1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2010 IBM Corporation
4 * Copyright (c) 2019-2021, Linaro Limited
5 *
6 * See Documentation/security/keys/trusted-encrypted.rst
7 */
8
9 #include <crypto/hash_info.h>
10 #include <crypto/sha1.h>
11 #include <crypto/utils.h>
12 #include <linux/hex.h>
13 #include <linux/init.h>
14 #include <linux/slab.h>
15 #include <linux/parser.h>
16 #include <linux/string.h>
17 #include <linux/err.h>
18 #include <keys/trusted-type.h>
19 #include <linux/key-type.h>
20 #include <linux/tpm.h>
21 #include <linux/tpm_command.h>
22
23 #include <keys/trusted_tpm.h>
24
25 static struct tpm_chip *chip;
26 static struct tpm_digest *digests;
27
28 /* implementation specific TPM constants */
29 #define TPM_SIZE_OFFSET 2
30 #define TPM_RETURN_OFFSET 6
31 #define TPM_DATA_OFFSET 10
32
33 #define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset]))
34 #define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset])
35 #define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset]))
36
37 struct osapsess {
38 uint32_t handle;
39 unsigned char secret[SHA1_DIGEST_SIZE];
40 unsigned char enonce[TPM_NONCE_SIZE];
41 };
42
43 /* discrete values, but have to store in uint16_t for TPM use */
44 enum {
45 SEAL_keytype = 1,
46 SRK_keytype = 4
47 };
48
49 #define TPM_DEBUG 0
50
51 #if TPM_DEBUG
dump_options(struct trusted_key_options * o)52 static inline void dump_options(struct trusted_key_options *o)
53 {
54 pr_info("sealing key type %d\n", o->keytype);
55 pr_info("sealing key handle %0X\n", o->keyhandle);
56 pr_info("pcrlock %d\n", o->pcrlock);
57 pr_info("pcrinfo %d\n", o->pcrinfo_len);
58 print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
59 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
60 }
61
dump_sess(struct osapsess * s)62 static inline void dump_sess(struct osapsess *s)
63 {
64 print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
65 16, 1, &s->handle, 4, 0);
66 pr_info("secret:\n");
67 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
68 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
69 pr_info("trusted-key: enonce:\n");
70 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
71 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
72 }
73
dump_tpm_buf(unsigned char * buf)74 static inline void dump_tpm_buf(unsigned char *buf)
75 {
76 int len;
77
78 pr_info("\ntpm buffer\n");
79 len = LOAD32(buf, TPM_SIZE_OFFSET);
80 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
81 }
82 #else
dump_options(struct trusted_key_options * o)83 static inline void dump_options(struct trusted_key_options *o)
84 {
85 }
86
dump_sess(struct osapsess * s)87 static inline void dump_sess(struct osapsess *s)
88 {
89 }
90
dump_tpm_buf(unsigned char * buf)91 static inline void dump_tpm_buf(unsigned char *buf)
92 {
93 }
94 #endif
95
TSS_rawhmac(unsigned char * digest,const unsigned char * key,unsigned int keylen,...)96 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
97 unsigned int keylen, ...)
98 {
99 struct hmac_sha1_ctx hmac_ctx;
100 va_list argp;
101 unsigned int dlen;
102 unsigned char *data;
103 int ret = 0;
104
105 hmac_sha1_init_usingrawkey(&hmac_ctx, key, keylen);
106
107 va_start(argp, keylen);
108 for (;;) {
109 dlen = va_arg(argp, unsigned int);
110 if (dlen == 0)
111 break;
112 data = va_arg(argp, unsigned char *);
113 if (data == NULL) {
114 ret = -EINVAL;
115 break;
116 }
117 hmac_sha1_update(&hmac_ctx, data, dlen);
118 }
119 va_end(argp);
120 if (!ret)
121 hmac_sha1_final(&hmac_ctx, digest);
122 return ret;
123 }
124
125 /*
126 * calculate authorization info fields to send to TPM
127 */
TSS_authhmac(unsigned char * digest,const unsigned char * key,unsigned int keylen,unsigned char * h1,unsigned char * h2,unsigned int h3,...)128 static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
129 unsigned int keylen, unsigned char *h1,
130 unsigned char *h2, unsigned int h3, ...)
