1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2010 IBM Corporation 4 * Copyright (c) 2019-2021, Linaro Limited 5 * 6 * See Documentation/security/keys/trusted-encrypted.rst 7 */ 8 9 #include <crypto/hash_info.h> 10 #include <crypto/sha1.h> 11 #include <crypto/utils.h> 12 #include <linux/hex.h> 13 #include <linux/init.h> 14 #include <linux/slab.h> 15 #include <linux/parser.h> 16 #include <linux/string.h> 17 #include <linux/err.h> 18 #include <keys/trusted-type.h> 19 #include <linux/key-type.h> 20 #include <linux/tpm.h> 21 #include <linux/tpm_command.h> 22 23 #include <keys/trusted_tpm.h> 24 25 static struct tpm_chip *chip; 26 static struct tpm_digest *digests; 27 28 /* implementation specific TPM constants */ 29 #define TPM_SIZE_OFFSET 2 30 #define TPM_RETURN_OFFSET 6 31 #define TPM_DATA_OFFSET 10 32 33 #define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset])) 34 #define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset]) 35 #define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset])) 36 37 struct osapsess { 38 uint32_t handle; 39 unsigned char secret[SHA1_DIGEST_SIZE]; 40 unsigned char enonce[TPM_NONCE_SIZE]; 41 }; 42 43 /* discrete values, but have to store in uint16_t for TPM use */ 44 enum { 45 SEAL_keytype = 1, 46 SRK_keytype = 4 47 }; 48 49 #define TPM_DEBUG 0 50 51 #if TPM_DEBUG 52 static inline void dump_options(struct trusted_key_options *o) 53 { 54 pr_info("sealing key type %d\n", o->keytype); 55 pr_info("sealing key handle %0X\n", o->keyhandle); 56 pr_info("pcrlock %d\n", o->pcrlock); 57 pr_info("pcrinfo %d\n", o->pcrinfo_len); 58 print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE, 59 16, 1, o->pcrinfo, o->pcrinfo_len, 0); 60 } 61 62 static inline void dump_sess(struct osapsess *s) 63 { 64 print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE, 65 16, 1, &s->handle, 4, 0); 66 pr_info("secret:\n"); 67 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 68 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0); 69 pr_info("trusted-key: enonce:\n"); 70 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 71 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0); 72 } 73 74 static inline void dump_tpm_buf(unsigned char *buf) 75 { 76 int len; 77 78 pr_info("\ntpm buffer\n"); 79 len = LOAD32(buf, TPM_SIZE_OFFSET); 80 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0); 81 } 82 #else 83 static inline void dump_options(struct trusted_key_options *o) 84 { 85 } 86 87 static inline void dump_sess(struct osapsess *s) 88 { 89 } 90 91 static inline void dump_tpm_buf(unsigned char *buf) 92 { 93 } 94 #endif 95 96 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 97 unsigned int keylen, ...) 98 { 99 struct hmac_sha1_ctx hmac_ctx; 100 va_list argp; 101 unsigned int dlen; 102 unsigned char *data; 103 int ret = 0; 104 105 hmac_sha1_init_usingrawkey(&hmac_ctx, key, keylen); 106 107 va_start(argp, keylen); 108 for (;;) { 109 dlen = va_arg(argp, unsigned int); 110 if (dlen == 0) 111 break; 112 data = va_arg(argp, unsigned char *); 113 if (data == NULL) { 114 ret = -EINVAL; 115 break; 116 } 117 hmac_sha1_update(&hmac_ctx, data, dlen); 118 } 119 va_end(argp); 120 if (!ret) 121 hmac_sha1_final(&hmac_ctx, digest); 122 return ret; 123 } 124 125 /* 126 * calculate authorization info fields to send to TPM 127 */ 128 static int TSS_authhmac(unsigned char *digest, const unsigned char *key, 129 unsigned int keylen, unsigned char *h1, 130 unsigned char *h2, unsigned int h3, ...) 