linux/security/keys/trusted.c
<<
>>
Prefs
   1/*
   2 * Copyright (C) 2010 IBM Corporation
   3 *
   4 * Author:
   5 * David Safford <safford@us.ibm.com>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation, version 2 of the License.
  10 *
  11 * See Documentation/security/keys-trusted-encrypted.txt
  12 */
  13
  14#include <crypto/hash_info.h>
  15#include <linux/uaccess.h>
  16#include <linux/module.h>
  17#include <linux/init.h>
  18#include <linux/slab.h>
  19#include <linux/parser.h>
  20#include <linux/string.h>
  21#include <linux/err.h>
  22#include <keys/user-type.h>
  23#include <keys/trusted-type.h>
  24#include <linux/key-type.h>
  25#include <linux/rcupdate.h>
  26#include <linux/crypto.h>
  27#include <crypto/hash.h>
  28#include <crypto/sha.h>
  29#include <linux/capability.h>
  30#include <linux/tpm.h>
  31#include <linux/tpm_command.h>
  32
  33#include "trusted.h"
  34
  35static const char hmac_alg[] = "hmac(sha1)";
  36static const char hash_alg[] = "sha1";
  37
  38struct sdesc {
  39        struct shash_desc shash;
  40        char ctx[];
  41};
  42
  43static struct crypto_shash *hashalg;
  44static struct crypto_shash *hmacalg;
  45
  46static struct sdesc *init_sdesc(struct crypto_shash *alg)
  47{
  48        struct sdesc *sdesc;
  49        int size;
  50
  51        size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  52        sdesc = kmalloc(size, GFP_KERNEL);
  53        if (!sdesc)
  54                return ERR_PTR(-ENOMEM);
  55        sdesc->shash.tfm = alg;
  56        sdesc->shash.flags = 0x0;
  57        return sdesc;
  58}
  59
  60static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  61                    unsigned char *digest)
  62{
  63        struct sdesc *sdesc;
  64        int ret;
  65
  66        sdesc = init_sdesc(hashalg);
  67        if (IS_ERR(sdesc)) {
  68                pr_info("trusted_key: can't alloc %s\n", hash_alg);
  69                return PTR_ERR(sdesc);
  70        }
  71
  72        ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  73        kfree(sdesc);
  74        return ret;
  75}
  76
  77static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  78                       unsigned int keylen, ...)
  79{
  80        struct sdesc *sdesc;
  81        va_list argp;
  82        unsigned int dlen;
  83        unsigned char *data;
  84        int ret;
  85
  86        sdesc = init_sdesc(hmacalg);
  87        if (IS_ERR(sdesc)) {
  88                pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  89                return PTR_ERR(sdesc);
  90        }
  91
  92        ret = crypto_shash_setkey(hmacalg, key, keylen);
  93        if (ret < 0)
  94                goto out;
  95        ret = crypto_shash_init(&sdesc->shash);
  96        if (ret < 0)
  97                goto out;
  98
  99        va_start(argp, keylen);
 100        for (;;) {
 101                dlen = va_arg(argp, unsigned int);
 102                if (dlen == 0)
 103                        break;
 104                data = va_arg(argp, unsigned char *);
 105                if (data == NULL) {
 106                        ret = -EINVAL;
 107                        break;
 108                }
 109                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 110                if (ret < 0)
 111                        break;
 112        }
 113        va_end(argp);
 114        if (!ret)
 115                ret = crypto_shash_final(&sdesc->shash, digest);
 116out:
 117        kfree(sdesc);
 118        return ret;
 119}
 120
 121/*
 122 * calculate authorization info fields to send to TPM
 123 */
 124static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
 125                        unsigned int keylen, unsigned char *h1,
 126                        unsigned char *h2, unsigned char h3, ...)
 127{
 128        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 129        struct sdesc *sdesc;
 130        unsigned int dlen;
 131        unsigned char *data;
 132        unsigned char c;
 133        int ret;
 134        va_list argp;
 135
 136        sdesc = init_sdesc(hashalg);
 137        if (IS_ERR(sdesc)) {
 138                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 139                return PTR_ERR(sdesc);
 140        }
 141
 142        c = h3;
 143        ret = crypto_shash_init(&sdesc->shash);
 144        if (ret < 0)
 145                goto out;
 146        va_start(argp, h3);
 147        for (;;) {
 148                dlen = va_arg(argp, unsigned int);
 149                if (dlen == 0)
 150                        break;
 151                data = va_arg(argp, unsigned char *);
 152                if (!data) {
 153                        ret = -EINVAL;
 154                        break;
 155                }
 156                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 157                if (ret < 0)
 158                        break;
 159        }
 160        va_end(argp);
 161        if (!ret)
 162                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 163        if (!ret)
 164                ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
 165                                  paramdigest, TPM_NONCE_SIZE, h1,
 166                                  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
 167out:
 168        kfree(sdesc);
 169        return ret;
 170}
 171
 172/*
 173 * verify the AUTH1_COMMAND (Seal) result from TPM
 174 */
 175static int TSS_checkhmac1(unsigned char *buffer,
 176                          const uint32_t command,
 177                          const unsigned char *ononce,
 178                          const unsigned char *key,
 179                          unsigned int keylen, ...)
