1 /* 2 * Copyright (C) 2014, 2015 Intel Corporation 3 * 4 * Authors: 5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> 6 * 7 * Maintained by: <tpmdd-devel@lists.sourceforge.net> 8 * 9 * This file contains TPM2 protocol implementations of the commands 10 * used by the kernel internally. 11 * 12 * This program is free software; you can redistribute it and/or 13 * modify it under the terms of the GNU General Public License 14 * as published by the Free Software Foundation; version 2 15 * of the License. 16 */ 17 18 #include "tpm.h" 19 #include <crypto/hash_info.h> 20 #include <keys/trusted-type.h> 21 22 enum tpm2_object_attributes { 23 TPM2_OA_USER_WITH_AUTH = BIT(6), 24 }; 25 26 enum tpm2_session_attributes { 27 TPM2_SA_CONTINUE_SESSION = BIT(0), 28 }; 29 30 struct tpm2_startup_in { 31 __be16 startup_type; 32 } __packed; 33 34 struct tpm2_self_test_in { 35 u8 full_test; 36 } __packed; 37 38 struct tpm2_pcr_read_in { 39 __be32 pcr_selects_cnt; 40 __be16 hash_alg; 41 u8 pcr_select_size; 42 u8 pcr_select[TPM2_PCR_SELECT_MIN]; 43 } __packed; 44 45 struct tpm2_pcr_read_out { 46 __be32 update_cnt; 47 __be32 pcr_selects_cnt; 48 __be16 hash_alg; 49 u8 pcr_select_size; 50 u8 pcr_select[TPM2_PCR_SELECT_MIN]; 51 __be32 digests_cnt; 52 __be16 digest_size; 53 u8 digest[TPM_DIGEST_SIZE]; 54 } __packed; 55 56 struct tpm2_get_tpm_pt_in { 57 __be32 cap_id; 58 __be32 property_id; 59 __be32 property_cnt; 60 } __packed; 61 62 struct tpm2_get_tpm_pt_out { 63 u8 more_data; 64 __be32 subcap_id; 65 __be32 property_cnt; 66 __be32 property_id; 67 __be32 value; 68 } __packed; 69 70 struct tpm2_get_random_in { 71 __be16 size; 72 } __packed; 73 74 struct tpm2_get_random_out { 75 __be16 size; 76 u8 buffer[TPM_MAX_RNG_DATA]; 77 } __packed; 78 79 union tpm2_cmd_params { 80 struct tpm2_startup_in startup_in; 81 struct tpm2_self_test_in selftest_in; 82 struct tpm2_pcr_read_in pcrread_in; 83 struct tpm2_pcr_read_out pcrread_out; 84 struct tpm2_get_tpm_pt_in get_tpm_pt_in; 85 struct tpm2_get_tpm_pt_out get_tpm_pt_out; 86 struct tpm2_get_random_in getrandom_in; 87 struct tpm2_get_random_out getrandom_out; 88 }; 89 90 struct tpm2_cmd { 91 tpm_cmd_header header; 92 union tpm2_cmd_params params; 93 } __packed; 94 95 struct tpm2_hash { 96 unsigned int crypto_id; 97 unsigned int tpm_id; 98 }; 99 100 static struct tpm2_hash tpm2_hash_map[] = { 101 {HASH_ALGO_SHA1, TPM2_ALG_SHA1}, 102 {HASH_ALGO_SHA256, TPM2_ALG_SHA256}, 103 {HASH_ALGO_SHA384, TPM2_ALG_SHA384}, 104 {HASH_ALGO_SHA512, TPM2_ALG_SHA512}, 105 {HASH_ALGO_SM3_256, TPM2_ALG_SM3_256}, 106 }; 107 108 /* 109 * Array with one entry per ordinal defining the maximum amount 110 * of time the chip could take to return the result. The values 111 * of the SHORT, MEDIUM, and LONG durations are taken from the 112 * PC Client Profile (PTP) specification. 113 */ 114 static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = { 115 TPM_UNDEFINED, /* 11F */ 116 TPM_UNDEFINED, /* 120 */ 117 TPM_LONG, /* 121 */ 118 TPM_UNDEFINED, /* 122 */ 119 TPM_UNDEFINED, /* 123 */ 120 TPM_UNDEFINED, /* 124 */ 121 TPM_UNDEFINED, /* 125 */ 122 TPM_UNDEFINED, /* 126 */ 123 TPM_UNDEFINED, /* 127 */ 124 TPM_UNDEFINED, /* 128 */ 125 TPM_LONG, /* 129 */ 126 TPM_UNDEFINED, /* 12a */ 127 TPM_UNDEFINED, /* 12b */ 128 TPM_UNDEFINED, /* 12c */ 129 TPM_UNDEFINED, /* 12d */ 130 TPM_UNDEFINED, /* 12e */ 131 TPM_UNDEFINED, /* 12f */ 132 TPM_UNDEFINED, /* 130 */ 133 TPM_UNDEFINED, /* 131 */ 134 TPM_UNDEFINED, /* 132 */ 135 TPM_UNDEFINED, /* 133 */ 136 TPM_UNDEFINED, /* 134 */ 137 TPM_UNDEFINED, /* 135 */ 138 TPM_UNDEFINED, /* 136 */ 139 TPM_UNDEFINED, /* 137 */ 140 TPM_UNDEFINED, /* 138 */ 141 TPM_UNDEFINED, /* 139 */ 142 TPM_UNDEFINED, /* 13a */ 143 TPM_UNDEFINED, /* 13b */ 144 TPM_UNDEFINED, /* 13c */ 145 TPM_UNDEFINED, /* 13d */ 146 TPM_MEDIUM, /* 13e */ 147 TPM_UNDEFINED, /* 13f */ 148 TPM_UNDEFINED, /* 140 */ 149 TPM_UNDEFINED, /* 141 */ 150 TPM_UNDEFINED, /* 142 */ 151 TPM_LONG, /* 143 */ 152 TPM_MEDIUM, /* 144 */ 153 TPM_UNDEFINED, /* 145 */ 154 TPM_UNDEFINED, /* 146 */ 155 