131 { 132 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 133 struct sha1_ctx sha_ctx; 134 unsigned int dlen; 135 unsigned char *data; 136 unsigned char c; 137 int ret = 0; 138 va_list argp; 139 140 if (!chip) 141 return -ENODEV; 142 143 c = !!h3; 144 sha1_init(&sha_ctx); 145 va_start(argp, h3); 146 for (;;) { 147 dlen = va_arg(argp, unsigned int); 148 if (dlen == 0) 149 break; 150 data = va_arg(argp, unsigned char *); 151 if (!data) { 152 ret = -EINVAL; 153 break; 154 } 155 sha1_update(&sha_ctx, data, dlen); 156 } 157 va_end(argp); 158 if (!ret) 159 sha1_final(&sha_ctx, paramdigest); 160 if (!ret) 161 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 162 paramdigest, TPM_NONCE_SIZE, h1, 163 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 164 return ret; 165 } 166 167 /* 168 * verify the AUTH1_COMMAND (Seal) result from TPM 169 */ 170 static int TSS_checkhmac1(unsigned char *buffer, 171 const uint32_t command, 172 const unsigned char *ononce, 173 const unsigned char *key, 174 unsigned int keylen, ...) 175 { 176 uint32_t bufsize; 177 uint16_t tag; 178 uint32_t ordinal; 179 uint32_t result; 180 unsigned char *enonce; 181 unsigned char *continueflag; 182 unsigned char *authdata; 183 unsigned char testhmac[SHA1_DIGEST_SIZE]; 184 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 185 struct sha1_ctx sha_ctx; 186 unsigned int dlen; 187 unsigned int dpos; 188 va_list argp; 189 int ret; 190 191 if (!chip) 192 return -ENODEV; 193 194 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 195 tag = LOAD16(buffer, 0); 196 ordinal = command; 197 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 198 if (tag == TPM_TAG_RSP_COMMAND) 199 return 0; 200 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 201 return -EINVAL; 202 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 203 continueflag = authdata - 1; 204 enonce = continueflag - TPM_NONCE_SIZE; 205 206 sha1_init(&sha_ctx); 207 sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result)); 208 sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal)); 209 va_start(argp, keylen); 210 for (;;) { 211 dlen = va_arg(argp, unsigned int); 212 if (dlen == 0) 213 break; 214 dpos = va_arg(argp, unsigned int); 215 sha1_update(&sha_ctx, buffer + dpos, dlen); 216 } 217 va_end(argp); 218 sha1_final(&sha_ctx, paramdigest); 219 220 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 221 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 222 1, continueflag, 0, 0); 223 if (ret < 0) 224 return ret; 225 226 if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) 227 return -EINVAL; 228 return 0; 229 } 230 231 /* 232 * verify the AUTH2_COMMAND (unseal) result from TPM 233 */ 234 static int TSS_checkhmac2(unsigned char *buffer, 235 const uint32_t command, 236 const unsigned char *ononce, 237 const unsigned char *key1, 238 unsigned int keylen1, 239 const unsigned char *key2, 240 unsigned int keylen2, ...) 241 { 242 uint32_t bufsize; 243 uint16_t tag; 244 uint32_t ordinal; 245 uint32_t result; 246 unsigned char *enonce1; 247 unsigned char *continueflag1; 248 unsigned char *authdata1; 249 unsigned char *enonce2; 250 unsigned char *continueflag2; 251 unsigned char *authdata2; 252 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 253 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 254 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 255 struct sha1_ctx sha_ctx; 256 unsigned int dlen; 257 unsigned int dpos; 258 va_list argp; 259 int ret; 260 261 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 262 tag = LOAD16(buffer, 0); 263 ordinal = command; 264 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 265 266 if (tag == TPM_TAG_RSP_COMMAND) 267 return 0; 268 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 269 return -EINVAL; 270 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 271 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 272 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 273 continueflag1 = authdata1 - 1; 274 continueflag2 = authdata2 - 1; 275 enonce1 = continueflag1 - TPM_NONCE_SIZE; 276 enonce2 = continueflag2 - TPM_NONCE_SIZE; 277 278 sha1_init(&sha_ctx); 