1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (C) 2010 IBM Corporation 4 * 5 * Author: 6 * David Safford <safford@us.ibm.com> 7 * 8 * See Documentation/security/keys/trusted-encrypted.rst 9 */ 10 11#include <crypto/hash_info.h> 12#include <linux/uaccess.h> 13#include <linux/module.h> 14#include <linux/init.h> 15#include <linux/slab.h> 16#include <linux/parser.h> 17#include <linux/string.h> 18#include <linux/err.h> 19#include <keys/user-type.h> 20#include <keys/trusted-type.h> 21#include <linux/key-type.h> 22#include <linux/rcupdate.h> 23#include <linux/crypto.h> 24#include <crypto/hash.h> 25#include <crypto/sha.h> 26#include <linux/capability.h> 27#include <linux/tpm.h> 28#include <linux/tpm_command.h> 29 30#include <keys/trusted_tpm.h> 31 32static const char hmac_alg[] = "hmac(sha1)"; 33static const char hash_alg[] = "sha1"; 34static struct tpm_chip *chip; 35static struct tpm_digest *digests; 36 37struct sdesc { 38 struct shash_desc shash; 39 char ctx[]; 40}; 41 42static struct crypto_shash *hashalg; 43static struct crypto_shash *hmacalg; 44 45static struct sdesc *init_sdesc(struct crypto_shash *alg) 46{ 47 struct sdesc *sdesc; 48 int size; 49 50 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 51 sdesc = kmalloc(size, GFP_KERNEL); 52 if (!sdesc) 53 return ERR_PTR(-ENOMEM); 54 sdesc->shash.tfm = alg; 55 return sdesc; 56} 57 58static int TSS_sha1(const unsigned char *data, unsigned int datalen, 59 unsigned char *digest) 60{ 61 struct sdesc *sdesc; 62 int ret; 63 64 sdesc = init_sdesc(hashalg); 65 if (IS_ERR(sdesc)) { 66 pr_info("trusted_key: can't alloc %s\n", hash_alg); 67 return PTR_ERR(sdesc); 68 } 69 70 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 71 kfree_sensitive(sdesc); 72 return ret; 73} 74 75static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 76 unsigned int keylen, ...) 77{ 78 struct sdesc *sdesc; 79 va_list argp; 80 unsigned int dlen; 81 unsigned char *data; 82 int ret; 83 84 sdesc = init_sdesc(hmacalg); 85 if (IS_ERR(sdesc)) { 86 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 87 return PTR_ERR(sdesc); 88 } 89 90 ret = crypto_shash_setkey(hmacalg, key, keylen); 91 if (ret < 0) 92 goto out; 93 ret = crypto_shash_init(&sdesc->shash); 94 if (ret < 0) 95 goto out; 96 97 va_start(argp, keylen); 98 for (;;) { 99 dlen = va_arg(argp, unsigned int); 100 if (dlen == 0) 101 break; 102 data = va_arg(argp, unsigned char *); 103 if (data == NULL) { 104 ret = -EINVAL; 105 break; 106 } 107 ret = crypto_shash_update(&sdesc->shash, data, dlen); 108 if (ret < 0) 109 break; 110 } 111 va_end(argp); 112 if (!ret) 113 ret = crypto_shash_final(&sdesc->shash, digest); 114out: 115 kfree_sensitive(sdesc); 116 return ret; 117} 118 119/* 120 * calculate authorization info fields to send to TPM 121 */ 122int TSS_authhmac(unsigned char *digest, const unsigned char *key, 123 unsigned int keylen, unsigned char *h1, 124 unsigned char *h2, unsigned int h3, ...) 125{ 126 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 127 struct sdesc *sdesc; 128 unsigned int dlen; 129 unsigned char *data; 130 unsigned char c; 131 int ret; 132 va_list argp; 133 134 if (!chip) 135 return -ENODEV; 136 137 sdesc = init_sdesc(hashalg); 138 if (IS_ERR(sdesc)) { 139 pr_info("trusted_key: can't alloc %s\n", hash_alg); 140 return PTR_ERR(sdesc); 141 } 142 143 c = !!h3; 144 ret = crypto_shash_init(&sdesc->shash); 145 if (ret < 0) 146 goto out; 147 va_start(argp, h3); 148 for (;;) { 149 dlen = va_arg(argp, unsigned int); 150 if (dlen == 0) 151 break; 152 data = va_arg(argp, unsigned char *); 153 if (!data) { 154 ret = -EINVAL; 155 break; 156 } 157 ret = crypto_shash_update(&sdesc->shash, data, dlen); 158 if (ret < 0) 159 break; 160 } 161 va_end(argp); 162 if (!ret) 163 ret = crypto_shash_final(&sdesc->shash, paramdigest); 164 if (!ret) 165 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 166 paramdigest, TPM_NONCE_SIZE, h1, 167 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 168out: 169 kfree_sensitive(sdesc); 170 return ret; 171} 172EXPORT_SYMBOL_GPL(TSS_authhmac); 173 174/* 175 * verify the AUTH1_COMMAND (Seal) result from TPM 176 */ 177int TSS_checkhmac1(unsigned char *buffer, 178 const uint32_t command, 179 const unsigned char *ononce, 180 const unsigned char *key, 181 unsigned int keylen, ...) 