linux/security/keys/trusted-keys/trusted_tpm1.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2010 IBM Corporation
   4 *
   5 * Author:
   6 * David Safford <safford@us.ibm.com>
   7 *
   8 * See Documentation/security/keys/trusted-encrypted.rst
   9 */
  10
  11#include <crypto/hash_info.h>
  12#include <linux/uaccess.h>
  13#include <linux/module.h>
  14#include <linux/init.h>
  15#include <linux/slab.h>
  16#include <linux/parser.h>
  17#include <linux/string.h>
  18#include <linux/err.h>
  19#include <keys/user-type.h>
  20#include <keys/trusted-type.h>
  21#include <linux/key-type.h>
  22#include <linux/rcupdate.h>
  23#include <linux/crypto.h>
  24#include <crypto/hash.h>
  25#include <crypto/sha.h>
  26#include <linux/capability.h>
  27#include <linux/tpm.h>
  28#include <linux/tpm_command.h>
  29
  30#include <keys/trusted_tpm.h>
  31
  32static const char hmac_alg[] = "hmac(sha1)";
  33static const char hash_alg[] = "sha1";
  34static struct tpm_chip *chip;
  35static struct tpm_digest *digests;
  36
  37struct sdesc {
  38        struct shash_desc shash;
  39        char ctx[];
  40};
  41
  42static struct crypto_shash *hashalg;
  43static struct crypto_shash *hmacalg;
  44
  45static struct sdesc *init_sdesc(struct crypto_shash *alg)
  46{
  47        struct sdesc *sdesc;
  48        int size;
  49
  50        size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
  51        sdesc = kmalloc(size, GFP_KERNEL);
  52        if (!sdesc)
  53                return ERR_PTR(-ENOMEM);
  54        sdesc->shash.tfm = alg;
  55        return sdesc;
  56}
  57
  58static int TSS_sha1(const unsigned char *data, unsigned int datalen,
  59                    unsigned char *digest)
  60{
  61        struct sdesc *sdesc;
  62        int ret;
  63
  64        sdesc = init_sdesc(hashalg);
  65        if (IS_ERR(sdesc)) {
  66                pr_info("trusted_key: can't alloc %s\n", hash_alg);
  67                return PTR_ERR(sdesc);
  68        }
  69
  70        ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
  71        kzfree(sdesc);
  72        return ret;
  73}
  74
  75static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
  76                       unsigned int keylen, ...)
  77{
  78        struct sdesc *sdesc;
  79        va_list argp;
  80        unsigned int dlen;
  81        unsigned char *data;
  82        int ret;
  83
  84        sdesc = init_sdesc(hmacalg);
  85        if (IS_ERR(sdesc)) {
  86                pr_info("trusted_key: can't alloc %s\n", hmac_alg);
  87                return PTR_ERR(sdesc);
  88        }
  89
  90        ret = crypto_shash_setkey(hmacalg, key, keylen);
  91        if (ret < 0)
  92                goto out;
  93        ret = crypto_shash_init(&sdesc->shash);
  94        if (ret < 0)
  95                goto out;
  96
  97        va_start(argp, keylen);
  98        for (;;) {
  99                dlen = va_arg(argp, unsigned int);
 100                if (dlen == 0)
 101                        break;
 102                data = va_arg(argp, unsigned char *);
 103                if (data == NULL) {
 104                        ret = -EINVAL;
 105                        break;
 106                }
 107                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 108                if (ret < 0)
 109                        break;
 110        }
 111        va_end(argp);
 112        if (!ret)
 113                ret = crypto_shash_final(&sdesc->shash, digest);
 114out:
 115        kzfree(sdesc);
 116        return ret;
 117}
 118
 119/*
 120 * calculate authorization info fields to send to TPM
 121 */
 122int TSS_authhmac(unsigned char *digest, const unsigned char *key,
 123                        unsigned int keylen, unsigned char *h1,
 124                        unsigned char *h2, unsigned int h3, ...)
 125{
 126        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 127        struct sdesc *sdesc;
 128        unsigned int dlen;
 129        unsigned char *data;
 130        unsigned char c;
 131        int ret;
 132        va_list argp;
 133
 134        if (!chip)
 135                return -ENODEV;
 136
 137        sdesc = init_sdesc(hashalg);
 138        if (IS_ERR(sdesc)) {
 139                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 140                return PTR_ERR(sdesc);
 141        }
 142
 143        c = !!h3;
 144        ret = crypto_shash_init(&sdesc->shash);
 145        if (ret < 0)
 146                goto out;
 147        va_start(argp, h3);
 148        for (;;) {
 149                dlen = va_arg(argp, unsigned int);
 150                if (dlen == 0)
 151                        break;
 152                data = va_arg(argp, unsigned char *);
 153                if (!data) {
 154                        ret = -EINVAL;
 155                        break;
 156                }
 157                ret = crypto_shash_update(&sdesc->shash, data, dlen);
 158                if (ret < 0)
 159                        break;
 160        }
 161        va_end(argp);
 162        if (!ret)
 163                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 164        if (!ret)
 165                ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
 166                                  paramdigest, TPM_NONCE_SIZE, h1,
 167                                  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
 168out:
 169        kzfree(sdesc);
 170        return ret;
 171}
 172EXPORT_SYMBOL_GPL(TSS_authhmac);
 173
 174/*
 175 * verify the AUTH1_COMMAND (Seal) result from TPM
 176 */
 177int TSS_checkhmac1(unsigned char *buffer,
 178                          const uint32_t command,
 179                          const unsigned char *ononce,
 180                          const unsigned char *key,
 181                          unsigned int keylen, ...)
