From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Cc: peterhuewe@gmx.de, gregkh@linuxfoundation.org,
jgunthorpe@obsidianresearch.com, akpm@linux-foundation.org,
mjg59@srcf.ucam.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Marcel Selhorst <tpmdd@selhorst.net>,
David Safford <safford@us.ibm.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org (open list:KEYS-TRUSTED),
keyrings@vger.kernel.org (open list:KEYS-TRUSTED)
Subject: [PATCH 4/4] keys, trusted: seal/unseal with TPM 2.0 chips
Date: Fri, 2 Oct 2015 11:38:18 +0300
Message-ID: <1443775102-9727-5-git-send-email-jarkko.sakkinen@linux.intel.com>
In-Reply-To: <1443775102-9727-1-git-send-email-jarkko.sakkinen@linux.intel.com>
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
drivers/char/tpm/tpm2-cmd.c | 2 +-
include/linux/tpm_command.h | 1 -
security/keys/trusted.c | 18 ++++++++++++++----
security/keys/trusted.h | 7 +++++++
4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 0986c96..0fba698 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -422,7 +422,7 @@ static int tpm2_load(struct tpm_chip *chip,
options->keyauth /* hmac */,
TPM_DIGEST_SIZE);
- tpm_buf_append(&buf, payload->blob, payload->blob_len);
+ tpm_buf_append(&buf, payload->blob, blob_len);
rc = tpm_transmit_cmd(chip, buf.data, TPM_BUF_SIZE, "loading blob");
if (!rc)
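Review bot: the change from `payload->blob_len` to a local `blob_len` in tpm2_load() is not mentioned in the commit message, which only says the patch calls tpm_seal_trusted()/tpm_unseal_trusted(). The local `blob_len` is not visible in this hunk, so a reader cannot tell from the patch what it holds or why it differs from `payload->blob_len`. If this corrects the length passed to tpm_buf_append() in the code introduced by patch 3/4, squash it into that patch; otherwise explain it in the message.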
diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
index 727512e..d7b0f82 100644
--- a/include/linux/tpm_command.h
+++ b/include/linux/tpm_command.h
@@ -22,7 +22,6 @@
#define TPM_ORD_UNSEAL 24
/* Other constants */
-#define SRKHANDLE 0x40000000
#define TPM_NONCE_SIZE 20
#endif
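Review bot: removing `SRKHANDLE` from include/linux/tpm_command.h, a header under include/linux/, and reintroducing the value as `TPM1_SRKHANDLE` in security/keys/trusted.h moves a constant from a shared header to a private one. Any other user of `SRKHANDLE` would break at compile time; the commit message should state that trusted.c was the only user, or the constant should stay exported alongside the new TPM 2.0 one.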
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb..f6557b1 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -601,7 +601,7 @@ static int tpm_unseal(struct tpm_buf *tb,
}
ordinal = htonl(TPM_ORD_UNSEAL);
- keyhndl = htonl(SRKHANDLE);
+ keyhndl = htonl(TPM1_SRKHANDLE);
ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
if (ret != TPM_NONCE_SIZE) {
pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
@@ -867,7 +867,11 @@ static struct trusted_key_options *trusted_options_alloc(void)
if (options) {
/* set any non-zero defaults */
options->keytype = SRK_keytype;
- options->keyhandle = SRKHANDLE;
+
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ options->keyhandle = TPM2_SRKHANDLE;
+ else
+ options->keyhandle = TPM1_SRKHANDLE;
}
return options;
}
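Review bot: the TPM 2.0 default `options->keyhandle = TPM2_SRKHANDLE` (0x80000000, the first transient handle per the comment added in trusted.h) is not a persistent storage root key. A key sealed with this default depends on whatever primary object happens to be loaded in that transient slot, and will not unseal after a reboot unless the same primary is recreated and loaded there. Either document this behaviour for the `keyhandle` option or reject a missing keyhandle on TPM 2.0 instead of silently picking a volatile one.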
@@ -937,7 +941,10 @@ static int trusted_instantiate(struct key *key,
switch (key_cmd) {
case Opt_load:
- ret = key_unseal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_unseal(payload, options);
dump_payload(payload);
dump_options(options);
if (ret < 0)
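Review bot: the `if (tpm_is_tpm2(TPM_ANY_NUM))` dispatch between tpm_unseal_trusted() and key_unseal() is repeated verbatim for the seal path in the next hunk, and the chip generation is queried again on every instantiate. Folding the branch into key_unseal()/key_seal() (or a small wrapper) would keep trusted_instantiate() unchanged and give one place to handle the TPM 1.2/2.0 split.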
@@ -950,7 +957,10 @@ static int trusted_instantiate(struct key *key,
pr_info("trusted_key: key_create failed (%d)\n", ret);
goto out;
}
- ret = key_seal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_seal(payload, options);
if (ret < 0)
pr_info("trusted_key: key_seal failed (%d)\n", ret);
break;
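Review bot: after this hunk the failure log still reads `pr_info("trusted_key: key_seal failed (%d)\n", ret);` even when the TPM 2.0 branch called tpm_seal_trusted() rather than key_seal(). The message should name the function that actually failed, or be reworded to something generation-neutral such as "seal failed", so a log line points at the right code path.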
diff --git a/security/keys/trusted.h b/security/keys/trusted.h
index ff001a5..fc32c47 100644
--- a/security/keys/trusted.h
+++ b/security/keys/trusted.h
@@ -12,6 +12,13 @@
#define TPM_RETURN_OFFSET 6
#define TPM_DATA_OFFSET 10
+/* Transient object handles start from 0x80000000 in TPM 2.0, which makes it
+ * a sane default.
+ */
+
+#define TPM1_SRKHANDLE 0x40000000
+#define TPM2_SRKHANDLE 0x80000000
+
#define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset]))
#define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset])
#define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset]))
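Review bot: the new comment above `TPM1_SRKHANDLE`/`TPM2_SRKHANDLE` says transient handles start at 0x80000000 and that this "makes it a sane default", but it does not say that a transient object only exists while something has loaded it, which is what makes the default fragile. Spell that out, drop the blank line that separates the comment from the defines it describes, and use the kernel's multi-line comment layout (`/*` alone on the first line) to match the surrounding file.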
--
2.5.0