1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2010 IBM Corporation 4 * Copyright (c) 2019-2021, Linaro Limited 5 * 6 * See Documentation/security/keys/trusted-encrypted.rst 7 */ 8 9 #include <crypto/hash_info.h> 10 #include <crypto/utils.h> 11 #include <linux/init.h> 12 #include <linux/slab.h> 13 #include <linux/parser.h> 14 #include <linux/string.h> 15 #include <linux/err.h> 16 #include <keys/trusted-type.h> 17 #include <linux/key-type.h> 18 #include <linux/crypto.h> 19 #include <crypto/hash.h> 20 #include <crypto/sha1.h> 21 #include <linux/tpm.h> 22 #include <linux/tpm_command.h> 23 24 #include <keys/trusted_tpm.h> 25 26 static const char hmac_alg[] = "hmac(sha1)"; 27 static const char hash_alg[] = "sha1"; 28 static struct tpm_chip *chip; 29 static struct tpm_digest *digests; 30 31 struct sdesc { 32 struct shash_desc shash; 33 char ctx[]; 34 }; 35 36 static struct crypto_shash *hashalg; 37 static struct crypto_shash *hmacalg; 38 39 static struct sdesc *init_sdesc(struct crypto_shash *alg) 40 { 41 struct sdesc *sdesc; 42 int size; 43 44 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg); 45 sdesc = kmalloc(size, GFP_KERNEL); 46 if (!sdesc) 47 return ERR_PTR(-ENOMEM); 48 sdesc->shash.tfm = alg; 49 return sdesc; 50 } 51 52 static int TSS_sha1(const unsigned char *data, unsigned int datalen, 53 unsigned char *digest) 54 { 55 struct sdesc *sdesc; 56 int ret; 57 58 sdesc = init_sdesc(hashalg); 59 if (IS_ERR(sdesc)) { 60 pr_info("can't alloc %s\n", hash_alg); 61 return PTR_ERR(sdesc); 62 } 63 64 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); 65 kfree_sensitive(sdesc); 66 return ret; 67 } 68 69 static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, 70 unsigned int keylen, ...) 71 { 72 struct sdesc *sdesc; 73 va_list argp; 74 unsigned int dlen; 75 unsigned char *data; 76 int ret; 77 78 sdesc = init_sdesc(hmacalg); 79 if (IS_ERR(sdesc)) { 80 pr_info("can't alloc %s\n", hmac_alg); 81 return PTR_ERR(sdesc); 82 } 83 84 ret = crypto_shash_setkey(hmacalg, key, keylen); 85 if (ret < 0) 86 goto out; 87 ret = crypto_shash_init(&sdesc->shash); 88 if (ret < 0) 89 goto out; 90 91 va_start(argp, keylen); 92 for (;;) { 93 dlen = va_arg(argp, unsigned int); 94 if (dlen == 0) 95 break; 96 data = va_arg(argp, unsigned char *); 97 if (data == NULL) { 98 ret = -EINVAL; 99 break; 100 } 101 ret = crypto_shash_update(&sdesc->shash, data, dlen); 102 if (ret < 0) 103 break; 104 } 105 va_end(argp); 106 if (!ret) 107 ret = crypto_shash_final(&sdesc->shash, digest); 108 out: 109 kfree_sensitive(sdesc); 110 return ret; 111 } 112 113 /* 114 * calculate authorization info fields to send to TPM 115 */ 116 int TSS_authhmac(unsigned char *digest, const unsigned char *key, 117 unsigned int keylen, unsigned char *h1, 118 unsigned char *h2, unsigned int h3, ...) 119 { 120 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 121 struct sdesc *sdesc; 122 unsigned int dlen; 123 unsigned char *data; 124 unsigned char c; 125 int ret; 126 va_list argp; 127 128 if (!chip) 129 return -ENODEV; 130 131 sdesc = init_sdesc(hashalg); 132 if (IS_ERR(sdesc)) { 133 pr_info("can't alloc %s\n", hash_alg); 134 return PTR_ERR(sdesc); 135 } 136 137 c = !!h3; 138 ret = crypto_shash_init(&sdesc->shash); 139 if (ret < 0) 140 goto out; 141 va_start(argp, h3); 142 for (;;) { 143 dlen = va_arg(argp, unsigned int); 144 if (dlen == 0) 145 break; 146 data = va_arg(argp, unsigned char *); 147 if (!data) { 148 ret = -EINVAL; 149 break; 150 } 151 ret = crypto_shash_update(&sdesc->shash, data, dlen); 