Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
trusted.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2010 IBM Corporation
3  *
4  * Author:
5  * David Safford <[email protected]>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation, version 2 of the License.
10  *
11  * See Documentation/security/keys-trusted-encrypted.txt
12  */
13 
14 #include <linux/uaccess.h>
15 #include <linux/module.h>
16 #include <linux/init.h>
17 #include <linux/slab.h>
18 #include <linux/parser.h>
19 #include <linux/string.h>
20 #include <linux/err.h>
21 #include <keys/user-type.h>
22 #include <keys/trusted-type.h>
23 #include <linux/key-type.h>
24 #include <linux/rcupdate.h>
25 #include <linux/crypto.h>
26 #include <crypto/hash.h>
27 #include <crypto/sha.h>
28 #include <linux/capability.h>
29 #include <linux/tpm.h>
30 #include <linux/tpm_command.h>
31 
32 #include "trusted.h"
33 
34 static const char hmac_alg[] = "hmac(sha1)";
35 static const char hash_alg[] = "sha1";
36 
37 struct sdesc {
38  struct shash_desc shash;
39  char ctx[];
40 };
41 
42 static struct crypto_shash *hashalg;
43 static struct crypto_shash *hmacalg;
44 
45 static struct sdesc *init_sdesc(struct crypto_shash *alg)
46 {
47  struct sdesc *sdesc;
48  int size;
49 
50  size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
51  sdesc = kmalloc(size, GFP_KERNEL);
52  if (!sdesc)
53  return ERR_PTR(-ENOMEM);
54  sdesc->shash.tfm = alg;
55  sdesc->shash.flags = 0x0;
56  return sdesc;
57 }
58 
59 static int TSS_sha1(const unsigned char *data, unsigned int datalen,
60  unsigned char *digest)
61 {
62  struct sdesc *sdesc;
63  int ret;
64 
65  sdesc = init_sdesc(hashalg);
66  if (IS_ERR(sdesc)) {
67  pr_info("trusted_key: can't alloc %s\n", hash_alg);
68  return PTR_ERR(sdesc);
69  }
70 
71  ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
72  kfree(sdesc);
73  return ret;
74 }
75 
76 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
77  unsigned int keylen, ...)
78 {
79  struct sdesc *sdesc;
80  va_list argp;
81  unsigned int dlen;
82  unsigned char *data;
83  int ret;
84 
85  sdesc = init_sdesc(hmacalg);
86  if (IS_ERR(sdesc)) {
87  pr_info("trusted_key: can't alloc %s\n", hmac_alg);
88  return PTR_ERR(sdesc);
89  }
90 
91  ret = crypto_shash_setkey(hmacalg, key, keylen);
92  if (ret < 0)
93  goto out;
94  ret = crypto_shash_init(&sdesc->shash);
95  if (ret < 0)
96  goto out;
97 
98  va_start(argp, keylen);
99  for (;;) {
100  dlen = va_arg(argp, unsigned int);
101  if (dlen == 0)
102  break;
103  data = va_arg(argp, unsigned char *);
104  if (data == NULL) {
105  ret = -EINVAL;
106  break;
107  }
108  ret = crypto_shash_update(&sdesc->shash, data, dlen);
109  if (ret < 0)
110  break;
111  }
112  va_end(argp);
113  if (!ret)
114  ret = crypto_shash_final(&sdesc->shash, digest);
115 out:
116  kfree(sdesc);
117  return ret;
118 }
119 
120 /*
121  * calculate authorization info fields to send to TPM
122  */
123 static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
124  unsigned int keylen, unsigned char *h1,
125  unsigned char *h2, unsigned char h3, ...)
