1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2010 IBM Corporation 4 * 5 * Author: 6 * David Safford <safford@us.ibm.com> 7 * 8 * See Documentation/security/keys/trusted-encrypted.rst 9 */ 10 11 #include <crypto/hash_info.h> 12 #include <linux/uaccess.h> 13 #include <linux/module.h> 14 #include <linux/init.h> 15 #include <linux/slab.h> 16 #include <linux/parser.h> 17 #include <linux/string.h> 18 #include <linux/err.h> 19 #include <keys/user-type.h> 20 #include <keys/trusted-type.h> 21 #include <linux/key-type.h> 22 #include <linux/rcupdate.h> 23 #include <linux/crypto.h> 24 #include <crypto/hash.h> 25 #include <crypto/sha.h> 26 #include <linux/capability.h> 27 #include <linux/tpm.h> 28 #include <linux/tpm_command.h> 29 30 #include <keys/trusted_tpm.h> 31 32 static const char hmac_alg[] = "hmac(sha1)"; 33 static const char hash_alg[] = "sha1"; 34 static struct tpm_chip *chip; 35 static struct tpm_digest *digests; 36 37 struct sdesc { 38 struct shash_desc shash; 39 char ctx[]; 40 }; 41 42 static struct crypto_shash *hashalg; 43 static struct crypto_shash *hmacalg; 44 45 static struct sdesc *init_sdesc(struct crypto_shash *alg) 46 { 47 struct sdesc *sdesc; 48 int size; 49 50 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 51 sdesc = kmalloc(size, GFP_KERNEL); 52 if (!sdesc) 53 return ERR_PTR(-ENOMEM); 54 sdesc->shash.tfm = alg; 55 return sdesc; 56 } 57 58 static int TSS_sha1(const unsigned char *data, unsigned int datalen, 59 unsigned char *digest) 60 { 61 struct sdesc *sdesc; 62 int ret; 63 64 sdesc = init_sdesc(hashalg); 65 if (IS_ERR(sdesc)) { 66 pr_info("trusted_key: can't alloc %s\n", hash_alg); 67 return PTR_ERR(sdesc); 68 } 69 70 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 71 kfree_sensitive(sdesc); 72 return ret; 73 } 74 75 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 76 unsigned int keylen, ...) 77 { 78 struct sdesc *sdesc; 79 va_list argp; 80 unsigned int dlen; 81 unsigned char *data; 82 int ret; 83 84 sdesc = init_sdesc(hmacalg); 85 if (IS_ERR(sdesc)) { 86 pr_info("trusted_key: can't alloc %s\n", hmac_alg); 87 return PTR_ERR(sdesc); 88 } 89 90 ret = crypto_shash_setkey(hmacalg, key, keylen); 91 if (ret < 0) 92 goto out; 93 ret = crypto_shash_init(&sdesc->shash); 94 if (ret < 0) 95 goto out; 96 97 va_start(argp, keylen); 98 for (;;) { 99 dlen = va_arg(argp, unsigned int); 100 if (dlen == 0) 101 break; 102 data = va_arg(argp, unsigned char *); 103 if (data == NULL) { 104 ret = -EINVAL; 105 break; 106 } 107 ret = crypto_shash_update(&sdesc->shash, data, dlen); 108 if (ret < 0) 109 break; 110 } 111 va_end(argp); 112 if (!ret) 113 ret = crypto_shash_final(&sdesc->shash, digest); 114 out: 115 kfree_sensitive(sdesc); 116 return ret; 117 } 118 119 /* 120 * calculate authorization info fields to send to TPM 121 */ 122 int TSS_authhmac(unsigned char *digest, const unsigned char *key, 123 unsigned int keylen, unsigned char *h1, 124 unsigned char *h2, unsigned int h3, ...) 125 { 126 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 127 struct sdesc *sdesc; 128 unsigned int dlen; 129 unsigned char *data; 130 unsigned char c; 131 int ret; 132 va_list argp; 133 134 if (!chip) 135 return -ENODEV; 136 137 sdesc = init_sdesc(hashalg); 138 if (IS_ERR(sdesc)) { 139 pr_info("trusted_key: can't alloc %s\n", hash_alg); 140 return PTR_ERR(sdesc); 141 } 142 143 c = !!h3; 144 ret = crypto_shash_init(&sdesc->shash); 145 if (ret < 0) 146 goto out; 147 va_start(argp, h3); 148 for (;;) { 149 dlen = va_arg(argp, unsigned int); 150 if (dlen == 0) 151 break; 152 data = va_arg(argp, unsigned char *); 153 if (!data) { 154 ret = -EINVAL; 155 break; 156 } 157 ret = crypto_shash_update(&sdesc->shash, data, dlen); 158 if (ret < 0) 159 break; 160 } 161 va_end(argp); 162 if (!ret) 163 ret = crypto_shash_final(&sdesc->shash, paramdigest); 164 if (!ret) 165 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 166 paramdigest, TPM_NONCE_SIZE, h1, 167 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 168 out: 169 kfree_sensitive(sdesc); 170 return ret; 171 } 172 EXPORT_SYMBOL_GPL(TSS_authhmac); 173 174 /* 175 * verify the AUTH1_COMMAND (Seal) result from TPM 176 */ 177 int TSS_checkhmac1(unsigned char *buffer, 178 const uint32_t command, 179 const unsigned char *ononce, 180 const unsigned char *key, 181 unsigned int keylen, ...) 