182{ 183 uint32_t bufsize; 184 uint16_t tag; 185 uint32_t ordinal; 186 uint32_t result; 187 unsigned char *enonce; 188 unsigned char *continueflag; 189 unsigned char *authdata; 190 unsigned char testhmac[SHA1_DIGEST_SIZE]; 191 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 192 struct sdesc *sdesc; 193 unsigned int dlen; 194 unsigned int dpos; 195 va_list argp; 196 int ret; 197 198 if (!chip) 199 return -ENODEV; 200 201 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 202 tag = LOAD16(buffer, 0); 203 ordinal = command; 204 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 205 if (tag == TPM_TAG_RSP_COMMAND) 206 return 0; 207 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 208 return -EINVAL; 209 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 210 continueflag = authdata - 1; 211 enonce = continueflag - TPM_NONCE_SIZE; 212 213 sdesc = init_sdesc(hashalg); 214 if (IS_ERR(sdesc)) { 215 pr_info("trusted_key: can't alloc %s\n", hash_alg); 216 return PTR_ERR(sdesc); 217 } 218 ret = crypto_shash_init(&sdesc->shash); 219 if (ret < 0) 220 goto out; 221 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 222 sizeof result); 223 if (ret < 0) 224 goto out; 225 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 226 sizeof ordinal); 227 if (ret < 0) 228 goto out; 229 va_start(argp, keylen); 230 for (;;) { 231 dlen = va_arg(argp, unsigned int); 232 if (dlen == 0) 233 break; 234 dpos = va_arg(argp, unsigned int); 235 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 236 if (ret < 0) 237 break; 238 } 239 va_end(argp); 240 if (!ret) 241 ret = crypto_shash_final(&sdesc->shash, paramdigest); 242 if (ret < 0) 243 goto out; 244 245 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 246 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 247 1, continueflag, 0, 0); 248 if (ret < 0) 249 goto out; 250 251 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 252 ret = -EINVAL; 253out: 254 kfree_sensitive(sdesc); 255 return ret; 256} 257EXPORT_SYMBOL_GPL(TSS_checkhmac1); 258 259/* 260 * verify the AUTH2_COMMAND (unseal) result from TPM 261 */ 262static int TSS_checkhmac2(unsigned char *buffer, 263 const uint32_t command, 264 const unsigned char *ononce, 265 const unsigned char *key1, 266 unsigned int keylen1, 267 const unsigned char *key2, 268 unsigned int keylen2, ...) 269{ 270 uint32_t bufsize; 271 uint16_t tag; 272 uint32_t ordinal; 273 uint32_t result; 274 unsigned char *enonce1; 275 unsigned char *continueflag1; 276 unsigned char *authdata1; 277 unsigned char *enonce2; 278 unsigned char *continueflag2; 279 unsigned char *authdata2; 280 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 281 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 282 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 283 struct sdesc *sdesc; 284 unsigned int dlen; 285 unsigned int dpos; 286 va_list argp; 287 int ret; 288 289 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 290 tag = LOAD16(buffer, 0); 291 ordinal = command; 292 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 293 294 if (tag == TPM_TAG_RSP_COMMAND) 295 return 0; 296 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 297 return -EINVAL; 298 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 299 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 300 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 301 continueflag1 = authdata1 - 1; 302 continueflag2 = authdata2 - 1; 303 enonce1 = continueflag1 - TPM_NONCE_SIZE; 304 enonce2 = continueflag2 - TPM_NONCE_SIZE; 305 306 sdesc = init_sdesc(hashalg); 307 if (IS_ERR(sdesc)) { 308 pr_info("trusted_key: can't alloc %s\n", hash_alg); 309 return PTR_ERR(sdesc); 310 } 311 ret = crypto_shash_init(&sdesc->shash); 312 if (ret < 0) 313 goto out; 314 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 315 sizeof result); 316 if (ret < 0) 317 goto out; 318 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 319 sizeof ordinal); 320 if (ret < 0) 321 goto out; 322 323 va_start(argp, keylen2); 324 for (;;) { 325 dlen = va_arg(argp, unsigned int); 326 if (dlen == 0) 327 break; 328 dpos = va_arg(argp, unsigned int); 329 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 330 if (ret < 0) 331 break; 332 } 333 