126 {
127  unsigned char paramdigest[SHA1_DIGEST_SIZE];
128  struct sdesc *sdesc;
129  unsigned int dlen;
130  unsigned char *data;
131  unsigned char c;
132  int ret;
133  va_list argp;
134 
135  sdesc = init_sdesc(hashalg);
136  if (IS_ERR(sdesc)) {
137  pr_info("trusted_key: can't alloc %s\n", hash_alg);
138  return PTR_ERR(sdesc);
139  }
140 
141  c = h3;
142  ret = crypto_shash_init(&sdesc->shash);
143  if (ret < 0)
144  goto out;
145  va_start(argp, h3);
146  for (;;) {
147  dlen = va_arg(argp, unsigned int);
148  if (dlen == 0)
149  break;
150  data = va_arg(argp, unsigned char *);
151  if (!data) {
152  ret = -EINVAL;
153  break;
154  }
155  ret = crypto_shash_update(&sdesc->shash, data, dlen);
156  if (ret < 0)
157  break;
158  }
159  va_end(argp);
160  if (!ret)
161  ret = crypto_shash_final(&sdesc->shash, paramdigest);
162  if (!ret)
163  ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
164  paramdigest, TPM_NONCE_SIZE, h1,
165  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
166 out:
167  kfree(sdesc);
168  return ret;
169 }
170 
171 /*
172  * verify the AUTH1_COMMAND (Seal) result from TPM
173  */
174 static int TSS_checkhmac1(unsigned char *buffer,
175  const uint32_t command,
176  const unsigned char *ononce,
177  const unsigned char *key,
178  unsigned int keylen, ...)
179 {
181  uint16_t tag;
184  unsigned char *enonce;
185  unsigned char *continueflag;
186  unsigned char *authdata;
187  unsigned char testhmac[SHA1_DIGEST_SIZE];
188  unsigned char paramdigest[SHA1_DIGEST_SIZE];
189  struct sdesc *sdesc;
190  unsigned int dlen;
191  unsigned int dpos;
192  va_list argp;
193  int ret;
194 
195  bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
196  tag = LOAD16(buffer, 0);
197  ordinal = command;
198  result = LOAD32N(buffer, TPM_RETURN_OFFSET);
199  if (tag == TPM_TAG_RSP_COMMAND)
200  return 0;
201  if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
202  return -EINVAL;
203  authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
204  continueflag = authdata - 1;
205  enonce = continueflag - TPM_NONCE_SIZE;
206 
207  sdesc = init_sdesc(hashalg);
208  if (IS_ERR(sdesc)) {
209  pr_info("trusted_key: can't alloc %s\n", hash_alg);
210  return PTR_ERR(sdesc);
211  }
212  ret = crypto_shash_init(&sdesc->shash);
213  if (ret < 0)
214  goto out;
215  ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
216  sizeof result);
217  if (ret < 0)
218  goto out;
219  ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
220  sizeof ordinal);
221  if (ret < 0)
222  goto out;
223  va_start(argp, keylen);
224  for (;;) {
225  dlen = va_arg(argp, unsigned int);
226  if (dlen == 0)
227  break;
228  dpos = va_arg(argp, unsigned int);
229  ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
230  if (ret < 0)
231  break;
232  }
233  va_end(argp);
234  if (!ret)
235  ret = crypto_shash_final(&sdesc->shash, paramdigest);
236  if (ret < 0)
237  goto out;
238 
239  ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
240  TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
241  1, continueflag, 0, 0);
242  if (ret < 0)
243  goto out;
244 
245  if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
246  ret = -EINVAL;
247 out:
248  kfree(sdesc);
249  return ret;
250 }
251 
252 /*
253  * verify the AUTH2_COMMAND (unseal) result from TPM
254  */
255 static int TSS_checkhmac2(unsigned char *buffer,
256  const uint32_t command,
257  const unsigned char *ononce,
258  const unsigned char *key1,
259  unsigned int keylen1,
260  const unsigned char *key2,
261  unsigned int keylen2, ...)