 180{
 181        uint32_t bufsize;
 182        uint16_t tag;
 183        uint32_t ordinal;
 184        uint32_t result;
 185        unsigned char *enonce;
 186        unsigned char *continueflag;
 187        unsigned char *authdata;
 188        unsigned char testhmac[SHA1_DIGEST_SIZE];
 189        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 190        struct sdesc *sdesc;
 191        unsigned int dlen;
 192        unsigned int dpos;
 193        va_list argp;
 194        int ret;
 195
 196        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 197        tag = LOAD16(buffer, 0);
 198        ordinal = command;
 199        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 200        if (tag == TPM_TAG_RSP_COMMAND)
 201                return 0;
 202        if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
 203                return -EINVAL;
 204        authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
 205        continueflag = authdata - 1;
 206        enonce = continueflag - TPM_NONCE_SIZE;
 207
 208        sdesc = init_sdesc(hashalg);
 209        if (IS_ERR(sdesc)) {
 210                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 211                return PTR_ERR(sdesc);
 212        }
 213        ret = crypto_shash_init(&sdesc->shash);
 214        if (ret < 0)
 215                goto out;
 216        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 217                                  sizeof result);
 218        if (ret < 0)
 219                goto out;
 220        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 221                                  sizeof ordinal);
 222        if (ret < 0)
 223                goto out;
 224        va_start(argp, keylen);
 225        for (;;) {
 226                dlen = va_arg(argp, unsigned int);
 227                if (dlen == 0)
 228                        break;
 229                dpos = va_arg(argp, unsigned int);
 230                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 231                if (ret < 0)
 232                        break;
 233        }
 234        va_end(argp);
 235        if (!ret)
 236                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 237        if (ret < 0)
 238                goto out;
 239
 240        ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
 241                          TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
 242                          1, continueflag, 0, 0);
 243        if (ret < 0)
 244                goto out;
 245
 246        if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
 247                ret = -EINVAL;
 248out:
 249        kfree(sdesc);
 250        return ret;
 251}
 252
 253/*
 254 * verify the AUTH2_COMMAND (unseal) result from TPM
 255 */
 256static int TSS_checkhmac2(unsigned char *buffer,
 257                          const uint32_t command,
 258                          const unsigned char *ononce,
 259                          const unsigned char *key1,
 260                          unsigned int keylen1,
 261                          const unsigned char *key2,
 262                          unsigned int keylen2, ...)
 263{
 264        uint32_t bufsize;
 265        uint16_t tag;
 266        uint32_t ordinal;
 267        uint32_t result;
 268        unsigned char *enonce1;
 269        unsigned char *continueflag1;
 270        unsigned char *authdata1;
 271        unsigned char *enonce2;
 272        unsigned char *continueflag2;
 273        unsigned char *authdata2;
 274        unsigned char testhmac1[SHA1_DIGEST_SIZE];
 275        unsigned char testhmac2[SHA1_DIGEST_SIZE];
 276        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 277        struct sdesc *sdesc;
 278        unsigned int dlen;
 279        unsigned int dpos;
 280        va_list argp;
 281        int ret;
 282
 283        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 284        tag = LOAD16(buffer, 0);
 285        ordinal = command;
 286        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 287
 288        if (tag == TPM_TAG_RSP_COMMAND)
 289                return 0;
 290        if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
 291                return -EINVAL;
 292        authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
 293                        + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
 294        authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
 295        continueflag1 = authdata1 - 1;
 296        continueflag2 = authdata2 - 1;
 297        enonce1 = continueflag1 - TPM_NONCE_SIZE;
 298        enonce2 = continueflag2 - TPM_NONCE_SIZE;
 299
 300        sdesc = init_sdesc(hashalg);
 301        if (IS_ERR(sdesc)) {
 302                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 303                return PTR_ERR(sdesc);
 304        }
 305        ret = crypto_shash_init(&sdesc->shash);
 306        if (ret < 0)
 307                goto out;
 308        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 309                                  sizeof result);
 310        if (ret < 0)
 311                goto out;
 312        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 313                                  sizeof ordinal);
 314        if (ret < 0)
 315                goto out;
 316
 317        va_start(argp, keylen2);
 318        for (;;) {
 319                dlen = va_arg(argp, unsigned int);
 320                if (dlen == 0)
 321                        break;
 322                dpos = va_arg(argp, unsigned int);
 323                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 324                if (ret < 0)
 325                        break;
 326        }
 327        va_end(argp);
 328        if (!ret)
 329                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 330        if (ret < 0)
 331                goto out;
 332
 333        ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
 334                          paramdigest, TPM_NONCE_SIZE, enonce1,
 335                          TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
 336        if (ret < 0)
 337                goto out;
 338        if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
 339                ret = -EINVAL;
 340                goto out;
 341        }
 342        ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
 343                          paramdigest, TPM_NONCE_SIZE, enonce2,
 344                          TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
 345        if (ret < 0)
 346                goto out;
 347        if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 348                ret = -EINVAL;
 349out:
 350        kfree(sdesc);
 351        return ret;
 352}
 353
 354/*
 355 * For key specific tpm requests, we will generate and send our
 356 * own TPM command packets using the drivers send function.