 182{
 183        uint32_t bufsize;
 184        uint16_t tag;
 185        uint32_t ordinal;
 186        uint32_t result;
 187        unsigned char *enonce;
 188        unsigned char *continueflag;
 189        unsigned char *authdata;
 190        unsigned char testhmac[SHA1_DIGEST_SIZE];
 191        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 192        struct sdesc *sdesc;
 193        unsigned int dlen;
 194        unsigned int dpos;
 195        va_list argp;
 196        int ret;
 197
 198        if (!chip)
 199                return -ENODEV;
 200
 201        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 202        tag = LOAD16(buffer, 0);
 203        ordinal = command;
 204        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 205        if (tag == TPM_TAG_RSP_COMMAND)
 206                return 0;
 207        if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
 208                return -EINVAL;
 209        authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
 210        continueflag = authdata - 1;
 211        enonce = continueflag - TPM_NONCE_SIZE;
 212
 213        sdesc = init_sdesc(hashalg);
 214        if (IS_ERR(sdesc)) {
 215                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 216                return PTR_ERR(sdesc);
 217        }
 218        ret = crypto_shash_init(&sdesc->shash);
 219        if (ret < 0)
 220                goto out;
 221        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 222                                  sizeof result);
 223        if (ret < 0)
 224                goto out;
 225        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 226                                  sizeof ordinal);
 227        if (ret < 0)
 228                goto out;
 229        va_start(argp, keylen);
 230        for (;;) {
 231                dlen = va_arg(argp, unsigned int);
 232                if (dlen == 0)
 233                        break;
 234                dpos = va_arg(argp, unsigned int);
 235                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 236                if (ret < 0)
 237                        break;
 238        }
 239        va_end(argp);
 240        if (!ret)
 241                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 242        if (ret < 0)
 243                goto out;
 244
 245        ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
 246                          TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
 247                          1, continueflag, 0, 0);
 248        if (ret < 0)
 249                goto out;
 250
 251        if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
 252                ret = -EINVAL;
 253out:
 254        kzfree(sdesc);
 255        return ret;
 256}
 257EXPORT_SYMBOL_GPL(TSS_checkhmac1);
 258
 259/*
 260 * verify the AUTH2_COMMAND (unseal) result from TPM
 261 */
 262static int TSS_checkhmac2(unsigned char *buffer,
 263                          const uint32_t command,
 264                          const unsigned char *ononce,
 265                          const unsigned char *key1,
 266                          unsigned int keylen1,
 267                          const unsigned char *key2,
 268                          unsigned int keylen2, ...)
 269{
 270        uint32_t bufsize;
 271        uint16_t tag;
 272        uint32_t ordinal;
 273        uint32_t result;
 274        unsigned char *enonce1;
 275        unsigned char *continueflag1;
 276        unsigned char *authdata1;
 277        unsigned char *enonce2;
 278        unsigned char *continueflag2;
 279        unsigned char *authdata2;
 280        unsigned char testhmac1[SHA1_DIGEST_SIZE];
 281        unsigned char testhmac2[SHA1_DIGEST_SIZE];
 282        unsigned char paramdigest[SHA1_DIGEST_SIZE];
 283        struct sdesc *sdesc;
 284        unsigned int dlen;
 285        unsigned int dpos;
 286        va_list argp;
 287        int ret;
 288
 289        bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
 290        tag = LOAD16(buffer, 0);
 291        ordinal = command;
 292        result = LOAD32N(buffer, TPM_RETURN_OFFSET);
 293
 294        if (tag == TPM_TAG_RSP_COMMAND)
 295                return 0;
 296        if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
 297                return -EINVAL;
 298        authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
 299                        + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
 300        authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
 301        continueflag1 = authdata1 - 1;
 302        continueflag2 = authdata2 - 1;
 303        enonce1 = continueflag1 - TPM_NONCE_SIZE;
 304        enonce2 = continueflag2 - TPM_NONCE_SIZE;
 305
 306        sdesc = init_sdesc(hashalg);
 307        if (IS_ERR(sdesc)) {
 308                pr_info("trusted_key: can't alloc %s\n", hash_alg);
 309                return PTR_ERR(sdesc);
 310        }
 311        ret = crypto_shash_init(&sdesc->shash);
 312        if (ret < 0)
 313                goto out;
 314        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
 315                                  sizeof result);
 316        if (ret < 0)
 317                goto out;
 318        ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
 319                                  sizeof ordinal);
 320        if (ret < 0)
 321                goto out;
 322
 323        va_start(argp, keylen2);
 324        for (;;) {
 325                dlen = va_arg(argp, unsigned int);
 326                if (dlen == 0)
 327                        break;
 328                dpos = va_arg(argp, unsigned int);
 329                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
 330                if (ret < 0)
 331                        break;
 332        }
 333        va_end(argp);
 334        if (!ret)
 335                ret = crypto_shash_final(&sdesc->shash, paramdigest);
 336        if (ret < 0)
 337                goto out;
 338
 339        ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
 340                          paramdigest, TPM_NONCE_SIZE, enonce1,
 341                          TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
 342        if (ret < 0)
 343                goto out;
 344        if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
 345                ret = -EINVAL;
 346                goto out;
 347        }
 348        ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
 349                          paramdigest, TPM_NONCE_SIZE, enonce2,
 350                          TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
 351        if (ret < 0)
 352                goto out;
 353        if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 354                ret = -EINVAL;
 355out:
 356        kzfree(sdesc);
 357        return ret;
 358}
 359
 360/*
 361 * For key specific tpm requests, we will generate and send our
 362 * own TPM command packets using the drivers send function.