262 {
264  uint16_t tag;
267  unsigned char *enonce1;
268  unsigned char *continueflag1;
269  unsigned char *authdata1;
270  unsigned char *enonce2;
271  unsigned char *continueflag2;
272  unsigned char *authdata2;
273  unsigned char testhmac1[SHA1_DIGEST_SIZE];
274  unsigned char testhmac2[SHA1_DIGEST_SIZE];
275  unsigned char paramdigest[SHA1_DIGEST_SIZE];
276  struct sdesc *sdesc;
277  unsigned int dlen;
278  unsigned int dpos;
279  va_list argp;
280  int ret;
281 
282  bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
283  tag = LOAD16(buffer, 0);
284  ordinal = command;
285  result = LOAD32N(buffer, TPM_RETURN_OFFSET);
286 
287  if (tag == TPM_TAG_RSP_COMMAND)
288  return 0;
289  if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
290  return -EINVAL;
291  authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
292  + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
293  authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
294  continueflag1 = authdata1 - 1;
295  continueflag2 = authdata2 - 1;
296  enonce1 = continueflag1 - TPM_NONCE_SIZE;
297  enonce2 = continueflag2 - TPM_NONCE_SIZE;
298 
299  sdesc = init_sdesc(hashalg);
300  if (IS_ERR(sdesc)) {
301  pr_info("trusted_key: can't alloc %s\n", hash_alg);
302  return PTR_ERR(sdesc);
303  }
304  ret = crypto_shash_init(&sdesc->shash);
305  if (ret < 0)
306  goto out;
307  ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
308  sizeof result);
309  if (ret < 0)
310  goto out;
311  ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
312  sizeof ordinal);
313  if (ret < 0)
314  goto out;
315 
316  va_start(argp, keylen2);
317  for (;;) {
318  dlen = va_arg(argp, unsigned int);
319  if (dlen == 0)
320  break;
321  dpos = va_arg(argp, unsigned int);
322  ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
323  if (ret < 0)
324  break;
325  }
326  va_end(argp);
327  if (!ret)
328  ret = crypto_shash_final(&sdesc->shash, paramdigest);
329  if (ret < 0)
330  goto out;
331 
332  ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
333  paramdigest, TPM_NONCE_SIZE, enonce1,
334  TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
335  if (ret < 0)
336  goto out;
337  if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
338  ret = -EINVAL;
339  goto out;
340  }
341  ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
342  paramdigest, TPM_NONCE_SIZE, enonce2,
343  TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
344  if (ret < 0)
345  goto out;
346  if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
347  ret = -EINVAL;
348 out:
349  kfree(sdesc);
350  return ret;
351 }
352 
353 /*
354  * For key specific tpm requests, we will generate and send our
355  * own TPM command packets using the drivers send function.
356  */
357 static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
358  size_t buflen)
359 {
360  int rc;
361 
362  dump_tpm_buf(cmd);
363  rc = tpm_send(chip_num, cmd, buflen);
364  dump_tpm_buf(cmd);
365  if (rc > 0)
366  /* Can't return positive return codes values to keyctl */
367  rc = -EPERM;
368  return rc;
369 }
370 
371 /*
372  * Lock a trusted key, by extending a selected PCR.
373  *
374  * Prevents a trusted key that is sealed to PCRs from being accessed.
375  * This uses the tpm driver's extend function.
376  */
377 static int pcrlock(const int pcrnum)
378 {
379  unsigned char hash[SHA1_DIGEST_SIZE];
380  int ret;
381 
382  if (!capable(CAP_SYS_ADMIN))
383  return -EPERM;
384  ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
385  if (ret != SHA1_DIGEST_SIZE)
386  return ret;
387  return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
388 }
389 
390 /*
391  * Create an object specific authorisation protocol (OSAP) session
392  */
393 static int osap(struct tpm_buf *tb, struct osapsess *s,
394  const unsigned char *key, uint16_t type, uint32_t handle)
395 {
396  unsigned char enonce[TPM_NONCE_SIZE];
397  unsigned char ononce[TPM_NONCE_SIZE];
398  int ret;
399 
400  ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
401  if (ret != TPM_NONCE_SIZE)
402  return ret;
403 
404  INIT_BUF(tb);
405  store16(tb, TPM_TAG_RQU_COMMAND);
406  store32(tb, TPM_OSAP_SIZE);
407  store32(tb, TPM_ORD_OSAP);
408  store16(tb, type);
409  store32(tb, handle);
410  storebytes(tb, ononce, TPM_NONCE_SIZE);
411 
412  ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
413  if (ret < 0)
414  return ret;
415 
416  s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
417  memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
418  TPM_NONCE_SIZE);