 357 */
 358static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
 359                            size_t buflen)
 360{
 361        int rc;
 362
 363        dump_tpm_buf(cmd);
 364        rc = tpm_send(chip_num, cmd, buflen);
 365        dump_tpm_buf(cmd);
 366        if (rc > 0)
 367                /* Can't return positive return codes values to keyctl */
 368                rc = -EPERM;
 369        return rc;
 370}
 371
 372/*
 373 * Lock a trusted key, by extending a selected PCR.
 374 *
 375 * Prevents a trusted key that is sealed to PCRs from being accessed.
 376 * This uses the tpm driver's extend function.
 377 */
 378static int pcrlock(const int pcrnum)
 379{
 380        unsigned char hash[SHA1_DIGEST_SIZE];
 381        int ret;
 382
 383        if (!capable(CAP_SYS_ADMIN))
 384                return -EPERM;
 385        ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
 386        if (ret != SHA1_DIGEST_SIZE)
 387                return ret;
 388        return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
 389}
 390
 391/*
 392 * Create an object specific authorisation protocol (OSAP) session
 393 */
 394static int osap(struct tpm_buf *tb, struct osapsess *s,
 395                const unsigned char *key, uint16_t type, uint32_t handle)
 396{
 397        unsigned char enonce[TPM_NONCE_SIZE];
 398        unsigned char ononce[TPM_NONCE_SIZE];
 399        int ret;
 400
 401        ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
 402        if (ret != TPM_NONCE_SIZE)
 403                return ret;
 404
 405        INIT_BUF(tb);
 406        store16(tb, TPM_TAG_RQU_COMMAND);
 407        store32(tb, TPM_OSAP_SIZE);
 408        store32(tb, TPM_ORD_OSAP);
 409        store16(tb, type);
 410        store32(tb, handle);
 411        storebytes(tb, ononce, TPM_NONCE_SIZE);
 412
 413        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 414        if (ret < 0)
 415                return ret;
 416
 417        s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 418        memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
 419               TPM_NONCE_SIZE);
 420        memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
 421                                  TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
 422        return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
 423                           enonce, TPM_NONCE_SIZE, ononce, 0, 0);
 424}
 425
 426/*
 427 * Create an object independent authorisation protocol (oiap) session
 428 */
 429static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
 430{
 431        int ret;
 432
 433        INIT_BUF(tb);
 434        store16(tb, TPM_TAG_RQU_COMMAND);
 435        store32(tb, TPM_OIAP_SIZE);
 436        store32(tb, TPM_ORD_OIAP);
 437        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 438        if (ret < 0)
 439                return ret;
 440
 441        *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 442        memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
 443               TPM_NONCE_SIZE);
 444        return 0;
 445}
 446
 447struct tpm_digests {
 448        unsigned char encauth[SHA1_DIGEST_SIZE];
 449        unsigned char pubauth[SHA1_DIGEST_SIZE];
 450        unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
 451        unsigned char xorhash[SHA1_DIGEST_SIZE];
 452        unsigned char nonceodd[TPM_NONCE_SIZE];
 453};
 454
 455/*
 456 * Have the TPM seal(encrypt) the trusted key, possibly based on
 457 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
 458 */
 459static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 460                    uint32_t keyhandle, const unsigned char *keyauth,
 461                    const unsigned char *data, uint32_t datalen,
 462                    unsigned char *blob, uint32_t *bloblen,
 463                    const unsigned char *blobauth,
 464                    const unsigned char *pcrinfo, uint32_t pcrinfosize)
 465{
 466        struct osapsess sess;
 467        struct tpm_digests *td;
 468        unsigned char cont;
 469        uint32_t ordinal;
 470        uint32_t pcrsize;
 471        uint32_t datsize;
 472        int sealinfosize;
 473        int encdatasize;
 474        int storedsize;
 475        int ret;
 476        int i;
 477
 478        /* alloc some work space for all the hashes */
 479        td = kmalloc(sizeof *td, GFP_KERNEL);
 480        if (!td)
 481                return -ENOMEM;
 482
 483        /* get session for sealing key */
 484        ret = osap(tb, &sess, keyauth, keytype, keyhandle);
 485        if (ret < 0)
 486                goto out;
 487        dump_sess(&sess);
 488
 489        /* calculate encrypted authorization value */
 490        memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
 491        memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
 492        ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
 493        if (ret < 0)
 494                goto out;
 495
 496        ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
 497        if (ret != TPM_NONCE_SIZE)
 498                goto out;
 499        ordinal = htonl(TPM_ORD_SEAL);
 500        datsize = htonl(datalen);
 501        pcrsize = htonl(pcrinfosize);
 502        cont = 0;
 503
 504        /* encrypt data authorization key */
 505        for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
 506                td->encauth[i] = td->xorhash[i] ^ blobauth[i];
 507
 508        /* calculate authorization HMAC value */
 509        if (pcrinfosize == 0) {
 510                /* no pcr info specified */
 511                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 512                                   sess.enonce, td->nonceodd, cont,
 513                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 514                                   td->encauth, sizeof(uint32_t), &pcrsize,