279 sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result)); 280 sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal)); 281 282 va_start(argp, keylen2); 283 for (;;) { 284 dlen = va_arg(argp, unsigned int); 285 if (dlen == 0) 286 break; 287 dpos = va_arg(argp, unsigned int); 288 sha1_update(&sha_ctx, buffer + dpos, dlen); 289 } 290 va_end(argp); 291 sha1_final(&sha_ctx, paramdigest); 292 293 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 294 paramdigest, TPM_NONCE_SIZE, enonce1, 295 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 296 if (ret < 0) 297 return ret; 298 if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) 299 return -EINVAL; 300 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 301 paramdigest, TPM_NONCE_SIZE, enonce2, 302 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 303 if (ret < 0) 304 return ret; 305 if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 306 return -EINVAL; 307 return 0; 308 } 309 310 /* 311 * For key specific tpm requests, we will generate and send our 312 * own TPM command packets using the drivers send function. 313 */ 314 static int trusted_tpm_send(unsigned char *cmd, size_t buflen) 315 { 316 struct tpm_buf buf; 317 int rc; 318 319 if (!chip) 320 return -ENODEV; 321 322 rc = tpm_try_get_ops(chip); 323 if (rc) 324 return rc; 325 326 buf.flags = 0; 327 buf.length = buflen; 328 buf.data = cmd; 329 dump_tpm_buf(cmd); 330 rc = tpm_transmit_cmd(chip, &buf, 4, "sending data"); 331 dump_tpm_buf(cmd); 332 333 if (rc > 0) 334 /* TPM error */ 335 rc = -EPERM; 336 337 tpm_put_ops(chip); 338 return rc; 339 } 340 341 /* 342 * Lock a trusted key, by extending a selected PCR. 343 * 344 * Prevents a trusted key that is sealed to PCRs from being accessed. 345 * This uses the tpm driver's extend function. 346 */ 347 static int pcrlock(const int pcrnum) 348 { 349 if (!capable(CAP_SYS_ADMIN)) 350 return -EPERM; 351 352 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 353 } 354 355 /* 356 * Create an object specific authorisation protocol (OSAP) session 357 */ 358 static int osap(struct tpm_buf *tb, struct osapsess *s, 359 const unsigned char *key, uint16_t type, uint32_t handle) 360 { 361 unsigned char enonce[TPM_NONCE_SIZE]; 362 unsigned char ononce[TPM_NONCE_SIZE]; 363 int ret; 364 365 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 366 if (ret < 0) 367 return ret; 368 369 if (ret != TPM_NONCE_SIZE) 370 return -EIO; 371 372 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP); 373 tpm_buf_append_u16(tb, type); 374 tpm_buf_append_u32(tb, handle); 375 tpm_buf_append(tb, ononce, TPM_NONCE_SIZE); 376 377 ret = trusted_tpm_send(tb->data, tb->length); 378 if (ret < 0) 379 return ret; 380 381 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 382 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 383 TPM_NONCE_SIZE); 384 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 385 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 386 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 387 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 388 } 389 390 /* 391 * Create an object independent authorisation protocol (oiap) session 392 */ 393 static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 394 { 395 int ret; 396 397 if (!chip) 398 return -ENODEV; 399 400 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP); 401 ret = trusted_tpm_send(tb->data, tb->length); 402 if (ret < 0) 403 return ret; 404 405 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 406 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 407 TPM_NONCE_SIZE); 408 return 0; 409 } 410 411 struct tpm_digests { 412 unsigned char encauth[SHA1_DIGEST_SIZE]; 413 unsigned char pubauth[SHA1_DIGEST_SIZE]; 414 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 415 unsigned char