TPM_UNDEFINED, /* 147 */ 156 TPM_UNDEFINED, /* 148 */ 157 TPM_UNDEFINED, /* 149 */ 158 TPM_UNDEFINED, /* 14a */ 159 TPM_UNDEFINED, /* 14b */ 160 TPM_UNDEFINED, /* 14c */ 161 TPM_UNDEFINED, /* 14d */ 162 TPM_LONG, /* 14e */ 163 TPM_UNDEFINED, /* 14f */ 164 TPM_UNDEFINED, /* 150 */ 165 TPM_UNDEFINED, /* 151 */ 166 TPM_UNDEFINED, /* 152 */ 167 TPM_UNDEFINED, /* 153 */ 168 TPM_UNDEFINED, /* 154 */ 169 TPM_UNDEFINED, /* 155 */ 170 TPM_UNDEFINED, /* 156 */ 171 TPM_UNDEFINED, /* 157 */ 172 TPM_UNDEFINED, /* 158 */ 173 TPM_UNDEFINED, /* 159 */ 174 TPM_UNDEFINED, /* 15a */ 175 TPM_UNDEFINED, /* 15b */ 176 TPM_MEDIUM, /* 15c */ 177 TPM_UNDEFINED, /* 15d */ 178 TPM_UNDEFINED, /* 15e */ 179 TPM_UNDEFINED, /* 15f */ 180 TPM_UNDEFINED, /* 160 */ 181 TPM_UNDEFINED, /* 161 */ 182 TPM_UNDEFINED, /* 162 */ 183 TPM_UNDEFINED, /* 163 */ 184 TPM_UNDEFINED, /* 164 */ 185 TPM_UNDEFINED, /* 165 */ 186 TPM_UNDEFINED, /* 166 */ 187 TPM_UNDEFINED, /* 167 */ 188 TPM_UNDEFINED, /* 168 */ 189 TPM_UNDEFINED, /* 169 */ 190 TPM_UNDEFINED, /* 16a */ 191 TPM_UNDEFINED, /* 16b */ 192 TPM_UNDEFINED, /* 16c */ 193 TPM_UNDEFINED, /* 16d */ 194 TPM_UNDEFINED, /* 16e */ 195 TPM_UNDEFINED, /* 16f */ 196 TPM_UNDEFINED, /* 170 */ 197 TPM_UNDEFINED, /* 171 */ 198 TPM_UNDEFINED, /* 172 */ 199 TPM_UNDEFINED, /* 173 */ 200 TPM_UNDEFINED, /* 174 */ 201 TPM_UNDEFINED, /* 175 */ 202 TPM_UNDEFINED, /* 176 */ 203 TPM_LONG, /* 177 */ 204 TPM_UNDEFINED, /* 178 */ 205 TPM_UNDEFINED, /* 179 */ 206 TPM_MEDIUM, /* 17a */ 207 TPM_LONG, /* 17b */ 208 TPM_UNDEFINED, /* 17c */ 209 TPM_UNDEFINED, /* 17d */ 210 TPM_UNDEFINED, /* 17e */ 211 TPM_UNDEFINED, /* 17f */ 212 TPM_UNDEFINED, /* 180 */ 213 TPM_UNDEFINED, /* 181 */ 214 TPM_MEDIUM, /* 182 */ 215 TPM_UNDEFINED, /* 183 */ 216 TPM_UNDEFINED, /* 184 */ 217 TPM_MEDIUM, /* 185 */ 218 TPM_MEDIUM, /* 186 */ 219 TPM_UNDEFINED, /* 187 */ 220 TPM_UNDEFINED, /* 188 */ 221 TPM_UNDEFINED, /* 189 */ 222 TPM_UNDEFINED, /* 18a */ 223 TPM_UNDEFINED, /* 18b */ 224 TPM_UNDEFINED, /* 18c */ 225 TPM_UNDEFINED, /* 18d */ 226 TPM_UNDEFINED, /* 18e */ 227 TPM_UNDEFINED /* 18f */ 228 }; 229 230 #define TPM2_PCR_READ_IN_SIZE \ 231 (sizeof(struct tpm_input_header) + \ 232 sizeof(struct tpm2_pcr_read_in)) 233 234 #define TPM2_PCR_READ_RESP_BODY_SIZE \ 235 sizeof(struct tpm2_pcr_read_out) 236 237 static const struct tpm_input_header tpm2_pcrread_header = { 238 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 239 .length = cpu_to_be32(TPM2_PCR_READ_IN_SIZE), 240 .ordinal = cpu_to_be32(TPM2_CC_PCR_READ) 241 }; 242 243 /** 244 * tpm2_pcr_read() - read a PCR value 245 * @chip: TPM chip to use. 246 * @pcr_idx: index of the PCR to read. 247 * @res_buf: buffer to store the resulting hash. 248 * 249 * Return: Same as with tpm_transmit_cmd. 250 */ 251 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) 252 { 253 int rc; 254 struct tpm2_cmd cmd; 255 u8 *buf; 256 257 if (pcr_idx >= TPM2_PLATFORM_PCR) 258 return -EINVAL; 259 260 cmd.header.in = tpm2_pcrread_header; 261 cmd.params.pcrread_in.pcr_selects_cnt = cpu_to_be32(1); 262 cmd.params.pcrread_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); 263 cmd.params.pcrread_in.pcr_select_size = TPM2_PCR_SELECT_MIN; 264 265 memset(cmd.params.pcrread_in.pcr_select, 0, 266 sizeof(cmd.params.pcrread_in.pcr_select)); 267 cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7); 268 269 rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 270 TPM2_PCR_READ_RESP_BODY_SIZE, 271 0, "attempting to read a pcr value"); 272 if (rc == 0) { 273 buf = cmd.params.pcrread_out.digest; 274 memcpy(res_buf, buf, TPM_DIGEST_SIZE); 275 } 276 277 return rc; 278 } 279 280 struct tpm2_null_auth_area { 281 __be32 handle; 282 __be16 nonce_size; 283 u8 attributes; 284 __be16 auth_size; 285 } __packed; 286 287 /** 288 * tpm2_pcr_extend() - extend a PCR value 289 * 290 * @chip: TPM chip to use. 291 * @pcr_idx: index of the PCR. 292 * @count: number of digests passed. 293 * @digests: list of pcr banks and corresponding digest values to extend. 