152 if (ret < 0) 153 break; 154 } 155 va_end(argp); 156 if (!ret) 157 ret = crypto_shash_final(&sdesc->shash, paramdigest); 158 if (!ret) 159 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, 160 paramdigest, TPM_NONCE_SIZE, h1, 161 TPM_NONCE_SIZE, h2, 1, &c, 0, 0); 162 out: 163 kfree_sensitive(sdesc); 164 return ret; 165 } 166 EXPORT_SYMBOL_GPL(TSS_authhmac); 167 168 /* 169 * verify the AUTH1_COMMAND (Seal) result from TPM 170 */ 171 int TSS_checkhmac1(unsigned char *buffer, 172 const uint32_t command, 173 const unsigned char *ononce, 174 const unsigned char *key, 175 unsigned int keylen, ...) 176 { 177 uint32_t bufsize; 178 uint16_t tag; 179 uint32_t ordinal; 180 uint32_t result; 181 unsigned char *enonce; 182 unsigned char *continueflag; 183 unsigned char *authdata; 184 unsigned char testhmac[SHA1_DIGEST_SIZE]; 185 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 186 struct sdesc *sdesc; 187 unsigned int dlen; 188 unsigned int dpos; 189 va_list argp; 190 int ret; 191 192 if (!chip) 193 return -ENODEV; 194 195 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 196 tag = LOAD16(buffer, 0); 197 ordinal = command; 198 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 199 if (tag == TPM_TAG_RSP_COMMAND) 200 return 0; 201 if (tag != TPM_TAG_RSP_AUTH1_COMMAND) 202 return -EINVAL; 203 authdata = buffer + bufsize - SHA1_DIGEST_SIZE; 204 continueflag = authdata - 1; 205 enonce = continueflag - TPM_NONCE_SIZE; 206 207 sdesc = init_sdesc(hashalg); 208 if (IS_ERR(sdesc)) { 209 pr_info("can't alloc %s\n", hash_alg); 210 return PTR_ERR(sdesc); 211 } 212 ret = crypto_shash_init(&sdesc->shash); 213 if (ret < 0) 214 goto out; 215 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 216 sizeof result); 217 if (ret < 0) 218 goto out; 219 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 220 sizeof ordinal); 221 if (ret < 0) 222 goto out; 223 va_start(argp, keylen); 224 for (;;) { 225 dlen = va_arg(argp, unsigned int); 226 if (dlen == 0) 227 break; 228 dpos = va_arg(argp, unsigned int); 229 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 230 if (ret < 0) 231 break; 232 } 233 va_end(argp); 234 if (!ret) 235 ret = crypto_shash_final(&sdesc->shash, paramdigest); 236 if (ret < 0) 237 goto out; 238 239 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, 240 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 241 1, continueflag, 0, 0); 242 if (ret < 0) 243 goto out; 244 245 if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) 246 ret = -EINVAL; 247 out: 248 kfree_sensitive(sdesc); 249 return ret; 250 } 251 EXPORT_SYMBOL_GPL(TSS_checkhmac1); 252 253 /* 254 * verify the AUTH2_COMMAND (unseal) result from TPM 255 */ 256 static int TSS_checkhmac2(unsigned char *buffer, 257 const uint32_t command, 258 const unsigned char *ononce, 259 const unsigned char *key1, 260 unsigned int keylen1, 261 const unsigned char *key2, 262 unsigned int keylen2, ...) 263 { 264 uint32_t bufsize; 265 uint16_t tag; 266 uint32_t ordinal; 267 uint32_t result; 268 unsigned char *enonce1; 269 unsigned char *continueflag1; 270 unsigned char *authdata1; 271 unsigned char *enonce2; 272 unsigned char *continueflag2; 273 unsigned char *authdata2; 274 unsigned char testhmac1[SHA1_DIGEST_SIZE]; 275 unsigned char testhmac2[SHA1_DIGEST_SIZE]; 276 unsigned char paramdigest[SHA1_DIGEST_SIZE]; 277 struct sdesc *sdesc; 278 unsigned int dlen; 279 unsigned int dpos; 280 va_list argp; 281 int ret; 282 283 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET); 284 tag = LOAD16(buffer, 