linux/security/keys/trusted.c
<<
>>
Prefs
   1/*
   2 * Copyright (C) 2010 IBM Corporation
   3 *
   4 * Author:
   5 * David Safford <safford@us.ibm.com>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation, version 2 of the License.
  10 *
  11 * See Documentation/security/keys/trusted-encrypted.rst
  12 */
  13
  14#include <crypto/hash_info.h>
  15#include <linux/uaccess.h>
  16#include <linux/module.h>
  17#include <linux/init.h>
  18#include <linux/slab.h>
  19#include <linux/parser.h>
  20#include <linux/string.h>
  21#include <linux/err.h>
  22#include <keys/user-type.h>
  23#include <keys/trusted-type.h>
  24#include <linux/key-type.h>
  25#include <linux/rcupdate.h>
  26#include <linux/crypto.h>
  27#include <crypto/hash.h>
  28#include <crypto/sha.h>
  29#include <linux/capability.h>
  30#include <linux/tpm.h>
  31#include <linux/tpm_command.h>
  32
  33#include "trusted.h"
  34
  35static const char hmac_alg[] = "hmac(sha1)";
  36static const char hash_alg[] = "sha1";
  37
  38struct sdesc {
  39        struct shash_desc shash;
  40        char ctx[];
  41};
  42
  43static struct crypto_shash *hashalg;
  44static struct crypto_shash *hmacalg;
  45
  46static struct sdesc *init_sdesc(struct crypto_shash *alg)
  47{
  48        struct sdesc *sdesc;
  49        int size;
  50
  51        size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  52        sdesc = kmalloc(size, GFP_KERNEL);
  53        if (!sdesc)
  54                return ERR_PTR(-ENOMEM);
  55        sdesc->shash.tfm = alg;
  56        sdesc->shash.flags = 0x0;
  57        return sdesc;
  58}
  59
  60static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  61                    unsigned char *digest)
  62{
  63        struct sdesc *sdesc;
  64        int ret;
  65
  66        sdesc = init_sdesc(hashalg);
  67        if (IS_ERR(sdesc)) {
  68                pr_info("trusted_key: can't alloc %s\n", hash_alg);
  69                return PTR_ERR(sdesc);
  70        }
  71
  72        ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  73        kzfree(sdesc);
  74        return ret;
  75}
  76
  77static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  78                       unsigned int keylen, ...)
  79{
  80        struct sdesc *sdesc;
  81        va_list argp;
  82        unsigned int dlen;
  83        unsigned char *data;
  84        int ret;
  85
  86        sdesc = init_sdesc(hmacalg);
  87        if (IS_ERR(sdesc)) {
  88                pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  89                return PTR_ERR(sdesc);
  90        }
  91
  92        ret = crypto_shash_setkey(hmacalg, key, keylen);
  93        if (ret < 0)
  94                goto out;
  95        ret = crypto_shash_init(&sdesc->shash);
  96        if (ret < 0)
  97                goto out;
  98
  99        va_start(argp, keylen);
 100        for (;;) {
 101                dlen = va_arg(argp, unsigned int);
 102                if (dlen == 0)
 103                        break;
 104                data = va_arg(argp, unsigned char *);
 105                if (data == NULL) {
 106                        ret = -EINVAL;
 107                        break;
 108                }
 109                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 110                if (ret < 0)
 111                        break;
 112        }
 113        va_end(argp);
 114        if (!ret)
 115                ret = crypto_shash_final(&sdesc->shash, digest);
 116out:
 117        kzfree(sdesc);
 118        return ret;
 119}
 120
 121/*
 122 * calculate authorization info fields to send to TPM
 123 */
 124static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
 125                        unsigned int keylen, unsigned char *h1,
 126                        unsigned char *h2, unsigned char h3, ...)
 127{
 128        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 129        struct sdesc *sdesc;
 130        unsigned int dlen;
 131        unsigned char *data;
 132        unsigned char c;
 133        int ret;
 134        va_list argp;
 135
 136        sdesc = init_sdesc(hashalg);
 137        if (IS_ERR(sdesc)) {
 138                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 139                return PTR_ERR(sdesc);
 140        }
 141
 142        c = h3;
 143        ret = crypto_shash_init(&sdesc->shash);
 144        if (ret < 0)
 145                goto out;
 146        va_start(argp, h3);
 147        for (;;) {
 148                dlen = va_arg(argp, unsigned int);
 149                if (dlen == 0)
 150                        break;
 151                data = va_arg(argp, unsigned char *);
 152                if (!data) {
 153                        ret = -EINVAL;
 154                        break;
 155                }
 156                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 157                if (ret < 0)
 158                        break;
 159        }
 160        va_end(argp);
 161        if (!ret)
 162                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 163        if (!ret)
 164                ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
 165                                  paramdigest, TPM_NONCE_SIZE, h1,
 166                                  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
 167out:
 168        kzfree(sdesc);
 169        return ret;
 170}
 171
 172/*
 173 * verify the AUTH1_COMMAND (Seal) result from TPM
 174 */
 175static int TSS_checkhmac1(unsigned char *buffer,
 176                          const uint32_t command,
 177                          const unsigned char *ononce,
 178                          const unsigned char *key,
 179                          unsigned int keylen, ...)