294 * 295 * Return: Same as with tpm_transmit_cmd. 296 */ 297 int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, 298 struct tpm2_digest *digests) 299 { 300 struct tpm_buf buf; 301 struct tpm2_null_auth_area auth_area; 302 int rc; 303 int i; 304 int j; 305 306 if (count > ARRAY_SIZE(chip->active_banks)) 307 return -EINVAL; 308 309 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); 310 if (rc) 311 return rc; 312 313 tpm_buf_append_u32(&buf, pcr_idx); 314 315 auth_area.handle = cpu_to_be32(TPM2_RS_PW); 316 auth_area.nonce_size = 0; 317 auth_area.attributes = 0; 318 auth_area.auth_size = 0; 319 320 tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); 321 tpm_buf_append(&buf, (const unsigned char *)&auth_area, 322 sizeof(auth_area)); 323 tpm_buf_append_u32(&buf, count); 324 325 for (i = 0; i < count; i++) { 326 for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { 327 if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) 328 continue; 329 tpm_buf_append_u16(&buf, digests[i].alg_id); 330 tpm_buf_append(&buf, (const unsigned char 331 *)&digests[i].digest, 332 hash_digest_size[tpm2_hash_map[j].crypto_id]); 333 } 334 } 335 336 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, 337 "attempting extend a PCR value"); 338 339 tpm_buf_destroy(&buf); 340 341 return rc; 342 } 343 344 345 #define TPM2_GETRANDOM_IN_SIZE \ 346 (sizeof(struct tpm_input_header) + \ 347 sizeof(struct tpm2_get_random_in)) 348 349 static const struct tpm_input_header tpm2_getrandom_header = { 350 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 351 .length = cpu_to_be32(TPM2_GETRANDOM_IN_SIZE), 352 .ordinal = cpu_to_be32(TPM2_CC_GET_RANDOM) 353 }; 354 355 /** 356 * tpm2_get_random() - get random bytes from the TPM RNG 357 * 358 * @chip: TPM chip to use 359 * @out: destination buffer for the random bytes 360 * @max: the max number of bytes to write to @out 361 * 362 * Return: 363 * Size of the output buffer, or -EIO on error. 364 */ 365 int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) 366 { 367 struct tpm2_cmd cmd; 368 u32 recd, rlength; 369 u32 num_bytes; 370 int err; 371 int total = 0; 372 int retries = 5; 373 u8 *dest = out; 374 375 num_bytes = min_t(u32, max, sizeof(cmd.params.getrandom_out.buffer)); 376 377 if (!out || !num_bytes || 378 max > sizeof(cmd.params.getrandom_out.buffer)) 379 return -EINVAL; 380 381 do { 382 cmd.header.in = tpm2_getrandom_header; 383 cmd.params.getrandom_in.size = cpu_to_be16(num_bytes); 384 385 err = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 386 offsetof(struct tpm2_get_random_out, 387 buffer), 388 0, "attempting get random"); 389 if (err) 390 break; 391 392 recd = min_t(u32, be16_to_cpu(cmd.params.getrandom_out.size), 393 num_bytes); 394 rlength = be32_to_cpu(cmd.header.out.length); 395 if (rlength < offsetof(struct tpm2_get_random_out, buffer) + 396 recd) 397 return -EFAULT; 398 memcpy(dest, cmd.params.getrandom_out.buffer, recd); 399 400 dest += recd; 401 total += recd; 402 num_bytes -= recd; 403 } while (retries-- && total < max); 404 405 return total ? total : -EIO; 406 } 407 408 #define TPM2_GET_TPM_PT_IN_SIZE \ 409 (sizeof(struct tpm_input_header) + \ 410 sizeof(struct tpm2_get_tpm_pt_in)) 411 412 #define TPM2_GET_TPM_PT_OUT_BODY_SIZE \ 413 sizeof(struct tpm2_get_tpm_pt_out) 414 415 static const struct tpm_input_header tpm2_get_tpm_pt_header = { 416 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 417 .length = cpu_to_be32(TPM2_GET_TPM_PT_IN_SIZE), 418 .ordinal = cpu_to_be32(TPM2_CC_GET_CAPABILITY) 419 }; 420 421 /** 422 * tpm2_flush_context_cmd() - execute a TPM2_FlushContext command 423 * @chip: TPM chip to use 424 * @payload: the key data in clear and encrypted form 425 * @options: authentication values and other options 426 * 427 * Return: same as with tpm_transmit_cmd 428 */ 429 void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, 430 unsigned int flags) 431 { 432 struct tpm_buf buf; 433 int rc; 434 435 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); 436 if (rc) { 437 dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", 438 handle); 439 return; 440 } 441 442 tpm_buf_append_u32(&buf, handle); 443 444 (void) tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, flags, 445 "flushing context"); 446 447 tpm_buf_destroy(&buf); 448 } 449 450 /** 451 * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. 