182 { 183 uint32_t bufsize; 184 uint16_t tag; 185 uint32_t ordinal; 186 uint32_t result; 187 unsigned char *enonce; 188 unsigned char *continueflag; 189 unsigned char *authdata; 190 unsigned char testhmac[SHA1_DIGEST_SIZE]; 191 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 192 struct sdesc *sdesc; 193 unsigned int dlen; 194 unsigned int dpos; 195 va_list argp; 196 int ret; 197 198 if (!chip) 199 return -ENODEV; 200 201 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 202 tag = LOAD16(buffer, 0); 203 ordinal = command; 204 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 205 if (tag == TPM_TAG_RSP_COMMAND) 206 return 0; 207 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 208 return -EINVAL; 209 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 210 continueflag = authdata - 1; 211 enonce = continueflag - TPM_NONCE_SIZE; 212 213 sdesc = init_sdesc(hashalg); 214 if (IS_ERR(sdesc)) { 215 pr_info("trusted_key: can't alloc %s\n", hash_alg); 216 return PTR_ERR(sdesc); 217 } 218 ret = crypto_shash_init(&sdesc->shash); 219 if (ret < 0) 220 goto out; 221 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 222 sizeof result); 223 if (ret < 0) 224 goto out; 225 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 226 sizeof ordinal); 227 if (ret < 0) 228 goto out; 229 va_start(argp, keylen); 230 for (;;) { 231 dlen = va_arg(argp, unsigned int); 232 if (dlen == 0) 233 break; 234 dpos = va_arg(argp, unsigned int); 235 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 236 if (ret < 0) 237 break; 238 } 239 va_end(argp); 240 if (!ret) 241 ret = crypto_shash_final(&sdesc->shash, paramdigest); 242 if (ret < 0) 243 goto out; 244 245 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 246 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 247 1, continueflag, 0, 0); 248 if (ret < 0) 249 goto out; 250 251 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 252 ret = -EINVAL; 253 out: 254 kfree_sensitive(sdesc); 255 return ret; 256 } 257 EXPORT_SYMBOL_GPL(TSS_checkhmac1); 258 259 /* 260 * verify the AUTH2_COMMAND (unseal) result from TPM 261 */ 262 static int TSS_checkhmac2(unsigned char *buffer, 263 const uint32_t command, 264 const unsigned char *ononce, 265 const unsigned char *key1, 266 unsigned int keylen1, 267 const unsigned char *key2, 268 unsigned int keylen2, ...) 269 { 270 uint32_t bufsize; 271 uint16_t tag; 272 uint32_t ordinal; 273 uint32_t result; 274 unsigned char *enonce1; 275 unsigned char *continueflag1; 276 unsigned char *authdata1; 277 unsigned char *enonce2; 278 unsigned char *continueflag2; 279 unsigned char *authdata2; 280 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 281 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 282 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 283 struct sdesc *sdesc; 284 unsigned int dlen; 285 unsigned int dpos; 286 va_list argp; 287 int ret; 288 289 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 290 tag = LOAD16(buffer, 0); 291 ordinal = command; 292 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 293 294 if (tag == TPM_TAG_RSP_COMMAND) 295 return 0; 296 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 297 return -EINVAL; 298 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 299 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 300 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 301 continueflag1 = authdata1 - 1; 302 continueflag2 = authdata2 - 1; 303 enonce1 = continueflag1 - TPM_NONCE_SIZE; 304 enonce2 = continueflag2 - TPM_NONCE_SIZE; 305 306 sdesc = init_sdesc(hashalg); 307 if (IS_ERR(sdesc)) { 308 pr_info("trusted_key: can't alloc %s\n", hash_alg); 309 return PTR_ERR(sdesc); 310 } 311 ret = crypto_shash_init(&sdesc->shash); 312 if (ret < 0) 313 goto out; 314 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 315 sizeof result); 316 if (ret < 0) 317 goto out; 318 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 319 sizeof ordinal); 320 if (ret < 0) 321 goto out; 322 323 va_start(argp, keylen2); 324 for (;;) { 325 dlen = va_arg(argp, unsigned