va_end(argp); 334 if (!ret) 335 ret = crypto_shash_final(&sdesc->shash, paramdigest); 336 if (ret < 0) 337 goto out; 338 339 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 340 paramdigest, TPM_NONCE_SIZE, enonce1, 341 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 342 if (ret < 0) 343 goto out; 344 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 345 ret = -EINVAL; 346 goto out; 347 } 348 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 349 paramdigest, TPM_NONCE_SIZE, enonce2, 350 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 351 if (ret < 0) 352 goto out; 353 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 354 ret = -EINVAL; 355out: 356 kfree_sensitive(sdesc); 357 return ret; 358} 359 360/* 361 * For key specific tpm requests, we will generate and send our 362 * own TPM command packets using the drivers send function. 363 */ 364int trusted_tpm_send(unsigned char *cmd, size_t buflen) 365{ 366 int rc; 367 368 if (!chip) 369 return -ENODEV; 370 371 dump_tpm_buf(cmd); 372 rc = tpm_send(chip, cmd, buflen); 373 dump_tpm_buf(cmd); 374 if (rc > 0) 375 /* Can't return positive return codes values to keyctl */ 376 rc = -EPERM; 377 return rc; 378} 379EXPORT_SYMBOL_GPL(trusted_tpm_send); 380 381/* 382 * Lock a trusted key, by extending a selected PCR. 383 * 384 * Prevents a trusted key that is sealed to PCRs from being accessed. 385 * This uses the tpm driver's extend function. 386 */ 387static int pcrlock(const int pcrnum) 388{ 389 if (!capable(CAP_SYS_ADMIN)) 390 return -EPERM; 391 392 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 393} 394 395/* 396 * Create an object specific authorisation protocol (OSAP) session 397 */ 398static int osap(struct tpm_buf *tb, struct osapsess *s, 399 const unsigned char *key, uint16_t type, uint32_t handle) 400{ 401 unsigned char enonce[TPM_NONCE_SIZE]; 402 unsigned char ononce[TPM_NONCE_SIZE]; 403 int ret; 404 405 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 406 if (ret < 0) 407 return ret; 408 409 if (ret != TPM_NONCE_SIZE) 410 return -EIO; 411 412 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP); 413 tpm_buf_append_u16(tb, type); 414 tpm_buf_append_u32(tb, handle); 415 tpm_buf_append(tb, ononce, TPM_NONCE_SIZE); 416 417 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 418 if (ret < 0) 419 return ret; 420 421 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 422 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 423 TPM_NONCE_SIZE); 424 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 425 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 426 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 427 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 428} 429 430/* 431 * Create an object independent authorisation protocol (oiap) session 432 */ 433int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 434{ 435 int ret; 436 437 if (!chip) 438 return -ENODEV; 439 440 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP); 441 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 442 if (ret < 0) 443 return ret; 444 445 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 446 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 447 TPM_NONCE_SIZE); 448 return 0; 449} 450EXPORT_SYMBOL_GPL(oiap); 451 452struct tpm_digests { 453 unsigned char encauth[SHA1_DIGEST_SIZE]; 454 unsigned char pubauth[SHA1_DIGEST_SIZE]; 455 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 456 unsigned char xorhash[SHA1_DIGEST_SIZE]; 457 unsigned char nonceodd[TPM_NONCE_SIZE]; 458}; 459 460/* 461 * Have the TPM seal(encrypt) the trusted key, possibly based on 462 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 463 */ 464static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 465 uint32_t keyhandle, const unsigned char *keyauth, 466 const unsigned char *data, uint32_t datalen, 467 unsigned char *blob, uint32_t *bloblen, 468 const unsigned char *blobauth, 469 const unsigned char *pcrinfo, uint32_t pcrinfosize) 470{ 471 struct osapsess sess; 472 struct tpm_digests *td; 473 unsigned char cont; 474 uint32_t ordinal; 475 uint32_t pcrsize; 476 uint32_t datsize; 477 int sealinfosize; 478 int encdatasize; 479 int storedsize; 480 int ret; 481 int i; 482 483 /* alloc some work space for all