 363 */
 364int trusted_tpm_send(unsigned char *cmd, size_t buflen)
 365{
 366        int rc;
 367
 368        if (!chip)
 369                return -ENODEV;
 370
 371        dump_tpm_buf(cmd);
 372        rc = tpm_send(chip, cmd, buflen);
 373        dump_tpm_buf(cmd);
 374        if (rc > 0)
 375                /* Can't return positive return codes values to keyctl */
 376                rc = -EPERM;
 377        return rc;
 378}
 379EXPORT_SYMBOL_GPL(trusted_tpm_send);
 380
 381/*
 382 * Lock a trusted key, by extending a selected PCR.
 383 *
 384 * Prevents a trusted key that is sealed to PCRs from being accessed.
 385 * This uses the tpm driver's extend function.
 386 */
 387static int pcrlock(const int pcrnum)
 388{
 389        if (!capable(CAP_SYS_ADMIN))
 390                return -EPERM;
 391
 392        return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0;
 393}
 394
 395/*
 396 * Create an object specific authorisation protocol (OSAP) session
 397 */
 398static int osap(struct tpm_buf *tb, struct osapsess *s,
 399                const unsigned char *key, uint16_t type, uint32_t handle)
 400{
 401        unsigned char enonce[TPM_NONCE_SIZE];
 402        unsigned char ononce[TPM_NONCE_SIZE];
 403        int ret;
 404
 405        ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
 406        if (ret != TPM_NONCE_SIZE)
 407                return ret;
 408
 409        tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP);
 410        tpm_buf_append_u16(tb, type);
 411        tpm_buf_append_u32(tb, handle);
 412        tpm_buf_append(tb, ononce, TPM_NONCE_SIZE);
 413
 414        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 415        if (ret < 0)
 416                return ret;
 417
 418        s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 419        memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
 420               TPM_NONCE_SIZE);
 421        memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
 422                                  TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
 423        return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
 424                           enonce, TPM_NONCE_SIZE, ononce, 0, 0);
 425}
 426
 427/*
 428 * Create an object independent authorisation protocol (oiap) session
 429 */
 430int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
 431{
 432        int ret;
 433
 434        if (!chip)
 435                return -ENODEV;
 436
 437        tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP);
 438        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 439        if (ret < 0)
 440                return ret;
 441
 442        *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
 443        memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
 444               TPM_NONCE_SIZE);
 445        return 0;
 446}
 447EXPORT_SYMBOL_GPL(oiap);
 448
 449struct tpm_digests {
 450        unsigned char encauth[SHA1_DIGEST_SIZE];
 451        unsigned char pubauth[SHA1_DIGEST_SIZE];
 452        unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
 453        unsigned char xorhash[SHA1_DIGEST_SIZE];
 454        unsigned char nonceodd[TPM_NONCE_SIZE];
 455};
 456
 457/*
 458 * Have the TPM seal(encrypt) the trusted key, possibly based on
 459 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
 460 */
 461static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 462                    uint32_t keyhandle, const unsigned char *keyauth,
 463                    const unsigned char *data, uint32_t datalen,
 464                    unsigned char *blob, uint32_t *bloblen,
 465                    const unsigned char *blobauth,
 466                    const unsigned char *pcrinfo, uint32_t pcrinfosize)
 467{
 468        struct osapsess sess;
 469        struct tpm_digests *td;
 470        unsigned char cont;
 471        uint32_t ordinal;
 472        uint32_t pcrsize;
 473        uint32_t datsize;
 474        int sealinfosize;
 475        int encdatasize;
 476        int storedsize;
 477        int ret;
 478        int i;
 479
 480        /* alloc some work space for all the hashes */
 481        td = kmalloc(sizeof *td, GFP_KERNEL);
 482        if (!td)
 483                return -ENOMEM;
 484
 485        /* get session for sealing key */
 486        ret = osap(tb, &sess, keyauth, keytype, keyhandle);
 487        if (ret < 0)
 488                goto out;
 489        dump_sess(&sess);
 490
 491        /* calculate encrypted authorization value */
 492        memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
 493        memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
 494        ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
 495        if (ret < 0)
 496                goto out;
 497
 498        ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
 499        if (ret != TPM_NONCE_SIZE)
 500                goto out;
 501        ordinal = htonl(TPM_ORD_SEAL);
 502        datsize = htonl(datalen);
 503        pcrsize = htonl(pcrinfosize);
 504        cont = 0;
 505
 506        /* encrypt data authorization key */
 507        for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
 508                td->encauth[i] = td->xorhash[i] ^ blobauth[i];
 509
 510        /* calculate authorization HMAC value */
 511        if (pcrinfosize == 0) {
 512                /* no pcr info specified */
 513                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 514                                   sess.enonce, td->nonceodd, cont,
 515                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 516                                   td->encauth, sizeof(uint32_t), &pcrsize,
 517                                   sizeof(uint32_t), &datsize, datalen, data, 0,
