonce2, nonceodd, cont, sizeof(uint32_t), 617 &ordinal, bloblen, blob, 0, 0); 618 if (ret < 0) 619 return ret; 620 621 /* build and send TPM request packet */ 622 INIT_BUF(tb); 623 store16(tb, TPM_TAG_RQU_AUTH2_COMMAND); 624 store32(tb, TPM_UNSEAL_SIZE + bloblen); 625 store32(tb, TPM_ORD_UNSEAL); 626 store32(tb, keyhandle); 627 storebytes(tb, blob, bloblen); 628 store32(tb, authhandle1); 629 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 630 store8(tb, cont); 631 storebytes(tb, authdata1, SHA1_DIGEST_SIZE); 632 store32(tb, authhandle2); 633 storebytes(tb, nonceodd, TPM_NONCE_SIZE); 634 store8(tb, cont); 635 storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 636 637 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 638 if (ret < 0) { 639 pr_info("trusted_key: authhmac failed (%d)\n", ret); 640 return ret; 641 } 642 643 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 644 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 645 keyauth, SHA1_DIGEST_SIZE, 646 blobauth, SHA1_DIGEST_SIZE, 647 sizeof(uint32_t), TPM_DATA_OFFSET, 648 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 649 0); 650 if (ret < 0) { 651 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 652 return ret; 653 } 654 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 655 return 0; 656} 657 658/* 659 * Have the TPM seal(encrypt) the symmetric key 660 */ 661static int key_seal(struct trusted_key_payload *p, 662 struct trusted_key_options *o) 663{ 664 struct tpm_buf *tb; 665 int ret; 666 667 tb = kzalloc(sizeof *tb, GFP_KERNEL); 668 if (!tb) 669 return -ENOMEM; 670 671 /* include migratable flag at end of sealed key */ 672 p->key[p->key_len] = p->migratable; 673 674 ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth, 675 p->key, p->key_len + 1, p->blob, &p->blob_len, 676 o->blobauth, o->pcrinfo, o->pcrinfo_len); 677 if (ret < 0) 678 pr_info("trusted_key: srkseal failed (%d)\n", ret); 679 680 kfree(tb); 681 return ret; 682} 683 684/* 685 * Have the TPM unseal(decrypt) the symmetric key 686 */ 687static int key_unseal(struct trusted_key_payload *p, 688 struct trusted_key_options *o) 689{ 690 struct tpm_buf *tb; 691 int ret; 692 693 tb = kzalloc(sizeof *tb, GFP_KERNEL); 694 if (!tb) 695 return -ENOMEM; 696 697 ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 698 o->blobauth, p->key, &p->key_len); 699 if (ret < 0) 700 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 701 else 702 /* pull migratable flag out of sealed key */ 703 p->migratable = p->key[--p->key_len]; 704 705 kfree(tb); 706 return ret; 707} 708 709enum { 710 Opt_err = -1, 711 Opt_new, Opt_load, Opt_update, 712 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 713 Opt_pcrinfo, Opt_pcrlock, Opt_migratable 714}; 715 716static const match_table_t key_tokens = { 717 {Opt_new, "new"}, 718 {Opt_load, "load"}, 719 {Opt_update, "update"}, 720 {Opt_keyhandle, "keyhandle=%s"}, 721 {Opt_keyauth, "keyauth=%s"}, 722 {Opt_blobauth, "blobauth=%s"}, 723 {Opt_pcrinfo, "pcrinfo=%s"}, 724 {Opt_pcrlock, "pcrlock=%s"}, 725 {Opt_migratable, "migratable=%s"}, 726 {Opt_err, NULL} 727}; 728 729/* can have zero or more token= options */ 730static int getoptions(char *c, struct trusted_key_payload *pay, 731 struct trusted_key_options *opt) 732{ 733 substring_t args[MAX_OPT_ARGS]; 734 char *p = c; 735 int token; 736 int res; 737 unsigned long handle; 738 unsigned long lock; 739 740 while ((p = strsep(&c, " \t"))) { 741 if (*p == '\0' || *p == ' ' || *p == '\t') 742 continue; 743 token = match_token(p, key_tokens, args); 744 745 switch (token) { 746 case Opt_pcrinfo: 747 opt->pcrinfo_len = strlen(args[0].from) / 2; 748 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 749 return -EINVAL; 750 res = hex2bin(opt->pcrinfo, args[0].from, 751 opt->pcrinfo_len); 752 if (res < 0) 753 return -EINVAL; 754 break; 755 case Opt_keyhandle: 756 res = kstrtoul(args[0].from, 16, &handle); 757 if (res < 0) 758 return -EINVAL; 759 opt->keytype = SEAL_keytype; 760 opt->keyhandle = handle; 761 break; 762 case Opt_keyauth: 763 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 764 return -EINVAL; 765 res = hex2bin(opt->keyauth, args[0].from, 766 SHA1_DIGEST_SIZE); 767 if (res < 0) 768 return -EINVAL; 769 break; 770 case Opt_blobauth: 771 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 772 return -EINVAL; 773 res = hex2bin(opt->blobauth, args[0].from, 774 SHA1_DIGEST_SIZE); 775 if (res < 0) 776 return -EINVAL; 777 break; 778 case Opt_migratable: 779 if (*args[0].from == '0') 780 pay->migratable = 0; 781 else 782 return -EINVAL; 783 break; 784 case Opt_pcrlock: 785 res = kstrtoul(args[0].from, 10, &lock); 786 if (res < 0) 787 return -EINVAL; 788 opt->pcrlock = lock; 789 break; 790 default: 791 return -EINVAL; 792 } 793 } 794 return 0; 795} 796 797/* 798 * datablob_parse - parse the keyctl data and fill in the 799 * payload and options structures 800 * 801 * On success returns 0, otherwise -EINVAL. 802 */ 803static int datablob_parse(char *datablob, struct trusted_key_payload *p, 804 struct trusted_key_options *o) 805{ 806 substring_t args[MAX_OPT_ARGS]; 807 long keylen; 808 int ret = -EINVAL; 809 int key_cmd; 810 char *c; 811 812 /* main command */ 813 c = strsep(&datablob, " \t"); 814 if (!c) 815 return -EINVAL; 816 key_cmd = match_token(c, key_tokens, args); 817 switch (key_cmd) { 818 case Opt_new: 819 /* first argument is key size */ 820 c = strsep(&datablob, " \t"); 821 if (!c) 822 return -EINVAL; 823 ret = kstrtol(c, 10, &keylen); 824 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 825 return -EINVAL; 826 p->key_len = keylen; 827 ret = getoptions(datablob, p, o); 828 if (ret < 0) 829 return ret; 830 ret = Opt_new; 831 break; 832 case Opt_load: 833 /* first argument is sealed blob */ 834 c = strsep(&datablob, " \t"); 835 if (!c) 836 return -EINVAL; 837 p->blob_len = strlen(c) / 2; 838 if (p->blob_len > MAX_BLOB_SIZE) 839 return -EINVAL; 840 ret = hex2bin(p->blob, c, p->blob_len); 841 if (ret < 0) 842 return -EINVAL; 843 ret = getoptions(datablob, p, o); 844 if (ret < 0) 845 return ret; 846 ret = Opt_load; 847 break; 848 case Opt_update: 849 /* all arguments are options */ 850 ret = getoptions(datablob, p, o); 851 if (ret < 0) 852 return ret; 853 ret = Opt_update; 854 break; 855 case Opt_err: 856 return -EINVAL; 857 break; 858 } 859 return ret; 860} 861 862static struct trusted_key_options *trusted_options_alloc(void) 863{ 864 struct trusted_key_options *options; 865 866 options = kzalloc(sizeof *options, GFP_KERNEL); 867 if (options) { 868 /* set any non-zero defaults */ 869 options->keytype = SRK_keytype; 870 options->keyhandle = SRKHANDLE; 871 } 872 return options; 873} 874 875static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 876{ 877 struct trusted_key_payload *p = NULL; 878 int ret; 879 880 ret = key_payload_reserve(key, sizeof *p); 881 if (ret < 0) 882 return p; 883 p = kzalloc(sizeof *p, GFP_KERNEL); 884 if (p) 885 p->migratable = 1; /* migratable by default */ 886 return p; 887} 888 889/* 890 * trusted_instantiate - create a new trusted key 891 * 892 * Unseal an existing trusted blob or, for a new key, get a 893 * random key, then seal and create a trusted key-type key, 894 * adding it to the specified keyring. 