the hashes */ 484 td = kmalloc(sizeof *td, GFP_KERNEL); 485 if (!td) 486 return -ENOMEM; 487 488 /* get session for sealing key */ 489 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 490 if (ret < 0) 491 goto out; 492 dump_sess(&sess); 493 494 /* calculate encrypted authorization value */ 495 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 496 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 497 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 498 if (ret < 0) 499 goto out; 500 501 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 502 if (ret < 0) 503 goto out; 504 505 if (ret != TPM_NONCE_SIZE) { 506 ret = -EIO; 507 goto out; 508 } 509 510 ordinal = htonl(TPM_ORD_SEAL); 511 datsize = htonl(datalen); 512 pcrsize = htonl(pcrinfosize); 513 cont = 0; 514 515 /* encrypt data authorization key */ 516 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 517 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 518 519 /* calculate authorization HMAC value */ 520 if (pcrinfosize == 0) { 521 /* no pcr info specified */ 522 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 523 sess.enonce, td->nonceodd, cont, 524 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 525 td->encauth, sizeof(uint32_t), &pcrsize, 526 sizeof(uint32_t), &datsize, datalen, data, 0, 527 0); 528 } else { 529 /* pcr info specified */ 530 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 531 sess.enonce, td->nonceodd, cont, 532 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 533 td->encauth, sizeof(uint32_t), &pcrsize, 534 pcrinfosize, pcrinfo, sizeof(uint32_t), 535 &datsize, datalen, data, 0, 0); 536 } 537 if (ret < 0) 538 goto out; 539 540 /* build and send the TPM request packet */ 541 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL); 542 tpm_buf_append_u32(tb, keyhandle); 543 tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE); 544 tpm_buf_append_u32(tb, pcrinfosize); 545 tpm_buf_append(tb, pcrinfo, pcrinfosize); 546 tpm_buf_append_u32(tb, datalen); 547 tpm_buf_append(tb, data, datalen); 548 tpm_buf_append_u32(tb, sess.handle); 549 tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE); 550 tpm_buf_append_u8(tb, cont); 551 tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE); 552 553 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 554 if (ret < 0) 555 goto out; 556 557 /* calculate the size of the returned Blob */ 558 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 559 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 560 sizeof(uint32_t) + sealinfosize); 561 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 562 sizeof(uint32_t) + encdatasize; 563 564 /* check the HMAC in the response */ 565 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 566 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 567 0); 568 569 /* copy the returned blob to caller */ 570 if (!ret) { 571 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 572 *bloblen = storedsize; 573 } 574out: 575 kfree_sensitive(td); 576 return ret; 577} 578 579/* 580 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 581 */ 582static int tpm_unseal(struct tpm_buf *tb, 583 uint32_t keyhandle, const unsigned char *keyauth, 584 const unsigned char *blob, int bloblen, 585 const unsigned char *blobauth, 586 unsigned char *data, unsigned int *datalen) 587{ 588 unsigned char nonceodd[TPM_NONCE_SIZE]; 589 unsigned char enonce1[TPM_NONCE_SIZE]; 590 unsigned char enonce2[TPM_NONCE_SIZE]; 591 unsigned char authdata1[SHA1_DIGEST_SIZE]; 592 unsigned char authdata2[SHA1_DIGEST_SIZE]; 593 uint32_t authhandle1 = 0; 594 uint32_t authhandle2 = 0; 595 unsigned char cont = 0; 596 uint32_t ordinal; 597 int ret; 598 599 /* sessions for unsealing key and data */ 600 ret = oiap(tb, &authhandle1, enonce1); 601 if (ret < 0) { 602 pr_info("trusted_key: oiap failed (%d)\n", ret); 603 return ret; 604 } 605 ret = oiap(tb, &authhandle2, enonce2); 606 if (ret < 0) { 607 pr_info("trusted_key: oiap failed (%d)\n", ret); 608 return ret; 609 } 610 611 ordinal = htonl(TPM_ORD_UNSEAL); 612 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 613 if (ret < 0) 614 return ret; 615 616 if (ret != TPM_NONCE_SIZE) { 617 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 618 return -EIO; 619 } 620 