131 {
132 unsigned char paramdigest[SHA1_DIGEST_SIZE];
133 struct sha1_ctx sha_ctx;
134 unsigned int dlen;
135 unsigned char *data;
136 unsigned char c;
137 int ret = 0;
138 va_list argp;
139
140 if (!chip)
141 return -ENODEV;
142
143 c = !!h3;
144 sha1_init(&sha_ctx);
145 va_start(argp, h3);
146 for (;;) {
147 dlen = va_arg(argp, unsigned int);
148 if (dlen == 0)
149 break;
150 data = va_arg(argp, unsigned char *);
151 if (!data) {
152 ret = -EINVAL;
153 break;
154 }
155 sha1_update(&sha_ctx, data, dlen);
156 }
157 va_end(argp);
158 if (!ret)
159 sha1_final(&sha_ctx, paramdigest);
160 if (!ret)
161 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
162 paramdigest, TPM_NONCE_SIZE, h1,
163 TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
164 return ret;
165 }
166
167 /*
168 * verify the AUTH1_COMMAND (Seal) result from TPM
169 */
TSS_checkhmac1(unsigned char * buffer,const uint32_t command,const unsigned char * ononce,const unsigned char * key,unsigned int keylen,...)170 static int TSS_checkhmac1(unsigned char *buffer,
171 const uint32_t command,
172 const unsigned char *ononce,
173 const unsigned char *key,
174 unsigned int keylen, ...)
175 {
176 uint32_t bufsize;
177 uint16_t tag;
178 uint32_t ordinal;
179 uint32_t result;
180 unsigned char *enonce;
181 unsigned char *continueflag;
182 unsigned char *authdata;
183 unsigned char testhmac[SHA1_DIGEST_SIZE];
184 unsigned char paramdigest[SHA1_DIGEST_SIZE];
185 struct sha1_ctx sha_ctx;
186 unsigned int dlen;
187 unsigned int dpos;
188 va_list argp;
189 int ret;
190
191 if (!chip)
192 return -ENODEV;
193
194 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
195 tag = LOAD16(buffer, 0);
196 ordinal = command;
197 result = LOAD32N(buffer, TPM_RETURN_OFFSET);
198 if (tag == TPM_TAG_RSP_COMMAND)
199 return 0;
200 if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
201 return -EINVAL;
202 authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
203 continueflag = authdata - 1;
204 enonce = continueflag - TPM_NONCE_SIZE;
205
206 sha1_init(&sha_ctx);
207 sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result));
208 sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal));
209 va_start(argp, keylen);
210 for (;;) {
211 dlen = va_arg(argp, unsigned int);
212 if (dlen == 0)
213 break;
214 dpos = va_arg(argp, unsigned int);
215 sha1_update(&sha_ctx, buffer + dpos, dlen);
216 }
217 va_end(argp);
218 sha1_final(&sha_ctx, paramdigest);
219
220 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
221 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
222 1, continueflag, 0, 0);
223 if (ret < 0)
224 return ret;
225
226 if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
227 return -EINVAL;
228 return 0;
229 }
230
231 /*
232 * verify the AUTH2_COMMAND (unseal) result from TPM
233 */
TSS_checkhmac2(unsigned char * buffer,const uint32_t command,const unsigned char * ononce,const unsigned char * key1,unsigned int keylen1,const unsigned char * key2,unsigned int keylen2,...)234 static int TSS_checkhmac2(unsigned char *buffer,
235 const uint32_t command,
236 const unsigned char *ononce,
237 const unsigned char *key1,
238 unsigned int keylen1,
239 const unsigned char *key2,
240 unsigned int keylen2, ...)