0); 285 ordinal = command; 286 result = LOAD32N(buffer, TPM_RETURN_OFFSET); 287 288 if (tag == TPM_TAG_RSP_COMMAND) 289 return 0; 290 if (tag != TPM_TAG_RSP_AUTH2_COMMAND) 291 return -EINVAL; 292 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1 293 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE); 294 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE); 295 continueflag1 = authdata1 - 1; 296 continueflag2 = authdata2 - 1; 297 enonce1 = continueflag1 - TPM_NONCE_SIZE; 298 enonce2 = continueflag2 - TPM_NONCE_SIZE; 299 300 sdesc = init_sdesc(hashalg); 301 if (IS_ERR(sdesc)) { 302 pr_info("can't alloc %s\n", hash_alg); 303 return PTR_ERR(sdesc); 304 } 305 ret = crypto_shash_init(&sdesc->shash); 306 if (ret < 0) 307 goto out; 308 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result, 309 sizeof result); 310 if (ret < 0) 311 goto out; 312 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, 313 sizeof ordinal); 314 if (ret < 0) 315 goto out; 316 317 va_start(argp, keylen2); 318 for (;;) { 319 dlen = va_arg(argp, unsigned int); 320 if (dlen == 0) 321 break; 322 dpos = va_arg(argp, unsigned int); 323 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); 324 if (ret < 0) 325 break; 326 } 327 va_end(argp); 328 if (!ret) 329 ret = crypto_shash_final(&sdesc->shash, paramdigest); 330 if (ret < 0) 331 goto out; 332 333 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, 334 paramdigest, TPM_NONCE_SIZE, enonce1, 335 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 336 if (ret < 0) 337 goto out; 338 if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 339 ret = -EINVAL; 340 goto out; 341 } 342 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, 343 paramdigest, TPM_NONCE_SIZE, enonce2, 344 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 345 if (ret < 0) 346 goto out; 347 if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 348 ret = -EINVAL; 349 out: 350 kfree_sensitive(sdesc); 351 return ret; 352 } 353 354 /* 355 * For key specific tpm requests, we will generate and send our 356 * own TPM command packets using the drivers send function. 357 */ 358 int trusted_tpm_send(unsigned char *cmd, size_t buflen) 359 { 360 struct tpm_buf buf; 361 int rc; 362 363 if (!chip) 364 return -ENODEV; 365 366 rc = tpm_try_get_ops(chip); 367 if (rc) 368 return rc; 369 370 buf.flags = 0; 371 buf.length = buflen; 372 buf.data = cmd; 373 dump_tpm_buf(cmd); 374 rc = tpm_transmit_cmd(chip, &buf, 4, "sending data"); 375 dump_tpm_buf(cmd); 376 377 if (rc > 0) 378 /* TPM error */ 379 rc = -EPERM; 380 381 tpm_put_ops(chip); 382 return rc; 383 } 384 EXPORT_SYMBOL_GPL(trusted_tpm_send); 385 386 /* 387 * Lock a trusted key, by extending a selected PCR. 388 * 389 * Prevents a trusted key that is sealed to PCRs from being accessed. 390 * This uses the tpm driver's extend function. 391 */ 392 static int pcrlock(const int pcrnum) 393 { 394 if (!capable(CAP_SYS_ADMIN)) 395 return -EPERM; 396 397 return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0; 398 } 399 400 /* 401 * Create an object specific authorisation protocol (OSAP) session 402 */ 403 static int osap(struct tpm_buf *tb, struct osapsess *s, 404 const unsigned char *key, uint16_t type, uint32_t handle) 405 { 406 unsigned char enonce[TPM_NONCE_SIZE]; 407 unsigned char ononce[TPM_NONCE_SIZE]; 408 int ret; 409 410 ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); 411 if (ret < 0) 412 return ret; 413 414 if (ret != TPM_NONCE_SIZE) 415 return -EIO; 416 417 