 180{
 181        uint32_t bufsize;
 182        uint16_t tag;
 183        uint32_t ordinal;
 184        uint32_t result;
 185        unsigned char *enonce;
 186        unsigned char *continueflag;
 187        unsigned char *authdata;
 188        unsigned char testhmac[SHA1_DIGEST_SIZE];
 189        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 190        struct sdesc *sdesc;
 191        unsigned int dlen;
 192        unsigned int dpos;
 193        va_list argp;
 194        int ret;
 195
 196        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 197        tag = LOAD16(buffer, 0);
 198        ordinal = command;
 199        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 200        if (tag == TPM_TAG_RSP_COMMAND)
 201                return 0;
 202        if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
 203                return -EINVAL;
 204        authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
 205        continueflag = authdata - 1;
 206        enonce = continueflag - TPM_NONCE_SIZE;
 207
 208        sdesc = init_sdesc(hashalg);
 209        if (IS_ERR(sdesc)) {
 210                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 211                return PTR_ERR(sdesc);
 212        }
 213        ret = crypto_shash_init(&sdesc->shash);
 214        if (ret < 0)
 215                goto out;
 216        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 217                                  sizeof result);
 218        if (ret < 0)
 219                goto out;
 220        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 221                                  sizeof ordinal);
 222        if (ret < 0)
 223                goto out;
 224        va_start(argp, keylen);
 225        for (;;) {
 226                dlen = va_arg(argp, unsigned int);
 227                if (dlen == 0)
 228                        break;
 229                dpos = va_arg(argp, unsigned int);
 230                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 231                if (ret < 0)
 232                        break;
 233        }
 234        va_end(argp);
 235        if (!ret)
 236                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 237        if (ret < 0)
 238                goto out;
 239
 240        ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
 241                          TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
 242                          1, continueflag, 0, 0);
 243        if (ret < 0)
 244                goto out;
 245
 246        if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
 247                ret = -EINVAL;
 248out:
 249        kzfree(sdesc);
 250        return ret;
 251}
 252
 253/*
 254 * verify the AUTH2_COMMAND (unseal) result from TPM
 255 */
 256static int TSS_checkhmac2(unsigned char *buffer,
 257                          const uint32_t command,
 258                          const unsigned char *ononce,
 259                          const unsigned char *key1,
 260                          unsigned int keylen1,
 261                          const unsigned char *key2,
 262                          unsigned int keylen2, ...)
 263{
 264        uint32_t bufsize;
 265        uint16_t tag;
 266        uint32_t ordinal;
 267        uint32_t result;
 268        unsigned char *enonce1;
 269        unsigned char *continueflag1;
 270        unsigned char *authdata1;
 271        unsigned char *enonce2;
 272        unsigned char *continueflag2;
 273        unsigned char *authdata2;
 274        unsigned char testhmac1[SHA1_DIGEST_SIZE];
 275        unsigned char testhmac2[SHA1_DIGEST_SIZE];
 276        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 277        struct sdesc *sdesc;
 278        unsigned int dlen;
 279        unsigned int dpos;
 280        va_list argp;
 281        int ret;
 282
 283        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 284        tag = LOAD16(buffer, 0);
 285        ordinal = command;
 286        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 287
 288        if (tag == TPM_TAG_RSP_COMMAND)
 289                return 0;
 290        if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
 291                return -EINVAL;
 292        authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
 293                        + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
 294        authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
 295        continueflag1 = authdata1 - 1;
 296        continueflag2 = authdata2 - 1;
 297        enonce1 = continueflag1 - TPM_NONCE_SIZE;
 298        enonce2 = continueflag2 - TPM_NONCE_SIZE;
 299
 300        sdesc = init_sdesc(hashalg);
 301        if (IS_ERR(sdesc)) {
 302                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 303                return PTR_ERR(sdesc);
 304        }
 305        ret = crypto_shash_init(&sdesc->shash);
 306        if (ret < 0)
 307                goto out;
 308        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 309                                  sizeof result);
 310        if (ret < 0)
 311                goto out;
 312        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 313                                  sizeof ordinal);
 314        if (ret < 0)
 315                goto out;
 316
 317        va_start(argp, keylen2);
 318        for (;;) {
 319                dlen = va_arg(argp, unsigned int);
 320                if (dlen == 0)
 321                        break;
 322                dpos = va_arg(argp, unsigned int);
 323                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 324                if (ret < 0)
 325                        break;
 326        }
 327        va_end(argp);
 328        if (!ret)
 329                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 330        if (ret < 0)
 331                goto out;
 332
 333        ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
 334                          paramdigest, TPM_NONCE_SIZE, enonce1,
 335                          TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
 336        if (ret < 0)
 337                goto out;
 338        if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
 339                ret = -EINVAL;
 340                goto out;
 341        }
 342        ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
 343                          paramdigest, TPM_NONCE_SIZE, enonce2,
 344                          TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
 345        if (ret < 0)
 346                goto out;
 347        if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 348                ret = -EINVAL;
 349out:
 350        kzfree(sdesc);
 351        return ret;
 352}
 353
 354/*
 355 * For key specific tpm requests, we will generate and send our
 356 * own TPM command packets using the drivers send function.