xorhash[SHA1_DIGEST_SIZE]; 416 unsigned char nonceodd[TPM_NONCE_SIZE]; 417 }; 418 419 /* 420 * Have the TPM seal(encrypt) the trusted key, possibly based on 421 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 422 */ 423 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 424 uint32_t keyhandle, const unsigned char *keyauth, 425 const unsigned char *data, uint32_t datalen, 426 unsigned char *blob, uint32_t *bloblen, 427 const unsigned char *blobauth, 428 const unsigned char *pcrinfo, uint32_t pcrinfosize) 429 { 430 struct osapsess sess; 431 struct tpm_digests *td; 432 unsigned char cont; 433 uint32_t ordinal; 434 uint32_t pcrsize; 435 uint32_t datsize; 436 int sealinfosize; 437 int encdatasize; 438 int storedsize; 439 int ret; 440 int i; 441 442 /* alloc some work space for all the hashes */ 443 td = kmalloc(sizeof *td, GFP_KERNEL); 444 if (!td) 445 return -ENOMEM; 446 447 /* get session for sealing key */ 448 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 449 if (ret < 0) 450 goto out; 451 dump_sess(&sess); 452 453 /* calculate encrypted authorization value */ 454 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 455 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 456 sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 457 458 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 459 if (ret < 0) 460 goto out; 461 462 if (ret != TPM_NONCE_SIZE) { 463 ret = -EIO; 464 goto out; 465 } 466 467 ordinal = htonl(TPM_ORD_SEAL); 468 datsize = htonl(datalen); 469 pcrsize = htonl(pcrinfosize); 470 cont = 0; 471 472 /* encrypt data authorization key */ 473 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 474 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 475 476 /* calculate authorization HMAC value */ 477 if (pcrinfosize == 0) { 478 /* no pcr info specified */ 479 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 480 sess.enonce, td->nonceodd, cont, 481 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 482 td->encauth, sizeof(uint32_t), &pcrsize, 483 sizeof(uint32_t), &datsize, datalen, data, 0, 484 0); 485 } else { 486 /* pcr info specified */ 487 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 488 sess.enonce, td->nonceodd, cont, 489 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 490 td->encauth, sizeof(uint32_t), &pcrsize, 491 pcrinfosize, pcrinfo, sizeof(uint32_t), 492 &datsize, datalen, data, 0, 0); 493 } 494 if (ret < 0) 495 goto out; 496 497 /* build and send the TPM request packet */ 498 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL); 499 tpm_buf_append_u32(tb, keyhandle); 500 tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE); 501 tpm_buf_append_u32(tb, pcrinfosize); 502 tpm_buf_append(tb, pcrinfo, pcrinfosize); 503 tpm_buf_append_u32(tb, datalen); 504 tpm_buf_append(tb, data, datalen); 505 tpm_buf_append_u32(tb, sess.handle); 506 tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE); 507 tpm_buf_append_u8(tb, cont); 508 tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE); 509 510 ret = trusted_tpm_send(tb->data, tb->length); 511 if (ret < 0) 512 goto out; 513 514 /* calculate the size of the returned Blob */ 515 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 516 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 517 sizeof(uint32_t) + sealinfosize); 518 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 519 sizeof(uint32_t) + encdatasize; 520 521 /* check the HMAC in the response */ 522 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 523 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 524 0); 525 526 /* copy the returned blob to caller */ 527 if (!ret) { 528 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 529 *bloblen = storedsize; 530 } 531 out: 532 kfree_sensitive(td); 533 return ret; 534 } 535 536 /* 537 