419  memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
420  TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
421  return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
422  enonce, TPM_NONCE_SIZE, ononce, 0, 0);
423 }
424 
425 /*
426  * Create an object independent authorisation protocol (oiap) session
427  */
428 static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
429 {
430  int ret;
431 
432  INIT_BUF(tb);
433  store16(tb, TPM_TAG_RQU_COMMAND);
434  store32(tb, TPM_OIAP_SIZE);
435  store32(tb, TPM_ORD_OIAP);
436  ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
437  if (ret < 0)
438  return ret;
439 
440  *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
441  memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
442  TPM_NONCE_SIZE);
443  return 0;
444 }
445 
446 struct tpm_digests {
447  unsigned char encauth[SHA1_DIGEST_SIZE];
448  unsigned char pubauth[SHA1_DIGEST_SIZE];
449  unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
450  unsigned char xorhash[SHA1_DIGEST_SIZE];
451  unsigned char nonceodd[TPM_NONCE_SIZE];
452 };
453 
454 /*
455  * Have the TPM seal(encrypt) the trusted key, possibly based on
456  * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
457  */
458 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
459  uint32_t keyhandle, const unsigned char *keyauth,
460  const unsigned char *data, uint32_t datalen,
461  unsigned char *blob, uint32_t *bloblen,
462  const unsigned char *blobauth,
463  const unsigned char *pcrinfo, uint32_t pcrinfosize)
464 {
465  struct osapsess sess;
466  struct tpm_digests *td;
467  unsigned char cont;
469  uint32_t pcrsize;
470  uint32_t datsize;
471  int sealinfosize;
472  int encdatasize;
473  int storedsize;
474  int ret;
475  int i;
476 
477  /* alloc some work space for all the hashes */
478  td = kmalloc(sizeof *td, GFP_KERNEL);
479  if (!td)
480  return -ENOMEM;
481 
482  /* get session for sealing key */
483  ret = osap(tb, &sess, keyauth, keytype, keyhandle);
484  if (ret < 0)
485  goto out;
486  dump_sess(&sess);
487 
488  /* calculate encrypted authorization value */
489  memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
490  memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
491  ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
492  if (ret < 0)
493  goto out;
494 
495  ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
496  if (ret != TPM_NONCE_SIZE)
497  goto out;
498  ordinal = htonl(TPM_ORD_SEAL);
499  datsize = htonl(datalen);
500  pcrsize = htonl(pcrinfosize);
501  cont = 0;
502 
503  /* encrypt data authorization key */
504  for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
505  td->encauth[i] = td->xorhash[i] ^ blobauth[i];
506 
507  /* calculate authorization HMAC value */
508  if (pcrinfosize == 0) {
509  /* no pcr info specified */
510  ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
511  sess.enonce, td->nonceodd, cont,
512  sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
513  td->encauth, sizeof(uint32_t), &pcrsize,
514  sizeof(uint32_t), &datsize, datalen, data, 0,
515  0);
516  } else {
517  /* pcr info specified */
518  ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
519  sess.enonce, td->nonceodd, cont,
520  sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
521  td->encauth, sizeof(uint32_t), &pcrsize,
522  pcrinfosize, pcrinfo, sizeof(uint32_t),
523  &datsize, datalen, data, 0, 0);
524  }
525  if (ret < 0)
526  goto out;
527 
528  /* build and send the TPM request packet */
529  INIT_BUF(tb);
530  store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
531  store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
532  store32(tb, TPM_ORD_SEAL);
533  store32(tb, keyhandle);
534  storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
535  store32(tb, pcrinfosize);
536  storebytes(tb, pcrinfo, pcrinfosize);
537  store32(tb, datalen);
538  storebytes(tb, data, datalen);
539  store32(tb, sess.handle);
540  storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
541  store8(tb, cont);
542  storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
543 
544  ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
545  if (ret < 0)
546  goto out;
547 
548  /* calculate the size of the returned Blob */
549  sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
550  encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
551  sizeof(uint32_t) + sealinfosize);
552  storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
553  sizeof(uint32_t) + encdatasize;
554 
555  /* check the HMAC in the response */