241 {
242 uint32_t bufsize;
243 uint16_t tag;
244 uint32_t ordinal;
245 uint32_t result;
246 unsigned char *enonce1;
247 unsigned char *continueflag1;
248 unsigned char *authdata1;
249 unsigned char *enonce2;
250 unsigned char *continueflag2;
251 unsigned char *authdata2;
252 unsigned char testhmac1[SHA1_DIGEST_SIZE];
253 unsigned char testhmac2[SHA1_DIGEST_SIZE];
254 unsigned char paramdigest[SHA1_DIGEST_SIZE];
255 struct sha1_ctx sha_ctx;
256 unsigned int dlen;
257 unsigned int dpos;
258 va_list argp;
259 int ret;
260
261 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
262 tag = LOAD16(buffer, 0);
263 ordinal = command;
264 result = LOAD32N(buffer, TPM_RETURN_OFFSET);
265
266 if (tag == TPM_TAG_RSP_COMMAND)
267 return 0;
268 if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
269 return -EINVAL;
270 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
271 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
272 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
273 continueflag1 = authdata1 - 1;
274 continueflag2 = authdata2 - 1;
275 enonce1 = continueflag1 - TPM_NONCE_SIZE;
276 enonce2 = continueflag2 - TPM_NONCE_SIZE;
277
278 sha1_init(&sha_ctx);
279 sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result));
280 sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal));
281
282 va_start(argp, keylen2);
283 for (;;) {
284 dlen = va_arg(argp, unsigned int);
285 if (dlen == 0)
286 break;
287 dpos = va_arg(argp, unsigned int);
288 sha1_update(&sha_ctx, buffer + dpos, dlen);
289 }
290 va_end(argp);
291 sha1_final(&sha_ctx, paramdigest);
292
293 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
294 paramdigest, TPM_NONCE_SIZE, enonce1,
295 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
296 if (ret < 0)
297 return ret;
298 if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE))
299 return -EINVAL;
300 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
301 paramdigest, TPM_NONCE_SIZE, enonce2,
302 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
303 if (ret < 0)
304 return ret;
305 if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
306 return -EINVAL;
307 return 0;
308 }
309
310 /*
311 * For key specific tpm requests, we will generate and send our
312 * own TPM command packets using the drivers send function.
313 */
trusted_tpm_send(unsigned char * cmd,size_t buflen)314 static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
315 {
316 struct tpm_buf buf;
317 int rc;
318
319 if (!chip)
320 return -ENODEV;
321
322 rc = tpm_try_get_ops(chip);
323 if (rc)
324 return rc;
325
326 buf.flags = 0;
327 buf.length = buflen;
328 buf.data = cmd;
329 dump_tpm_buf(cmd);
330 rc = tpm_transmit_cmd(chip, &buf, 4, "sending data");
331 dump_tpm_buf(cmd);
332
333 if (rc > 0)
334 /* TPM error */
335 rc = -EPERM;
336
337 tpm_put_ops(chip);
338 return rc;
339 }
340
341 /*
342 * Lock a trusted key, by extending a selected PCR.
343 *
344 * Prevents a trusted key that is sealed to PCRs from being accessed.
345 * This uses the tpm driver's extend function.