 357 */
 358static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
 359{
 360        int rc;
 361
 362        dump_tpm_buf(cmd);
 363        rc = tpm_send(NULL, cmd, buflen);
 364        dump_tpm_buf(cmd);
 365        if (rc > 0)
 366                /* Can't return positive return codes values to keyctl */
 367                rc = -EPERM;
 368        return rc;
 369}
 370
 371/*
 372 * Lock a trusted key, by extending a selected PCR.
 373 *
 374 * Prevents a trusted key that is sealed to PCRs from being accessed.
 375 * This uses the tpm driver's extend function.
 376 */
 377static int pcrlock(const int pcrnum)
 378{
 379        unsigned char hash[SHA1_DIGEST_SIZE];
 380        int ret;
 381
 382        if (!capable(CAP_SYS_ADMIN))
 383                return -EPERM;
 384        ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
 385        if (ret != SHA1_DIGEST_SIZE)
 386                return ret;
 387        return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
 388}
 389
 390/*
 391 * Create an object specific authorisation protocol (OSAP) session
 392 */
 393static int osap(struct tpm_buf *tb, struct osapsess *s,
 394                const unsigned char *key, uint16_t type, uint32_t handle)
 395{
 396        unsigned char enonce[TPM_NONCE_SIZE];
 397        unsigned char ononce[TPM_NONCE_SIZE];
 398        int ret;
 399
 400        ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
 401        if (ret != TPM_NONCE_SIZE)
 402                return ret;
 403
 404        INIT_BUF(tb);
 405        store16(tb, TPM_TAG_RQU_COMMAND);
 406        store32(tb, TPM_OSAP_SIZE);
 407        store32(tb, TPM_ORD_OSAP);
 408        store16(tb, type);
 409        store32(tb, handle);
 410        storebytes(tb, ononce, TPM_NONCE_SIZE);
 411
 412        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 413        if (ret < 0)
 414                return ret;
 415
 416        s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 417        memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
 418               TPM_NONCE_SIZE);
 419        memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
 420                                  TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
 421        return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
 422                           enonce, TPM_NONCE_SIZE, ononce, 0, 0);
 423}
 424
 425/*
 426 * Create an object independent authorisation protocol (oiap) session
 427 */
 428static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
 429{
 430        int ret;
 431
 432        INIT_BUF(tb);
 433        store16(tb, TPM_TAG_RQU_COMMAND);
 434        store32(tb, TPM_OIAP_SIZE);
 435        store32(tb, TPM_ORD_OIAP);
 436        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 437        if (ret < 0)
 438                return ret;
 439
 440        *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 441        memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
 442               TPM_NONCE_SIZE);
 443        return 0;
 444}
 445
 446struct tpm_digests {
 447        unsigned char encauth[SHA1_DIGEST_SIZE];
 448        unsigned char pubauth[SHA1_DIGEST_SIZE];
 449        unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
 450        unsigned char xorhash[SHA1_DIGEST_SIZE];
 451        unsigned char nonceodd[TPM_NONCE_SIZE];
 452};
 453
 454/*
 455 * Have the TPM seal(encrypt) the trusted key, possibly based on
 456 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
 457 */
 458static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 459                    uint32_t keyhandle, const unsigned char *keyauth,
 460                    const unsigned char *data, uint32_t datalen,
 461                    unsigned char *blob, uint32_t *bloblen,
 462                    const unsigned char *blobauth,
 463                    const unsigned char *pcrinfo, uint32_t pcrinfosize)
 464{
 465        struct osapsess sess;
 466        struct tpm_digests *td;
 467        unsigned char cont;
 468        uint32_t ordinal;
 469        uint32_t pcrsize;
 470        uint32_t datsize;
 471        int sealinfosize;
 472        int encdatasize;
 473        int storedsize;
 474        int ret;
 475        int i;
 476
 477        /* alloc some work space for all the hashes */
 478        td = kmalloc(sizeof *td, GFP_KERNEL);
 479        if (!td)
 480                return -ENOMEM;
 481
 482        /* get session for sealing key */
 483        ret = osap(tb, &sess, keyauth, keytype, keyhandle);
 484        if (ret < 0)
 485                goto out;
 486        dump_sess(&sess);
 487
 488        /* calculate encrypted authorization value */
 489        memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
 490        memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
 491        ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
 492        if (ret < 0)
 493                goto out;
 494
 495        ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
 496        if (ret != TPM_NONCE_SIZE)
 497                goto out;
 498        ordinal = htonl(TPM_ORD_SEAL);
 499        datsize = htonl(datalen);
 500        pcrsize = htonl(pcrinfosize);
 501        cont = 0;
 502
 503        /* encrypt data authorization key */
 504        for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
 505                td->encauth[i] = td->xorhash[i] ^ blobauth[i];
 506
 507        /* calculate authorization HMAC value */
 508        if (pcrinfosize == 0) {
 509                /* no pcr info specified */
 510                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 511                                   sess.enonce, td->nonceodd, cont,
 512                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 513                                   td->encauth, sizeof(uint32_t), &pcrsize,