556  ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
557  SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
558  0);
559 
560  /* copy the returned blob to caller */
561  if (!ret) {
562  memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
563  *bloblen = storedsize;
564  }
565 out:
566  kfree(td);
567  return ret;
568 }
569 
570 /*
571  * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
572  */
573 static int tpm_unseal(struct tpm_buf *tb,
574  uint32_t keyhandle, const unsigned char *keyauth,
575  const unsigned char *blob, int bloblen,
576  const unsigned char *blobauth,
577  unsigned char *data, unsigned int *datalen)
578 {
579  unsigned char nonceodd[TPM_NONCE_SIZE];
580  unsigned char enonce1[TPM_NONCE_SIZE];
581  unsigned char enonce2[TPM_NONCE_SIZE];
582  unsigned char authdata1[SHA1_DIGEST_SIZE];
583  unsigned char authdata2[SHA1_DIGEST_SIZE];
584  uint32_t authhandle1 = 0;
585  uint32_t authhandle2 = 0;
586  unsigned char cont = 0;
588  uint32_t keyhndl;
589  int ret;
590 
591  /* sessions for unsealing key and data */
592  ret = oiap(tb, &authhandle1, enonce1);
593  if (ret < 0) {
594  pr_info("trusted_key: oiap failed (%d)\n", ret);
595  return ret;
596  }
597  ret = oiap(tb, &authhandle2, enonce2);
598  if (ret < 0) {
599  pr_info("trusted_key: oiap failed (%d)\n", ret);
600  return ret;
601  }
602 
603  ordinal = htonl(TPM_ORD_UNSEAL);
604  keyhndl = htonl(SRKHANDLE);
605  ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
606  if (ret != TPM_NONCE_SIZE) {
607  pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
608  return ret;
609  }
610  ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
611  enonce1, nonceodd, cont, sizeof(uint32_t),
612  &ordinal, bloblen, blob, 0, 0);
613  if (ret < 0)
614  return ret;
615  ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
616  enonce2, nonceodd, cont, sizeof(uint32_t),
617  &ordinal, bloblen, blob, 0, 0);
618  if (ret < 0)
619  return ret;
620 
621  /* build and send TPM request packet */
622  INIT_BUF(tb);
623  store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
624  store32(tb, TPM_UNSEAL_SIZE + bloblen);
625  store32(tb, TPM_ORD_UNSEAL);
626  store32(tb, keyhandle);
627  storebytes(tb, blob, bloblen);
628  store32(tb, authhandle1);
629  storebytes(tb, nonceodd, TPM_NONCE_SIZE);
630  store8(tb, cont);
631  storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
632  store32(tb, authhandle2);
633  storebytes(tb, nonceodd, TPM_NONCE_SIZE);
634  store8(tb, cont);
635  storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
636 
637  ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
638  if (ret < 0) {
639  pr_info("trusted_key: authhmac failed (%d)\n", ret);
640  return ret;
641  }
642 
643  *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
644  ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
645  keyauth, SHA1_DIGEST_SIZE,
646  blobauth, SHA1_DIGEST_SIZE,
647  sizeof(uint32_t), TPM_DATA_OFFSET,
648  *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
649  0);
650  if (ret < 0) {
651  pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
652  return ret;
653  }
654  memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
655  return 0;
656 }
657 
658 /*
659  * Have the TPM seal(encrypt) the symmetric key
660  */
661 static int key_seal(struct trusted_key_payload *p,
662  struct trusted_key_options *o)
663 {
664  struct tpm_buf *tb;
665  int ret;
666 
667  tb = kzalloc(sizeof *tb, GFP_KERNEL);
668  if (!tb)
669  return -ENOMEM;
670 
671  /* include migratable flag at end of sealed key */
672  p->key[p->key_len] = p->migratable;
673 
674  ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
675  p->key, p->key_len + 1, p->blob, &p->blob_len,
676  o->blobauth, o->pcrinfo, o->pcrinfo_len);
677  if (ret < 0)
678  pr_info("trusted_key: srkseal failed (%d)\n", ret);
679 
680  kfree(tb);
681  return ret;
682 }
683 
684 /*
685  * Have the TPM unseal(decrypt) the symmetric key
686  */
687 static int key_unseal(struct trusted_key_payload *p,
688  struct trusted_key_options *o)
689 {
690  struct tpm_buf *tb;
691  int ret;
692 
693  tb = kzalloc(sizeof *tb, GFP_KERNEL);
694  if (!tb)
695  return -ENOMEM;
696 
697  ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
698  o->blobauth, p->key, &p->key_len);
699  if (ret < 0)
700  pr_info("trusted_key: srkunseal failed (%d)\n", ret);
701  else
702  /* pull migratable flag out of sealed key */
703  p->migratable = p->key[--p->key_len];
704 
705  kfree(tb);
706  return ret;
707 }
708 
709 enum {
710  Opt_err = -1,
714 };
715 