346 */
pcrlock(const int pcrnum)347 static int pcrlock(const int pcrnum)
348 {
349 if (!capable(CAP_SYS_ADMIN))
350 return -EPERM;
351
352 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0;
353 }
354
355 /*
356 * Create an object specific authorisation protocol (OSAP) session
357 */
osap(struct tpm_buf * tb,struct osapsess * s,const unsigned char * key,uint16_t type,uint32_t handle)358 static int osap(struct tpm_buf *tb, struct osapsess *s,
359 const unsigned char *key, uint16_t type, uint32_t handle)
360 {
361 unsigned char enonce[TPM_NONCE_SIZE];
362 unsigned char ononce[TPM_NONCE_SIZE];
363 int ret;
364
365 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
366 if (ret < 0)
367 return ret;
368
369 if (ret != TPM_NONCE_SIZE)
370 return -EIO;
371
372 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP);
373 tpm_buf_append_u16(tb, type);
374 tpm_buf_append_u32(tb, handle);
375 tpm_buf_append(tb, ononce, TPM_NONCE_SIZE);
376
377 ret = trusted_tpm_send(tb->data, tb->length);
378 if (ret < 0)
379 return ret;
380
381 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
382 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
383 TPM_NONCE_SIZE);
384 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
385 TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
386 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
387 enonce, TPM_NONCE_SIZE, ononce, 0, 0);
388 }
389
390 /*
391 * Create an object independent authorisation protocol (oiap) session
392 */
oiap(struct tpm_buf * tb,uint32_t * handle,unsigned char * nonce)393 static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
394 {
395 int ret;
396
397 if (!chip)
398 return -ENODEV;
399
400 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP);
401 ret = trusted_tpm_send(tb->data, tb->length);
402 if (ret < 0)
403 return ret;
404
405 *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
406 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
407 TPM_NONCE_SIZE);
408 return 0;
409 }
410
411 struct tpm_digests {
412 unsigned char encauth[SHA1_DIGEST_SIZE];
413 unsigned char pubauth[SHA1_DIGEST_SIZE];
414 unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
415 unsigned char xorhash[SHA1_DIGEST_SIZE];
416 unsigned char nonceodd[TPM_NONCE_SIZE];
417 };
418
419 /*
420 * Have the TPM seal(encrypt) the trusted key, possibly based on
421 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
422 */
tpm_seal(struct tpm_buf * tb,uint16_t keytype,uint32_t keyhandle,const unsigned char * keyauth,const unsigned char * data,uint32_t datalen,unsigned char * blob,uint32_t * bloblen,const unsigned char * blobauth,const unsigned char * pcrinfo,uint32_t pcrinfosize)423 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
424 uint32_t keyhandle, const unsigned char *keyauth,
425 const unsigned char *data, uint32_t datalen,
426 unsigned char *blob, uint32_t *bloblen,
427 const unsigned char *blobauth,
428 const unsigned char *pcrinfo, uint32_t pcrinfosize)
429 {
430 struct osapsess sess;
431 struct tpm_digests *td;
432 unsigned char cont;
433 uint32_t ordinal;
434 uint32_t pcrsize;
435 uint32_t datsize;
436 int sealinfosize;
437 int encdatasize;
438 int storedsize;
439 int ret;
440 int i;
441
442 /* alloc some work space for all the hashes */
443 td = kmalloc_obj(*td);
444 if (!td)
445 return -ENOMEM;
446
447 /* get session for sealing key */
448 ret = osap(tb, &sess, keyauth, keytype, keyhandle);
449 if (ret < 0)
450 goto out;
451 dump_sess(&sess);
452
453 /* calculate encrypted authorization value */
454 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
455 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