 518                                   0);
 519        } else {
 520                /* pcr info specified */
 521                ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
 522                                   sess.enonce, td->nonceodd, cont,
 523                                   sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
 524                                   td->encauth, sizeof(uint32_t), &pcrsize,
 525                                   pcrinfosize, pcrinfo, sizeof(uint32_t),
 526                                   &datsize, datalen, data, 0, 0);
 527        }
 528        if (ret < 0)
 529                goto out;
 530
 531        /* build and send the TPM request packet */
 532        tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL);
 533        tpm_buf_append_u32(tb, keyhandle);
 534        tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE);
 535        tpm_buf_append_u32(tb, pcrinfosize);
 536        tpm_buf_append(tb, pcrinfo, pcrinfosize);
 537        tpm_buf_append_u32(tb, datalen);
 538        tpm_buf_append(tb, data, datalen);
 539        tpm_buf_append_u32(tb, sess.handle);
 540        tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE);
 541        tpm_buf_append_u8(tb, cont);
 542        tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE);
 543
 544        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 545        if (ret < 0)
 546                goto out;
 547
 548        /* calculate the size of the returned Blob */
 549        sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
 550        encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
 551                             sizeof(uint32_t) + sealinfosize);
 552        storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
 553            sizeof(uint32_t) + encdatasize;
 554
 555        /* check the HMAC in the response */
 556        ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
 557                             SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
 558                             0);
 559
 560        /* copy the returned blob to caller */
 561        if (!ret) {
 562                memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
 563                *bloblen = storedsize;
 564        }
 565out:
 566        kzfree(td);
 567        return ret;
 568}
 569
 570/*
 571 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
 572 */
 573static int tpm_unseal(struct tpm_buf *tb,
 574                      uint32_t keyhandle, const unsigned char *keyauth,
 575                      const unsigned char *blob, int bloblen,
 576                      const unsigned char *blobauth,
 577                      unsigned char *data, unsigned int *datalen)
 578{
 579        unsigned char nonceodd[TPM_NONCE_SIZE];
 580        unsigned char enonce1[TPM_NONCE_SIZE];
 581        unsigned char enonce2[TPM_NONCE_SIZE];
 582        unsigned char authdata1[SHA1_DIGEST_SIZE];
 583        unsigned char authdata2[SHA1_DIGEST_SIZE];
 584        uint32_t authhandle1 = 0;
 585        uint32_t authhandle2 = 0;
 586        unsigned char cont = 0;
 587        uint32_t ordinal;
 588        int ret;
 589
 590        /* sessions for unsealing key and data */
 591        ret = oiap(tb, &authhandle1, enonce1);
 592        if (ret < 0) {
 593                pr_info("trusted_key: oiap failed (%d)\n", ret);
 594                return ret;
 595        }
 596        ret = oiap(tb, &authhandle2, enonce2);
 597        if (ret < 0) {
 598                pr_info("trusted_key: oiap failed (%d)\n", ret);
 599                return ret;
 600        }
 601
 602        ordinal = htonl(TPM_ORD_UNSEAL);
 603        ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
 604        if (ret != TPM_NONCE_SIZE) {
 605                pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
 606                return ret;
 607        }
 608        ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
 609                           enonce1, nonceodd, cont, sizeof(uint32_t),
 610                           &ordinal, bloblen, blob, 0, 0);
 611        if (ret < 0)
 612                return ret;
 613        ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
 614                           enonce2, nonceodd, cont, sizeof(uint32_t),
 615                           &ordinal, bloblen, blob, 0, 0);
 616        if (ret < 0)
 617                return ret;
 618
 619        /* build and send TPM request packet */
 620        tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL);
 621        tpm_buf_append_u32(tb, keyhandle);
 622        tpm_buf_append(tb, blob, bloblen);
 623        tpm_buf_append_u32(tb, authhandle1);
 624        tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
 625        tpm_buf_append_u8(tb, cont);
 626        tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE);
 627        tpm_buf_append_u32(tb, authhandle2);
 628        tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
 629        tpm_buf_append_u8(tb, cont);
 630        tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE);
 631
 632        ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 633        if (ret < 0) {
 634                pr_info("trusted_key: authhmac failed (%d)\n", ret);
 635                return ret;
 636        }
 637
 638        *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
 639        ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
 640                             keyauth, SHA1_DIGEST_SIZE,
 641                             blobauth, SHA1_DIGEST_SIZE,
 642                             sizeof(uint32_t), TPM_DATA_OFFSET,
 643                             *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
 644                             0);
 645        if (ret < 0) {