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 621 enonce1, nonceodd, cont, sizeof(uint32_t), 622 &ordinal, bloblen, blob, 0, 0); 623 if (ret < 0) 624 return ret; 625 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 626 enonce2, nonceodd, cont, sizeof(uint32_t), 627 &ordinal, bloblen, blob, 0, 0); 628 if (ret < 0) 629 return ret; 630 631 /* build and send TPM request packet */ 632 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL); 633 tpm_buf_append_u32(tb, keyhandle); 634 tpm_buf_append(tb, blob, bloblen); 635 tpm_buf_append_u32(tb, authhandle1); 636 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 637 tpm_buf_append_u8(tb, cont); 638 tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE); 639 tpm_buf_append_u32(tb, authhandle2); 640 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 641 tpm_buf_append_u8(tb, cont); 642 tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE); 643 644 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 645 if (ret < 0) { 646 pr_info("trusted_key: authhmac failed (%d)\n", ret); 647 return ret; 648 } 649 650 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 651 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 652 keyauth, SHA1_DIGEST_SIZE, 653 blobauth, SHA1_DIGEST_SIZE, 654 sizeof(uint32_t), TPM_DATA_OFFSET, 655 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 656 0); 657 if (ret < 0) { 658 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 659 return ret; 660 } 661 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 662 return 0; 663} 664 665/* 666 * Have the TPM seal(encrypt) the symmetric key 667 */ 668static int key_seal(struct trusted_key_payload *p, 669 struct trusted_key_options *o) 670{ 671 struct tpm_buf tb; 672 int ret; 673 674 ret = tpm_buf_init(&tb, 0, 0); 675 if (ret) 676 return ret; 677 678 /* include migratable flag at end of sealed key */ 679 p->key[p->key_len] = p->migratable; 680 681 ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth, 682 p->key, p->key_len + 1, p->blob, &p->blob_len, 683 o->blobauth, o->pcrinfo, o->pcrinfo_len); 684 if (ret < 0) 685 pr_info("trusted_key: srkseal failed (%d)\n", ret); 686 687 tpm_buf_destroy(&tb); 688 return ret; 689} 690 691/* 692 * Have the TPM unseal(decrypt) the symmetric key 693 */ 694static int key_unseal(struct trusted_key_payload *p, 695 struct trusted_key_options *o) 696{ 697 struct tpm_buf tb; 698 int ret; 699 700 ret = tpm_buf_init(&tb, 0, 0); 701 if (ret) 702 return ret; 703 704 ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 705 o->blobauth, p->key, &p->key_len); 706 if (ret < 0) 707 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 708 else 709 /* pull migratable flag out of sealed key */ 710 p->migratable = p->key[--p->key_len]; 711 712 tpm_buf_destroy(&tb); 713 return ret; 714} 715 716enum { 717 Opt_err, 718 Opt_new, Opt_load, Opt_update, 719 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 720 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 721 Opt_hash, 722 Opt_policydigest, 723 Opt_policyhandle, 724}; 725 726static const match_table_t key_tokens = { 727 {Opt_new, "new"}, 728 {Opt_load, "load"}, 729 {Opt_update, "update"}, 730 {Opt_keyhandle, "keyhandle=%s"}, 731 {Opt_keyauth, "keyauth=%s"}, 732 {Opt_blobauth, "blobauth=%s"}, 733 {Opt_pcrinfo, "pcrinfo=%s"}, 734 {Opt_pcrlock, "pcrlock=%s"}, 735 {Opt_migratable, "migratable=%s"}, 736 {Opt_hash, "hash=%s"}, 737 {Opt_policydigest, "policydigest=%s"}, 738 {Opt_policyhandle, "policyhandle=%s"}, 739 {Opt_err, NULL} 740}; 741 742/* can have zero or more token= options */ 743static int getoptions(char *c, struct trusted_key_payload *pay, 744 struct trusted_key_options *opt) 745{ 746 substring_t args[MAX_OPT_ARGS]; 747 char *p = c; 748 int token; 749 int res; 750 unsigned long handle; 751 unsigned long lock; 752 unsigned long token_mask = 0; 753 unsigned int digest_len; 754 int i; 755 int tpm2; 756 757 tpm2 = tpm_is_tpm2(chip); 758 if (tpm2 < 0) 759 return tpm2; 760 761 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 762 763 while ((p = strsep(&c, " \t"))) { 764 if (*p == '\0' || *p == ' ' || *p == '\t') 765 continue; 766 token = match_token(p, key_tokens, args); 767 if (test_and_set_bit(token, &token_mask)) 768 return -EINVAL; 769 770 switch (token) { 