 515                                   sizeof(uint32_t), &datsize, datalen, data, 0,
 516                                   0);
 517        } else {
 518                /* pcr info specified */
 519                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 520                                   sess.enonce, td->nonceodd, cont,
 521                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 522                                   td->encauth, sizeof(uint32_t), &pcrsize,
 523                                   pcrinfosize, pcrinfo, sizeof(uint32_t),
 524                                   &datsize, datalen, data, 0, 0);
 525        }
 526        if (ret < 0)
 527                goto out;
 528
 529        /* build and send the TPM request packet */
 530        INIT_BUF(tb);
 531        store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
 532        store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
 533        store32(tb, TPM_ORD_SEAL);
 534        store32(tb, keyhandle);
 535        storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
 536        store32(tb, pcrinfosize);
 537        storebytes(tb, pcrinfo, pcrinfosize);
 538        store32(tb, datalen);
 539        storebytes(tb, data, datalen);
 540        store32(tb, sess.handle);
 541        storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
 542        store8(tb, cont);
 543        storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
 544
 545        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 546        if (ret < 0)
 547                goto out;
 548
 549        /* calculate the size of the returned Blob */
 550        sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
 551        encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
 552                             sizeof(uint32_t) + sealinfosize);
 553        storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
 554            sizeof(uint32_t) + encdatasize;
 555
 556        /* check the HMAC in the response */
 557        ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
 558                             SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
 559                             0);
 560
 561        /* copy the returned blob to caller */
 562        if (!ret) {
 563                memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
 564                *bloblen = storedsize;
 565        }
 566out:
 567        kfree(td);
 568        return ret;
 569}
 570
 571/*
 572 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
 573 */
 574static int tpm_unseal(struct tpm_buf *tb,
 575                      uint32_t keyhandle, const unsigned char *keyauth,
 576                      const unsigned char *blob, int bloblen,
 577                      const unsigned char *blobauth,
 578                      unsigned char *data, unsigned int *datalen)
 579{
 580        unsigned char nonceodd[TPM_NONCE_SIZE];
 581        unsigned char enonce1[TPM_NONCE_SIZE];
 582        unsigned char enonce2[TPM_NONCE_SIZE];
 583        unsigned char authdata1[SHA1_DIGEST_SIZE];
 584        unsigned char authdata2[SHA1_DIGEST_SIZE];
 585        uint32_t authhandle1 = 0;
 586        uint32_t authhandle2 = 0;
 587        unsigned char cont = 0;
 588        uint32_t ordinal;
 589        uint32_t keyhndl;
 590        int ret;
 591
 592        /* sessions for unsealing key and data */
 593        ret = oiap(tb, &authhandle1, enonce1);
 594        if (ret < 0) {
 595                pr_info("trusted_key: oiap failed (%d)\n", ret);
 596                return ret;
 597        }
 598        ret = oiap(tb, &authhandle2, enonce2);
 599        if (ret < 0) {
 600                pr_info("trusted_key: oiap failed (%d)\n", ret);
 601                return ret;
 602        }
 603
 604        ordinal = htonl(TPM_ORD_UNSEAL);
 605        keyhndl = htonl(SRKHANDLE);
 606        ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
 607        if (ret != TPM_NONCE_SIZE) {
 608                pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
 609                return ret;
 610        }
 611        ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
 612                           enonce1, nonceodd, cont, sizeof(uint32_t),
 613                           &ordinal, bloblen, blob, 0, 0);
 614        if (ret < 0)
 615                return ret;
 616        ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
 617                           enonce2, nonceodd, cont, sizeof(uint32_t),
 618                           &ordinal, bloblen, blob, 0, 0);
 619        if (ret < 0)
 620                return ret;
 621
 622        /* build and send TPM request packet */
 623        INIT_BUF(tb);
 624        store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
 625        store32(tb, TPM_UNSEAL_SIZE + bloblen);
 626        store32(tb, TPM_ORD_UNSEAL);
 627        store32(tb, keyhandle);
 628        storebytes(tb, blob, bloblen);
 629        store32(tb, authhandle1);
 630        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 631        store8(tb, cont);
 632        storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
 633        store32(tb, authhandle2);
 634        storebytes(tb, nonceodd, TPM_NONCE_SIZE);
 635        store8(tb, cont);
 636        storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
 637
 638        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
 639        if (ret < 0) {
 640                pr_info("trusted_key: authhmac failed (%d)\n", ret);
 641                return ret;
 642        }
 643
 644        *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
 645        ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
 646                             keyauth, SHA1_DIGEST_SIZE,
 647                             blobauth, SHA1_DIGEST_SIZE,
 648                             sizeof(uint32_t), TPM_DATA_OFFSET,