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OSAP); 418 tpm_buf_append_u16(tb, type); 419 tpm_buf_append_u32(tb, handle); 420 tpm_buf_append(tb, ononce, TPM_NONCE_SIZE); 421 422 ret = trusted_tpm_send(tb->data, tb->length); 423 if (ret < 0) 424 return ret; 425 426 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET); 427 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]), 428 TPM_NONCE_SIZE); 429 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) + 430 TPM_NONCE_SIZE]), TPM_NONCE_SIZE); 431 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE, 432 enonce, TPM_NONCE_SIZE, ononce, 0, 0); 433 } 434 435 /* 436 * Create an object independent authorisation protocol (oiap) session 437 */ 438 int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) 439 { 440 int ret; 441 442 if (!chip) 443 return -ENODEV; 444 445 tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP); 446 ret = trusted_tpm_send(tb->data, tb->length); 447 if (ret < 0) 448 return ret; 449 450 *handle = LOAD32(tb->data, TPM_DATA_OFFSET); 451 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)], 452 TPM_NONCE_SIZE); 453 return 0; 454 } 455 EXPORT_SYMBOL_GPL(oiap); 456 457 struct tpm_digests { 458 unsigned char encauth[SHA1_DIGEST_SIZE]; 459 unsigned char pubauth[SHA1_DIGEST_SIZE]; 460 unsigned char xorwork[SHA1_DIGEST_SIZE * 2]; 461 unsigned char xorhash[SHA1_DIGEST_SIZE]; 462 unsigned char nonceodd[TPM_NONCE_SIZE]; 463 }; 464 465 /* 466 * Have the TPM seal(encrypt) the trusted key, possibly based on 467 * Platform Configuration Registers (PCRs). AUTH1 for sealing key. 468 */ 469 static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, 470 uint32_t keyhandle, const unsigned char *keyauth, 471 const unsigned char *data, uint32_t datalen, 472 unsigned char *blob, uint32_t *bloblen, 473 const unsigned char *blobauth, 474 const unsigned char *pcrinfo, uint32_t pcrinfosize) 475 { 476 struct osapsess sess; 477 struct tpm_digests *td; 478 unsigned char cont; 479 uint32_t ordinal; 480 uint32_t pcrsize; 481 uint32_t datsize; 482 int sealinfosize; 483 int encdatasize; 484 int storedsize; 485 int ret; 486 int i; 487 488 /* alloc some work space for all the hashes */ 489 td = kmalloc(sizeof *td, GFP_KERNEL); 490 if (!td) 491 return -ENOMEM; 492 493 /* get session for sealing key */ 494 ret = osap(tb, &sess, keyauth, keytype, keyhandle); 495 if (ret < 0) 496 goto out; 497 dump_sess(&sess); 498 499 /* calculate encrypted authorization value */ 500 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); 501 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); 502 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); 503 if (ret < 0) 504 goto out; 505 506 ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); 507 if (ret < 0) 508 goto out; 509 510 if (ret != TPM_NONCE_SIZE) { 511 ret = -EIO; 512 goto out; 513 } 514 515 ordinal = htonl(TPM_ORD_SEAL); 516 datsize = htonl(datalen); 517 pcrsize = htonl(pcrinfosize); 518 cont = 0; 519 520 /* encrypt data authorization key */ 521 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 522 td->encauth[i] = td->xorhash[i] ^ blobauth[i]; 523 524 /* calculate authorization HMAC value */ 525 if (pcrinfosize == 0) { 526 /* no pcr info specified */ 527 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 528 sess.enonce, td->nonceodd, cont, 529 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 530 td->encauth, sizeof(uint32_t), &pcrsize, 531 sizeof(uint32_t), &datsize, datalen, data, 0, 532 0); 533 } else { 534 /* pcr info specified */ 535 