452 * 453 * @buf: an allocated tpm_buf instance 454 * @session_handle: session handle 455 * @nonce: the session nonce, may be NULL if not used 456 * @nonce_len: the session nonce length, may be 0 if not used 457 * @attributes: the session attributes 458 * @hmac: the session HMAC or password, may be NULL if not used 459 * @hmac_len: the session HMAC or password length, maybe 0 if not used 460 */ 461 static void tpm2_buf_append_auth(struct tpm_buf *buf, u32 session_handle, 462 const u8 *nonce, u16 nonce_len, 463 u8 attributes, 464 const u8 *hmac, u16 hmac_len) 465 { 466 tpm_buf_append_u32(buf, 9 + nonce_len + hmac_len); 467 tpm_buf_append_u32(buf, session_handle); 468 tpm_buf_append_u16(buf, nonce_len); 469 470 if (nonce && nonce_len) 471 tpm_buf_append(buf, nonce, nonce_len); 472 473 tpm_buf_append_u8(buf, attributes); 474 tpm_buf_append_u16(buf, hmac_len); 475 476 if (hmac && hmac_len) 477 tpm_buf_append(buf, hmac, hmac_len); 478 } 479 480 /** 481 * tpm2_seal_trusted() - seal the payload of a trusted key 482 * 483 * @chip: TPM chip to use 484 * @payload: the key data in clear and encrypted form 485 * @options: authentication values and other options 486 * 487 * Return: < 0 on error and 0 on success. 488 */ 489 int tpm2_seal_trusted(struct tpm_chip *chip, 490 struct trusted_key_payload *payload, 491 struct trusted_key_options *options) 492 { 493 unsigned int blob_len; 494 struct tpm_buf buf; 495 u32 hash, rlength; 496 int i; 497 int rc; 498 499 for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) { 500 if (options->hash == tpm2_hash_map[i].crypto_id) { 501 hash = tpm2_hash_map[i].tpm_id; 502 break; 503 } 504 } 505 506 if (i == ARRAY_SIZE(tpm2_hash_map)) 507 return -EINVAL; 508 509 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE); 510 if (rc) 511 return rc; 512 513 tpm_buf_append_u32(&buf, options->keyhandle); 514 tpm2_buf_append_auth(&buf, TPM2_RS_PW, 515 NULL /* nonce */, 0, 516 0 /* session_attributes */, 517 options->keyauth /* hmac */, 518 TPM_DIGEST_SIZE); 519 520 /* sensitive */ 521 tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); 522 523 tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); 524 tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); 525 tpm_buf_append_u16(&buf, payload->key_len + 1); 526 tpm_buf_append(&buf, payload->key, payload->key_len); 527 tpm_buf_append_u8(&buf, payload->migratable); 528 529 /* public */ 530 tpm_buf_append_u16(&buf, 14 + options->policydigest_len); 531 tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH); 532 tpm_buf_append_u16(&buf, hash); 533 534 /* policy */ 535 if (options->policydigest_len) { 536 tpm_buf_append_u32(&buf, 0); 537 tpm_buf_append_u16(&buf, options->policydigest_len); 538 tpm_buf_append(&buf, options->policydigest, 539 options->policydigest_len); 540 } else { 541 tpm_buf_append_u32(&buf, TPM2_OA_USER_WITH_AUTH); 542 tpm_buf_append_u16(&buf, 0); 543 } 544 545 /* public parameters */ 546 tpm_buf_append_u16(&buf, TPM2_ALG_NULL); 547 tpm_buf_append_u16(&buf, 0); 548 549 /* outside info */ 550 tpm_buf_append_u16(&buf, 0); 551 552 /* creation PCR */ 553 tpm_buf_append_u32(&buf, 0); 554 555 if (buf.flags & TPM_BUF_OVERFLOW) { 556 rc = -E2BIG; 557 goto out; 558 } 559 560 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, 0, 561 "sealing data"); 562 if (rc) 563 goto out; 564 565 blob_len = be32_to_cpup((__be32 *) &buf.data[TPM_HEADER_SIZE]); 566 if (blob_len > MAX_BLOB_SIZE) { 567 rc = -E2BIG; 568 goto out; 569 } 570 rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)->header.out.length); 571 if (rlength < TPM_HEADER_SIZE + 4 + blob_len) { 572 rc = -EFAULT; 573 goto out; 574 } 575 576 memcpy(payload->blob, &buf.data[TPM_HEADER_SIZE + 4], blob_len); 577 payload->blob_len = blob_len; 578 579 out: 580 tpm_buf_destroy(&buf); 581 582 if (rc > 0) { 583 if (tpm2_rc_value(rc) == TPM2_RC_HASH) 584 rc = -EINVAL; 585 else 586 rc = -EPERM; 587 } 588 589 return rc; 590 } 591 592 /** 593 * tpm2_load_cmd() - execute a TPM2_Load command 594 * 595 * @chip: TPM chip to use 596 * @payload: the key data in clear and encrypted form 597 * @options: authentication values and other options 598 * @blob_handle: returned blob handle 599 * @flags: tpm transmit flags 600 * 601 * Return: 0 on success. 