 649                             *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
 650                             0);
 651        if (ret < 0) {
 652                pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
 653                return ret;
 654        }
 655        memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
 656        return 0;
 657}
 658
 659/*
 660 * Have the TPM seal(encrypt) the symmetric key
 661 */
 662static int key_seal(struct trusted_key_payload *p,
 663                    struct trusted_key_options *o)
 664{
 665        struct tpm_buf *tb;
 666        int ret;
 667
 668        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 669        if (!tb)
 670                return -ENOMEM;
 671
 672        /* include migratable flag at end of sealed key */
 673        p->key[p->key_len] = p->migratable;
 674
 675        ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
 676                       p->key, p->key_len + 1, p->blob, &p->blob_len,
 677                       o->blobauth, o->pcrinfo, o->pcrinfo_len);
 678        if (ret < 0)
 679                pr_info("trusted_key: srkseal failed (%d)\n", ret);
 680
 681        kfree(tb);
 682        return ret;
 683}
 684
 685/*
 686 * Have the TPM unseal(decrypt) the symmetric key
 687 */
 688static int key_unseal(struct trusted_key_payload *p,
 689                      struct trusted_key_options *o)
 690{
 691        struct tpm_buf *tb;
 692        int ret;
 693
 694        tb = kzalloc(sizeof *tb, GFP_KERNEL);
 695        if (!tb)
 696                return -ENOMEM;
 697
 698        ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
 699                         o->blobauth, p->key, &p->key_len);
 700        if (ret < 0)
 701                pr_info("trusted_key: srkunseal failed (%d)\n", ret);
 702        else
 703                /* pull migratable flag out of sealed key */
 704                p->migratable = p->key[--p->key_len];
 705
 706        kfree(tb);
 707        return ret;
 708}
 709
 710enum {
 711        Opt_err = -1,
 712        Opt_new, Opt_load, Opt_update,
 713        Opt_keyhandle, Opt_keyauth, Opt_blobauth,
 714        Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
 715        Opt_hash,
 716        Opt_policydigest,
 717        Opt_policyhandle,
 718};
 719
 720static const match_table_t key_tokens = {
 721        {Opt_new, "new"},
 722        {Opt_load, "load"},
 723        {Opt_update, "update"},
 724        {Opt_keyhandle, "keyhandle=%s"},
 725        {Opt_keyauth, "keyauth=%s"},
 726        {Opt_blobauth, "blobauth=%s"},
 727        {Opt_pcrinfo, "pcrinfo=%s"},
 728        {Opt_pcrlock, "pcrlock=%s"},
 729        {Opt_migratable, "migratable=%s"},
 730        {Opt_hash, "hash=%s"},
 731        {Opt_policydigest, "policydigest=%s"},
 732        {Opt_policyhandle, "policyhandle=%s"},
 733        {Opt_err, NULL}
 734};
 735
 736/* can have zero or more token= options */
 737static int getoptions(char *c, struct trusted_key_payload *pay,
 738                      struct trusted_key_options *opt)
 739{
 740        substring_t args[MAX_OPT_ARGS];
 741        char *p = c;
 742        int token;
 743        int res;
 744        unsigned long handle;
 745        unsigned long lock;
 746        unsigned long token_mask = 0;
 747        unsigned int digest_len;
 748        int i;
 749        int tpm2;
 750
 751        tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
 752        if (tpm2 < 0)
 753                return tpm2;
 754
 755        opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
 756
 757        while ((p = strsep(&c, " \t"))) {
 758                if (*p == '\0' || *p == ' ' || *p == '\t')
 759                        continue;
 760                token = match_token(p, key_tokens, args);
 761                if (test_and_set_bit(token, &token_mask))
 762                        return -EINVAL;
 763
 764                switch (token) {
 765                case Opt_pcrinfo:
 766                        opt->pcrinfo_len = strlen(args[0].from) / 2;
 767                        if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
 768                                return -EINVAL;
 769                        res = hex2bin(opt->pcrinfo, args[0].from,
 770                                      opt->pcrinfo_len);
 771                        if (res < 0)
 772                                return -EINVAL;
 773                        break;
 774                case Opt_keyhandle:
 775                        res = kstrtoul(args[0].from, 16, &handle);
 776                        if (res < 0)
 777                                return -EINVAL;
 778                        opt->keytype = SEAL_keytype;
 779                        opt->keyhandle = handle;
 780                        break;
 781                case Opt_keyauth:
 782                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 783                                return -EINVAL;
 784                        res = hex2bin(opt->keyauth, args[0].from,
 785                                      SHA1_DIGEST_SIZE);
 786                        if (res < 0)
 787                                return -EINVAL;
 788                        break;
 789                case Opt_blobauth:
 790                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 791                                return -EINVAL;
 792                        res = hex2bin(opt->blobauth, args[0].from,
 793                                      SHA1_DIGEST_SIZE);
 794                        if (res < 0)
 795                                return -EINVAL;
 796                        break;
 797                case Opt_migratable:
 798                        if (*args[0].from == '0')
 799                                pay->migratable = 0;
 800                        else
 801                                return -EINVAL;
 802                        break;