int); 326 if (dlen == 0) 327 break; 328 dpos = va_arg(argp, unsigned int); 329 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 330 if (ret < 0) 331 break; 332 } 333 va_end(argp); 334 if (!ret) 335 ret = crypto_shash_final(&sdesc->shash, paramdigest); 336 if (ret < 0) 337 goto out; 338 339 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 340 paramdigest, TPM_NONCE_SIZE, enonce1, 341 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 342 if (ret < 0) 343 goto out; 344 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 345 ret = -EINVAL; 346 goto out; 347 } 348 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 349 paramdigest, TPM_NONCE_SIZE, enonce2, 350 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 351 if (ret < 0) 352 goto out; 353 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 354 ret = -EINVAL; 355 out: 356 kfree_sensitive(sdesc); 357 return ret; 358 } 359 360 /* 361 * For key specific tpm requests, we will generate and send our 362 * own TPM command packets using the drivers send function. 363 */ 364 int trusted_tpm_send(unsigned char *cmd, size_t buflen) 365 { 366 int rc; 367 368 if (!chip) 369 return -ENODEV; 370 371 dump_tpm_buf(cmd); 372 rc = tpm_send(chip, cmd, buflen); 373 dump_tpm_buf(cmd); 374 if (rc > 0) 375 /* Can't return positive return codes values to keyctl */ 376 rc = -EPERM; 377 return rc; 378 } 379 EXPORT_SYMBOL_GPL(trusted_tpm_send); 380 381 /* 382 * Lock a trusted key, by extending a selected PCR. 383 * 384 * Prevents a trusted key that is sealed to PCRs from being accessed. 385 * This uses the tpm driver's extend function. 386 */ 387 static int pcrlock(const int pcrnum) 388 { 389 if (!capable(CAP_SYS_ADMIN)) 390 return -EPERM; 391 392 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 393 } 394 395 /* 396 * Create an object specific authorisation protocol (OSAP) session 397 */ 398 static int osap(struct tpm_buf *tb, struct osapsess *s, 399 const unsigned char *key, uint16_t type, uint32_t handle) 400 { 401 unsigned char enonce[TPM_NONCE_SIZE]; 402 unsigned char ononce[TPM_NONCE_SIZE]; 403 int ret; 404 405 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 406 if (ret != TPM_NONCE_SIZE) 407 return ret; 408 409 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP); 410 tpm_buf_append_u16(tb, type); 411 tpm_buf_append_u32(tb, handle); 412 tpm_buf_append(tb, ononce, TPM_NONCE_SIZE); 413 414 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 415 if (ret < 0) 416 return ret; 417 418 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 419 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 420 TPM_NONCE_SIZE); 421 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 422 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 423 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 424 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 425 } 426 427 /* 428 * Create an object independent authorisation protocol (oiap) session 429 */ 430 int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 431 { 432 int ret; 433 434 if (!chip) 435 return -ENODEV; 436 437 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP); 438 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 439 if (ret < 0) 440 return ret; 441 442 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 443 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 444 TPM_NONCE_SIZE); 445 return 0; 446 } 447 EXPORT_SYMBOL_GPL(oiap); 448 449 struct tpm_digests { 450 unsigned char encauth[SHA1_DIGEST_SIZE]; 451 unsigned char pubauth[SHA1_DIGEST_SIZE]; 452 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 453 unsigned char xorhash[SHA1_DIGEST_SIZE]; 454 unsigned char nonceodd[TPM_NONCE_SIZE]; 455 }; 456 457 /* 458 * Have the TPM seal(encrypt) the trusted key, possibly based on 459 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 460 */ 461 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 462 uint32_t keyhandle, const unsigned char *keyauth, 463 const unsigned char *data, uint32_t datalen, 464 unsigned char *blob, uint32_t *bloblen, 465 const unsigned char *blobauth, 466 const unsigned char *pcrinfo, uint32_t pcrinfosize) 467 { 468 struct osapsess sess; 469 struct