 514                                   sizeof(uint32_t), &datsize, datalen, data, 0,
 515                                   0);
 516        } else {
 517                /* pcr info specified */
 518                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 519                                   sess.enonce, td->nonceodd, cont,
 520                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 521                                   td->encauth, sizeof(uint32_t), &pcrsize,
 522                                   pcrinfosize, pcrinfo, sizeof(uint32_t),
 523                                   &datsize, datalen, data, 0, 0);
 524        }
 525        if (ret < 0)
 526                goto out;
 527
 528        /* build and send the TPM request packet */
 529        INIT_BUF(tb);
 530        store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
 531        store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
 532        store32(tb, TPM_ORD_SEAL);
 533        store32(tb, keyhandle);
 534        storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
 535        store32(tb, pcrinfosize);
 536        storebytes(tb, pcrinfo, pcrinfosize);
 537        store32(tb, datalen);
 538        storebytes(tb, data, datalen);
 539        store32(tb, sess.handle);
 540        storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
 541        store8(tb, cont);
 542        storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
 543
 544        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 545        if (ret < 0)
 546                goto out;
 547
 548        /* calculate the size of the returned Blob */
 549        sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
 550        encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
 551                             sizeof(uint32_t) + sealinfosize);
 552        storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
 553            sizeof(uint32_t) + encdatasize;
 554
 555        /* check the HMAC in the response */
 556        ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
 557                             SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
 558                             0);
 559
 560        /* copy the returned blob to caller */
 561        if (!ret) {
 562                memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
 563                *bloblen = storedsize;
 564        }
 565out:
 566        kzfree(td);
 567        return ret;
 568}
 569
 570/*
 571 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
 572 */
 573static int tpm_unseal(struct tpm_buf *tb,
 574                      uint32_t keyhandle, const unsigned char *keyauth,
 575                      const unsigned char *blob, int bloblen,
 576                      const unsigned char *blobauth,
 577                      unsigned char *data, unsigned int *datalen)
 578{
 579        unsigned char nonceodd[TPM_NONCE_SIZE];
 580        unsigned char enonce1[TPM_NONCE_SIZE];
 581        unsigned char enonce2[TPM_NONCE_SIZE];
 582        unsigned char authdata1[SHA1_DIGEST_SIZE];
 583        unsigned char authdata2[SHA1_DIGEST_SIZE];
 584        uint32_t authhandle1 = 0;
 585        uint32_t authhandle2 = 0;
 586        unsigned char cont = 0;
 587        uint32_t ordinal;
 588        uint32_t keyhndl;
 589        int ret;
 590
 591        /* sessions for unsealing key and data */
 592        ret = oiap(tb, &authhandle1, enonce1);
 593        if (ret < 0) {
 594                pr_info("trusted_key: oiap failed (%d)\n", ret);
 595                return ret;
 596        }
 597        ret = oiap(tb, &authhandle2, enonce2);
 598        if (ret < 0) {
 599                pr_info("trusted_key: oiap failed (%d)\n", ret);
 600                return ret;
 601        }
 602
 603        ordinal = htonl(TPM_ORD_UNSEAL);
 604        keyhndl = htonl(SRKHANDLE);
 605        ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
 606        if (ret != TPM_NONCE_SIZE) {
 607                pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
 608                return ret;
 609        }
 610        ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
 611                           enonce1, nonceodd, cont, sizeof(uint32_t),
 612                           &ordinal, bloblen, blob, 0, 0);
 613        if (ret < 0)
 614                return ret;
 615        ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
 616                           enonce2, nonceodd, cont, sizeof(uint32_t),
 617                           &ordinal, bloblen, blob, 0, 0);
 618        if (ret < 0)
 619                return ret;
 620
 621        /* build and send TPM request packet */
 622        INIT_BUF(tb);
 623        store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
 624        store32(tb, TPM_UNSEAL_SIZE + bloblen);
 625        store32(tb, TPM_ORD_UNSEAL);
 626        store32(tb, keyhandle);
 627        storebytes(tb, blob, bloblen);
 628        store32(tb, authhandle1);
 629        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 630        store8(tb, cont);
 631        storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
 632        store32(tb, authhandle2);
 633        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 634        store8(tb, cont);
 635        storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
 636
 637        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 638        if (ret < 0) {
 639                pr_info("trusted_key: authhmac failed (%d)\n", ret);
 640                return ret;
 641        }
 642
 643        *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
 644        ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
 645                             keyauth, SHA1_DIGEST_SIZE,
 646                             blobauth, SHA1_DIGEST_SIZE,
 647                             sizeof(uint32_t), TPM_DATA_OFFSET,