 803                case Opt_pcrlock:
 804                        res = kstrtoul(args[0].from, 10, &lock);
 805                        if (res < 0)
 806                                return -EINVAL;
 807                        opt->pcrlock = lock;
 808                        break;
 809                case Opt_hash:
 810                        if (test_bit(Opt_policydigest, &token_mask))
 811                                return -EINVAL;
 812                        for (i = 0; i < HASH_ALGO__LAST; i++) {
 813                                if (!strcmp(args[0].from, hash_algo_name[i])) {
 814                                        opt->hash = i;
 815                                        break;
 816                                }
 817                        }
 818                        if (i == HASH_ALGO__LAST)
 819                                return -EINVAL;
 820                        if  (!tpm2 && i != HASH_ALGO_SHA1) {
 821                                pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
 822                                return -EINVAL;
 823                        }
 824                        break;
 825                case Opt_policydigest:
 826                        digest_len = hash_digest_size[opt->hash];
 827                        if (!tpm2 || strlen(args[0].from) != (2 * digest_len))
 828                                return -EINVAL;
 829                        res = hex2bin(opt->policydigest, args[0].from,
 830                                      digest_len);
 831                        if (res < 0)
 832                                return -EINVAL;
 833                        opt->policydigest_len = digest_len;
 834                        break;
 835                case Opt_policyhandle:
 836                        if (!tpm2)
 837                                return -EINVAL;
 838                        res = kstrtoul(args[0].from, 16, &handle);
 839                        if (res < 0)
 840                                return -EINVAL;
 841                        opt->policyhandle = handle;
 842                        break;
 843                default:
 844                        return -EINVAL;
 845                }
 846        }
 847        return 0;
 848}
 849
 850/*
 851 * datablob_parse - parse the keyctl data and fill in the
 852 *                  payload and options structures
 853 *
 854 * On success returns 0, otherwise -EINVAL.
 855 */
 856static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 857                          struct trusted_key_options *o)
 858{
 859        substring_t args[MAX_OPT_ARGS];
 860        long keylen;
 861        int ret = -EINVAL;
 862        int key_cmd;
 863        char *c;
 864
 865        /* main command */
 866        c = strsep(&datablob, " \t");
 867        if (!c)
 868                return -EINVAL;
 869        key_cmd = match_token(c, key_tokens, args);
 870        switch (key_cmd) {
 871        case Opt_new:
 872                /* first argument is key size */
 873                c = strsep(&datablob, " \t");
 874                if (!c)
 875                        return -EINVAL;
 876                ret = kstrtol(c, 10, &keylen);
 877                if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 878                        return -EINVAL;
 879                p->key_len = keylen;
 880                ret = getoptions(datablob, p, o);
 881                if (ret < 0)
 882                        return ret;
 883                ret = Opt_new;
 884                break;
 885        case Opt_load:
 886                /* first argument is sealed blob */
 887                c = strsep(&datablob, " \t");
 888                if (!c)
 889                        return -EINVAL;
 890                p->blob_len = strlen(c) / 2;
 891                if (p->blob_len > MAX_BLOB_SIZE)
 892                        return -EINVAL;
 893                ret = hex2bin(p->blob, c, p->blob_len);
 894                if (ret < 0)
 895                        return -EINVAL;
 896                ret = getoptions(datablob, p, o);
 897                if (ret < 0)
 898                        return ret;
 899                ret = Opt_load;
 900                break;
 901        case Opt_update:
 902                /* all arguments are options */
 903                ret = getoptions(datablob, p, o);
 904                if (ret < 0)
 905                        return ret;
 906                ret = Opt_update;
 907                break;
 908        case Opt_err:
 909                return -EINVAL;
 910                break;
 911        }
 912        return ret;
 913}
 914
 915static struct trusted_key_options *trusted_options_alloc(void)
 916{
 917        struct trusted_key_options *options;
 918        int tpm2;
 919
 920        tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
 921        if (tpm2 < 0)
 922                return NULL;
 923
 924        options = kzalloc(sizeof *options, GFP_KERNEL);
 925        if (options) {
 926                /* set any non-zero defaults */
 927                options->keytype = SRK_keytype;
 928
 929                if (!tpm2)
 930                        options->keyhandle = SRKHANDLE;
 931        }
 932        return options;
 933}
 934
 935static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
 936{
 937        struct trusted_key_payload *p = NULL;
 938        int ret;
 939
 940        ret = key_payload_reserve(key, sizeof *p);
 941        if (ret < 0)
 942                return p;
 943        p = kzalloc(sizeof *p, GFP_KERNEL);
 944        if (p)
 945                p->migratable = 1; /* migratable by default */
 946        return p;
 947}
 948
 949/*
 950 * trusted_instantiate - create a new trusted key
 951 *
 952 * Unseal an existing trusted blob or, for a new key, get a
 953 * random key, then seal and create a trusted key-type key,
 954 * adding it to the specified keyring.