771 case Opt_pcrinfo: 772 opt->pcrinfo_len = strlen(args[0].from) / 2; 773 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 774 return -EINVAL; 775 res = hex2bin(opt->pcrinfo, args[0].from, 776 opt->pcrinfo_len); 777 if (res < 0) 778 return -EINVAL; 779 break; 780 case Opt_keyhandle: 781 res = kstrtoul(args[0].from, 16, &handle); 782 if (res < 0) 783 return -EINVAL; 784 opt->keytype = SEAL_keytype; 785 opt->keyhandle = handle; 786 break; 787 case Opt_keyauth: 788 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 789 return -EINVAL; 790 res = hex2bin(opt->keyauth, args[0].from, 791 SHA1_DIGEST_SIZE); 792 if (res < 0) 793 return -EINVAL; 794 break; 795 case Opt_blobauth: 796 /* 797 * TPM 1.2 authorizations are sha1 hashes passed in as 798 * hex strings. TPM 2.0 authorizations are simple 799 * passwords (although it can take a hash as well) 800 */ 801 opt->blobauth_len = strlen(args[0].from); 802 803 if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { 804 res = hex2bin(opt->blobauth, args[0].from, 805 TPM_DIGEST_SIZE); 806 if (res < 0) 807 return -EINVAL; 808 809 opt->blobauth_len = TPM_DIGEST_SIZE; 810 break; 811 } 812 813 if (tpm2 && opt->blobauth_len <= sizeof(opt->blobauth)) { 814 memcpy(opt->blobauth, args[0].from, 815 opt->blobauth_len); 816 break; 817 } 818 819 return -EINVAL; 820 821 break; 822 823 case Opt_migratable: 824 if (*args[0].from == '0') 825 pay->migratable = 0; 826 else if (*args[0].from != '1') 827 return -EINVAL; 828 break; 829 case Opt_pcrlock: 830 res = kstrtoul(args[0].from, 10, &lock); 831 if (res < 0) 832 return -EINVAL; 833 opt->pcrlock = lock; 834 break; 835 case Opt_hash: 836 if (test_bit(Opt_policydigest, &token_mask)) 837 return -EINVAL; 838 for (i = 0; i < HASH_ALGO__LAST; i++) { 839 if (!strcmp(args[0].from, hash_algo_name[i])) { 840 opt->hash = i; 841 break; 842 } 843 } 844 if (i == HASH_ALGO__LAST) 845 return -EINVAL; 846 if (!tpm2 && i != HASH_ALGO_SHA1) { 847 pr_info("trusted_key: TPM 1.x only supports SHA-1.\n"); 848 return -EINVAL; 849 } 850 break; 851 case Opt_policydigest: 852 digest_len = hash_digest_size[opt->hash]; 853 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 854 return -EINVAL; 855 res = hex2bin(opt->policydigest, args[0].from, 856 digest_len); 857 if (res < 0) 858 return -EINVAL; 859 opt->policydigest_len = digest_len; 860 break; 861 case Opt_policyhandle: 862 if (!tpm2) 863 return -EINVAL; 864 res = kstrtoul(args[0].from, 16, &handle); 865 if (res < 0) 866 return -EINVAL; 867 opt->policyhandle = handle; 868 break; 869 default: 870 return -EINVAL; 871 } 872 } 873 return 0; 874} 875 876/* 877 * datablob_parse - parse the keyctl data and fill in the 878 * payload and options structures 879 * 880 * On success returns 0, otherwise -EINVAL. 881 */ 882static int datablob_parse(char *datablob, struct trusted_key_payload *p, 883 struct trusted_key_options *o) 884{ 885 substring_t args[MAX_OPT_ARGS]; 886 long keylen; 887 int ret = -EINVAL; 888 int key_cmd; 889 char *c; 890 891 /* main command */ 892 c = strsep(&datablob, " \t"); 893 if (!c) 894 return -EINVAL; 895 key_cmd = match_token(c, key_tokens, args); 896 switch (key_cmd) { 897 case Opt_new: 898 /* first argument is key size */ 899 c = strsep(&datablob, " \t"); 900 if (!c) 901 return -EINVAL; 902 ret = kstrtol(c, 10, &keylen); 903 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 904 return -EINVAL; 905 p->key_len = keylen; 906 ret = getoptions(datablob, p, o); 907 if (ret < 0) 908 return ret; 909 ret = Opt_new; 910 break; 911 case Opt_load: 912 /* first argument is sealed blob */ 913 c = strsep(&datablob, " \t"); 914 if (!c) 915 return -EINVAL; 916 p->blob_len = strlen(c) / 2; 917 if (p->blob_len > MAX_BLOB_SIZE) 918 return -EINVAL; 919 ret = hex2bin(p->blob, c, p->blob_len); 920 if (ret < 0) 921 return -EINVAL; 922 ret = getoptions(datablob, p, o); 923 if (ret < 0) 924 return ret; 925 ret = Opt_load; 926 break; 927 case Opt_update: 928 /* all arguments are options */ 929 ret = getoptions(datablob, p, o); 930 if (ret < 0) 931 return ret; 932 ret = Opt_update; 933 break; 934 case Opt_err: 935 return -EINVAL; 936 break; 937 } 938 return ret; 939} 940 941static struct trusted_key_options *trusted_options_alloc(void) 942{ 943 struct trusted_key_options *options; 944 int tpm2; 945 946 tpm2 = tpm_is_tpm2(chip); 947 if (tpm2 < 0) 948 return NULL; 949 950 options = kzalloc(sizeof *options, GFP_KERNEL); 951 if (options) { 952 /* set any non-zero defaults */ 953 options->keytype = SRK_keytype; 954 955 if (!tpm2) 956 options->keyhandle = SRKHANDLE; 957 } 958 return options; 959} 960 961static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 962{ 963 struct trusted_key_payload *p = NULL; 964 int ret; 965 966 ret = key_payload_reserve(key, sizeof *p); 967 if (ret < 0) 968 return p; 969 p = kzalloc(sizeof *p, GFP_KERNEL); 970 if (p) 971 p->migratable = 1; /* migratable by default */ 972 return p; 973} 974 975/* 976 * trusted_instantiate - create a new trusted key 977 * 978 * Unseal an existing trusted blob or, for a new key, get a 979 * random key, then seal and create a trusted key-type key, 980 * adding it to the specified keyring. 981 * 982 * On success, return 0. Otherwise return errno. 983 */ 984static int trusted_instantiate(struct key *key, 985 struct key_preparsed_payload *prep) 986{ 987 struct trusted_key_payload *payload = NULL; 988 struct trusted_key_options *options = NULL; 989 size_t datalen = prep->datalen; 990 char *datablob; 991 int ret = 0; 992 int key_cmd; 993 size_t key_len; 994 int tpm2; 995 996 tpm2 = tpm_is_tpm2(chip); 997 if (tpm2 < 0) 998 return tpm2; 999 1000 if (datalen <= 0 || datalen > 32767 || !prep->data) 1001 return -EINVAL; 1002 1003 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1004 if (!datablob) 1005 return -ENOMEM; 1006 memcpy(datablob, prep->data, datalen); 1007 datablob[datalen] = '\0'; 1008 1009 options = trusted_options_alloc(); 1010 if (!options) { 1011 ret = -ENOMEM; 1012 goto out; 1013 } 1014 payload = trusted_payload_alloc(key); 1015 if (!payload) { 1016 ret = -ENOMEM; 1017 goto out; 1018 } 1019 1020 key_cmd = datablob_parse(datablob, payload, options); 1021 if (key_cmd < 0) { 1022 ret = key_cmd; 1023 goto out; 1024 } 1025 1026 if (!options->keyhandle) { 1027 ret = -EINVAL; 1028 goto out; 1029 } 1030 1031 dump_payload(payload); 1032 dump_options(options); 1033 1034 switch (key_cmd) { 1035 case Opt_load: 1036 if (tpm2) 1037 ret = tpm2_unseal_trusted(chip, payload, options); 1038 else 1039 ret = key_unseal(payload, options); 1040 dump_payload(payload); 1041 dump_options(options); 1042 if (ret < 0) 1043 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 1044 break; 1045 case Opt_new: 1046 key_len = payload->key_len; 1047 ret = tpm_get_random(chip, payload->key, key_len); 1048 if (ret < 0) 1049 goto out; 1050 1051 if (ret != key_len) { 1052 pr_info("trusted_key: key_create failed (%d)\n", ret); 1053 ret = -EIO; 1054 goto out; 1055 } 1056 if (tpm2) 1057 ret = tpm2_seal_trusted(chip, payload, options); 1058 else 1059 ret = key_seal(payload, options); 1060 if (ret < 0) 1061 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1062 break; 1063 default: 1064 ret = -EINVAL; 1065 goto out; 1066 } 1067 if (!ret && options->pcrlock) 1068 ret = pcrlock(options->pcrlock); 1069out: 1070 kfree_sensitive(datablob); 1071 kfree_sensitive(options); 1072 if (!ret) 1073 rcu_assign_keypointer(key, payload); 1074 else 1075 kfree_sensitive(payload); 1076 return ret; 1077} 1078 1079static void trusted_rcu_free(struct rcu_head *rcu) 1080{ 1081 struct trusted_key_payload *p; 1082 1083 p = container_of(rcu, struct trusted_key_payload, rcu); 1084 kfree_sensitive(p); 1085} 1086 1087/* 1088 * trusted_update - reseal an existing key with new PCR values 1089 */ 1090static int trusted_update(struct key *key, struct key_preparsed_payload *prep) 1091{ 1092 struct trusted_key_payload *p; 1093 struct trusted_key_payload *new_p; 1094 struct trusted_key_options *new_o; 1095 size_t datalen = prep->datalen; 1096 char *datablob; 1097 int ret = 0; 1098 1099 if (key_is_negative(key)) 1100 return -ENOKEY; 1101 p = key->payload.data[0]; 1102 if (!p->migratable) 1103 return -EPERM; 1104 if (datalen <= 0 || datalen > 32767 || !prep->data) 1105 return -EINVAL; 1106 1107 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1108 if (!datablob) 1109 return -ENOMEM; 1110 new_o = trusted_options_alloc(); 1111 if (!new_o) { 1112 ret = -ENOMEM; 1113 goto out; 1114 } 1115 new_p = trusted_payload_alloc(key); 1116 if (!new_p) { 1117 