 646                pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
 647                return ret;
 648        }
 649        memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
 650        return 0;
 651}
 652
 653/*
 654 * Have the TPM seal(encrypt) the symmetric key
 655 */
 656static int key_seal(struct trusted_key_payload *p,
 657                    struct trusted_key_options *o)
 658{
 659        struct tpm_buf tb;
 660        int ret;
 661
 662        ret = tpm_buf_init(&tb, 0, 0);
 663        if (ret)
 664                return ret;
 665
 666        /* include migratable flag at end of sealed key */
 667        p->key[p->key_len] = p->migratable;
 668
 669        ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth,
 670                       p->key, p->key_len + 1, p->blob, &p->blob_len,
 671                       o->blobauth, o->pcrinfo, o->pcrinfo_len);
 672        if (ret < 0)
 673                pr_info("trusted_key: srkseal failed (%d)\n", ret);
 674
 675        tpm_buf_destroy(&tb);
 676        return ret;
 677}
 678
 679/*
 680 * Have the TPM unseal(decrypt) the symmetric key
 681 */
 682static int key_unseal(struct trusted_key_payload *p,
 683                      struct trusted_key_options *o)
 684{
 685        struct tpm_buf tb;
 686        int ret;
 687
 688        ret = tpm_buf_init(&tb, 0, 0);
 689        if (ret)
 690                return ret;
 691
 692        ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
 693                         o->blobauth, p->key, &p->key_len);
 694        if (ret < 0)
 695                pr_info("trusted_key: srkunseal failed (%d)\n", ret);
 696        else
 697                /* pull migratable flag out of sealed key */
 698                p->migratable = p->key[--p->key_len];
 699
 700        tpm_buf_destroy(&tb);
 701        return ret;
 702}
 703
 704enum {
 705        Opt_err,
 706        Opt_new, Opt_load, Opt_update,
 707        Opt_keyhandle, Opt_keyauth, Opt_blobauth,
 708        Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
 709        Opt_hash,
 710        Opt_policydigest,
 711        Opt_policyhandle,
 712};
 713
 714static const match_table_t key_tokens = {
 715        {Opt_new, "new"},
 716        {Opt_load, "load"},
 717        {Opt_update, "update"},
 718        {Opt_keyhandle, "keyhandle=%s"},
 719        {Opt_keyauth, "keyauth=%s"},
 720        {Opt_blobauth, "blobauth=%s"},
 721        {Opt_pcrinfo, "pcrinfo=%s"},
 722        {Opt_pcrlock, "pcrlock=%s"},
 723        {Opt_migratable, "migratable=%s"},
 724        {Opt_hash, "hash=%s"},
 725        {Opt_policydigest, "policydigest=%s"},
 726        {Opt_policyhandle, "policyhandle=%s"},
 727        {Opt_err, NULL}
 728};
 729
 730/* can have zero or more token= options */
 731static int getoptions(char *c, struct trusted_key_payload *pay,
 732                      struct trusted_key_options *opt)
 733{
 734        substring_t args[MAX_OPT_ARGS];
 735        char *p = c;
 736        int token;
 737        int res;
 738        unsigned long handle;
 739        unsigned long lock;
 740        unsigned long token_mask = 0;
 741        unsigned int digest_len;
 742        int i;
 743        int tpm2;
 744
 745        tpm2 = tpm_is_tpm2(chip);
 746        if (tpm2 < 0)
 747                return tpm2;
 748
 749        opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
 750
 751        while ((p = strsep(&c, " \t"))) {
 752                if (*p == '\0' || *p == ' ' || *p == '\t')
 753                        continue;
 754                token = match_token(p, key_tokens, args);
 755                if (test_and_set_bit(token, &token_mask))
 756                        return -EINVAL;
 757
 758                switch (token) {
 759                case Opt_pcrinfo:
 760                        opt->pcrinfo_len = strlen(args[0].from) / 2;
 761                        if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
 762                                return -EINVAL;
 763                        res = hex2bin(opt->pcrinfo, args[0].from,
 764                                      opt->pcrinfo_len);
 765                        if (res < 0)
 766                                return -EINVAL;
 767                        break;
 768                case Opt_keyhandle:
 769                        res = kstrtoul(args[0].from, 16, &handle);
 770                        if (res < 0)
 771                                return -EINVAL;
 772                        opt->keytype = SEAL_keytype;
 773                        opt->keyhandle = handle;
 774                        break;
 775                case Opt_keyauth:
 776                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 777                                return -EINVAL;
 778                        res = hex2bin(opt->keyauth, args[0].from,
 779                                      SHA1_DIGEST_SIZE);
 780                        if (res < 0)
 781                                return -EINVAL;
 782                        break;
 783                case Opt_blobauth:
 784                        if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
 785                                return -EINVAL;
 786                        res = hex2bin(opt->blobauth, args[0].from,
 787                                      SHA1_DIGEST_SIZE);
 788                        if (res < 0)
 789                                return -EINVAL;
 790                        break;
 791                case Opt_migratable:
 792                        if (*args[0].from == '0')
 793                                pay->migratable = 0;
 794                        else
 795                                return -EINVAL;
 796                        break;
 797                case Opt_pcrlock:
 798                        res = kstrtoul(args[0].from, 10, &lock);