 955 *
 956 * On success, return 0. Otherwise return errno.
 957 */
 958static int trusted_instantiate(struct key *key,
 959                               struct key_preparsed_payload *prep)
 960{
 961        struct trusted_key_payload *payload = NULL;
 962        struct trusted_key_options *options = NULL;
 963        size_t datalen = prep->datalen;
 964        char *datablob;
 965        int ret = 0;
 966        int key_cmd;
 967        size_t key_len;
 968        int tpm2;
 969
 970        tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
 971        if (tpm2 < 0)
 972                return tpm2;
 973
 974        if (datalen <= 0 || datalen > 32767 || !prep->data)
 975                return -EINVAL;
 976
 977        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 978        if (!datablob)
 979                return -ENOMEM;
 980        memcpy(datablob, prep->data, datalen);
 981        datablob[datalen] = '\0';
 982
 983        options = trusted_options_alloc();
 984        if (!options) {
 985                ret = -ENOMEM;
 986                goto out;
 987        }
 988        payload = trusted_payload_alloc(key);
 989        if (!payload) {
 990                ret = -ENOMEM;
 991                goto out;
 992        }
 993
 994        key_cmd = datablob_parse(datablob, payload, options);
 995        if (key_cmd < 0) {
 996                ret = key_cmd;
 997                goto out;
 998        }
 999
1000        if (!options->keyhandle) {
1001                ret = -EINVAL;
1002                goto out;
1003        }
1004
1005        dump_payload(payload);
1006        dump_options(options);
1007
1008        switch (key_cmd) {
1009        case Opt_load:
1010                if (tpm2)
1011                        ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
1012                else
1013                        ret = key_unseal(payload, options);
1014                dump_payload(payload);
1015                dump_options(options);
1016                if (ret < 0)
1017                        pr_info("trusted_key: key_unseal failed (%d)\n", ret);
1018                break;
1019        case Opt_new:
1020                key_len = payload->key_len;
1021                ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
1022                if (ret != key_len) {
1023                        pr_info("trusted_key: key_create failed (%d)\n", ret);
1024                        goto out;
1025                }
1026                if (tpm2)
1027                        ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
1028                else
1029                        ret = key_seal(payload, options);
1030                if (ret < 0)
1031                        pr_info("trusted_key: key_seal failed (%d)\n", ret);
1032                break;
1033        default:
1034                ret = -EINVAL;
1035                goto out;
1036        }
1037        if (!ret && options->pcrlock)
1038                ret = pcrlock(options->pcrlock);
1039out:
1040        kfree(datablob);
1041        kfree(options);
1042        if (!ret)
1043                rcu_assign_keypointer(key, payload);
1044        else
1045                kfree(payload);
1046        return ret;
1047}
1048
1049static void trusted_rcu_free(struct rcu_head *rcu)
1050{
1051        struct trusted_key_payload *p;
1052
1053        p = container_of(rcu, struct trusted_key_payload, rcu);
1054        memset(p->key, 0, p->key_len);
1055        kfree(p);
1056}
1057
1058/*
1059 * trusted_update - reseal an existing key with new PCR values
1060 */
1061static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
1062{
1063        struct trusted_key_payload *p;
1064        struct trusted_key_payload *new_p;
1065        struct trusted_key_options *new_o;
1066        size_t datalen = prep->datalen;
1067        char *datablob;
1068        int ret = 0;
1069
1070        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
1071                return -ENOKEY;
1072        p = key->payload.data[0];
1073        if (!p->migratable)
1074                return -EPERM;
1075        if (datalen <= 0 || datalen > 32767 || !prep->data)
1076                return -EINVAL;
1077
1078        datablob = kmalloc(datalen + 1, GFP_KERNEL);
1079        if (!datablob)
1080                return -ENOMEM;
1081        new_o = trusted_options_alloc();
1082        if (!new_o) {
1083                ret = -ENOMEM;
1084                goto out;
1085        }
1086        new_p = trusted_payload_alloc(key);
1087        if (!new_p) {
1088                ret = -ENOMEM;
1089                goto out;
1090        }
1091
1092        memcpy(datablob, prep->data, datalen);
1093        datablob[datalen] = '\0';