716 static const match_table_t key_tokens = {
717  {Opt_new, "new"},
718  {Opt_load, "load"},
719  {Opt_update, "update"},
720  {Opt_keyhandle, "keyhandle=%s"},
721  {Opt_keyauth, "keyauth=%s"},
722  {Opt_blobauth, "blobauth=%s"},
723  {Opt_pcrinfo, "pcrinfo=%s"},
724  {Opt_pcrlock, "pcrlock=%s"},
725  {Opt_migratable, "migratable=%s"},
726  {Opt_err, NULL}
727 };
728 
729 /* can have zero or more token= options */
730 static int getoptions(char *c, struct trusted_key_payload *pay,
731  struct trusted_key_options *opt)
732 {
734  char *p = c;
735  int token;
736  int res;
737  unsigned long handle;
738  unsigned long lock;
739 
740  while ((p = strsep(&c, " \t"))) {
741  if (*p == '\0' || *p == ' ' || *p == '\t')
742  continue;
743  token = match_token(p, key_tokens, args);
744 
745  switch (token) {
746  case Opt_pcrinfo:
747  opt->pcrinfo_len = strlen(args[0].from) / 2;
748  if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
749  return -EINVAL;
750  res = hex2bin(opt->pcrinfo, args[0].from,
751  opt->pcrinfo_len);
752  if (res < 0)
753  return -EINVAL;
754  break;
755  case Opt_keyhandle:
756  res = strict_strtoul(args[0].from, 16, &handle);
757  if (res < 0)
758  return -EINVAL;
759  opt->keytype = SEAL_keytype;
760  opt->keyhandle = handle;
761  break;
762  case Opt_keyauth:
763  if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
764  return -EINVAL;
765  res = hex2bin(opt->keyauth, args[0].from,
766  SHA1_DIGEST_SIZE);
767  if (res < 0)
768  return -EINVAL;
769  break;
770  case Opt_blobauth:
771  if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
772  return -EINVAL;
773  res = hex2bin(opt->blobauth, args[0].from,
774  SHA1_DIGEST_SIZE);
775  if (res < 0)
776  return -EINVAL;
777  break;
778  case Opt_migratable:
779  if (*args[0].from == '0')
780  pay->migratable = 0;
781  else
782  return -EINVAL;
783  break;
784  case Opt_pcrlock:
785  res = strict_strtoul(args[0].from, 10, &lock);
786  if (res < 0)
787  return -EINVAL;
788  opt->pcrlock = lock;
789  break;
790  default:
791  return -EINVAL;
792  }
793  }
794  return 0;
795 }
796 
797 /*
798  * datablob_parse - parse the keyctl data and fill in the
799  * payload and options structures
800  *
801  * On success returns 0, otherwise -EINVAL.
802  */
803 static int datablob_parse(char *datablob, struct trusted_key_payload *p,
804  struct trusted_key_options *o)
805 {
807  long keylen;
808  int ret = -EINVAL;
809  int key_cmd;
810  char *c;
811 
812  /* main command */
813  c = strsep(&datablob, " \t");
814  if (!c)
815  return -EINVAL;
816  key_cmd = match_token(c, key_tokens, args);
817  switch (key_cmd) {
818  case Opt_new:
819  /* first argument is key size */
820  c = strsep(&datablob, " \t");
821  if (!c)
822  return -EINVAL;
823  ret = strict_strtol(c, 10, &keylen);
824  if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
825  return -EINVAL;
826  p->key_len = keylen;
827  ret = getoptions(datablob, p, o);
828  if (ret < 0)
829  return ret;
830  ret = Opt_new;
831  break;
832  case Opt_load:
833  /* first argument is sealed blob */
834  c = strsep(&datablob, " \t");
835  if (!c)
836  return -EINVAL;
837  p->blob_len = strlen(c) / 2;
838  if (p->blob_len > MAX_BLOB_SIZE)
839  return -EINVAL;
840  ret = hex2bin(p->blob, c, p->blob_len);
841  if (ret < 0)
842  return -EINVAL;
843  ret = getoptions(datablob, p, o);
844  if (ret < 0)
845  return ret;
846  ret = Opt_load;
847  break;
848  case Opt_update:
849  /* all arguments are options */
850  ret = getoptions(datablob, p, o);
851  if (ret < 0)
852  return ret;
853  ret = Opt_update;
854  break;
855  case Opt_err:
856  return -EINVAL;
857  break;
858  }
859  return ret;
860 }
861 
862 static struct trusted_key_options *trusted_options_alloc(void)
863 {
865 
866  options = kzalloc(sizeof *options, GFP_KERNEL);
867  if (options) {
868  /* set any non-zero defaults */
869  options->keytype = SRK_keytype;
870  options->keyhandle = SRKHANDLE;
871  }
872  return options;
873 }
874 
875 static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
876 {
877  struct trusted_key_payload *p = NULL;
878  int ret;
879 
880  ret = key_payload_reserve(key, sizeof *p);
881  if (ret < 0)
882  return p;
883  p = kzalloc(sizeof *p, GFP_KERNEL);
884  if (p)
885  p->migratable = 1; /* migratable by default */
886  return p;
887 }
888 
889 /*
890  * trusted_instantiate - create a new trusted key
891  *
892  * Unseal an existing trusted blob or, for a new key, get a
893  * random key, then seal and create a trusted key-type key,
894  * adding it to the specified keyring.