 799                        if (res < 0)
 800                                return -EINVAL;
 801                        opt->pcrlock = lock;
 802                        break;
 803                case Opt_hash:
 804                        if (test_bit(Opt_policydigest, &token_mask))
 805                                return -EINVAL;
 806                        for (i = 0; i < HASH_ALGO__LAST; i++) {
 807                                if (!strcmp(args[0].from, hash_algo_name[i])) {
 808                                        opt->hash = i;
 809                                        break;
 810                                }
 811                        }
 812                        if (i == HASH_ALGO__LAST)
 813                                return -EINVAL;
 814                        if  (!tpm2 && i != HASH_ALGO_SHA1) {
 815                                pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
 816                                return -EINVAL;
 817                        }
 818                        break;
 819                case Opt_policydigest:
 820                        digest_len = hash_digest_size[opt->hash];
 821                        if (!tpm2 || strlen(args[0].from) != (2 * digest_len))
 822                                return -EINVAL;
 823                        res = hex2bin(opt->policydigest, args[0].from,
 824                                      digest_len);
 825                        if (res < 0)
 826                                return -EINVAL;
 827                        opt->policydigest_len = digest_len;
 828                        break;
 829                case Opt_policyhandle:
 830                        if (!tpm2)
 831                                return -EINVAL;
 832                        res = kstrtoul(args[0].from, 16, &handle);
 833                        if (res < 0)
 834                                return -EINVAL;
 835                        opt->policyhandle = handle;
 836                        break;
 837                default:
 838                        return -EINVAL;
 839                }
 840        }
 841        return 0;
 842}
 843
 844/*
 845 * datablob_parse - parse the keyctl data and fill in the
 846 *                  payload and options structures
 847 *
 848 * On success returns 0, otherwise -EINVAL.
 849 */
 850static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 851                          struct trusted_key_options *o)
 852{
 853        substring_t args[MAX_OPT_ARGS];
 854        long keylen;
 855        int ret = -EINVAL;
 856        int key_cmd;
 857        char *c;
 858
 859        /* main command */
 860        c = strsep(&datablob, " \t");
 861        if (!c)
 862                return -EINVAL;
 863        key_cmd = match_token(c, key_tokens, args);
 864        switch (key_cmd) {
 865        case Opt_new:
 866                /* first argument is key size */
 867                c = strsep(&datablob, " \t");
 868                if (!c)
 869                        return -EINVAL;
 870                ret = kstrtol(c, 10, &keylen);
 871                if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 872                        return -EINVAL;
 873                p->key_len = keylen;
 874                ret = getoptions(datablob, p, o);
 875                if (ret < 0)
 876                        return ret;
 877                ret = Opt_new;
 878                break;
 879        case Opt_load:
 880                /* first argument is sealed blob */
 881                c = strsep(&datablob, " \t");
 882                if (!c)
 883                        return -EINVAL;
 884                p->blob_len = strlen(c) / 2;
 885                if (p->blob_len > MAX_BLOB_SIZE)
 886                        return -EINVAL;
 887                ret = hex2bin(p->blob, c, p->blob_len);
 888                if (ret < 0)
 889                        return -EINVAL;
 890                ret = getoptions(datablob, p, o);
 891                if (ret < 0)
 892                        return ret;
 893                ret = Opt_load;
 894                break;
 895        case Opt_update:
 896                /* all arguments are options */
 897                ret = getoptions(datablob, p, o);
 898                if (ret < 0)
 899                        return ret;
 900                ret = Opt_update;
 901                break;
 902        case Opt_err:
 903                return -EINVAL;
 904                break;
 905        }
 906        return ret;
 907}
 908
 909static struct trusted_key_options *trusted_options_alloc(void)
 910{
 911        struct trusted_key_options *options;
 912        int tpm2;
 913
 914        tpm2 = tpm_is_tpm2(chip);
 915        if (tpm2 < 0)
 916                return NULL;
 917
 918        options = kzalloc(sizeof *options, GFP_KERNEL);
 919        if (options) {
 920                /* set any non-zero defaults */
 921                options->keytype = SRK_keytype;
 922
 923                if (!tpm2)
 924                        options->keyhandle = SRKHANDLE;
 925        }
 926        return options;
 927}
 928
 929static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
 930{
 931        struct trusted_key_payload *p = NULL;
 932        int ret;
 933
 934        ret = key_payload_reserve(key, sizeof *p);
 935        if (ret < 0)
 936                return p;
 937        p = kzalloc(sizeof *p, GFP_KERNEL);
 938        if (p)
 939                p->migratable = 1; /* migratable by default */
 940        return p;
 941}
 942
 943/*
 944 * trusted_instantiate - create a new trusted key
 945 *
 946 * Unseal an existing trusted blob or, for a new key, get a
 947 * random key, then seal and create a trusted key-type key,
 948 * adding it to the specified keyring.