1094        ret = datablob_parse(datablob, new_p, new_o);
1095        if (ret != Opt_update) {
1096                ret = -EINVAL;
1097                kfree(new_p);
1098                goto out;
1099        }
1100
1101        if (!new_o->keyhandle) {
1102                ret = -EINVAL;
1103                kfree(new_p);
1104                goto out;
1105        }
1106
1107        /* copy old key values, and reseal with new pcrs */
1108        new_p->migratable = p->migratable;
1109        new_p->key_len = p->key_len;
1110        memcpy(new_p->key, p->key, p->key_len);
1111        dump_payload(p);
1112        dump_payload(new_p);
1113
1114        ret = key_seal(new_p, new_o);
1115        if (ret < 0) {
1116                pr_info("trusted_key: key_seal failed (%d)\n", ret);
1117                kfree(new_p);
1118                goto out;
1119        }
1120        if (new_o->pcrlock) {
1121                ret = pcrlock(new_o->pcrlock);
1122                if (ret < 0) {
1123                        pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1124                        kfree(new_p);
1125                        goto out;
1126                }
1127        }
1128        rcu_assign_keypointer(key, new_p);
1129        call_rcu(&p->rcu, trusted_rcu_free);
1130out:
1131        kfree(datablob);
1132        kfree(new_o);
1133        return ret;
1134}
1135
1136/*
1137 * trusted_read - copy the sealed blob data to userspace in hex.
1138 * On success, return to userspace the trusted key datablob size.
1139 */
1140static long trusted_read(const struct key *key, char __user *buffer,
1141                         size_t buflen)
1142{
1143        struct trusted_key_payload *p;
1144        char *ascii_buf;
1145        char *bufp;
1146        int i;
1147
1148        p = rcu_dereference_key(key);
1149        if (!p)
1150                return -EINVAL;
1151        if (!buffer || buflen <= 0)
1152                return 2 * p->blob_len;
1153        ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
1154        if (!ascii_buf)
1155                return -ENOMEM;
1156
1157        bufp = ascii_buf;
1158        for (i = 0; i < p->blob_len; i++)
1159                bufp = hex_byte_pack(bufp, p->blob[i]);
1160        if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
1161                kfree(ascii_buf);
1162                return -EFAULT;
1163        }
1164        kfree(ascii_buf);
1165        return 2 * p->blob_len;
1166}
1167
1168/*
1169 * trusted_destroy - before freeing the key, clear the decrypted data
1170 */
1171static void trusted_destroy(struct key *key)
1172{
1173        struct trusted_key_payload *p = key->payload.data[0];
1174
1175        if (!p)
1176                return;
1177        memset(p->key, 0, p->key_len);
1178        kfree(key->payload.data[0]);
1179}
1180
1181struct key_type key_type_trusted = {
1182        .name = "trusted",
1183        .instantiate = trusted_instantiate,
1184        .update = trusted_update,
1185        .destroy = trusted_destroy,
1186        .describe = user_describe,
1187        .read = trusted_read,
1188};
1189
1190EXPORT_SYMBOL_GPL(key_type_trusted);
1191
1192static void trusted_shash_release(void)
1193{
1194        if (hashalg)
1195                crypto_free_shash(hashalg);
1196        if (hmacalg)
1197                crypto_free_shash(hmacalg);
1198}
1199
1200static int __init trusted_shash_alloc(void)
1201{
1202        int ret;
1203
1204        hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1205        if (IS_ERR(hmacalg)) {
1206                pr_info("trusted_key: could not allocate crypto %s\n",
1207                        hmac_alg);
1208                return PTR_ERR(hmacalg);
1209        }
1210
1211        hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
1212        if (IS_ERR(hashalg)) {
1213                pr_info("trusted_key: could not allocate crypto %s\n",
1214                        hash_alg);
1215                ret = PTR_ERR(hashalg);
1216                goto hashalg_fail;
1217        }
1218
1219        return 0;
1220
1221hashalg_fail:
1222        crypto_free_shash(hmacalg);
1223        return ret;
1224}
1225
1226static int __init init_trusted(void)
1227{
1228        int ret;
1229
1230        ret = trusted_shash_alloc();
1231        if (ret < 0)
1232                return ret;
1233        ret = register_key_type(&key_type_trusted);
1234        if (ret < 0)
1235                trusted_shash_release();
1236        return ret;
1237}
1238
1239static void __exit cleanup_trusted(void)
1240{
1241        trusted_shash_release();
1242        unregister_key_type(&key_type_trusted);
1243}
1244
1245late_initcall(init_trusted);
1246module_exit(cleanup_trusted);
1247
1248MODULE_LICENSE("GPL");
1249