ret = -ENOMEM; 1118 goto out; 1119 } 1120 1121 memcpy(datablob, prep->data, datalen); 1122 datablob[datalen] = '\0'; 1123 ret = datablob_parse(datablob, new_p, new_o); 1124 if (ret != Opt_update) { 1125 ret = -EINVAL; 1126 kfree_sensitive(new_p); 1127 goto out; 1128 } 1129 1130 if (!new_o->keyhandle) { 1131 ret = -EINVAL; 1132 kfree_sensitive(new_p); 1133 goto out; 1134 } 1135 1136 /* copy old key values, and reseal with new pcrs */ 1137 new_p->migratable = p->migratable; 1138 new_p->key_len = p->key_len; 1139 memcpy(new_p->key, p->key, p->key_len); 1140 dump_payload(p); 1141 dump_payload(new_p); 1142 1143 ret = key_seal(new_p, new_o); 1144 if (ret < 0) { 1145 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1146 kfree_sensitive(new_p); 1147 goto out; 1148 } 1149 if (new_o->pcrlock) { 1150 ret = pcrlock(new_o->pcrlock); 1151 if (ret < 0) { 1152 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1153 kfree_sensitive(new_p); 1154 goto out; 1155 } 1156 } 1157 rcu_assign_keypointer(key, new_p); 1158 call_rcu(&p->rcu, trusted_rcu_free); 1159out: 1160 kfree_sensitive(datablob); 1161 kfree_sensitive(new_o); 1162 return ret; 1163} 1164 1165/* 1166 * trusted_read - copy the sealed blob data to userspace in hex. 1167 * On success, return to userspace the trusted key datablob size. 1168 */ 1169static long trusted_read(const struct key *key, char *buffer, 1170 size_t buflen) 1171{ 1172 const struct trusted_key_payload *p; 1173 char *bufp; 1174 int i; 1175 1176 p = dereference_key_locked(key); 1177 if (!p) 1178 return -EINVAL; 1179 1180 if (buffer && buflen >= 2 * p->blob_len) { 1181 bufp = buffer; 1182 for (i = 0; i < p->blob_len; i++) 1183 bufp = hex_byte_pack(bufp, p->blob[i]); 1184 } 1185 return 2 * p->blob_len; 1186} 1187 1188/* 1189 * trusted_destroy - clear and free the key's payload 1190 */ 1191static void trusted_destroy(struct key *key) 1192{ 1193 kfree_sensitive(key->payload.data[0]); 1194} 1195 1196struct key_type key_type_trusted = { 1197 .name = "trusted", 1198 .instantiate = trusted_instantiate, 1199 .update = trusted_update, 1200 .destroy = trusted_destroy, 1201 .describe = user_describe, 1202 .read = trusted_read, 1203}; 1204 1205EXPORT_SYMBOL_GPL(key_type_trusted); 1206 1207static void trusted_shash_release(void) 1208{ 1209 if (hashalg) 1210 crypto_free_shash(hashalg); 1211 if (hmacalg) 1212 crypto_free_shash(hmacalg); 1213} 1214 1215static int __init trusted_shash_alloc(void) 1216{ 1217 int ret; 1218 1219 hmacalg = crypto_alloc_shash(hmac_alg, 0, 0); 1220 if (IS_ERR(hmacalg)) { 1221 pr_info("trusted_key: could not allocate crypto %s\n", 1222 hmac_alg); 1223 return PTR_ERR(hmacalg); 1224 } 1225 1226 hashalg = crypto_alloc_shash(hash_alg, 0, 0); 1227 if (IS_ERR(hashalg)) { 1228 pr_info("trusted_key: could not allocate crypto %s\n", 1229 hash_alg); 1230 ret = PTR_ERR(hashalg); 1231 goto hashalg_fail; 1232 } 1233 1234 return 0; 1235 1236hashalg_fail: 1237 crypto_free_shash(hmacalg); 1238 return ret; 1239} 1240 1241static int __init init_digests(void) 1242{ 1243 int i; 1244 1245 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 1246 GFP_KERNEL); 1247 if (!digests) 1248 return -ENOMEM; 1249 1250 for (i = 0; i < chip->nr_allocated_banks; i++) 1251 digests[i].alg_id = chip->allocated_banks[i].alg_id; 1252 1253 return 0; 1254} 1255 1256static int __init init_trusted(void) 1257{ 1258 int ret; 1259 1260 /* encrypted_keys.ko depends on successful load of this module even if 1261 * TPM is not used. 1262 */ 1263 chip = tpm_default_chip(); 1264 if (!chip) 1265 return 0; 1266 1267 ret = init_digests(); 1268 if (ret < 0) 1269 goto err_put; 1270 ret = trusted_shash_alloc(); 1271 if (ret < 0) 1272 goto err_free; 1273 ret = register_key_type(&key_type_trusted); 1274 if (ret < 0) 1275 goto err_release; 1276 return 0; 1277err_release: 1278 trusted_shash_release(); 1279err_free: 1280 kfree(digests); 1281err_put: 1282 put_device(&chip->dev); 1283 return ret; 1284} 1285 1286static void __exit cleanup_trusted(void) 1287{ 1288 if (chip) { 1289 put_device(&chip->dev); 1290 kfree(digests); 1291 trusted_shash_release(); 1292 unregister_key_type(&key_type_trusted); 1293 } 1294} 1295 1296late_initcall(init_trusted); 1297module_exit(cleanup_trusted); 1298 1299MODULE_LICENSE("GPL"); 1300