895  *
896  * On success, return 0. Otherwise return errno.
897  */
898 static int trusted_instantiate(struct key *key,
899  struct key_preparsed_payload *prep)
900 {
901  struct trusted_key_payload *payload = NULL;
902  struct trusted_key_options *options = NULL;
903  size_t datalen = prep->datalen;
904  char *datablob;
905  int ret = 0;
906  int key_cmd;
907  size_t key_len;
908 
909  if (datalen <= 0 || datalen > 32767 || !prep->data)
910  return -EINVAL;
911 
912  datablob = kmalloc(datalen + 1, GFP_KERNEL);
913  if (!datablob)
914  return -ENOMEM;
915  memcpy(datablob, prep->data, datalen);
916  datablob[datalen] = '\0';
917 
918  options = trusted_options_alloc();
919  if (!options) {
920  ret = -ENOMEM;
921  goto out;
922  }
923  payload = trusted_payload_alloc(key);
924  if (!payload) {
925  ret = -ENOMEM;
926  goto out;
927  }
928 
929  key_cmd = datablob_parse(datablob, payload, options);
930  if (key_cmd < 0) {
931  ret = key_cmd;
932  goto out;
933  }
934 
935  dump_payload(payload);
936  dump_options(options);
937 
938  switch (key_cmd) {
939  case Opt_load:
940  ret = key_unseal(payload, options);
941  dump_payload(payload);
942  dump_options(options);
943  if (ret < 0)
944  pr_info("trusted_key: key_unseal failed (%d)\n", ret);
945  break;
946  case Opt_new:
947  key_len = payload->key_len;
948  ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
949  if (ret != key_len) {
950  pr_info("trusted_key: key_create failed (%d)\n", ret);
951  goto out;
952  }
953  ret = key_seal(payload, options);
954  if (ret < 0)
955  pr_info("trusted_key: key_seal failed (%d)\n", ret);
956  break;
957  default:
958  ret = -EINVAL;
959  goto out;
960  }
961  if (!ret && options->pcrlock)
962  ret = pcrlock(options->pcrlock);
963 out:
964  kfree(datablob);
965  kfree(options);
966  if (!ret)
967  rcu_assign_keypointer(key, payload);
968  else
969  kfree(payload);
970  return ret;
971 }
972 
973 static void trusted_rcu_free(struct rcu_head *rcu)
974 {
975  struct trusted_key_payload *p;
976 
977  p = container_of(rcu, struct trusted_key_payload, rcu);
978  memset(p->key, 0, p->key_len);
979  kfree(p);
980 }
981 
982 /*
983  * trusted_update - reseal an existing key with new PCR values
984  */
985 static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
986 {
987  struct trusted_key_payload *p = key->payload.data;
988  struct trusted_key_payload *new_p;
989  struct trusted_key_options *new_o;
990  size_t datalen = prep->datalen;
991  char *datablob;
992  int ret = 0;
993 
994  if (!p->migratable)
995  return -EPERM;
996  if (datalen <= 0 || datalen > 32767 || !prep->data)
997  return -EINVAL;
998 
999  datablob = kmalloc(datalen + 1, GFP_KERNEL);
1000  if (!datablob)
1001  return -ENOMEM;
1002  new_o = trusted_options_alloc();
1003  if (!new_o) {
1004  ret = -ENOMEM;
1005  goto out;
1006  }
1007  new_p = trusted_payload_alloc(key);
1008  if (!new_p) {
1009  ret = -ENOMEM;
1010  goto out;
1011  }
1012 
1013  memcpy(datablob, prep->data, datalen);
1014  datablob[datalen] = '\0';
1015  ret = datablob_parse(datablob, new_p, new_o);
1016  if (ret != Opt_update) {
1017  ret = -EINVAL;
1018  kfree(new_p);
1019  goto out;
1020  }
1021  /* copy old key values, and reseal with new pcrs */
1022  new_p->migratable = p->migratable;
1023  new_p->key_len = p->key_len;
1024  memcpy(new_p->key, p->key, p->key_len);
1025  dump_payload(p);
1026  dump_payload(new_p);
1027 
1028  ret = key_seal(new_p, new_o);
1029  if (ret < 0) {
1030  pr_info("trusted_key: key_seal failed (%d)\n", ret);
1031  kfree(new_p);
1032  goto out;
1033  }
1034  if (new_o->pcrlock) {
1035  ret = pcrlock(new_o->pcrlock);
1036  if (ret < 0) {
1037  pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1038  kfree(new_p);
1039  goto out;
1040  }
1041  }
1042  rcu_assign_keypointer(key, new_p);
1043  call_rcu(&p->rcu, trusted_rcu_free);
1044 out:
1045  kfree(datablob);
1046  kfree(new_o);
1047  return ret;
1048 }
1049 
1050 /*
1051  * trusted_read - copy the sealed blob data to userspace in hex.