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE, 536 sess.enonce, td->nonceodd, cont, 537 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE, 538 td->encauth, sizeof(uint32_t), &pcrsize, 539 pcrinfosize, pcrinfo, sizeof(uint32_t), 540 &datsize, datalen, data, 0, 0); 541 } 542 if (ret < 0) 543 goto out; 544 545 /* build and send the TPM request packet */ 546 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SEAL); 547 tpm_buf_append_u32(tb, keyhandle); 548 tpm_buf_append(tb, td->encauth, SHA1_DIGEST_SIZE); 549 tpm_buf_append_u32(tb, pcrinfosize); 550 tpm_buf_append(tb, pcrinfo, pcrinfosize); 551 tpm_buf_append_u32(tb, datalen); 552 tpm_buf_append(tb, data, datalen); 553 tpm_buf_append_u32(tb, sess.handle); 554 tpm_buf_append(tb, td->nonceodd, TPM_NONCE_SIZE); 555 tpm_buf_append_u8(tb, cont); 556 tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE); 557 558 ret = trusted_tpm_send(tb->data, tb->length); 559 if (ret < 0) 560 goto out; 561 562 /* calculate the size of the returned Blob */ 563 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t)); 564 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) + 565 sizeof(uint32_t) + sealinfosize); 566 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize + 567 sizeof(uint32_t) + encdatasize; 568 569 /* check the HMAC in the response */ 570 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret, 571 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0, 572 0); 573 574 /* copy the returned blob to caller */ 575 if (!ret) { 576 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize); 577 *bloblen = storedsize; 578 } 579 out: 580 kfree_sensitive(td); 581 return ret; 582 } 583 584 /* 585 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob 586 */ 587 static int tpm_unseal(struct tpm_buf *tb, 588 uint32_t keyhandle, const unsigned char *keyauth, 589 const unsigned char *blob, int bloblen, 590 const unsigned char *blobauth, 591 unsigned char *data, unsigned int *datalen) 592 { 593 unsigned char nonceodd[TPM_NONCE_SIZE]; 594 unsigned char enonce1[TPM_NONCE_SIZE]; 595 unsigned char enonce2[TPM_NONCE_SIZE]; 596 unsigned char authdata1[SHA1_DIGEST_SIZE]; 597 unsigned char authdata2[SHA1_DIGEST_SIZE]; 598 uint32_t authhandle1 = 0; 599 uint32_t authhandle2 = 0; 600 unsigned char cont = 0; 601 uint32_t ordinal; 602 int ret; 603 604 /* sessions for unsealing key and data */ 605 ret = oiap(tb, &authhandle1, enonce1); 606 if (ret < 0) { 607 pr_info("oiap failed (%d)\n", ret); 608 return ret; 609 } 610 ret = oiap(tb, &authhandle2, enonce2); 611 if (ret < 0) { 612 pr_info("oiap failed (%d)\n", ret); 613 return ret; 614 } 615 616 ordinal = htonl(TPM_ORD_UNSEAL); 617 ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); 618 if (ret < 0) 619 return ret; 620 621 if (ret != TPM_NONCE_SIZE) { 622 pr_info("tpm_get_random failed (%d)\n", ret); 623 return -EIO; 624 } 625 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE, 626 enonce1, nonceodd, cont, sizeof(uint32_t), 627 &ordinal, bloblen, blob, 0, 0); 628 if (ret < 0) 629 return ret; 630 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE, 631 enonce2, nonceodd, cont, sizeof(uint32_t), 632 &ordinal, bloblen, blob, 0, 0); 633 if (ret < 0) 634 return ret; 635 636 /* build and send TPM request packet */ 637 tpm_buf_reset(tb, TPM_TAG_RQU_AUTH2_COMMAND, TPM_ORD_UNSEAL); 638 tpm_buf_append_u32(tb, keyhandle); 639 tpm_buf_append(tb, blob, bloblen); 640 tpm_buf_append_u32(tb, authhandle1); 641 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 642 tpm_buf_append_u8(tb, cont); 