tpm_digests *td; 470 unsigned char cont; 471 uint32_t ordinal; 472 uint32_t pcrsize; 473 uint32_t datsize; 474 int sealinfosize; 475 int encdatasize; 476 int storedsize; 477 int ret; 478 int i; 479 480 /* alloc some work space for all the hashes */ 481 td = kmalloc(sizeof *td, GFP_KERNEL); 482 if (!td) 483 return -ENOMEM; 484 485 /* get session for sealing key */ 486 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 487 if (ret < 0) 488 goto out; 489 dump_sess(&sess); 490 491 /* calculate encrypted authorization value */ 492 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 493 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 494 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 495 if (ret < 0) 496 goto out; 497 498 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 499 if (ret != TPM_NONCE_SIZE) 500 goto out; 501 ordinal = htonl(TPM_ORD_SEAL); 502 datsize = htonl(datalen); 503 pcrsize = htonl(pcrinfosize); 504 cont = 0; 505 506 /* encrypt data authorization key */ 507 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 508 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 509 510 /* calculate authorization HMAC value */ 511 if (pcrinfosize == 0) { 512 /* no pcr info specified */ 513 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 514 sess.enonce, td->nonceodd, cont, 515 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 516 td->encauth, sizeof(uint32_t), &pcrsize, 517 sizeof(uint32_t), &datsize, datalen, data, 0, 518 0); 519 } else { 520 /* pcr info specified */ 521 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 522 sess.enonce, td->nonceodd, cont, 523 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 524 td->encauth, sizeof(uint32_t), &pcrsize, 525 pcrinfosize, pcrinfo, sizeof(uint32_t), 526 &datsize, datalen, data, 0, 0); 527 } 528 if (ret < 0) 529 goto out; 530 531 /* build and send the TPM request packet */ 532 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL); 533 tpm_buf_append_u32(tb, keyhandle); 534 tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE); 535 tpm_buf_append_u32(tb, pcrinfosize); 536 tpm_buf_append(tb, pcrinfo, pcrinfosize); 537 tpm_buf_append_u32(tb, datalen); 538 tpm_buf_append(tb, data, datalen); 539 tpm_buf_append_u32(tb, sess.handle); 540 tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE); 541 tpm_buf_append_u8(tb, cont); 542 tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE); 543 544 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 545 if (ret < 0) 546 goto out; 547 548 /* calculate the size of the returned Blob */ 549 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 550 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 551 sizeof(uint32_t) + sealinfosize); 552 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 553 sizeof(uint32_t) + encdatasize; 554 555 /* check the HMAC in the response */ 556 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 557 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 558 0); 559 560 /* copy the returned blob to caller */ 561 if (!ret) { 562 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 563 *bloblen = storedsize; 564 } 565 out: 566 kfree_sensitive(td); 567 return ret; 568 } 569 570 /* 571 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 572 */ 573 static int tpm_unseal(struct tpm_buf *tb, 574 uint32_t keyhandle, const unsigned char *keyauth, 575 const unsigned char *blob, int bloblen, 576 const unsigned char *blobauth, 577 unsigned char *data, unsigned int *datalen) 578 { 579 unsigned char nonceodd[TPM_NONCE_SIZE]; 580 unsigned char enonce1[TPM_NONCE_SIZE]; 581 unsigned char enonce2[TPM_NONCE_SIZE]; 582 unsigned char authdata1[SHA1_DIGEST_SIZE]; 583 unsigned char authdata2[SHA1_DIGEST_SIZE]; 584 uint32_t authhandle1 = 0; 585 uint32_t authhandle2 = 0; 586 unsigned char cont = 0; 587 uint32_t ordinal; 588 int ret; 589 590 /* sessions for unsealing key and data */ 591 ret = oiap(tb, &authhandle1, enonce1); 592 if (ret < 0) { 593 pr_info("trusted_key: oiap failed (%d)\n", ret); 594 return ret; 595 } 596 ret = oiap(tb, &authhandle2, enonce2); 597 if (ret < 0) { 598 pr_info("trusted_key: oiap failed (%d)\n", ret); 599 return ret; 600 } 601 602 ordinal = htonl(TPM_ORD_UNSEAL); 603 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 604 if (ret != TPM_NONCE_SIZE) { 605 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 606 return ret; 607 } 608 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 609 enonce1, nonceodd, cont, sizeof(uint32_t), 610 &ordinal, bloblen, blob, 0, 0); 611 if (ret < 0) 612 return ret; 613 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 614 enonce2, nonceodd, cont, sizeof(uint32_t), 615 &ordinal, bloblen, blob, 0, 0); 616 if (ret < 0) 617 return ret; 618 619 /* build and send TPM request packet */ 620 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL); 621 tpm_buf_append_u32(tb, keyhandle); 622 tpm_buf_append(tb, blob, bloblen); 623 tpm_buf_append_u32(tb, authhandle1); 624 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 625 tpm_buf_append_u8(tb, cont); 626 tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE); 627 tpm_buf_append_u32(tb, authhandle2); 628 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 629 tpm_buf_append_u8(tb, cont); 630 tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE); 631 632 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); 633 if (ret < 0) { 634 pr_info("trusted_key: authhmac failed (%d)\n", ret); 635 return ret; 636 } 637 638 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 639 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 640 keyauth, SHA1_DIGEST_SIZE, 641 blobauth, SHA1_DIGEST_SIZE, 642 sizeof(uint32_t), TPM_DATA_OFFSET, 643 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 644 0); 645 if (ret < 0) { 646 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret); 647 return ret; 648 } 649 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 650 return 0; 651 } 652 653 /* 654 * Have the TPM seal(encrypt) the symmetric key 655 */ 656 static int key_seal(struct trusted_key_payload *p, 657 struct trusted_key_options *o) 658 { 659 struct tpm_buf tb; 660 int ret; 661 662 ret = tpm_buf_init(&tb, 0, 0); 663 if (ret) 664 return ret; 665 666 /* include migratable flag at end of sealed key */ 667 p->key[p->key_len] = p->migratable; 668 669 ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth, 670 p->key, p->key_len + 1, p->blob, &p->blob_len, 671 o->blobauth, o->pcrinfo, o->pcrinfo_len); 672 if (ret < 0) 673 pr_info("trusted_key: srkseal failed (%d)\n", ret); 674 675 tpm_buf_destroy(&tb); 676 return ret; 677 } 678 679 /* 680 * Have the TPM unseal(decrypt) the symmetric key 681 */ 682 static int key_unseal(struct trusted_key_payload *p, 683 struct trusted_key_options *o) 684 { 685 struct tpm_buf tb; 686 int ret; 687 688 ret = tpm_buf_init(&tb, 0, 0); 689 if (ret) 690 return ret; 691 692 ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 693 o->blobauth, p->key, &p->key_len); 694 if (ret < 0) 695 pr_info("trusted_key: srkunseal failed (%d)\n", ret); 696 else 697 /* pull migratable flag out of sealed key */ 698 p->migratable = p->key[--p->key_len]; 699 700 tpm_buf_destroy(&tb); 701 return ret; 702 } 703 704 enum { 705 Opt_err, 706 Opt_new, Opt_load, Opt_update, 707 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 708 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 709 Opt_hash, 710 Opt_policydigest, 711 Opt_policyhandle, 712 }; 713 714 static const match_table_t key_tokens = { 715 {Opt_new, "new"}, 716 {Opt_load, "load"}, 717 {Opt_update, "update"}, 718 {Opt_keyhandle, "keyhandle=%s"}, 719 {Opt_keyauth, "keyauth=%s"}, 720 {Opt_blobauth, "blobauth=%s"}, 721 {Opt_pcrinfo, "pcrinfo=%s"}, 722 {Opt_pcrlock, "pcrlock=%s"}, 723 {Opt_migratable, "migratable=%s"}, 724 {Opt_hash, "hash=%s"}, 725 {Opt_policydigest, "policydigest=%s"}, 726 {Opt_policyhandle, "policyhandle=%s"}, 727 {Opt_err, NULL} 728 }; 729 730 /* can have zero or more token= options */ 731 static int getoptions(char *c, struct trusted_key_payload *pay, 732 struct trusted_key_options *opt) 733 { 734 substring_t args[MAX_OPT_ARGS]; 735 char *p = c; 736 int token; 737 int res; 738 unsigned long handle; 739 unsigned long lock; 740 unsigned long token_mask = 0; 741 unsigned int digest_len; 742 int i; 743 int tpm2; 744 745 tpm2 = tpm_is_tpm2(chip); 746 if (tpm2 < 0) 747 return tpm2; 748 