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 538 */ 539 static int tpm_unseal(struct tpm_buf *tb, 540 uint32_t keyhandle, const unsigned char *keyauth, 541 const unsigned char *blob, int bloblen, 542 const unsigned char *blobauth, 543 unsigned char *data, unsigned int *datalen) 544 { 545 unsigned char nonceodd[TPM_NONCE_SIZE]; 546 unsigned char enonce1[TPM_NONCE_SIZE]; 547 unsigned char enonce2[TPM_NONCE_SIZE]; 548 unsigned char authdata1[SHA1_DIGEST_SIZE]; 549 unsigned char authdata2[SHA1_DIGEST_SIZE]; 550 uint32_t authhandle1 = 0; 551 uint32_t authhandle2 = 0; 552 unsigned char cont = 0; 553 uint32_t ordinal; 554 int ret; 555 556 /* sessions for unsealing key and data */ 557 ret = oiap(tb, &authhandle1, enonce1); 558 if (ret < 0) { 559 pr_info("oiap failed (%d)\n", ret); 560 return ret; 561 } 562 ret = oiap(tb, &authhandle2, enonce2); 563 if (ret < 0) { 564 pr_info("oiap failed (%d)\n", ret); 565 return ret; 566 } 567 568 ordinal = htonl(TPM_ORD_UNSEAL); 569 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 570 if (ret < 0) 571 return ret; 572 573 if (ret != TPM_NONCE_SIZE) { 574 pr_info("tpm_get_random failed (%d)\n", ret); 575 return -EIO; 576 } 577 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 578 enonce1, nonceodd, cont, sizeof(uint32_t), 579 &ordinal, bloblen, blob, 0, 0); 580 if (ret < 0) 581 return ret; 582 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 583 enonce2, nonceodd, cont, sizeof(uint32_t), 584 &ordinal, bloblen, blob, 0, 0); 585 if (ret < 0) 586 return ret; 587 588 /* build and send TPM request packet */ 589 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL); 590 tpm_buf_append_u32(tb, keyhandle); 591 tpm_buf_append(tb, blob, bloblen); 592 tpm_buf_append_u32(tb, authhandle1); 593 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 594 tpm_buf_append_u8(tb, cont); 595 tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE); 596 tpm_buf_append_u32(tb, authhandle2); 597 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 598 tpm_buf_append_u8(tb, cont); 599 tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE); 600 601 ret = trusted_tpm_send(tb->data, tb->length); 602 if (ret < 0) { 603 pr_info("authhmac failed (%d)\n", ret); 604 return ret; 605 } 606 607 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 608 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 609 keyauth, SHA1_DIGEST_SIZE, 610 blobauth, SHA1_DIGEST_SIZE, 611 sizeof(uint32_t), TPM_DATA_OFFSET, 612 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 613 0); 614 if (ret < 0) { 615 pr_info("TSS_checkhmac2 failed (%d)\n", ret); 616 return ret; 617 } 618 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 619 return 0; 620 } 621 622 /* 623 * Have the TPM seal(encrypt) the symmetric key 624 */ 625 static int key_seal(struct trusted_key_payload *p, 626 struct trusted_key_options *o) 627 { 628 struct tpm_buf tb; 629 int ret; 630 631 ret = tpm_buf_init(&tb, 0, 0); 632 if (ret) 633 return ret; 634 635 /* include migratable flag at end of sealed key */ 636 p->key[p->key_len] = p->migratable; 637 638 ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth, 639 p->key, p->key_len + 1, p->blob, &p->blob_len, 640 o->blobauth, o->pcrinfo, o->pcrinfo_len); 641 if (ret < 0) 642 pr_info("srkseal failed (%d)\n", ret); 643 644 tpm_buf_destroy(&tb); 645 return ret; 646 } 647 648 /* 649 * Have the TPM unseal(decrypt) the symmetric key 650 */ 651 static int key_unseal(struct trusted_key_payload *p, 652 struct trusted_key_options *o) 653 { 654 struct tpm_buf tb; 655 int ret; 656 657 ret = tpm_buf_init(&tb, 0, 0); 658 if (ret) 659 return ret; 660 661 ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 662 o->blobauth, p->key, &p->key_len); 663 if (ret < 0) 664 pr_info("srkunseal failed (%d)\n", ret); 665 else 666 /* pull migratable flag out of sealed