643 tpm_buf_append(tb, authdata1, SHA1_DIGEST_SIZE); 644 tpm_buf_append_u32(tb, authhandle2); 645 tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE); 646 tpm_buf_append_u8(tb, cont); 647 tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE); 648 649 ret = trusted_tpm_send(tb->data, tb->length); 650 if (ret < 0) { 651 pr_info("authhmac failed (%d)\n", ret); 652 return ret; 653 } 654 655 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET); 656 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd, 657 keyauth, SHA1_DIGEST_SIZE, 658 blobauth, SHA1_DIGEST_SIZE, 659 sizeof(uint32_t), TPM_DATA_OFFSET, 660 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0, 661 0); 662 if (ret < 0) { 663 pr_info("TSS_checkhmac2 failed (%d)\n", ret); 664 return ret; 665 } 666 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen); 667 return 0; 668 } 669 670 /* 671 * Have the TPM seal(encrypt) the symmetric key 672 */ 673 static int key_seal(struct trusted_key_payload *p, 674 struct trusted_key_options *o) 675 { 676 struct tpm_buf tb; 677 int ret; 678 679 ret = tpm_buf_init(&tb, 0, 0); 680 if (ret) 681 return ret; 682 683 /* include migratable flag at end of sealed key */ 684 p->key[p->key_len] = p->migratable; 685 686 ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth, 687 p->key, p->key_len + 1, p->blob, &p->blob_len, 688 o->blobauth, o->pcrinfo, o->pcrinfo_len); 689 if (ret < 0) 690 pr_info("srkseal failed (%d)\n", ret); 691 692 tpm_buf_destroy(&tb); 693 return ret; 694 } 695 696 /* 697 * Have the TPM unseal(decrypt) the symmetric key 698 */ 699 static int key_unseal(struct trusted_key_payload *p, 700 struct trusted_key_options *o) 701 { 702 struct tpm_buf tb; 703 int ret; 704 705 ret = tpm_buf_init(&tb, 0, 0); 706 if (ret) 707 return ret; 708 709 ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len, 710 o->blobauth, p->key, &p->key_len); 711 if (ret < 0) 712 pr_info("srkunseal failed (%d)\n", ret); 713 else 714 /* pull migratable flag out of sealed key */ 715 p->migratable = p->key[--p->key_len]; 716 717 tpm_buf_destroy(&tb); 718 return ret; 719 } 720 721 enum { 722 Opt_err, 723 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 724 Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 725 Opt_hash, 726 Opt_policydigest, 727 Opt_policyhandle, 728 }; 729 730 static const match_table_t key_tokens = { 731 {Opt_keyhandle, "keyhandle=%s"}, 732 {Opt_keyauth, "keyauth=%s"}, 733 {Opt_blobauth, "blobauth=%s"}, 734 {Opt_pcrinfo, "pcrinfo=%s"}, 735 {Opt_pcrlock, "pcrlock=%s"}, 736 {Opt_migratable, "migratable=%s"}, 737 {Opt_hash, "hash=%s"}, 738 {Opt_policydigest, "policydigest=%s"}, 739 {Opt_policyhandle, "policyhandle=%s"}, 740 {Opt_err, NULL} 741 }; 742 743 /* can have zero or more token= options */ 744 static int getoptions(char *c, struct trusted_key_payload *pay, 745 struct trusted_key_options *opt) 746 { 747 substring_t args[MAX_OPT_ARGS]; 748 char *p = c; 749 int token; 750 int res; 751 unsigned long handle; 752 unsigned long lock; 753 unsigned long token_mask = 0; 754 unsigned int digest_len; 755 int i; 756 int tpm2; 757 758 tpm2 = tpm_is_tpm2(chip); 759 if (tpm2 < 0) 760 return tpm2; 761 762 opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 763 764 if (!c) 765 return 0; 766 767 while ((p = strsep(&c, " \t"))) { 768 if (*p == '\0' || *p == ' ' || *p == '\t') 769 continue; 770 token = match_token(p, key_tokens, args); 771 if (test_and_set_bit(token, &token_mask)) 772 return -EINVAL; 773 774 switch (token) { 775 case Opt_pcrinfo: 776 