 648                             *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
 649                             0);
 650        if (ret < 0) {
 651                pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
 652                return ret;
 653        }
 654        memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
 655        return 0;
 656}
 657
 658/*
 659 * Have the TPM seal(encrypt) the symmetric key
 660 */
 661static int key_seal(struct trusted_key_payload *p,
 662                    struct trusted_key_options *o)
 663{
 664        struct tpm_buf *tb;
 665        int ret;
 666
 667        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 668        if (!tb)
 669                return -ENOMEM;
 670
 671        /* include migratable flag at end of sealed key */
 672        p->key[p->key_len] = p->migratable;
 673
 674        ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
 675                       p->key, p->key_len + 1, p->blob, &p->blob_len,
 676                       o->blobauth, o->pcrinfo, o->pcrinfo_len);
 677        if (ret < 0)
 678                pr_info("trusted_key: srkseal failed (%d)\n", ret);
 679
 680        kzfree(tb);
 681        return ret;
 682}
 683
 684/*
 685 * Have the TPM unseal(decrypt) the symmetric key
 686 */
 687static int key_unseal(struct trusted_key_payload *p,
 688                      struct trusted_key_options *o)
 689{
 690        struct tpm_buf *tb;
 691        int ret;
 692
 693        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 694        if (!tb)
 695                return -ENOMEM;
 696
 697        ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
 698                         o->blobauth, p->key, &p->key_len);
 699        if (ret < 0)
 700                pr_info("trusted_key: srkunseal failed (%d)\n", ret);
 701        else
 702                /* pull migratable flag out of sealed key */
 703                p->migratable = p->key[--p->key_len];
 704
 705        kzfree(tb);
 706        return ret;
 707}
 708
 709enum {
 710        Opt_err = -1,
 711        Opt_new, Opt_load, Opt_update,
 712        Opt_keyhandle, Opt_keyauth, Opt_blobauth,
 713        Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
 714        Opt_hash,
 715        Opt_policydigest,
 716        Opt_policyhandle,
 717};
 718
 719static const match_table_t key_tokens = {
 720        {Opt_new, "new"},
 721        {Opt_load, "load"},
 722        {Opt_update, "update"},
 723        {Opt_keyhandle, "keyhandle=%s"},
 724        {Opt_keyauth, "keyauth=%s"},
 725        {Opt_blobauth, "blobauth=%s"},
 726        {Opt_pcrinfo, "pcrinfo=%s"},
 727        {Opt_pcrlock, "pcrlock=%s"},
 728        {Opt_migratable, "migratable=%s"},
 729        {Opt_hash, "hash=%s"},
 730        {Opt_policydigest, "policydigest=%s"},
 731        {Opt_policyhandle, "policyhandle=%s"},
 732        {Opt_err, NULL}
 733};
 734
 735/* can have zero or more token= options */
 736static int getoptions(char *c, struct trusted_key_payload *pay,
 737                      struct trusted_key_options *opt)
 738{
 739        substring_t args[MAX_OPT_ARGS];
 740        char *p = c;
 741        int token;
 742        int res;
 743        unsigned long handle;
 744        unsigned long lock;
 745        unsigned long token_mask = 0;
 746        unsigned int digest_len;
 747        int i;
 748        int tpm2;
 749
 750        tpm2 = tpm_is_tpm2(NULL);
 751        if (tpm2 < 0)
 752                return tpm2;
 753
 754        opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
 755
 756        while ((p = strsep(&c, " \t"))) {
 757                if (*p == '\0' || *p == ' ' || *p == '\t')
 758                        continue;
 759                token = match_token(p, key_tokens, args);
 760                if (test_and_set_bit(token, &token_mask))
 761                        return -EINVAL;
 762
 763                switch (token) {
 764                case Opt_pcrinfo:
 765                        opt->pcrinfo_len = strlen(args[0].from) / 2;
 766                        if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
 767                                return -EINVAL;
 768                        res = hex2bin(opt->pcrinfo, args[0].from,
 769                                      opt->pcrinfo_len);
 770                        if (res < 0)
 771                                return -EINVAL;
 772                        break;
 773                case Opt_keyhandle:
 774                        res = kstrtoul(args[0].from, 16, &handle);
 775                        if (res < 0)
 776                                return -EINVAL;
 777                        opt->keytype = SEAL_keytype;
 778                        opt->keyhandle = handle;
 779                        break;
 780                case Opt_keyauth:
 781                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 782                                return -EINVAL;
 783                        res = hex2bin(opt->keyauth, args[0].from,
 784                                      SHA1_DIGEST_SIZE);
 785                        if (res < 0)
 786                                return -EINVAL;
 787                        break;
 788                case Opt_blobauth:
 789                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 790                                return -EINVAL;
 791                        res = hex2bin(opt->blobauth, args[0].from,
 792                                      SHA1_DIGEST_SIZE);
 793                        if (res < 0)
 794                                return -EINVAL;
 795                        break;
 796                case Opt_migratable:
 797                        if (*args[0].from == '0')
 798                                pay->migratable = 0;
 799                        else
 800                                return -EINVAL;
 801                        break;