key */ 667 p->migratable = p->key[--p->key_len]; 668 669 tpm_buf_destroy(&tb); 670 return ret; 671 } 672 673 enum { 674 Opt_err, 675 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 676 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 677 Opt_hash, 678 Opt_policydigest, 679 Opt_policyhandle, 680 }; 681 682 static const match_table_t key_tokens = { 683 {Opt_keyhandle, "keyhandle=%s"}, 684 {Opt_keyauth, "keyauth=%s"}, 685 {Opt_blobauth, "blobauth=%s"}, 686 {Opt_pcrinfo, "pcrinfo=%s"}, 687 {Opt_pcrlock, "pcrlock=%s"}, 688 {Opt_migratable, "migratable=%s"}, 689 {Opt_hash, "hash=%s"}, 690 {Opt_policydigest, "policydigest=%s"}, 691 {Opt_policyhandle, "policyhandle=%s"}, 692 {Opt_err, NULL} 693 }; 694 695 /* can have zero or more token= options */ 696 static int getoptions(char *c, struct trusted_key_payload *pay, 697 struct trusted_key_options *opt) 698 { 699 substring_t args[MAX_OPT_ARGS]; 700 char *p = c; 701 int token; 702 int res; 703 unsigned long handle; 704 unsigned long lock; 705 unsigned long token_mask = 0; 706 unsigned int digest_len; 707 int i; 708 int tpm2; 709 710 tpm2 = tpm_is_tpm2(chip); 711 if (tpm2 < 0) 712 return tpm2; 713 714 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 715 716 if (!c) 717 return 0; 718 719 while ((p = strsep(&c, " \t"))) { 720 if (*p == '\0' || *p == ' ' || *p == '\t') 721 continue; 722 token = match_token(p, key_tokens, args); 723 if (test_and_set_bit(token, &token_mask)) 724 return -EINVAL; 725 726 switch (token) { 727 case Opt_pcrinfo: 728 opt->pcrinfo_len = strlen(args[0].from) / 2; 729 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 730 return -EINVAL; 731 res = hex2bin(opt->pcrinfo, args[0].from, 732 opt->pcrinfo_len); 733 if (res < 0) 734 return -EINVAL; 735 break; 736 case Opt_keyhandle: 737 res = kstrtoul(args[0].from, 16, &handle); 738 if (res < 0) 739 return -EINVAL; 740 opt->keytype = SEAL_keytype; 741 opt->keyhandle = handle; 742 break; 743 case Opt_keyauth: 744 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 745 return -EINVAL; 746 res = hex2bin(opt->keyauth, args[0].from, 747 SHA1_DIGEST_SIZE); 748 if (res < 0) 749 return -EINVAL; 750 break; 751 case Opt_blobauth: 752 /* 753 * TPM 1.2 authorizations are sha1 hashes passed in as 754 * hex strings. TPM 2.0 authorizations are simple 755 * passwords (although it can take a hash as well) 756 */ 757 opt->blobauth_len = strlen(args[0].from); 758 759 if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { 760 res = hex2bin(opt->blobauth, args[0].from, 761 TPM_DIGEST_SIZE); 762 if (res < 0) 763 return -EINVAL; 764 765 opt->blobauth_len = TPM_DIGEST_SIZE; 766 break; 767 } 768 769 if (tpm2 && opt->blobauth_len <= sizeof(opt->blobauth)) { 770 memcpy(opt->blobauth, args[0].from, 771 opt->blobauth_len); 772 break; 773 } 774 775 return -EINVAL; 776 777 break; 778 779 case Opt_migratable: 780 if (*args[0].from == '0') 781 pay->migratable = 0; 782 else if (*args[0].from != '1') 783 return -EINVAL; 784 break; 785 case Opt_pcrlock: 786 res = kstrtoul(args[0].from, 10, &lock); 787 if (res < 0) 788 return -EINVAL; 789 opt->pcrlock = lock; 790 break; 791 case Opt_hash: 792 if (test_bit(Opt_policydigest, &token_mask)) 793 return -EINVAL; 794 for (i = 0; i < HASH_ALGO__LAST; i++) { 795 if (!strcmp(args[0].from, hash_algo_name[i])) { 796 opt->hash = i; 797 break; 798 } 799 } 800 if (i == HASH_ALGO__LAST) 801 return -EINVAL; 802 if (!tpm2 && i != HASH_ALGO_SHA1) { 803 pr_info("TPM 1.x only supports SHA-1.