 949 *
 950 * On success, return 0. Otherwise return errno.
 951 */
 952static int trusted_instantiate(struct key *key,
 953                               struct key_preparsed_payload *prep)
 954{
 955        struct trusted_key_payload *payload = NULL;
 956        struct trusted_key_options *options = NULL;
 957        size_t datalen = prep->datalen;
 958        char *datablob;
 959        int ret = 0;
 960        int key_cmd;
 961        size_t key_len;
 962        int tpm2;
 963
 964        tpm2 = tpm_is_tpm2(chip);
 965        if (tpm2 < 0)
 966                return tpm2;
 967
 968        if (datalen <= 0 || datalen > 32767 || !prep->data)
 969                return -EINVAL;
 970
 971        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 972        if (!datablob)
 973                return -ENOMEM;
 974        memcpy(datablob, prep->data, datalen);
 975        datablob[datalen] = '\0';
 976
 977        options = trusted_options_alloc();
 978        if (!options) {
 979                ret = -ENOMEM;
 980                goto out;
 981        }
 982        payload = trusted_payload_alloc(key);
 983        if (!payload) {
 984                ret = -ENOMEM;
 985                goto out;
 986        }
 987
 988        key_cmd = datablob_parse(datablob, payload, options);
 989        if (key_cmd < 0) {
 990                ret = key_cmd;
 991                goto out;
 992        }
 993
 994        if (!options->keyhandle) {
 995                ret = -EINVAL;
 996                goto out;
 997        }
 998
 999        dump_payload(payload);
1000        dump_options(options);
1001
1002        switch (key_cmd) {
1003        case Opt_load:
1004                if (tpm2)
1005                        ret = tpm2_unseal_trusted(chip, payload, options);
1006                else
1007                        ret = key_unseal(payload, options);
1008                dump_payload(payload);
1009                dump_options(options);
1010                if (ret < 0)
1011                        pr_info("trusted_key: key_unseal failed (%d)\n", ret);
1012                break;
1013        case Opt_new:
1014                key_len = payload->key_len;
1015                ret = tpm_get_random(chip, payload->key, key_len);
1016                if (ret != key_len) {
1017                        pr_info("trusted_key: key_create failed (%d)\n", ret);
1018                        goto out;
1019                }
1020                if (tpm2)
1021                        ret = tpm2_seal_trusted(chip, payload, options);
1022                else
1023                        ret = key_seal(payload, options);
1024                if (ret < 0)
1025                        pr_info("trusted_key: key_seal failed (%d)\n", ret);
1026                break;
1027        default:
1028                ret = -EINVAL;
1029                goto out;
1030        }
1031        if (!ret && options->pcrlock)
1032                ret = pcrlock(options->pcrlock);
1033out:
1034        kzfree(datablob);
1035        kzfree(options);
1036        if (!ret)
1037                rcu_assign_keypointer(key, payload);
1038        else
1039                kzfree(payload);
1040        return ret;
1041}
1042
1043static void trusted_rcu_free(struct rcu_head *rcu)
1044{
1045        struct trusted_key_payload *p;
1046
1047        p = container_of(rcu, struct trusted_key_payload, rcu);
1048        kzfree(p);
1049}
1050
1051/*
1052 * trusted_update - reseal an existing key with new PCR values
1053 */
1054static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
1055{
1056        struct trusted_key_payload *p;
1057        struct trusted_key_payload *new_p;
1058        struct trusted_key_options *new_o;
1059        size_t datalen = prep->datalen;
1060        char *datablob;
1061        int ret = 0;
1062
1063        if (key_is_negative(key))
1064                return -ENOKEY;
1065        p = key->payload.data[0];
1066        if (!p->migratable)
1067                return -EPERM;
1068        if (datalen <= 0 || datalen > 32767 || !prep->data)
1069                return -EINVAL;
1070
1071        datablob = kmalloc(datalen + 1, GFP_KERNEL);
1072        if (!datablob)
1073                return -ENOMEM;
1074        new_o = trusted_options_alloc();
1075        if (!new_o) {
1076                ret = -ENOMEM;
1077                goto out;
1078        }
1079        new_p = trusted_payload_alloc(key);
1080        if (!new_p) {
1081                ret = -ENOMEM;
1082                goto out;
1083        }
1084
1085        memcpy(datablob, prep->data, datalen);
1086        datablob[datalen] = '\0';
1087        ret = datablob_parse(datablob, new_p, new_o);
1088        if (ret != Opt_update) {
1089                ret = -EINVAL;
1090                kzfree(new_p);
1091                goto out;
1092        }
1093
1094        if (!new_o->keyhandle) {
1095                ret = -EINVAL;
1096                kzfree(new_p);
1097                goto out;
1098        }
1099
1100        /* copy old key values, and reseal with new pcrs */
1101        new_p->migratable = p->migratable;
1102        new_p->key_len = p->key_len;
1103        memcpy(new_p->key, p->key, p->key_len);
1104        dump_payload(p);
1105        dump_payload(new_p);
1106
1107        ret = key_seal(new_p, new_o);
1108        if (ret < 0) {
1109                pr_info("trusted_key: key_seal failed (%d)\n", ret);
1110                kzfree(new_p);
1111                goto out;
1112        }
1113        if (new_o->pcrlock) {
1114                ret = pcrlock(new_o->pcrlock);
1115                if (ret < 0) {
1116                        pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1117                        kzfree(new_p);
1118                        goto out;
1119                }
1120        }
1121        rcu_assign_keypointer(key, new_p);
1122        call_rcu(&p->rcu, trusted_rcu_free);
1123out:
1124        kzfree(datablob);
1125        kzfree(new_o);
1126        return ret;
1127}
1128
1129/*
1130 * trusted_read - copy the sealed blob data to userspace in hex.