602 * -E2BIG on wrong payload size. 603 * -EPERM on tpm error status. 604 * < 0 error from tpm_transmit_cmd. 605 */ 606 static int tpm2_load_cmd(struct tpm_chip *chip, 607 struct trusted_key_payload *payload, 608 struct trusted_key_options *options, 609 u32 *blob_handle, unsigned int flags) 610 { 611 struct tpm_buf buf; 612 unsigned int private_len; 613 unsigned int public_len; 614 unsigned int blob_len; 615 int rc; 616 617 private_len = be16_to_cpup((__be16 *) &payload->blob[0]); 618 if (private_len > (payload->blob_len - 2)) 619 return -E2BIG; 620 621 public_len = be16_to_cpup((__be16 *) &payload->blob[2 + private_len]); 622 blob_len = private_len + public_len + 4; 623 if (blob_len > payload->blob_len) 624 return -E2BIG; 625 626 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_LOAD); 627 if (rc) 628 return rc; 629 630 tpm_buf_append_u32(&buf, options->keyhandle); 631 tpm2_buf_append_auth(&buf, TPM2_RS_PW, 632 NULL /* nonce */, 0, 633 0 /* session_attributes */, 634 options->keyauth /* hmac */, 635 TPM_DIGEST_SIZE); 636 637 tpm_buf_append(&buf, payload->blob, blob_len); 638 639 if (buf.flags & TPM_BUF_OVERFLOW) { 640 rc = -E2BIG; 641 goto out; 642 } 643 644 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, flags, 645 "loading blob"); 646 if (!rc) 647 *blob_handle = be32_to_cpup( 648 (__be32 *) &buf.data[TPM_HEADER_SIZE]); 649 650 out: 651 tpm_buf_destroy(&buf); 652 653 if (rc > 0) 654 rc = -EPERM; 655 656 return rc; 657 } 658 659 /** 660 * tpm2_unseal_cmd() - execute a TPM2_Unload command 661 * 662 * @chip: TPM chip to use 663 * @payload: the key data in clear and encrypted form 664 * @options: authentication values and other options 665 * @blob_handle: blob handle 666 * @flags: tpm_transmit_cmd flags 667 * 668 * Return: 0 on success 669 * -EPERM on tpm error status 670 * < 0 error from tpm_transmit_cmd 671 */ 672 static int tpm2_unseal_cmd(struct tpm_chip *chip, 673 struct trusted_key_payload *payload, 674 struct trusted_key_options *options, 675 u32 blob_handle, unsigned int flags) 676 { 677 struct tpm_buf buf; 678 u16 data_len; 679 u8 *data; 680 int rc; 681 u32 rlength; 682 683 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL); 684 if (rc) 685 return rc; 686 687 tpm_buf_append_u32(&buf, blob_handle); 688 tpm2_buf_append_auth(&buf, 689 options->policyhandle ? 690 options->policyhandle : TPM2_RS_PW, 691 NULL /* nonce */, 0, 692 TPM2_SA_CONTINUE_SESSION, 693 options->blobauth /* hmac */, 694 TPM_DIGEST_SIZE); 695 696 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 6, flags, 697 "unsealing"); 698 if (rc > 0) 699 rc = -EPERM; 700 701 if (!rc) { 702 data_len = be16_to_cpup( 703 (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]); 704 705 rlength = be32_to_cpu(((struct tpm2_cmd *)&buf) 706 ->header.out.length); 707 if (rlength < TPM_HEADER_SIZE + 6 + data_len) { 708 rc = -EFAULT; 709 goto out; 710 } 711 data = &buf.data[TPM_HEADER_SIZE + 6]; 712 713 memcpy(payload->key, data, data_len - 1); 714 payload->key_len = data_len - 1; 715 payload->migratable = data[data_len - 1]; 716 } 717 718 out: 719 tpm_buf_destroy(&buf); 720 return rc; 721 } 722 723 /** 724 * tpm2_unseal_trusted() - unseal the payload of a trusted key 725 * 726 * @chip: TPM chip to use 727 * @payload: the key data in clear and encrypted form 728 * @options: authentication values and other options 729 * 730 * Return: Same as with tpm_transmit_cmd. 731 */ 732 int tpm2_unseal_trusted(struct tpm_chip *chip, 733 struct trusted_key_payload *payload, 734 struct trusted_key_options *options) 735 { 736 u32 blob_handle; 737 int rc; 738 739 mutex_lock(&chip->tpm_mutex); 740 rc = tpm2_load_cmd(chip, payload, options, &blob_handle, 741 TPM_TRANSMIT_UNLOCKED); 742 if (rc) 743 goto out; 744 745 rc = tpm2_unseal_cmd(chip, payload, options, blob_handle, 746 TPM_TRANSMIT_UNLOCKED); 747 tpm2_flush_context_cmd(chip, blob_handle, TPM_TRANSMIT_UNLOCKED); 748 out: 749 mutex_unlock(&chip->tpm_mutex); 750 return rc; 751 } 752 753 /** 754 * tpm2_get_tpm_pt() - get value of a TPM_CAP_TPM_PROPERTIES type property 755 * @chip: TPM chip to use. 756 * @property_id: property ID. 757 * @value: output variable. 