749 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 750 751 while ((p = strsep(&c, " \t"))) { 752 if (*p == '\0' || *p == ' ' || *p == '\t') 753 continue; 754 token = match_token(p, key_tokens, args); 755 if (test_and_set_bit(token, &token_mask)) 756 return -EINVAL; 757 758 switch (token) { 759 case Opt_pcrinfo: 760 opt->pcrinfo_len = strlen(args[0].from) / 2; 761 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 762 return -EINVAL; 763 res = hex2bin(opt->pcrinfo, args[0].from, 764 opt->pcrinfo_len); 765 if (res < 0) 766 return -EINVAL; 767 break; 768 case Opt_keyhandle: 769 res = kstrtoul(args[0].from, 16, &handle); 770 if (res < 0) 771 return -EINVAL; 772 opt->keytype = SEAL_keytype; 773 opt->keyhandle = handle; 774 break; 775 case Opt_keyauth: 776 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 777 return -EINVAL; 778 res = hex2bin(opt->keyauth, args[0].from, 779 SHA1_DIGEST_SIZE); 780 if (res < 0) 781 return -EINVAL; 782 break; 783 case Opt_blobauth: 784 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 785 return -EINVAL; 786 res = hex2bin(opt->blobauth, args[0].from, 787 SHA1_DIGEST_SIZE); 788 if (res < 0) 789 return -EINVAL; 790 break; 791 case Opt_migratable: 792 if (*args[0].from == '0') 793 pay->migratable = 0; 794 else 795 return -EINVAL; 796 break; 797 case Opt_pcrlock: 798 res = kstrtoul(args[0].from, 10, &lock); 799 if (res < 0) 800 return -EINVAL; 801 opt->pcrlock = lock; 802 break; 803 case Opt_hash: 804 if (test_bit(Opt_policydigest, &token_mask)) 805 return -EINVAL; 806 for (i = 0; i < HASH_ALGO__LAST; i++) { 807 if (!strcmp(args[0].from, hash_algo_name[i])) { 808 opt->hash = i; 809 break; 810 } 811 } 812 if (i == HASH_ALGO__LAST) 813 return -EINVAL; 814 if (!tpm2 && i != HASH_ALGO_SHA1) { 815 pr_info("trusted_key: TPM 1.x only supports SHA-1.\n"); 816 return -EINVAL; 817 } 818 break; 819 case Opt_policydigest: 820 digest_len = hash_digest_size[opt->hash]; 821 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 822 return -EINVAL; 823 res = hex2bin(opt->policydigest, args[0].from, 824 digest_len); 825 if (res < 0) 826 return -EINVAL; 827 opt->policydigest_len = digest_len; 828 break; 829 case Opt_policyhandle: 830 if (!tpm2) 831 return -EINVAL; 832 res = kstrtoul(args[0].from, 16, &handle); 833 if (res < 0) 834 return -EINVAL; 835 opt->policyhandle = handle; 836 break; 837 default: 838 return -EINVAL; 839 } 840 } 841 return 0; 842 } 843 844 /* 845 * datablob_parse - parse the keyctl data and fill in the 846 * payload and options structures 847 * 848 * On success returns 0, otherwise -EINVAL. 849 */ 850 static int datablob_parse(char *datablob, struct trusted_key_payload *p, 851 struct trusted_key_options *o) 852 { 853 substring_t args[MAX_OPT_ARGS]; 854 long keylen; 855 int ret = -EINVAL; 856 int key_cmd; 857 char *c; 858 859 /* main command */ 860 c = strsep(&datablob, " \t"); 861 if (!c) 862 return -EINVAL; 863 key_cmd = match_token(c, key_tokens, args); 864 switch (key_cmd) { 865 case Opt_new: 866 /* first argument is key size */ 867 c = strsep(&datablob, " \t"); 868 if (!c) 869 return -EINVAL; 870 ret = kstrtol(c, 10, &keylen); 871 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE) 872 return -EINVAL; 873 p->key_len = keylen; 874 ret = getoptions(datablob, p, o); 875 if (ret < 0) 876 return ret; 877 ret = Opt_new; 878 break; 879 case Opt_load: 880 /* first argument is sealed blob */ 881 c = strsep(&datablob, " \t"); 882 if (!c) 883 return -EINVAL; 884 p->blob_len = strlen(c) / 2; 885 if (p->blob_len > MAX_BLOB_SIZE) 886 return -EINVAL; 887 ret = hex2bin(p->blob, c, p->blob_len); 888 if (ret < 0) 889 return -EINVAL; 890 ret = getoptions(datablob, p, o); 891 if (ret < 0) 892 return ret; 893 ret = Opt_load; 894 break; 895 case Opt_update: 896 /* all arguments are options */ 897 ret = getoptions(datablob, p, o); 898 if (ret < 0) 899 return ret; 900 ret = Opt_update; 901 break; 902 case Opt_err: 903 return -EINVAL; 904 break; 905 } 906 return ret; 907 } 908 909 static struct trusted_key_options *trusted_options_alloc(void) 910 { 911 struct trusted_key_options *options; 912 int tpm2; 913 914 tpm2 = tpm_is_tpm2(chip); 915 if (tpm2 < 0) 916 return NULL; 917 918 