1131 * On success, return to userspace the trusted key datablob size.
1132 */
1133static long trusted_read(const struct key *key, char *buffer,
1134                         size_t buflen)
1135{
1136        const struct trusted_key_payload *p;
1137        char *bufp;
1138        int i;
1139
1140        p = dereference_key_locked(key);
1141        if (!p)
1142                return -EINVAL;
1143
1144        if (buffer && buflen >= 2 * p->blob_len) {
1145                bufp = buffer;
1146                for (i = 0; i < p->blob_len; i++)
1147                        bufp = hex_byte_pack(bufp, p->blob[i]);
1148        }
1149        return 2 * p->blob_len;
1150}
1151
1152/*
1153 * trusted_destroy - clear and free the key's payload
1154 */
1155static void trusted_destroy(struct key *key)
1156{
1157        kzfree(key->payload.data[0]);
1158}
1159
1160struct key_type key_type_trusted = {
1161        .name = "trusted",
1162        .instantiate = trusted_instantiate,
1163        .update = trusted_update,
1164        .destroy = trusted_destroy,
1165        .describe = user_describe,
1166        .read = trusted_read,
1167};
1168
1169EXPORT_SYMBOL_GPL(key_type_trusted);
1170
1171static void trusted_shash_release(void)
1172{
1173        if (hashalg)
1174                crypto_free_shash(hashalg);
1175        if (hmacalg)
1176                crypto_free_shash(hmacalg);
1177}
1178
1179static int __init trusted_shash_alloc(void)
1180{
1181        int ret;
1182
1183        hmacalg = crypto_alloc_shash(hmac_alg, 0, 0);
1184        if (IS_ERR(hmacalg)) {
1185                pr_info("trusted_key: could not allocate crypto %s\n",
1186                        hmac_alg);
1187                return PTR_ERR(hmacalg);
1188        }
1189
1190        hashalg = crypto_alloc_shash(hash_alg, 0, 0);
1191        if (IS_ERR(hashalg)) {
1192                pr_info("trusted_key: could not allocate crypto %s\n",
1193                        hash_alg);
1194                ret = PTR_ERR(hashalg);
1195                goto hashalg_fail;
1196        }
1197
1198        return 0;
1199
1200hashalg_fail:
1201        crypto_free_shash(hmacalg);
1202        return ret;
1203}
1204
1205static int __init init_digests(void)
1206{
1207        int i;
1208
1209        digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests),
1210                          GFP_KERNEL);
1211        if (!digests)
1212                return -ENOMEM;
1213
1214        for (i = 0; i < chip->nr_allocated_banks; i++)
1215                digests[i].alg_id = chip->allocated_banks[i].alg_id;
1216
1217        return 0;
1218}
1219
1220static int __init init_trusted(void)
1221{
1222        int ret;
1223
1224        /* encrypted_keys.ko depends on successful load of this module even if
1225         * TPM is not used.
1226         */
1227        chip = tpm_default_chip();
1228        if (!chip)
1229                return 0;
1230
1231        ret = init_digests();
1232        if (ret < 0)
1233                goto err_put;
1234        ret = trusted_shash_alloc();
1235        if (ret < 0)
1236                goto err_free;
1237        ret = register_key_type(&key_type_trusted);
1238        if (ret < 0)
1239                goto err_release;
1240        return 0;
1241err_release:
1242        trusted_shash_release();
1243err_free:
1244        kfree(digests);
1245err_put:
1246        put_device(&chip->dev);
1247        return ret;
1248}
1249
1250static void __exit cleanup_trusted(void)
1251{
1252        if (chip) {
1253                put_device(&chip->dev);
1254                kfree(digests);
1255                trusted_shash_release();
1256                unregister_key_type(&key_type_trusted);
1257        }
1258}
1259
1260late_initcall(init_trusted);
1261module_exit(cleanup_trusted);
1262
1263MODULE_LICENSE("GPL");
1264