895 * 896 * On success, return 0. Otherwise return errno. 897 */ 898static int trusted_instantiate(struct key *key, 899 struct key_preparsed_payload *prep) 900{ 901 struct trusted_key_payload *payload = NULL; 902 struct trusted_key_options *options = NULL; 903 size_t datalen = prep->datalen; 904 char *datablob; 905 int ret = 0; 906 int key_cmd; 907 size_t key_len; 908 909 if (datalen <= 0 || datalen > 32767 || !prep->data) 910 return -EINVAL; 911 912 datablob = kmalloc(datalen + 1, GFP_KERNEL); 913 if (!datablob) 914 return -ENOMEM; 915 memcpy(datablob, prep->data, datalen); 916 datablob[datalen] = '\0'; 917 918 options = trusted_options_alloc(); 919 if (!options) { 920 ret = -ENOMEM; 921 goto out; 922 } 923 payload = trusted_payload_alloc(key); 924 if (!payload) { 925 ret = -ENOMEM; 926 goto out; 927 } 928 929 key_cmd = datablob_parse(datablob, payload, options); 930 if (key_cmd < 0) { 931 ret = key_cmd; 932 goto out; 933 } 934 935 dump_payload(payload); 936 dump_options(options); 937 938 switch (key_cmd) { 939 case Opt_load: 940 ret = key_unseal(payload, options); 941 dump_payload(payload); 942 dump_options(options); 943 if (ret < 0) 944 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 945 break; 946 case Opt_new: 947 key_len = payload->key_len; 948 ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len); 949 if (ret != key_len) { 950 pr_info("trusted_key: key_create failed (%d)\n", ret); 951 goto out; 952 } 953 ret = key_seal(payload, options); 954 if (ret < 0) 955 pr_info("trusted_key: key_seal failed (%d)\n", ret); 956 break; 957 default: 958 ret = -EINVAL; 959 goto out; 960 } 961 if (!ret && options->pcrlock) 962 ret = pcrlock(options->pcrlock); 963out: 964 kfree(datablob); 965 kfree(options); 966 if (!ret) 967 rcu_assign_keypointer(key, payload); 968 else 969 kfree(payload); 970 return ret; 971} 972 973static void trusted_rcu_free(struct rcu_head *rcu) 974{ 975 struct trusted_key_payload *p; 976 977 p = container_of(rcu, struct trusted_key_payload, rcu); 978 memset(p->key, 0, p->key_len); 979 kfree(p); 980} 981 982/* 983 * trusted_update - reseal an existing key with new PCR values 984 */ 985static int trusted_update(struct key *key, struct key_preparsed_payload *prep) 986{ 987 struct trusted_key_payload *p; 988 struct trusted_key_payload *new_p; 989 struct trusted_key_options *new_o; 990 size_t datalen = prep->datalen; 991 char *datablob; 992 int ret = 0; 993 994 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) 995 return -ENOKEY; 996 p = key->payload.data; 997 if (!p->migratable) 998 return -EPERM; 999 if (datalen <= 0 || datalen > 32767 || !prep->data) 1000 return -EINVAL; 1001 1002 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1003 if (!datablob) 1004 return -ENOMEM; 1005 new_o = trusted_options_alloc(); 1006 if (!new_o) { 1007 ret = -ENOMEM; 1008 goto out; 1009 } 1010 new_p = trusted_payload_alloc(key); 1011 if (!new_p) { 1012 ret = -ENOMEM; 1013 goto out; 1014 } 1015 1016 memcpy(datablob, prep->data, datalen); 1017 datablob[datalen] = '\0'; 1018 ret = datablob_parse(datablob, new_p, new_o); 1019 if (ret != Opt_update) { 1020 ret = -EINVAL; 1021 kfree(new_p); 1022 goto out; 1023 } 1024 /* copy