 802                case Opt_pcrlock:
 803                        res = kstrtoul(args[0].from, 10, &lock);
 804                        if (res < 0)
 805                                return -EINVAL;
 806                        opt->pcrlock = lock;
 807                        break;
 808                case Opt_hash:
 809                        if (test_bit(Opt_policydigest, &token_mask))
 810                                return -EINVAL;
 811                        for (i = 0; i < HASH_ALGO__LAST; i++) {
 812                                if (!strcmp(args[0].from, hash_algo_name[i])) {
 813                                        opt->hash = i;
 814                                        break;
 815                                }
 816                        }
 817                        if (i == HASH_ALGO__LAST)
 818                                return -EINVAL;
 819                        if  (!tpm2 && i != HASH_ALGO_SHA1) {
 820                                pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
 821                                return -EINVAL;
 822                        }
 823                        break;
 824                case Opt_policydigest:
 825                        digest_len = hash_digest_size[opt->hash];
 826                        if (!tpm2 || strlen(args[0].from) != (2 * digest_len))
 827                                return -EINVAL;
 828                        res = hex2bin(opt->policydigest, args[0].from,
 829                                      digest_len);
 830                        if (res < 0)
 831                                return -EINVAL;
 832                        opt->policydigest_len = digest_len;
 833                        break;
 834                case Opt_policyhandle:
 835                        if (!tpm2)
 836                                return -EINVAL;
 837                        res = kstrtoul(args[0].from, 16, &handle);
 838                        if (res < 0)
 839                                return -EINVAL;
 840                        opt->policyhandle = handle;
 841                        break;
 842                default:
 843                        return -EINVAL;
 844                }
 845        }
 846        return 0;
 847}
 848
 849/*
 850 * datablob_parse - parse the keyctl data and fill in the
 851 *                  payload and options structures
 852 *
 853 * On success returns 0, otherwise -EINVAL.
 854 */
 855static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 856                          struct trusted_key_options *o)
 857{
 858        substring_t args[MAX_OPT_ARGS];
 859        long keylen;
 860        int ret = -EINVAL;
 861        int key_cmd;
 862        char *c;
 863
 864        /* main command */
 865        c = strsep(&datablob, " \t");
 866        if (!c)
 867                return -EINVAL;
 868        key_cmd = match_token(c, key_tokens, args);
 869        switch (key_cmd) {
 870        case Opt_new:
 871                /* first argument is key size */
 872                c = strsep(&datablob, " \t");
 873                if (!c)
 874                        return -EINVAL;
 875                ret = kstrtol(c, 10, &keylen);
 876                if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 877                        return -EINVAL;
 878                p->key_len = keylen;
 879                ret = getoptions(datablob, p, o);
 880                if (ret < 0)
 881                        return ret;
 882                ret = Opt_new;
 883                break;
 884        case Opt_load:
 885                /* first argument is sealed blob */
 886                c = strsep(&datablob, " \t");
 887                if (!c)
 888                        return -EINVAL;
 889                p->blob_len = strlen(c) / 2;
 890                if (p->blob_len > MAX_BLOB_SIZE)
 891                        return -EINVAL;
 892                ret = hex2bin(p->blob, c, p->blob_len);
 893                if (ret < 0)
 894                        return -EINVAL;
 895                ret = getoptions(datablob, p, o);
 896                if (ret < 0)
 897                        return ret;
 898                ret = Opt_load;
 899                break;
 900        case Opt_update:
 901                /* all arguments are options */
 902                ret = getoptions(datablob, p, o);
 903                if (ret < 0)
 904                        return ret;
 905                ret = Opt_update;
 906                break;
 907        case Opt_err:
 908                return -EINVAL;
 909                break;
 910        }
 911        return ret;
 912}
 913
 914static struct trusted_key_options *trusted_options_alloc(void)
 915{
 916        struct trusted_key_options *options;
 917        int tpm2;
 918
 919        tpm2 = tpm_is_tpm2(NULL);
 920        if (tpm2 < 0)
 921                return NULL;
 922
 923        options = kzalloc(sizeof *options, GFP_KERNEL);
 924        if (options) {
 925                /* set any non-zero defaults */
 926                options->keytype = SRK_keytype;
 927
 928                if (!tpm2)
 929                        options->keyhandle = SRKHANDLE;
 930        }
 931        return options;
 932}
 933
 934static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
 935{
 936        struct trusted_key_payload *p = NULL;
 937        int ret;
 938
 939        ret = key_payload_reserve(key, sizeof *p);
 940        if (ret < 0)
 941                return p;
 942        p = kzalloc(sizeof *p, GFP_KERNEL);
 943        if (p)
 944                p->migratable = 1; /* migratable by default */
 945        return p;
 946}
 947
 948/*
 949 * trusted_instantiate - create a new trusted key
 950 *
 951 * Unseal an existing trusted blob or, for a new key, get a
 952 * random key, then seal and create a trusted key-type key,
 953 * adding it to the specified keyring.