758 * @desc: passed to tpm_transmit_cmd() 759 * 760 * Return: Same as with tpm_transmit_cmd. 761 */ 762 ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id, u32 *value, 763 const char *desc) 764 { 765 struct tpm2_cmd cmd; 766 int rc; 767 768 cmd.header.in = tpm2_get_tpm_pt_header; 769 cmd.params.get_tpm_pt_in.cap_id = cpu_to_be32(TPM2_CAP_TPM_PROPERTIES); 770 cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(property_id); 771 cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 772 773 rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 774 TPM2_GET_TPM_PT_OUT_BODY_SIZE, 0, desc); 775 if (!rc) 776 *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value); 777 778 return rc; 779 } 780 EXPORT_SYMBOL_GPL(tpm2_get_tpm_pt); 781 782 #define TPM2_STARTUP_IN_SIZE \ 783 (sizeof(struct tpm_input_header) + \ 784 sizeof(struct tpm2_startup_in)) 785 786 static const struct tpm_input_header tpm2_startup_header = { 787 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 788 .length = cpu_to_be32(TPM2_STARTUP_IN_SIZE), 789 .ordinal = cpu_to_be32(TPM2_CC_STARTUP) 790 }; 791 792 /** 793 * tpm2_startup() - send startup command to the TPM chip 794 * 795 * @chip: TPM chip to use. 796 * @startup_type: startup type. The value is either 797 * TPM_SU_CLEAR or TPM_SU_STATE. 798 * 799 * Return: Same as with tpm_transmit_cmd. 800 */ 801 static int tpm2_startup(struct tpm_chip *chip, u16 startup_type) 802 { 803 struct tpm2_cmd cmd; 804 805 cmd.header.in = tpm2_startup_header; 806 807 cmd.params.startup_in.startup_type = cpu_to_be16(startup_type); 808 return tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, 809 "attempting to start the TPM"); 810 } 811 812 #define TPM2_SHUTDOWN_IN_SIZE \ 813 (sizeof(struct tpm_input_header) + \ 814 sizeof(struct tpm2_startup_in)) 815 816 static const struct tpm_input_header tpm2_shutdown_header = { 817 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 818 .length = cpu_to_be32(TPM2_SHUTDOWN_IN_SIZE), 819 .ordinal = cpu_to_be32(TPM2_CC_SHUTDOWN) 820 }; 821 822 /** 823 * tpm2_shutdown() - send shutdown command to the TPM chip 824 * 825 * @chip: TPM chip to use. 826 * @shutdown_type: shutdown type. The value is either 827 * TPM_SU_CLEAR or TPM_SU_STATE. 828 */ 829 void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type) 830 { 831 struct tpm2_cmd cmd; 832 int rc; 833 834 cmd.header.in = tpm2_shutdown_header; 835 cmd.params.startup_in.startup_type = cpu_to_be16(shutdown_type); 836 837 rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, 838 "stopping the TPM"); 839 840 /* In places where shutdown command is sent there's no much we can do 841 * except print the error code on a system failure. 842 */ 843 if (rc < 0) 844 dev_warn(&chip->dev, "transmit returned %d while stopping the TPM", 845 rc); 846 } 847 848 /* 849 * tpm2_calc_ordinal_duration() - maximum duration for a command 850 * 851 * @chip: TPM chip to use. 852 * @ordinal: command code number. 