old key values, and reseal with new pcrs */ 1025 new_p->migratable = p->migratable; 1026 new_p->key_len = p->key_len; 1027 memcpy(new_p->key, p->key, p->key_len); 1028 dump_payload(p); 1029 dump_payload(new_p); 1030 1031 ret = key_seal(new_p, new_o); 1032 if (ret < 0) { 1033 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1034 kfree(new_p); 1035 goto out; 1036 } 1037 if (new_o->pcrlock) { 1038 ret = pcrlock(new_o->pcrlock); 1039 if (ret < 0) { 1040 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1041 kfree(new_p); 1042 goto out; 1043 } 1044 } 1045 rcu_assign_keypointer(key, new_p); 1046 call_rcu(&p->rcu, trusted_rcu_free); 1047out: 1048 kfree(datablob); 1049 kfree(new_o); 1050 return ret; 1051} 1052 1053/* 1054 * trusted_read - copy the sealed blob data to userspace in hex. 1055 * On success, return to userspace the trusted key datablob size. 1056 */ 1057static long trusted_read(const struct key *key, char __user *buffer, 1058 size_t buflen) 1059{ 1060 struct trusted_key_payload *p; 1061 char *ascii_buf; 1062 char *bufp; 1063 int i; 1064 1065 p = rcu_dereference_key(key); 1066 if (!p) 1067 return -EINVAL; 1068 if (!buffer || buflen <= 0) 1069 return 2 * p->blob_len; 1070 ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL); 1071 if (!ascii_buf) 1072 return -ENOMEM; 1073 1074 bufp = ascii_buf; 1075 for (i = 0; i < p->blob_len; i++) 1076 bufp = hex_byte_pack(bufp, p->blob[i]); 1077 if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) { 1078 kfree(ascii_buf); 1079 return -EFAULT; 1080 } 1081 kfree(ascii_buf); 1082 return 2 * p->blob_len; 1083} 1084 1085/* 1086 * trusted_destroy - before freeing the key, clear the decrypted data 1087 */ 1088static void trusted_destroy(struct key *key) 1089{ 1090 struct trusted_key_payload *p = key->payload.data; 1091 1092 if (!p) 1093 return; 1094 memset(p->key, 0, p->key_len); 1095 kfree(key->payload.data); 1096} 1097 1098struct key_type key_type_trusted = { 1099 .name = "trusted", 1100 .instantiate = trusted_instantiate, 1101 .update = trusted_update, 1102 .destroy = trusted_destroy, 1103 .describe = user_describe, 1104 .read = trusted_read, 1105}; 1106 1107EXPORT_SYMBOL_GPL(key_type_trusted); 1108 1109static void trusted_shash_release(void) 1110{ 1111 if (hashalg) 1112 crypto_free_shash(hashalg); 1113 if (hmacalg) 1114 crypto_free_shash(hmacalg); 1115} 1116 1117static int __init trusted_shash_alloc(void) 1118{ 1119 int ret; 1120 1121 hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC); 1122 if (IS_ERR(hmacalg)) { 1123 pr_info("trusted_key: could not allocate crypto %s\n", 1124 hmac_alg); 1125 return PTR_ERR(hmacalg); 1126 } 1127 1128 hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC); 1129 if (IS_ERR(hashalg)) { 1130 pr_info("trusted_key: could not allocate crypto %s\n", 1131 hash_alg); 1132 ret = PTR_ERR(hashalg); 1133 goto hashalg_fail; 1134 } 1135 1136 return 0; 1137 1138hashalg_fail: 1139 crypto_free_shash(hmacalg); 1140 return ret; 1141} 1142 1143static int __init init_trusted(void) 1144{ 1145 int ret; 1146 1147 ret = trusted_shash_alloc(); 1148 if (ret < 0) 1149 return ret; 1150 ret = register_key_type(&key_type_trusted); 1151 if (ret < 0) 1152 trusted_shash_release(); 1153 return ret; 1154} 1155 1156static void __exit cleanup_trusted(void) 1157{ 1158 trusted_shash_release(); 1159 unregister_key_type(&key_type_trusted); 1160} 1161 1162late_initcall(init_trusted); 1163module_exit(cleanup_trusted); 1164 1165MODULE_LICENSE("GPL"); 1166