 954 *
 955 * On success, return 0. Otherwise return errno.
 956 */
 957static int trusted_instantiate(struct key *key,
 958                               struct key_preparsed_payload *prep)
 959{
 960        struct trusted_key_payload *payload = NULL;
 961        struct trusted_key_options *options = NULL;
 962        size_t datalen = prep->datalen;
 963        char *datablob;
 964        int ret = 0;
 965        int key_cmd;
 966        size_t key_len;
 967        int tpm2;
 968
 969        tpm2 = tpm_is_tpm2(NULL);
 970        if (tpm2 < 0)
 971                return tpm2;
 972
 973        if (datalen <= 0 || datalen > 32767 || !prep->data)
 974                return -EINVAL;
 975
 976        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 977        if (!datablob)
 978                return -ENOMEM;
 979        memcpy(datablob, prep->data, datalen);
 980        datablob[datalen] = '\0';
 981
 982        options = trusted_options_alloc();
 983        if (!options) {
 984                ret = -ENOMEM;
 985                goto out;
 986        }
 987        payload = trusted_payload_alloc(key);
 988        if (!payload) {
 989                ret = -ENOMEM;
 990                goto out;
 991        }
 992
 993        key_cmd = datablob_parse(datablob, payload, options);
 994        if (key_cmd < 0) {
 995                ret = key_cmd;
 996                goto out;
 997        }
 998
 999        if (!options->keyhandle) {
1000                ret = -EINVAL;
1001                goto out;
1002        }
1003
1004        dump_payload(payload);
1005        dump_options(options);
1006
1007        switch (key_cmd) {
1008        case Opt_load:
1009                if (tpm2)
1010                        ret = tpm_unseal_trusted(NULL, payload, options);
1011                else
1012                        ret = key_unseal(payload, options);
1013                dump_payload(payload);
1014                dump_options(options);
1015                if (ret < 0)
1016                        pr_info("trusted_key: key_unseal failed (%d)\n", ret);
1017                break;
1018        case Opt_new:
1019                key_len = payload->key_len;
1020                ret = tpm_get_random(NULL, payload->key, key_len);
1021                if (ret != key_len) {
1022                        pr_info("trusted_key: key_create failed (%d)\n", ret);
1023                        goto out;
1024                }
1025                if (tpm2)
1026                        ret = tpm_seal_trusted(NULL, payload, options);
1027                else
1028                        ret = key_seal(payload, options);
1029                if (ret < 0)
1030                        pr_info("trusted_key: key_seal failed (%d)\n", ret);
1031                break;
1032        default:
1033                ret = -EINVAL;
1034                goto out;
1035        }
1036        if (!ret && options->pcrlock)
1037                ret = pcrlock(options->pcrlock);
1038out:
1039        kzfree(datablob);
1040        kzfree(options);
1041        if (!ret)
1042                rcu_assign_keypointer(key, payload);
1043        else
1044                kzfree(payload);
1045        return ret;
1046}
1047
1048static void trusted_rcu_free(struct rcu_head *rcu)
1049{
1050        struct trusted_key_payload *p;
1051
1052        p = container_of(rcu, struct trusted_key_payload, rcu);
1053        kzfree(p);
1054}
1055
1056/*
1057 * trusted_update - reseal an existing key with new PCR values
1058 */
1059static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
1060{
1061        struct trusted_key_payload *p;
1062        struct trusted_key_payload *new_p;
1063        struct trusted_key_options *new_o;
1064        size_t datalen = prep->datalen;
1065        char *datablob;
1066        int ret = 0;
1067
1068        if (key_is_negative(key))
1069                return -ENOKEY;
1070        p = key->payload.data[0];
1071        if (!p->migratable)
1072                return -EPERM;
1073        if (datalen <= 0 || datalen > 32767 || !prep->data)
1074                return -EINVAL;
1075
1076        datablob = kmalloc(datalen + 1, GFP_KERNEL);
1077        if (!datablob)
1078                return -ENOMEM;
1079        new_o = trusted_options_alloc();
1080        if (!new_o) {
1081                ret = -ENOMEM;
1082                goto out;
1083        }
1084        new_p = trusted_payload_alloc(key);
1085        if (!new_p) {
1086                ret = -ENOMEM;
1087                goto out;
1088        }
1089
1090        memcpy(datablob, prep->data, datalen);
1091        datablob[datalen] = '\0';
1092        ret = datablob_parse(datablob, new_p, new_o);
