From: dhowells@redhat.com (David Howells)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 17/22] KEYS: asym_tpm: Add loadkey2 and flushspecific
Date: Wed, 05 Sep 2018 22:56:10 +0100 [thread overview]
Message-ID: <153618457002.7946.741829373041553399.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <153618445730.7946.10001472635835806478.stgit@warthog.procyon.org.uk>
From: Denis Kenzior <denkenz@gmail.com>
This commit adds TPM_LoadKey2 and TPM_FlushSpecific operations.
Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
---
crypto/asymmetric_keys/asym_tpm.c | 94 +++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
diff --git a/crypto/asymmetric_keys/asym_tpm.c b/crypto/asymmetric_keys/asym_tpm.c
index 8edca3c4c193..6a2d33014ecc 100644
--- a/crypto/asymmetric_keys/asym_tpm.c
+++ b/crypto/asymmetric_keys/asym_tpm.c
@@ -7,11 +7,105 @@
#include <linux/seq_file.h>
#include <linux/scatterlist.h>
#include <linux/tpm.h>
+#include <linux/tpm_command.h>
#include <crypto/akcipher.h>
+#include <crypto/hash.h>
+#include <crypto/sha.h>
#include <asm/unaligned.h>
#include <keys/asymmetric-subtype.h>
+#include <keys/trusted.h>
#include <crypto/asym_tpm_subtype.h>
+#define TPM_ORD_FLUSHSPECIFIC 186
+#define TPM_ORD_LOADKEY2 65
+#define TPM_LOADKEY2_SIZE 59
+#define TPM_FLUSHSPECIFIC_SIZE 18
+
+#define TPM_RT_KEY 0x00000001
+
+/*
+ * Load a TPM key from the blob provided by userspace
+ */
+static int tpm_loadkey2(struct tpm_buf *tb,
+ uint32_t keyhandle, unsigned char *keyauth,
+ const unsigned char *keyblob, int keybloblen,
+ uint32_t *newhandle)
+{
+ unsigned char nonceodd[TPM_NONCE_SIZE];
+ unsigned char enonce[TPM_NONCE_SIZE];
+ unsigned char authdata[SHA1_DIGEST_SIZE];
+ uint32_t authhandle = 0;
+ unsigned char cont = 0;
+ uint32_t ordinal;
+ int ret;
+
+ ordinal = htonl(TPM_ORD_LOADKEY2);
+
+ /* session for loading the key */
+ ret = oiap(tb, &authhandle, enonce);
+ if (ret < 0) {
+ pr_info("oiap failed (%d)\n", ret);
+ return ret;
+ }
+
+ /* generate odd nonce */
+ ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
+ if (ret < 0) {
+ pr_info("tpm_get_random failed (%d)\n", ret);
+ return ret;
+ }
+
+ /* calculate authorization HMAC value */
+ ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
+ nonceodd, cont, sizeof(uint32_t), &ordinal,
+ keybloblen, keyblob, 0, 0);
+ if (ret < 0)
+ return ret;
+
+ /* build the request buffer */
+ INIT_BUF(tb);
+ store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
+ store32(tb, TPM_LOADKEY2_SIZE + keybloblen);
+ store32(tb, TPM_ORD_LOADKEY2);
+ store32(tb, keyhandle);
+ storebytes(tb, keyblob, keybloblen);
+ store32(tb, authhandle);
+ storebytes(tb, nonceodd, TPM_NONCE_SIZE);
+ store8(tb, cont);
+ storebytes(tb, authdata, SHA1_DIGEST_SIZE);
+
+ ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
+ if (ret < 0) {
+ pr_info("authhmac failed (%d)\n", ret);
+ return ret;
+ }
+
+ ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth,
+ SHA1_DIGEST_SIZE, 0, 0);
+ if (ret < 0) {
+ pr_info("TSS_checkhmac1 failed (%d)\n", ret);
+ return ret;
+ }
+
+ *newhandle = LOAD32(tb->data, TPM_DATA_OFFSET);
+ return 0;
+}
+
+/*
+ * Execute the FlushSpecific TPM command
+ */
+static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle)
+{
+ INIT_BUF(tb);
+ store16(tb, TPM_TAG_RQU_COMMAND);
+ store32(tb, TPM_FLUSHSPECIFIC_SIZE);
+ store32(tb, TPM_ORD_FLUSHSPECIFIC);
+ store32(tb, handle);
+ store32(tb, TPM_RT_KEY);
+
+ return trusted_tpm_send(tb->data, MAX_BUF_SIZE);
+}
+
/*
* Maximum buffer size for the BER/DER encoded public key. The public key
* is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048