456 sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
457
458 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
459 if (ret < 0)
460 goto out;
461
462 if (ret != TPM_NONCE_SIZE) {
463 ret = -EIO;
464 goto out;
465 }
466
467 ordinal = htonl(TPM_ORD_SEAL);
468 datsize = htonl(datalen);
469 pcrsize = htonl(pcrinfosize);
470 cont = 0;
471
472 /* encrypt data authorization key */
473 for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
474 td->encauth[i] = td->xorhash[i] ^ blobauth[i];
475
476 /* calculate authorization HMAC value */
477 if (pcrinfosize == 0) {
478 /* no pcr info specified */
479 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
480 sess.enonce, td->nonceodd, cont,
481 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
482 td->encauth, sizeof(uint32_t), &pcrsize,
483 sizeof(uint32_t), &datsize, datalen, data, 0,
484 0);
485 } else {
486 /* pcr info specified */
487 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
488 sess.enonce, td->nonceodd, cont,
489 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
490 td->encauth, sizeof(uint32_t), &pcrsize,
491 pcrinfosize, pcrinfo, sizeof(uint32_t),
492 &datsize, datalen, data, 0, 0);
493 }
494 if (ret < 0)
495 goto out;
496
497 /* build and send the TPM request packet */
498 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL);
499 tpm_buf_append_u32(tb, keyhandle);
500 tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE);
501 tpm_buf_append_u32(tb, pcrinfosize);
502 tpm_buf_append(tb, pcrinfo, pcrinfosize);
503 tpm_buf_append_u32(tb, datalen);
504 tpm_buf_append(tb, data, datalen);
505 tpm_buf_append_u32(tb, sess.handle);
506 tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE);
507 tpm_buf_append_u8(tb, cont);
508 tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE);
509
510 ret = trusted_tpm_send(tb->data, tb->length);
511 if (ret < 0)
512 goto out;
513
514 /* calculate the size of the returned Blob */
515 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
516 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
517 sizeof(uint32_t) + sealinfosize);
518 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
519 sizeof(uint32_t) + encdatasize;
520
521 /* check the HMAC in the response */
522 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
523 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
524 0);
525
526 /* copy the returned blob to caller */
527 if (!ret) {
528 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
529 *bloblen = storedsize;
530 }
531 out:
532 kfree_sensitive(td);
533 return ret;
534 }
535
536 /*
537 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
538 */
tpm_unseal(struct tpm_buf * tb,uint32_t keyhandle,const unsigned char * keyauth,const unsigned char * blob,int bloblen,const unsigned char * blobauth,unsigned char * data,unsigned int * datalen)539 static int tpm_unseal(struct tpm_buf *tb,
540 uint32_t keyhandle, const unsigned char *keyauth,
541 const unsigned char *blob, int bloblen,
542 const unsigned char *blobauth,
543 unsigned char *data, unsigned int *datalen)
544 {
545 unsigned char nonceodd[TPM_NONCE_SIZE];
546 unsigned char enonce1[TPM_NONCE_SIZE];
547 unsigned char enonce2[TPM_NONCE_SIZE];
548 unsigned char authdata1[SHA1_DIGEST_SIZE];
549 unsigned char authdata2[SHA1_DIGEST_SIZE];
550 uint32_t authhandle1 = 0;
551 uint32_t authhandle2 = 0;
552 unsigned char cont = 0;
553 uint32_t ordinal;
554 int ret;
555
556 /* sessions for unsealing key and data */
557 ret = oiap(tb, &authhandle1, enonce1);
558 if (ret < 0) {
559 pr_info("oiap failed (%d)\n", ret);
560 return ret;
561 }
562 ret = oiap(tb, &authhandle2, enonce2);
563 if (ret < 0) {
564 pr_info("oiap failed (%d)\n", ret);