opt->pcrinfo_len = strlen(args[0].from) / 2; 777 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE) 778 return -EINVAL; 779 res = hex2bin(opt->pcrinfo, args[0].from, 780 opt->pcrinfo_len); 781 if (res < 0) 782 return -EINVAL; 783 break; 784 case Opt_keyhandle: 785 res = kstrtoul(args[0].from, 16, &handle); 786 if (res < 0) 787 return -EINVAL; 788 opt->keytype = SEAL_keytype; 789 opt->keyhandle = handle; 790 break; 791 case Opt_keyauth: 792 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) 793 return -EINVAL; 794 res = hex2bin(opt->keyauth, args[0].from, 795 SHA1_DIGEST_SIZE); 796 if (res < 0) 797 return -EINVAL; 798 break; 799 case Opt_blobauth: 800 /* 801 * TPM 1.2 authorizations are sha1 hashes passed in as 802 * hex strings. TPM 2.0 authorizations are simple 803 * passwords (although it can take a hash as well) 804 */ 805 opt->blobauth_len = strlen(args[0].from); 806 807 if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { 808 res = hex2bin(opt->blobauth, args[0].from, 809 TPM_DIGEST_SIZE); 810 if (res < 0) 811 return -EINVAL; 812 813 opt->blobauth_len = TPM_DIGEST_SIZE; 814 break; 815 } 816 817 if (tpm2 && opt->blobauth_len <= sizeof(opt->blobauth)) { 818 memcpy(opt->blobauth, args[0].from, 819 opt->blobauth_len); 820 break; 821 } 822 823 return -EINVAL; 824 825 break; 826 827 case Opt_migratable: 828 if (*args[0].from == '0') 829 pay->migratable = 0; 830 else if (*args[0].from != '1') 831 return -EINVAL; 832 break; 833 case Opt_pcrlock: 834 res = kstrtoul(args[0].from, 10, &lock); 835 if (res < 0) 836 return -EINVAL; 837 opt->pcrlock = lock; 838 break; 839 case Opt_hash: 840 if (test_bit(Opt_policydigest, &token_mask)) 841 return -EINVAL; 842 for (i = 0; i < HASH_ALGO__LAST; i++) { 843 if (!strcmp(args[0].from, hash_algo_name[i])) { 844 opt->hash = i; 845 break; 846 } 847 } 848 if (i == HASH_ALGO__LAST) 849 return -EINVAL; 850 if (!tpm2 && i != HASH_ALGO_SHA1) { 851 pr_info("TPM 1.x only supports SHA-1.\n"); 852 return -EINVAL; 853 } 854 break; 855 case Opt_policydigest: 856 digest_len = hash_digest_size[opt->hash]; 857 if (!tpm2 || strlen(args[0].from) != (2 * digest_len)) 858 return -EINVAL; 859 res = hex2bin(opt->policydigest, args[0].from, 860 digest_len); 861 if (res < 0) 862 return -EINVAL; 863 opt->policydigest_len = digest_len; 864 break; 865 case Opt_policyhandle: 866 if (!tpm2) 867 return -EINVAL; 868 res = kstrtoul(args[0].from, 16, &handle); 869 if (res < 0) 870 return -EINVAL; 871 opt->policyhandle = handle; 872 break; 873 default: 874 return -EINVAL; 875 } 876 } 877 return 0; 878 } 879 880 static struct trusted_key_options *trusted_options_alloc(void) 881 { 882 struct trusted_key_options *options; 883 int tpm2; 884 885 tpm2 = tpm_is_tpm2(chip); 886 if (tpm2 < 0) 887 return NULL; 888 889 options = kzalloc(sizeof *options, GFP_KERNEL); 890 if (options) { 891 /* set any non-zero defaults */ 892 options->keytype = SRK_keytype; 893 894 if (!tpm2) 895 options->keyhandle = SRKHANDLE; 896 } 897 return options; 898 } 899 900 static int trusted_tpm_seal(struct trusted_key_payload *p, char *datablob) 901 { 902 struct trusted_key_options *options = NULL; 903 int ret = 0; 904 int tpm2; 905 906 tpm2 = tpm_is_tpm2(chip); 907 if (tpm2 < 0) 908 return tpm2; 909 910 options = trusted_options_alloc(); 911 if (!options) 912 return -ENOMEM; 913 914 ret = getoptions(datablob, p, options); 915 if (ret < 0) 916 goto out; 917 dump_options(options); 918 919 if (!options->keyhandle && !tpm2) { 920 ret = -EINVAL; 921 goto out; 922 } 923 924 if (tpm2) 