options = kzalloc(sizeof *options, GFP_KERNEL); 919 if (options) { 920 /* set any non-zero defaults */ 921 options->keytype = SRK_keytype; 922 923 if (!tpm2) 924 options->keyhandle = SRKHANDLE; 925 } 926 return options; 927 } 928 929 static struct trusted_key_payload *trusted_payload_alloc(struct key *key) 930 { 931 struct trusted_key_payload *p = NULL; 932 int ret; 933 934 ret = key_payload_reserve(key, sizeof *p); 935 if (ret < 0) 936 return p; 937 p = kzalloc(sizeof *p, GFP_KERNEL); 938 if (p) 939 p->migratable = 1; /* migratable by default */ 940 return p; 941 } 942 943 /* 944 * trusted_instantiate - create a new trusted key 945 * 946 * Unseal an existing trusted blob or, for a new key, get a 947 * random key, then seal and create a trusted key-type key, 948 * adding it to the specified keyring. 949 * 950 * On success, return 0. Otherwise return errno. 951 */ 952 static int trusted_instantiate(struct key *key, 953 struct key_preparsed_payload *prep) 954 { 955 struct trusted_key_payload *payload = NULL; 956 struct trusted_key_options *options = NULL; 957 size_t datalen = prep->datalen; 958 char *datablob; 959 int ret = 0; 960 int key_cmd; 961 size_t key_len; 962 int tpm2; 963 964 tpm2 = tpm_is_tpm2(chip); 965 if (tpm2 < 0) 966 return tpm2; 967 968 if (datalen <= 0 || datalen > 32767 || !prep->data) 969 return -EINVAL; 970 971 datablob = kmalloc(datalen + 1, GFP_KERNEL); 972 if (!datablob) 973 return -ENOMEM; 974 memcpy(datablob, prep->data, datalen); 975 datablob[datalen] = '\0'; 976 977 options = trusted_options_alloc(); 978 if (!options) { 979 ret = -ENOMEM; 980 goto out; 981 } 982 payload = trusted_payload_alloc(key); 983 if (!payload) { 984 ret = -ENOMEM; 985 goto out; 986 } 987 988 key_cmd = datablob_parse(datablob, payload, options); 989 if (key_cmd < 0) { 990 ret = key_cmd; 991 goto out; 992 } 993 994 if (!options->keyhandle) { 995 ret = -EINVAL; 996 goto out; 997 } 998 999 dump_payload(payload); 1000 dump_options(options); 1001 1002 switch (key_cmd) { 1003 case Opt_load: 1004 if (tpm2) 1005 ret = tpm2_unseal_trusted(chip, payload, options); 1006 else 1007 ret = key_unseal(payload, options); 1008 dump_payload(payload); 1009 dump_options(options); 1010 if (ret < 0) 1011 pr_info("trusted_key: key_unseal failed (%d)\n", ret); 1012 break; 1013 case Opt_new: 1014 key_len = payload->key_len; 1015 ret = tpm_get_random(chip, payload->key, key_len); 1016 if (ret != key_len) { 1017 pr_info("trusted_key: key_create failed (%d)\n", ret); 1018 goto out; 1019 } 1020 if (tpm2) 1021 ret = tpm2_seal_trusted(chip, payload, options); 1022 else 1023 ret = key_seal(payload, options); 1024 if (ret < 0) 1025 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1026 break; 1027 default: 1028 ret = -EINVAL; 1029 goto out; 1030 } 1031 if (!ret && options->pcrlock) 1032 ret = pcrlock(options->pcrlock); 1033 out: 1034 kfree_sensitive(datablob); 1035 kfree_sensitive(options); 1036 if (!ret) 1037 rcu_assign_keypointer(key, payload); 1038 else 1039 kfree_sensitive(payload); 1040 return ret; 1041 } 1042 1043 static void trusted_rcu_free(struct rcu_head *rcu) 1044 { 1045 struct trusted_key_payload *p; 1046 1047 p = container_of(rcu, struct trusted_key_payload, rcu); 1048 kfree_sensitive(p); 1049 } 1050 1051 /* 1052 * trusted_update - reseal an existing key with new PCR values 1053 */ 1054 static int trusted_update(struct key *key, struct key_preparsed_payload *prep) 1055 { 1056 struct trusted_key_payload *p; 1057 struct trusted_key_payload *new_p; 1058 struct trusted_key_options *new_o; 1059 size_t datalen = prep->datalen; 1060 char *datablob; 1061 int ret = 0; 1062 1063 if (key_is_negative(key)) 1064 return -ENOKEY; 1065 p = key->payload.data[0]; 1066 if (!p->migratable) 1067 return -EPERM; 1068 if (datalen <= 0 || datalen > 32767 || !prep->data) 1069 return -EINVAL; 1070 1071 datablob = kmalloc(datalen + 1, GFP_KERNEL); 1072 if (!datablob) 1073 return -ENOMEM; 1074 new_o = trusted_options_alloc(); 1075 if (!new_o) { 1076 ret = -ENOMEM; 1077 goto out; 1078 } 1079 new_p = trusted_payload_alloc(key); 1080 if (!new_p) { 1081 ret = -ENOMEM; 1082 goto out; 1083 } 1084 1085 memcpy(datablob, prep->data, datalen); 1086 