1052  * On success, return to userspace the trusted key datablob size.
1053  */
1054 static long trusted_read(const struct key *key, char __user *buffer,
1055  size_t buflen)
1056 {
1057  struct trusted_key_payload *p;
1058  char *ascii_buf;
1059  char *bufp;
1060  int i;
1061 
1062  p = rcu_dereference_key(key);
1063  if (!p)
1064  return -EINVAL;
1065  if (!buffer || buflen <= 0)
1066  return 2 * p->blob_len;
1067  ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
1068  if (!ascii_buf)
1069  return -ENOMEM;
1070 
1071  bufp = ascii_buf;
1072  for (i = 0; i < p->blob_len; i++)
1073  bufp = hex_byte_pack(bufp, p->blob[i]);
1074  if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
1075  kfree(ascii_buf);
1076  return -EFAULT;
1077  }
1078  kfree(ascii_buf);
1079  return 2 * p->blob_len;
1080 }
1081 
1082 /*
1083  * trusted_destroy - before freeing the key, clear the decrypted data
1084  */
1085 static void trusted_destroy(struct key *key)
1086 {
1087  struct trusted_key_payload *p = key->payload.data;
1088 
1089  if (!p)
1090  return;
1091  memset(p->key, 0, p->key_len);
1092  kfree(key->payload.data);
1093 }
1094 
1095 struct key_type key_type_trusted = {
1096  .name = "trusted",
1097  .instantiate = trusted_instantiate,
1098  .update = trusted_update,
1099  .match = user_match,
1100  .destroy = trusted_destroy,
1101  .describe = user_describe,
1102  .read = trusted_read,
1103 };
1104 
1105 EXPORT_SYMBOL_GPL(key_type_trusted);
1106 
1107 static void trusted_shash_release(void)
1108 {
1109  if (hashalg)
1110  crypto_free_shash(hashalg);
1111  if (hmacalg)
1112  crypto_free_shash(hmacalg);
1113 }
1114 
1115 static int __init trusted_shash_alloc(void)
1116 {
1117  int ret;
1118 
1119  hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1120  if (IS_ERR(hmacalg)) {
1121  pr_info("trusted_key: could not allocate crypto %s\n",
1122  hmac_alg);
1123  return PTR_ERR(hmacalg);
1124  }
1125 
1127  if (IS_ERR(hashalg)) {
1128  pr_info("trusted_key: could not allocate crypto %s\n",
1129  hash_alg);
1130  ret = PTR_ERR(hashalg);
1131  goto hashalg_fail;
1132  }
1133 
1134  return 0;
1135 
1136 hashalg_fail:
1137  crypto_free_shash(hmacalg);
1138  return ret;
1139 }
1140 
1141 static int __init init_trusted(void)
1142 {
1143  int ret;
1144 
1145  ret = trusted_shash_alloc();
1146  if (ret < 0)
1147  return ret;
1148  ret = register_key_type(&key_type_trusted);
1149  if (ret < 0)
1150  trusted_shash_release();
1151  return ret;
1152 }
1153 
1154 static void __exit cleanup_trusted(void)
1155 {
1156  trusted_shash_release();
1157  unregister_key_type(&key_type_trusted);
1158 }
1159 
1160 late_initcall(init_trusted);
1161 module_exit(cleanup_trusted);
1162 
1163 MODULE_LICENSE("GPL");