925 ret = tpm2_seal_trusted(chip, p, options); 926 else 927 ret = key_seal(p, options); 928 if (ret < 0) { 929 pr_info("key_seal failed (%d)\n", ret); 930 goto out; 931 } 932 933 if (options->pcrlock) { 934 ret = pcrlock(options->pcrlock); 935 if (ret < 0) { 936 pr_info("pcrlock failed (%d)\n", ret); 937 goto out; 938 } 939 } 940 out: 941 kfree_sensitive(options); 942 return ret; 943 } 944 945 static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob) 946 { 947 struct trusted_key_options *options = NULL; 948 int ret = 0; 949 int tpm2; 950 951 tpm2 = tpm_is_tpm2(chip); 952 if (tpm2 < 0) 953 return tpm2; 954 955 options = trusted_options_alloc(); 956 if (!options) 957 return -ENOMEM; 958 959 ret = getoptions(datablob, p, options); 960 if (ret < 0) 961 goto out; 962 dump_options(options); 963 964 if (!options->keyhandle && !tpm2) { 965 ret = -EINVAL; 966 goto out; 967 } 968 969 if (tpm2) 970 ret = tpm2_unseal_trusted(chip, p, options); 971 else 972 ret = key_unseal(p, options); 973 if (ret < 0) 974 pr_info("key_unseal failed (%d)\n", ret); 975 976 if (options->pcrlock) { 977 ret = pcrlock(options->pcrlock); 978 if (ret < 0) { 979 pr_info("pcrlock failed (%d)\n", ret); 980 goto out; 981 } 982 } 983 out: 984 kfree_sensitive(options); 985 return ret; 986 } 987 988 static int trusted_tpm_get_random(unsigned char *key, size_t key_len) 989 { 990 return tpm_get_random(chip, key, key_len); 991 } 992 993 static void trusted_shash_release(void) 994 { 995 if (hashalg) 996 crypto_free_shash(hashalg); 997 if (hmacalg) 998 crypto_free_shash(hmacalg); 999 } 1000 1001 static int __init trusted_shash_alloc(void) 1002 { 1003 int ret; 1004 1005 hmacalg = crypto_alloc_shash(hmac_alg, 0, 0); 1006 if (IS_ERR(hmacalg)) { 1007 pr_info("could not allocate crypto %s\n", 1008 hmac_alg); 1009 return PTR_ERR(hmacalg); 1010 } 1011 1012 hashalg = crypto_alloc_shash(hash_alg, 0, 0); 1013 if (IS_ERR(hashalg)) { 1014 pr_info("could not allocate crypto %s\n", 1015 hash_alg); 1016 ret = PTR_ERR(hashalg); 1017 goto hashalg_fail; 1018 } 1019 1020 return 0; 1021 1022 hashalg_fail: 1023 crypto_free_shash(hmacalg); 1024 return ret; 1025 } 1026 1027 static int __init init_digests(void) 1028 { 1029 int i; 1030 1031 digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), 1032 GFP_KERNEL); 1033 if (!digests) 1034 return -ENOMEM; 1035 1036 for (i = 0; i < chip->nr_allocated_banks; i++) 1037 digests[i].alg_id = chip->allocated_banks[i].alg_id; 1038 1039 return 0; 1040 } 1041 1042 static int __init trusted_tpm_init(void) 1043 { 1044 int ret; 1045 1046 chip = tpm_default_chip(); 1047 if (!chip) 1048 return -ENODEV; 1049 1050 ret = init_digests(); 1051 if (ret < 0) 1052 goto err_put; 1053 ret = trusted_shash_alloc(); 1054 if (ret < 0) 1055 goto err_free; 1056 ret = register_key_type(&key_type_trusted); 1057 if (ret < 0) 1058 goto err_release; 1059 return 0; 1060 err_release: 1061 trusted_shash_release(); 1062 err_free: 1063 kfree(digests); 1064 err_put: 1065 put_device(&chip->dev); 1066 return ret; 1067 } 1068 1069 static void trusted_tpm_exit(void) 1070 { 1071 if (chip) { 1072 put_device(&chip->dev); 1073 kfree(digests); 1074 trusted_shash_release(); 1075 unregister_key_type(&key_type_trusted); 1076 } 1077 } 1078 1079 struct trusted_key_ops trusted_key_tpm_ops = { 1080 .migratable = 1, /* migratable by default */ 1081 .init = trusted_tpm_init, 1082 .seal = trusted_tpm_seal, 1083 .unseal = trusted_tpm_unseal, 1084 .get_random = trusted_tpm_get_random, 1085 .exit = trusted_tpm_exit, 1086 }; 1087