From: James Prestwood <prestwoj@gmail.com>
To: keyrings@vger.kernel.org
Cc: James.Bottomley@HansenPartnership.com
Subject: [PATCH 10/17] tpm: add the null key name as a tpm2 sysfs variable
Date: Mon, 18 May 2020 17:26:57 +0000 [thread overview]
Message-ID: <20200518172704.29608-11-prestwoj@gmail.com> (raw)
In-Reply-To: <20200518172704.29608-1-prestwoj@gmail.com>
From: James Bottomley <James.Bottomley@HansenPartnership.com>
This is the last component of encrypted tpm2 session handling that
allows us to verify from userspace that the key derived from the NULL
seed genuinely belongs to the TPM and has not been spoofed.
The procedure for doing this involves creating an attestation identity
key (which requires verification of the TPM EK certificate) and then
using that AIK to sign a certification of the Elliptic Curve key over
the NULL seed. Userspace must create this EC Key using the parameters
prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if
this is done correctly the names will match and the TPM can then run a
TPM2_Certify operation on this derived primary key using the newly
created AIK.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
drivers/char/tpm/tpm-sysfs.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
index d52bf4df0bca..c2733252320a 100644
--- a/drivers/char/tpm/tpm-sysfs.c
+++ b/drivers/char/tpm/tpm-sysfs.c
@@ -310,6 +310,19 @@ static ssize_t timeouts_show(struct device *dev, struct device_attribute *attr,
}
static DEVICE_ATTR_RO(timeouts);
+static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ struct tpm_chip *chip = to_tpm_chip(dev);
+ int size = TPM2_NAME_SIZE;
+
+ bin2hex(buf, chip->tpmkeyname, size);
+ size *= 2;
+ buf[size++] = '\n';
+ return size;
+}
+static DEVICE_ATTR_RO(null_name);
+
static ssize_t tpm_version_major_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
@@ -336,7 +349,7 @@ static struct attribute *tpm1_dev_attrs[] = {
};
static struct attribute *tpm2_dev_attrs[] = {
- &dev_attr_tpm_version_major.attr,
+ &dev_attr_null_name.attr,
NULL
};
@@ -346,10 +359,24 @@ static const struct attribute_group tpm1_dev_group = {
static const struct attribute_group tpm2_dev_group = {
.attrs = tpm2_dev_attrs,
+
};
void tpm_sysfs_add_device(struct tpm_chip *chip)
{
+ /* XXX: If you wish to remove this restriction, you must first update
+ * tpm_sysfs to explicitly lock chip->ops.
+ */
+ if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+ WARN_ON(chip->groups_cnt != 0);
+ chip->groups[chip->groups_cnt++] = &tpm2_dev_group;
+ return;
+ }
+
+ /* The sysfs routines rely on an implicit tpm_try_get_ops, device_del
+ * is called before ops is null'd and the sysfs core synchronizes this
+ * removal so that no callbacks are running or can run again
+ */
WARN_ON(chip->groups_cnt != 0);
if (chip->flags & TPM_CHIP_FLAG_TPM2)
chip->groups[chip->groups_cnt++] = &tpm2_dev_group;
--
2.21.1
next prev parent reply other threads:[~2020-05-18 17:26 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 17:26 [PATCH 00/17] Asymmetric key operations on TPM2 James Prestwood
2020-05-18 17:26 ` [PATCH 01/17] tpm-buf: move from static inlines to real functions James Prestwood
2020-05-18 17:26 ` [PATCH 02/17] tpm-buf: add handling for TPM2B types James Prestwood
2020-05-18 17:26 ` [PATCH 03/17] tpm-buf: add cursor based functions for response parsing James Prestwood
2020-05-18 17:26 ` [PATCH 04/17] tpm2-space: export the context save and load commands James Prestwood
2020-05-18 17:26 ` [PATCH 05/17] tpm2-sessions: Add full HMAC and encrypt/decrypt session handling James Prestwood
2020-05-18 17:26 ` [PATCH 06/17] tpm-buf: add tpm_buf_parameters() James Prestwood
2020-05-18 17:26 ` [PATCH 07/17] tpm2: add hmac checks to tpm2_pcr_extend() James Prestwood
2020-05-18 17:26 ` [PATCH 08/17] tpm2: add session encryption protection to tpm2_get_random() James Prestwood
2020-05-18 17:26 ` [PATCH 09/17] trusted keys: Add session encryption protection to the seal/unseal path James Prestwood
2020-05-18 17:26 ` James Prestwood [this message]
2020-05-18 17:26 ` [PATCH 11/17] Documentation: add tpm-security.rst James Prestwood
2020-05-18 17:26 ` [PATCH 12/17] oid_registry: Add TCG defined OIDS for TPM keys James Prestwood
2020-05-18 17:27 ` [PATCH 13/17] tpm: tpm2-cmd: add driver API for RSA decryption James Prestwood
2020-05-18 17:27 ` [PATCH 14/17] include: linux: tpm: expose tpm2_rsa_decrypt James Prestwood
2020-05-18 17:27 ` [PATCH 15/17] include: crypto: add asym_tpm2_subtype definition James Prestwood
2020-05-18 17:27 ` [PATCH 16/17] asymmetric_keys: add TPM2 ASN1 definition James Prestwood
2020-05-18 17:27 ` [PATCH 17/17] asymmetric_keys: add tpm2 key parser/type James Prestwood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200518172704.29608-11-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=keyrings@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.