\n"); 804 return -EINVAL; 805 } 806 break; 807 case Opt_policydigest: 808 digest_len = hash_digest_size[opt->hash]; 809 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 810 return -EINVAL; 811 res = hex2bin(opt->policydigest, args[0].from, 812 digest_len); 813 if (res < 0) 814 return -EINVAL; 815 opt->policydigest_len = digest_len; 816 break; 817 case Opt_policyhandle: 818 if (!tpm2) 819 return -EINVAL; 820 res = kstrtoul(args[0].from, 16, &handle); 821 if (res < 0) 822 return -EINVAL; 823 opt->policyhandle = handle; 824 break; 825 default: 826 return -EINVAL; 827 } 828 } 829 return 0; 830 } 831 832 static struct trusted_key_options *trusted_options_alloc(void) 833 { 834 struct trusted_key_options *options; 835 int tpm2; 836 837 tpm2 = tpm_is_tpm2(chip); 838 if (tpm2 < 0) 839 return NULL; 840 841 options = kzalloc(sizeof *options, GFP_KERNEL); 842 if (options) { 843 /* set any non-zero defaults */ 844 options->keytype = SRK_keytype; 845 846 if (!tpm2) 847 options->keyhandle = SRKHANDLE; 848 } 849 return options; 850 } 851 852 static int trusted_tpm_seal(struct trusted_key_payload *p, char *datablob) 853 { 854 struct trusted_key_options *options = NULL; 855 int ret = 0; 856 int tpm2; 857 858 tpm2 = tpm_is_tpm2(chip); 859 if (tpm2 < 0) 860 return tpm2; 861 862 options = trusted_options_alloc(); 863 if (!options) 864 return -ENOMEM; 865 866 ret = getoptions(datablob, p, options); 867 if (ret < 0) 868 goto out; 869 dump_options(options); 870 871 if (!options->keyhandle && !tpm2) { 872 ret = -EINVAL; 873 goto out; 874 } 875 876 if (tpm2) 877 ret = tpm2_seal_trusted(chip, p, options); 878 else 879 ret = key_seal(p, options); 880 if (ret < 0) { 881 pr_info("key_seal failed (%d)\n", ret); 882 goto out; 883 } 884 885 if (options->pcrlock) { 886 ret = pcrlock(options->pcrlock); 887 if (ret < 0) { 888 pr_info("pcrlock failed (%d)\n", ret); 889 goto out; 890 } 891 } 892 out: 893 kfree_sensitive(options); 894 return ret; 895 } 896 897 static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob) 898 { 899 struct trusted_key_options *options = NULL; 900 int ret = 0; 901 int tpm2; 902 903 tpm2 = tpm_is_tpm2(chip); 904 if (tpm2 < 0) 905 return tpm2; 906 907 options = trusted_options_alloc(); 908 if (!options) 909 return -ENOMEM; 910 911 ret = getoptions(datablob, p, options); 912 if (ret < 0) 913 goto out; 914 dump_options(options); 915 916 if (!options->keyhandle && !tpm2) { 917 ret = -EINVAL; 918 goto out; 919 } 920 921 if (tpm2) 922 ret = tpm2_unseal_trusted(chip, p, options); 923 else 924 ret = key_unseal(p, options); 925 if (ret < 0) 926 pr_info("key_unseal failed (%d)\n", ret); 927 928 if (options->pcrlock) { 929 ret = pcrlock(options->pcrlock); 930 if (ret < 0) { 931 pr_info("pcrlock failed (%d)\n", ret); 932 goto out; 933 } 934 } 935 out: 936 kfree_sensitive(options); 937 return ret; 938 } 939 940 static int trusted_tpm_get_random(unsigned char *key, size_t key_len) 941 { 942 return tpm_get_random(chip, key, key_len); 943 } 944 945 static int __init init_digests(void) 946 { 947 int i; 948 949 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 950 GFP_KERNEL); 951 if (!digests) 952 return -ENOMEM; 953 954 for (i = 0; i < chip->nr_allocated_banks; i++) 955 digests[i].alg_id = chip->allocated_banks[i].alg_id; 956 957 return 0; 958 } 959 960 static int __init trusted_tpm_init(void) 961 { 962 int ret; 963 964 chip = tpm_default_chip(); 965 if (!chip) 966 return -ENODEV; 967 968 ret = init_digests(); 969 if (ret < 0) 970 goto err_put; 971 ret = register_key_type(&key_type_trusted); 972 if (ret < 0) 973 goto err_free; 974 return 0; 975 err_free: 976 kfree(digests); 977 err_put: 978 put_device(&chip->dev); 979 return ret; 980 } 981 982 static void trusted_tpm_exit(void) 983 { 984 if (chip) { 985 put_device(&chip->dev); 986 kfree(digests); 987 unregister_key_type(&key_type_trusted); 988 } 989 } 990 991 struct trusted_key_ops trusted_key_tpm_ops = { 992 .migratable = 1, /* migratable by default */ 993 .init = trusted_tpm_init, 994 .seal = trusted_tpm_seal, 995 .unseal = trusted_tpm_unseal, 996 .get_random = trusted_tpm_get_random, 997 .exit = trusted_tpm_exit, 998 }; 999