next prev parent reply other threads:[~2018-09-05 21:56 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 21:54 [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops David Howells
2018-09-05 21:54 ` [PATCH 01/22] KEYS: Provide key type operations for asymmetric key ops David Howells
2018-09-05 21:54 ` [PATCH 02/22] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys David Howells
2018-09-05 21:54 ` [PATCH 03/22] KEYS: Provide missing asymmetric key subops for new key type ops David Howells
2018-10-03 19:03 ` James Morris
2018-10-05 15:39 ` David Howells
2018-09-05 21:54 ` [PATCH 04/22] KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type David Howells
2018-10-03 19:12 ` James Morris
2018-10-05 15:43 ` David Howells
2018-09-05 21:54 ` [PATCH 05/22] KEYS: Provide software public key query function David Howells
2018-10-03 19:24 ` James Morris
2018-10-05 15:51 ` David Howells
2018-10-05 16:28 ` James Morris
2018-10-05 18:23 ` James Morris
2018-10-09 15:21 ` David Howells
2018-09-05 21:54 ` [PATCH 06/22] KEYS: Allow the public_key struct to hold a private key David Howells
2018-09-05 21:55 ` [PATCH 07/22] KEYS: Implement encrypt, decrypt and sign for software asymmetric key David Howells
2018-09-05 21:55 ` [PATCH 08/22] KEYS: Implement PKCS#8 RSA Private Key parser David Howells
2018-09-05 21:55 ` [PATCH 09/22] crypto: rsa-pkcs1pad: Allow hash to be optional David Howells
2018-09-05 21:55 ` [PATCH 10/22] KEYS: asym_tpm: add skeleton for asym_tpm David Howells
2018-09-05 21:55 ` [PATCH 11/22] KEYS: asym_tpm: extract key size & public key David Howells
2018-09-05 21:55 ` [PATCH 12/22] KEYS: Add parser for TPM-based keys David Howells
2018-09-05 21:55 ` [PATCH 13/22] KEYS: asym_tpm: Implement pkey_query David Howells
2018-09-05 21:55 ` [PATCH 14/22] KEYS: asym_tpm: Implement encryption operation David Howells
2018-09-05 21:55 ` [PATCH 15/22] KEYS: trusted: Expose common functionality David Howells
2018-09-05 21:56 ` [PATCH 16/22] KEYS: Move trusted.h to include/keys David Howells
2018-09-05 21:56 ` David Howells [this message]
2018-09-05 21:56 ` [PATCH 18/22] KEYS: asym_tpm: Implement tpm_unbind David Howells
2018-09-05 21:56 ` [PATCH 19/22] KEYS: asym_tpm: Implement the decrypt operation David Howells
2018-09-05 21:56 ` [PATCH 20/22] KEYS: asym_tpm: Implement signature verification David Howells
2018-09-05 21:56 ` [PATCH 21/22] KEYS: asym_tpm: Implement tpm_sign David Howells
2018-09-05 21:56 ` [PATCH 22/22] KEYS: asym_tpm: Add support for the sign operation David Howells
2018-09-06 0:07 ` [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops James Morris
2018-09-07 17:31 ` Marcel Holtmann
2018-09-07 17:32 ` James Morris
2018-09-08 15:26 ` David Howells
[not found] ` <1537254055.20009.64.camel@infradead.org>
2018-09-18 11:30 ` James Bottomley
[not found] ` <1537253993.20009.62.camel@infradead.org>
2018-09-18 4:34 ` Denis Kenzior
2018-09-18 15:50 ` David Howells
2018-09-18 5:24 ` Denis Kenzior
[not found] ` <0d51fca9a29458a40121df0c5380af91e3429c08.camel@infradead.org>
2018-09-18 5:41 ` Denis Kenzior
2018-09-18 16:33 ` David Howells
2018-09-18 5:51 ` Denis Kenzior
2018-09-18 16:55 ` David Howells
2018-09-18 17:00 ` Denis Kenzior
2018-09-18 17:18 ` David Howells
2018-09-20 7:26 ` Marcel Holtmann
[not found] ` <219367882d33fda9705485aa4a40b2ef55f3992f.camel@infradead.org>
2018-09-20 17:07 ` Denis Kenzior
2018-09-28 17:20 ` Marcel Holtmann
2018-09-18 15:02 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=153618457002.7946.741829373041553399.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).