565 return ret;
566 }
567
568 ordinal = htonl(TPM_ORD_UNSEAL);
569 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
570 if (ret < 0)
571 return ret;
572
573 if (ret != TPM_NONCE_SIZE) {
574 pr_info("tpm_get_random failed (%d)\n", ret);
575 return -EIO;
576 }
577 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
578 enonce1, nonceodd, cont, sizeof(uint32_t),
579 &ordinal, bloblen, blob, 0, 0);
580 if (ret < 0)
581 return ret;
582 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
583 enonce2, nonceodd, cont, sizeof(uint32_t),
584 &ordinal, bloblen, blob, 0, 0);
585 if (ret < 0)
586 return ret;
587
588 /* build and send TPM request packet */
589 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL);
590 tpm_buf_append_u32(tb, keyhandle);
591 tpm_buf_append(tb, blob, bloblen);
592 tpm_buf_append_u32(tb, authhandle1);
593 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
594 tpm_buf_append_u8(tb, cont);
595 tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE);
596 tpm_buf_append_u32(tb, authhandle2);
597 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
598 tpm_buf_append_u8(tb, cont);
599 tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE);
600
601 ret = trusted_tpm_send(tb->data, tb->length);
602 if (ret < 0) {
603 pr_info("authhmac failed (%d)\n", ret);
604 return ret;
605 }
606
607 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
608 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
609 keyauth, SHA1_DIGEST_SIZE,
610 blobauth, SHA1_DIGEST_SIZE,
611 sizeof(uint32_t), TPM_DATA_OFFSET,
612 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
613 0);
614 if (ret < 0) {
615 pr_info("TSS_checkhmac2 failed (%d)\n", ret);
616 return ret;
617 }
618 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
619 return 0;
620 }
621
622 /*
623 * Have the TPM seal(encrypt) the symmetric key
624 */
key_seal(struct trusted_key_payload * p,struct trusted_key_options * o)625 static int key_seal(struct trusted_key_payload *p,
626 struct trusted_key_options *o)
627 {
628 struct tpm_buf tb;
629 int ret;
630
631 ret = tpm_buf_init(&tb, 0, 0);
632 if (ret)
633 return ret;
634
635 /* include migratable flag at end of sealed key */
636 p->key[p->key_len] = p->migratable;
637
638 ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth,
639 p->key, p->key_len + 1, p->blob, &p->blob_len,
640 o->blobauth, o->pcrinfo, o->pcrinfo_len);
641 if (ret < 0)
642 pr_info("srkseal failed (%d)\n", ret);
643
644 tpm_buf_destroy(&tb);
645 return ret;
646 }
647
648 /*
649 * Have the TPM unseal(decrypt) the symmetric key
650 */
key_unseal(struct trusted_key_payload * p,struct trusted_key_options * o)651 static int key_unseal(struct trusted_key_payload *p,
652 struct trusted_key_options *o)
653 {
654 struct tpm_buf tb;
655 int ret;
656
657 ret = tpm_buf_init(&tb, 0, 0);
658 if (ret)
659 return ret;
660
661 ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
662 o->blobauth, p->key, &p->key_len);
663 if (ret < 0)
664 pr_info("srkunseal failed (%d)\n", ret);
665 else
666 /* pull migratable flag out of sealed key */
667 p->migratable = p->key[--p->key_len];
668
669 tpm_buf_destroy(&tb);
670 return ret;
671 }
672
673 enum {
674 Opt_err,
675 Opt_keyhandle, Opt_keyauth, Opt_blobauth,
676 Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
677 Opt_hash,
678 Opt_policydigest,
679 Opt_policyhandle,
680 };
681
682 static const match_table_t key_tokens = {
683 {Opt_keyhandle, "keyhandle=%s"},
684 {Opt_keyauth, "keyauth=%s"},
685 {Opt_blobauth, "blobauth=%s"},
686 {Opt_pcrinfo, "pcrinfo=%s"},
687 {Opt_pcrlock, "pcrlock=%s"},
688 {Opt_migratable, "migratable=%s"},
689 {Opt_hash, "hash=%s"},
690 {Opt_policydigest, "policydigest=%s"},