datablob[datalen] = '\0'; 1087 ret = datablob_parse(datablob, new_p, new_o); 1088 if (ret != Opt_update) { 1089 ret = -EINVAL; 1090 kfree_sensitive(new_p); 1091 goto out; 1092 } 1093 1094 if (!new_o->keyhandle) { 1095 ret = -EINVAL; 1096 kfree_sensitive(new_p); 1097 goto out; 1098 } 1099 1100 /* copy old key values, and reseal with new pcrs */ 1101 new_p->migratable = p->migratable; 1102 new_p->key_len = p->key_len; 1103 memcpy(new_p->key, p->key, p->key_len); 1104 dump_payload(p); 1105 dump_payload(new_p); 1106 1107 ret = key_seal(new_p, new_o); 1108 if (ret < 0) { 1109 pr_info("trusted_key: key_seal failed (%d)\n", ret); 1110 kfree_sensitive(new_p); 1111 goto out; 1112 } 1113 if (new_o->pcrlock) { 1114 ret = pcrlock(new_o->pcrlock); 1115 if (ret < 0) { 1116 pr_info("trusted_key: pcrlock failed (%d)\n", ret); 1117 kfree_sensitive(new_p); 1118 goto out; 1119 } 1120 } 1121 rcu_assign_keypointer(key, new_p); 1122 call_rcu(&p->rcu, trusted_rcu_free); 1123 out: 1124 kfree_sensitive(datablob); 1125 kfree_sensitive(new_o); 1126 return ret; 1127 } 1128 1129 /* 1130 * trusted_read - copy the sealed blob data to userspace in hex. 1131 * On success, return to userspace the trusted key datablob size. 1132 */ 1133 static long trusted_read(const struct key *key, char *buffer, 1134 size_t buflen) 1135 { 1136 const struct trusted_key_payload *p; 1137 char *bufp; 1138 int i; 1139 1140 p = dereference_key_locked(key); 1141 if (!p) 1142 return -EINVAL; 1143 1144 if (buffer && buflen >= 2 * p->blob_len) { 1145 bufp = buffer; 1146 for (i = 0; i < p->blob_len; i++) 1147 bufp = hex_byte_pack(bufp, p->blob[i]); 1148 } 1149 return 2 * p->blob_len; 1150 } 1151 1152 /* 1153 * trusted_destroy - clear and free the key's payload 1154 */ 1155 static void trusted_destroy(struct key *key) 1156 { 1157 kfree_sensitive(key->payload.data[0]); 1158 } 1159 1160 struct key_type key_type_trusted = { 1161 .name = "trusted", 1162 .instantiate = trusted_instantiate, 1163 .update = trusted_update, 1164 .destroy = trusted_destroy, 1165 .describe = user_describe, 1166 .read = trusted_read, 1167 }; 1168 1169 EXPORT_SYMBOL_GPL(key_type_trusted); 1170 1171 static void trusted_shash_release(void) 1172 { 1173 if (hashalg) 1174 crypto_free_shash(hashalg); 1175 if (hmacalg) 1176 crypto_free_shash(hmacalg); 1177 } 1178 1179 static int __init trusted_shash_alloc(void) 1180 { 1181 int ret; 1182 1183 hmacalg = crypto_alloc_shash(hmac_alg, 0, 0); 1184 if (IS_ERR(hmacalg)) { 1185 pr_info("trusted_key: could not allocate crypto %s\n", 1186 hmac_alg); 1187 return PTR_ERR(hmacalg); 1188 } 1189 1190 hashalg = crypto_alloc_shash(hash_alg, 0, 0); 1191 if (IS_ERR(hashalg)) { 1192 pr_info("trusted_key: could not allocate crypto %s\n", 1193 hash_alg); 1194 ret = PTR_ERR(hashalg); 1195 goto hashalg_fail; 1196 } 1197 1198 return 0; 1199 1200 hashalg_fail: 1201 crypto_free_shash(hmacalg); 1202 return ret; 1203 } 1204 1205 static int __init init_digests(void) 1206 { 1207 int i; 1208 1209 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 1210 GFP_KERNEL); 1211 if (!digests) 1212 return -ENOMEM; 1213 1214 for (i = 0; i < chip->nr_allocated_banks; i++) 1215 digests[i].alg_id = chip->allocated_banks[i].alg_id; 1216 1217 return 0; 1218 } 1219 1220 static int __init init_trusted(void) 1221 { 1222 int ret; 1223 1224 /* encrypted_keys.ko depends on successful load of this module even if 1225 * TPM is not used. 1226 */ 1227 chip = tpm_default_chip(); 1228 if (!chip) 1229 return 0; 1230 1231 ret = init_digests(); 1232 if (ret < 0) 1233 goto err_put; 1234 ret = trusted_shash_alloc(); 1235 if (ret < 0) 1236 goto err_free; 1237 ret = register_key_type(&key_type_trusted); 1238 if (ret < 0) 1239 goto err_release; 1240 return 0; 1241 err_release: 1242 trusted_shash_release(); 1243 err_free: 1244 kfree(digests); 1245 err_put: 1246 put_device(&chip->dev); 1247 return ret; 1248 } 1249 1250 static void __exit cleanup_trusted(void) 1251 { 1252 if (chip) { 1253 put_device(&chip->dev); 1254 kfree(digests); 1255 trusted_shash_release(); 1256 unregister_key_type(&key_type_trusted); 1257 } 1258 } 1259 1260 late_initcall(init_trusted); 1261 module_exit(cleanup_trusted); 1262 1263 MODULE_LICENSE("GPL"); 1264