853 * 854 * Return: maximum duration for a command 855 */ 856 unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal) 857 { 858 int index = TPM_UNDEFINED; 859 int duration = 0; 860 861 if (ordinal >= TPM2_CC_FIRST && ordinal <= TPM2_CC_LAST) 862 index = tpm2_ordinal_duration[ordinal - TPM2_CC_FIRST]; 863 864 if (index != TPM_UNDEFINED) 865 duration = chip->duration[index]; 866 867 if (duration <= 0) 868 duration = 2 * 60 * HZ; 869 870 return duration; 871 } 872 EXPORT_SYMBOL_GPL(tpm2_calc_ordinal_duration); 873 874 #define TPM2_SELF_TEST_IN_SIZE \ 875 (sizeof(struct tpm_input_header) + \ 876 sizeof(struct tpm2_self_test_in)) 877 878 static const struct tpm_input_header tpm2_selftest_header = { 879 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 880 .length = cpu_to_be32(TPM2_SELF_TEST_IN_SIZE), 881 .ordinal = cpu_to_be32(TPM2_CC_SELF_TEST) 882 }; 883 884 /** 885 * tpm2_continue_selftest() - start a self test 886 * 887 * @chip: TPM chip to use 888 * @full: test all commands instead of testing only those that were not 889 * previously tested. 890 * 891 * Return: Same as with tpm_transmit_cmd with exception of RC_TESTING. 892 */ 893 static int tpm2_start_selftest(struct tpm_chip *chip, bool full) 894 { 895 int rc; 896 struct tpm2_cmd cmd; 897 898 cmd.header.in = tpm2_selftest_header; 899 cmd.params.selftest_in.full_test = full; 900 901 rc = tpm_transmit_cmd(chip, NULL, &cmd, TPM2_SELF_TEST_IN_SIZE, 0, 0, 902 "continue selftest"); 903 904 /* At least some prototype chips seem to give RC_TESTING error 905 * immediately. This is a workaround for that. 906 */ 907 if (rc == TPM2_RC_TESTING) { 908 dev_warn(&chip->dev, "Got RC_TESTING, ignoring\n"); 909 rc = 0; 910 } 911 912 return rc; 913 } 914 915 /** 916 * tpm2_do_selftest() - run a full self test 917 * 918 * @chip: TPM chip to use 919 * 920 * Return: Same as with tpm_transmit_cmd. 921 * 922 * During the self test TPM2 commands return with the error code RC_TESTING. 923 * Waiting is done by issuing PCR read until it executes successfully. 924 */ 925 static int tpm2_do_selftest(struct tpm_chip *chip) 926 { 927 int rc; 928 unsigned int loops; 929 unsigned int delay_msec = 100; 930 unsigned long duration; 931 struct tpm2_cmd cmd; 932 int i; 933 934 duration = tpm2_calc_ordinal_duration(chip, TPM2_CC_SELF_TEST); 935 936 loops = jiffies_to_msecs(duration) / delay_msec; 937 938 rc = tpm2_start_selftest(chip, true); 939 if (rc) 940 return rc; 941 942 for (i = 0; i < loops; i++) { 943 /* Attempt to read a PCR value */ 944 cmd.header.in = tpm2_pcrread_header; 945 cmd.params.pcrread_in.pcr_selects_cnt = cpu_to_be32(1); 946 cmd.params.pcrread_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); 947 cmd.params.pcrread_in.pcr_select_size = TPM2_PCR_SELECT_MIN; 948 cmd.params.pcrread_in.pcr_select[0] = 0x01; 949 cmd.params.pcrread_in.pcr_select[1] = 0x00; 950 cmd.params.pcrread_in.pcr_select[2] = 0x00; 951 952 rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, 953 NULL); 954 if (rc < 0) 955 break; 956 957 rc = be32_to_cpu(cmd.header.out.return_code); 958 if (rc != TPM2_RC_TESTING) 959 break; 960 961 msleep(delay_msec); 962 } 963 964 return rc; 965 } 966 967 /** 968 * tpm2_probe() - probe TPM 2.0 969 * @chip: TPM chip to use 970 * 971 * Return: < 0 error and 0 on success. 972 * 973 * Send idempotent TPM 2.0 command and see whether TPM 2.0 chip replied based on 974 * the reply tag. 975 */ 976 int tpm2_probe(struct tpm_chip *chip) 977 { 978 struct tpm2_cmd cmd; 979 int rc; 980 981 cmd.header.in = tpm2_get_tpm_pt_header; 982 cmd.params.get_tpm_pt_in.cap_id = cpu_to_be32(TPM2_CAP_TPM_PROPERTIES); 983 cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(0x100); 984 cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 985 986 rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, NULL); 987 if (rc < 0) 988 return rc; 989 990 if (be16_to_cpu(cmd.header.out.tag) == TPM2_ST_NO_SESSIONS) 991 chip->flags |= TPM_CHIP_FLAG_TPM2; 992 993 return 0; 994 } 995 EXPORT_SYMBOL_GPL(tpm2_probe); 996 997 struct tpm2_pcr_selection { 998 __be16 hash_alg; 999 u8 size_of_select; 1000 u8 pcr_select[3]; 1001 } __packed; 1002 1003 static ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) 1004 { 1005 struct tpm2_pcr_selection pcr_selection; 1006 struct tpm_buf buf; 1007 void *marker; 1008 void *end; 1009 void *pcr_select_offset; 1010 unsigned int count; 1011 u32 sizeof_pcr_selection; 1012 u32 rsp_len; 1013 int rc; 1014 int i = 0; 1015 1016 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); 1017 if (rc) 1018 return rc; 1019 1020 