691 {Opt_policyhandle, "policyhandle=%s"},
692 {Opt_err, NULL}
693 };
694
695 /* can have zero or more token= options */
getoptions(char * c,struct trusted_key_payload * pay,struct trusted_key_options * opt)696 static int getoptions(char *c, struct trusted_key_payload *pay,
697 struct trusted_key_options *opt)
698 {
699 substring_t args[MAX_OPT_ARGS];
700 char *p = c;
701 int token;
702 int res;
703 unsigned long handle;
704 unsigned long lock;
705 unsigned long token_mask = 0;
706 unsigned int digest_len;
707 int i;
708 int tpm2;
709
710 tpm2 = tpm_is_tpm2(chip);
711 if (tpm2 < 0)
712 return tpm2;
713
714 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
715
716 if (!c)
717 return 0;
718
719 while ((p = strsep(&c, " \t"))) {
720 if (*p == '\0' || *p == ' ' || *p == '\t')
721 continue;
722 token = match_token(p, key_tokens, args);
723 if (test_and_set_bit(token, &token_mask))
724 return -EINVAL;
725
726 switch (token) {
727 case Opt_pcrinfo:
728 opt->pcrinfo_len = strlen(args[0].from) / 2;
729 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
730 return -EINVAL;
731 res = hex2bin(opt->pcrinfo, args[0].from,
732 opt->pcrinfo_len);
733 if (res < 0)
734 return -EINVAL;
735 break;
736 case Opt_keyhandle:
737 res = kstrtoul(args[0].from, 16, &handle);
738 if (res < 0)
739 return -EINVAL;
740 opt->keytype = SEAL_keytype;
741 opt->keyhandle = handle;
742 break;
743 case Opt_keyauth:
744 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
745 return -EINVAL;
746 res = hex2bin(opt->keyauth, args[0].from,
747 SHA1_DIGEST_SIZE);
748 if (res < 0)
749 return -EINVAL;
750 break;
751 case Opt_blobauth:
752 /*
753 * TPM 1.2 authorizations are sha1 hashes passed in as
754 * hex strings. TPM 2.0 authorizations are simple
755 * passwords (although it can take a hash as well)
756 */
757 opt->blobauth_len = strlen(args[0].from);
758
759 if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) {
760 res = hex2bin(opt->blobauth, args[0].from,
761 TPM_DIGEST_SIZE);
762 if (res < 0)
763 return -EINVAL;
764
765 opt->blobauth_len = TPM_DIGEST_SIZE;
766 break;
767 }
768
769 if (tpm2 && opt->blobauth_len <= sizeof(opt->blobauth)) {
770 memcpy(opt->blobauth, args[0].from,
771 opt->blobauth_len);
772 break;
773 }
774
775 return -EINVAL;
776
777 break;
778
779 case Opt_migratable:
780 if (*args[0].from == '0')
781 pay->migratable = 0;
782 else if (*args[0].from != '1')
783 return -EINVAL;
784 break;
785 case Opt_pcrlock:
786 res = kstrtoul(args[0].from, 10, &lock);
787 if (res < 0)
788 return -EINVAL;
789 opt->pcrlock = lock;
790 break;
791 case Opt_hash:
792 if (test_bit(Opt_policydigest, &token_mask))
793 return -EINVAL;
794 for (i = 0; i < HASH_ALGO__LAST; i++) {
795 if (!strcmp(args[0].from, hash_algo_name[i])) {
796 opt->hash = i;
797 break;
798 }
799 }
800 if (i == HASH_ALGO__LAST)
801 return -EINVAL;
802 if (!tpm2 && i != HASH_ALGO_SHA1) {
803 pr_info("TPM 1.x only supports SHA-1.\n");
804 return -EINVAL;
805 }
806 break;
807 case Opt_policydigest:
808 digest_len = hash_digest_size[opt->hash];
809 if (!tpm2 || strlen(args[0].from) != (2 * digest_len))
810 return -EINVAL;
811 res = hex2bin(opt->policydigest, args[0].from,
812 digest_len);
813 if (res < 0)
814 return -EINVAL;
815 opt->policydigest_len = digest_len;
816 break;
817 case Opt_policyhandle:
818 if (!tpm2)
819 return -EINVAL;
820 res = kstrtoul(args[0].from, 16, &handle);
821 if (res < 0)
822 return -EINVAL;
823 opt->policyhandle = handle;
824 break;
825 default:
826 return -EINVAL;
827 }
828 }
829 return 0;
830 }
831
trusted_options_alloc(void)832 static struct trusted_key_options *trusted_options_alloc(void)
833 {