1093        if (ret != Opt_update) {
1094                ret = -EINVAL;
1095                kzfree(new_p);
1096                goto out;
1097        }
1098
1099        if (!new_o->keyhandle) {
1100                ret = -EINVAL;
1101                kzfree(new_p);
1102                goto out;
1103        }
1104
1105        /* copy old key values, and reseal with new pcrs */
1106        new_p->migratable = p->migratable;
1107        new_p->key_len = p->key_len;
1108        memcpy(new_p->key, p->key, p->key_len);
1109        dump_payload(p);
1110        dump_payload(new_p);
1111
1112        ret = key_seal(new_p, new_o);
1113        if (ret < 0) {
1114                pr_info("trusted_key: key_seal failed (%d)\n", ret);
1115                kzfree(new_p);
1116                goto out;
1117        }
1118        if (new_o->pcrlock) {
1119                ret = pcrlock(new_o->pcrlock);
1120                if (ret < 0) {
1121                        pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1122                        kzfree(new_p);
1123                        goto out;
1124                }
1125        }
1126        rcu_assign_keypointer(key, new_p);
1127        call_rcu(&p->rcu, trusted_rcu_free);
1128out:
1129        kzfree(datablob);
1130        kzfree(new_o);
1131        return ret;
1132}
1133
1134/*
1135 * trusted_read - copy the sealed blob data to userspace in hex.
1136 * On success, return to userspace the trusted key datablob size.
1137 */
1138static long trusted_read(const struct key *key, char __user *buffer,
1139                         size_t buflen)
1140{
1141        const struct trusted_key_payload *p;
1142        char *ascii_buf;
1143        char *bufp;
1144        int i;
1145
1146        p = dereference_key_locked(key);
1147        if (!p)
1148                return -EINVAL;
1149
1150        if (buffer && buflen >= 2 * p->blob_len) {
1151                ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL);
1152                if (!ascii_buf)
1153                        return -ENOMEM;
1154
1155                bufp = ascii_buf;
1156                for (i = 0; i < p->blob_len; i++)
1157                        bufp = hex_byte_pack(bufp, p->blob[i]);
1158                if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
1159                        kzfree(ascii_buf);
1160                        return -EFAULT;
1161                }
1162                kzfree(ascii_buf);
1163        }
1164        return 2 * p->blob_len;
1165}
1166
1167/*
1168 * trusted_destroy - clear and free the key's payload
1169 */
1170static void trusted_destroy(struct key *key)
1171{
1172        kzfree(key->payload.data[0]);
1173}
1174
1175struct key_type key_type_trusted = {
1176        .name = "trusted",
1177        .instantiate = trusted_instantiate,
1178        .update = trusted_update,
1179        .destroy = trusted_destroy,
1180        .describe = user_describe,
1181        .read = trusted_read,
1182};
1183
1184EXPORT_SYMBOL_GPL(key_type_trusted);
1185
1186static void trusted_shash_release(void)
1187{
1188        if (hashalg)
1189                crypto_free_shash(hashalg);
1190        if (hmacalg)
1191                crypto_free_shash(hmacalg);
1192}
1193
1194static int __init trusted_shash_alloc(void)
1195{
1196        int ret;
1197
1198        hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1199        if (IS_ERR(hmacalg)) {
1200                pr_info("trusted_key: could not allocate crypto %s\n",
1201                        hmac_alg);
1202                return PTR_ERR(hmacalg);
1203        }
1204
1205        hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
1206        if (IS_ERR(hashalg)) {
1207                pr_info("trusted_key: could not allocate crypto %s\n",
1208                        hash_alg);
1209                ret = PTR_ERR(hashalg);
1210                goto hashalg_fail;
1211        }
1212
1213        return 0;
1214
1215hashalg_fail:
1216        crypto_free_shash(hmacalg);
1217        return ret;
1218}
1219
1220static int __init init_trusted(void)
1221{
1222        int ret;
1223
1224        ret = trusted_shash_alloc();
1225        if (ret < 0)
1226                return ret;
1227        ret = register_key_type(&key_type_trusted);
1228        if (ret < 0)
1229                trusted_shash_release();
1230        return ret;
1231}
1232
1233static void __exit cleanup_trusted(void)
1234{
1235        trusted_shash_release();
1236        unregister_key_type(&key_type_trusted);
1237}
1238
1239late_initcall(init_trusted);
1240module_exit(cleanup_trusted);
1241
1242MODULE_LICENSE("GPL");
1243