tpm_buf_append_u32(&buf, TPM2_CAP_PCRS); 1021 tpm_buf_append_u32(&buf, 0); 1022 tpm_buf_append_u32(&buf, 1); 1023 1024 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 9, 0, 1025 "get tpm pcr allocation"); 1026 if (rc) 1027 goto out; 1028 1029 count = be32_to_cpup( 1030 (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); 1031 1032 if (count > ARRAY_SIZE(chip->active_banks)) { 1033 rc = -ENODEV; 1034 goto out; 1035 } 1036 1037 marker = &buf.data[TPM_HEADER_SIZE + 9]; 1038 1039 rsp_len = be32_to_cpup((__be32 *)&buf.data[2]); 1040 end = &buf.data[rsp_len]; 1041 1042 for (i = 0; i < count; i++) { 1043 pcr_select_offset = marker + 1044 offsetof(struct tpm2_pcr_selection, size_of_select); 1045 if (pcr_select_offset >= end) { 1046 rc = -EFAULT; 1047 break; 1048 } 1049 1050 memcpy(&pcr_selection, marker, sizeof(pcr_selection)); 1051 chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg); 1052 sizeof_pcr_selection = sizeof(pcr_selection.hash_alg) + 1053 sizeof(pcr_selection.size_of_select) + 1054 pcr_selection.size_of_select; 1055 marker = marker + sizeof_pcr_selection; 1056 } 1057 1058 out: 1059 if (i < ARRAY_SIZE(chip->active_banks)) 1060 chip->active_banks[i] = TPM2_ALG_ERROR; 1061 1062 tpm_buf_destroy(&buf); 1063 1064 return rc; 1065 } 1066 1067 static int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip) 1068 { 1069 struct tpm_buf buf; 1070 u32 nr_commands; 1071 u32 *attrs; 1072 u32 cc; 1073 int i; 1074 int rc; 1075 1076 rc = tpm2_get_tpm_pt(chip, TPM_PT_TOTAL_COMMANDS, &nr_commands, NULL); 1077 if (rc) 1078 goto out; 1079 1080 if (nr_commands > 0xFFFFF) { 1081 rc = -EFAULT; 1082 goto out; 1083 } 1084 1085 chip->cc_attrs_tbl = devm_kzalloc(&chip->dev, 4 * nr_commands, 1086 GFP_KERNEL); 1087 1088 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); 1089 if (rc) 1090 goto out; 1091 1092 tpm_buf_append_u32(&buf, TPM2_CAP_COMMANDS); 1093 tpm_buf_append_u32(&buf, TPM2_CC_FIRST); 1094 tpm_buf_append_u32(&buf, nr_commands); 1095 1096 rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 1097 9 + 4 * nr_commands, 0, NULL); 1098 if (rc) { 1099 tpm_buf_destroy(&buf); 1100 goto out; 1101 } 1102 1103 if (nr_commands != 1104 be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) { 1105 tpm_buf_destroy(&buf); 1106 goto out; 1107 } 1108 1109 chip->nr_commands = nr_commands; 1110 1111 attrs = (u32 *)&buf.data[TPM_HEADER_SIZE + 9]; 1112 for (i = 0; i < nr_commands; i++, attrs++) { 1113 chip->cc_attrs_tbl[i] = be32_to_cpup(attrs); 1114 cc = chip->cc_attrs_tbl[i] & 0xFFFF; 1115 1116 if (cc == TPM2_CC_CONTEXT_SAVE || cc == TPM2_CC_FLUSH_CONTEXT) { 1117 chip->cc_attrs_tbl[i] &= 1118 ~(GENMASK(2, 0) << TPM2_CC_ATTR_CHANDLES); 1119 chip->cc_attrs_tbl[i] |= 1 << TPM2_CC_ATTR_CHANDLES; 1120 } 1121 } 1122 1123 tpm_buf_destroy(&buf); 1124 1125 out: 1126 if (rc > 0) 1127 rc = -ENODEV; 1128 return rc; 1129 } 1130 1131 /** 1132 * tpm2_auto_startup - Perform the standard automatic TPM initialization 1133 * sequence 1134 * @chip: TPM chip to use 1135 * 1136 * Returns 0 on success, < 0 in case of fatal error. 1137 */ 1138 int tpm2_auto_startup(struct tpm_chip *chip) 1139 { 1140 int rc; 1141 1142 rc = tpm_get_timeouts(chip); 1143 if (rc) 1144 goto out; 1145 1146 rc = tpm2_do_selftest(chip); 1147 if (rc != 0 && rc != TPM2_RC_INITIALIZE) { 1148 dev_err(&chip->dev, "TPM self test failed\n"); 1149 goto out; 1150 } 1151 1152 if (rc == TPM2_RC_INITIALIZE) { 1153 rc = tpm2_startup(chip, TPM2_SU_CLEAR); 1154 if (rc) 1155 goto out; 1156 1157 rc = tpm2_do_selftest(chip); 1158 if (rc) { 1159 dev_err(&chip->dev, "TPM self test failed\n"); 1160 goto out; 1161 } 1162 } 1163 1164 rc = tpm2_get_pcr_allocation(chip); 1165 if (rc) 1166 goto out; 1167 1168 rc = tpm2_get_cc_attrs_tbl(chip); 1169 1170 out: 1171 if (rc > 0) 1172 rc = -ENODEV; 1173 return rc; 1174 } 1175 1176 int tpm2_find_cc(struct tpm_chip *chip, u32 cc) 1177 { 1178 int i; 1179 1180 for (i = 0; i < chip->nr_commands; i++) 1181 if (cc == (chip->cc_attrs_tbl[i] & GENMASK(15, 0))) 1182 return i; 1183 1184 return -1; 1185 } 1186