834 struct trusted_key_options *options;
835 int tpm2;
836
837 tpm2 = tpm_is_tpm2(chip);
838 if (tpm2 < 0)
839 return NULL;
840
841 options = kzalloc_obj(*options);
842 if (options) {
843 /* set any non-zero defaults */
844 options->keytype = SRK_keytype;
845
846 if (!tpm2)
847 options->keyhandle = SRKHANDLE;
848 }
849 return options;
850 }
851
trusted_tpm_seal(struct trusted_key_payload * p,char * datablob)852 static int trusted_tpm_seal(struct trusted_key_payload *p, char *datablob)
853 {
854 struct trusted_key_options *options = NULL;
855 int ret = 0;
856 int tpm2;
857
858 tpm2 = tpm_is_tpm2(chip);
859 if (tpm2 < 0)
860 return tpm2;
861
862 options = trusted_options_alloc();
863 if (!options)
864 return -ENOMEM;
865
866 ret = getoptions(datablob, p, options);
867 if (ret < 0)
868 goto out;
869 dump_options(options);
870
871 if (!options->keyhandle && !tpm2) {
872 ret = -EINVAL;
873 goto out;
874 }
875
876 if (tpm2)
877 ret = tpm2_seal_trusted(chip, p, options);
878 else
879 ret = key_seal(p, options);
880 if (ret < 0) {
881 pr_info("key_seal failed (%d)\n", ret);
882 goto out;
883 }
884
885 if (options->pcrlock) {
886 ret = pcrlock(options->pcrlock);
887 if (ret < 0) {
888 pr_info("pcrlock failed (%d)\n", ret);
889 goto out;
890 }
891 }
892 out:
893 kfree_sensitive(options);
894 return ret;
895 }
896
trusted_tpm_unseal(struct trusted_key_payload * p,char * datablob)897 static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob)
898 {
899 struct trusted_key_options *options = NULL;
900 int ret = 0;
901 int tpm2;
902
903 tpm2 = tpm_is_tpm2(chip);
904 if (tpm2 < 0)
905 return tpm2;
906
907 options = trusted_options_alloc();
908 if (!options)
909 return -ENOMEM;
910
911 ret = getoptions(datablob, p, options);
912 if (ret < 0)
913 goto out;
914 dump_options(options);
915
916 if (!options->keyhandle && !tpm2) {
917 ret = -EINVAL;
918 goto out;
919 }
920
921 if (tpm2)
922 ret = tpm2_unseal_trusted(chip, p, options);
923 else
924 ret = key_unseal(p, options);
925 if (ret < 0)
926 pr_info("key_unseal failed (%d)\n", ret);
927
928 if (options->pcrlock) {
929 ret = pcrlock(options->pcrlock);
930 if (ret < 0) {
931 pr_info("pcrlock failed (%d)\n", ret);
932 goto out;
933 }
934 }
935 out:
936 kfree_sensitive(options);
937 return ret;
938 }
939
trusted_tpm_get_random(unsigned char * key,size_t key_len)940 static int trusted_tpm_get_random(unsigned char *key, size_t key_len)
941 {
942 return tpm_get_random(chip, key, key_len);
943 }
944
init_digests(void)945 static int __init init_digests(void)
946 {
947 int i;
948
949 digests = kzalloc_objs(*digests, chip->nr_allocated_banks);
950 if (!digests)
951 return -ENOMEM;
952
953 for (i = 0; i < chip->nr_allocated_banks; i++)
954 digests[i].alg_id = chip->allocated_banks[i].alg_id;
955
956 return 0;
957 }
958
trusted_tpm_init(void)959 static int __init trusted_tpm_init(void)
960 {
961 int ret;
962
963 chip = tpm_default_chip();
964 if (!chip)
965 return -ENODEV;
966
967 ret = init_digests();
968 if (ret < 0)
969 goto err_put;
970 ret = register_key_type(&key_type_trusted);
971 if (ret < 0)
972 goto err_free;
973 return 0;
974 err_free:
975 kfree(digests);
976 err_put:
977 put_device(&chip->dev);
978 return ret;
979 }
980
trusted_tpm_exit(void)981 static void trusted_tpm_exit(void)
982 {
983 if (chip) {
984 put_device(&chip->dev);
985 kfree(digests);
986 unregister_key_type(&key_type_trusted);
987 }
988 }
989
990 struct trusted_key_ops trusted_key_tpm_ops = {
991 .migratable = 1, /* migratable by default */
992 .init = trusted_tpm_init,
993 .seal = trusted_tpm_seal,
994 .unseal = trusted_tpm_unseal,
995 .get_random = trusted_tpm_get_random,
996 .exit = trusted_tpm_exit,
997 };
998