From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: linux-integrity@vger.kernel.org
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
keyrings@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>
Subject: [PATCH v7 19/21] tpm: add the null key name as a sysfs export
Date: Tue, 13 Feb 2024 12:13:32 -0500 [thread overview]
Message-ID: <20240213171334.30479-20-James.Bottomley@HansenPartnership.com> (raw)
In-Reply-To: <20240213171334.30479-1-James.Bottomley@HansenPartnership.com>
This is the last component of encrypted tpm2 session handling that
allows us to verify from userspace that the key derived from the NULL
seed genuinely belongs to the TPM and has not been spoofed.
The procedure for doing this involves creating an attestation identity
key (which requires verification of the TPM EK certificate) and then
using that AIK to sign a certification of the Elliptic Curve key over
the NULL seed. Userspace must create this EC Key using the parameters
prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if
this is done correctly the names will match and the TPM can then run a
TPM2_Certify operation on this derived primary key using the newly
created AIK.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
---
v6: change config name
v7: add review
---
drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
index 54c71473aa29..94231f052ea7 100644
--- a/drivers/char/tpm/tpm-sysfs.c
+++ b/drivers/char/tpm/tpm-sysfs.c
@@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev,
}
static DEVICE_ATTR_RO(tpm_version_major);
+#ifdef CONFIG_TCG_TPM2_HMAC
+static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ struct tpm_chip *chip = to_tpm_chip(dev);
+ int size = TPM2_NAME_SIZE;
+
+ bin2hex(buf, chip->null_key_name, size);
+ size *= 2;
+ buf[size++] = '\n';
+ return size;
+}
+static DEVICE_ATTR_RO(null_name);
+#endif
+
static struct attribute *tpm1_dev_attrs[] = {
&dev_attr_pubek.attr,
&dev_attr_pcrs.attr,
@@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = {
static struct attribute *tpm2_dev_attrs[] = {
&dev_attr_tpm_version_major.attr,
+#ifdef CONFIG_TCG_TPM2_HMAC
+ &dev_attr_null_name.attr,
+#endif
NULL
};
--
2.35.3
next prev parent reply other threads:[~2024-02-13 17:22 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 17:13 [PATCH v7 00/21] add integrity and security to TPM2 transactions James Bottomley
2024-02-13 17:13 ` [PATCH v7 01/21] tpm: Remove unused tpm_buf_tag() James Bottomley
2024-02-13 17:13 ` [PATCH v7 02/21] tpm: Remove tpm_send() James Bottomley
2024-02-13 17:13 ` [PATCH v7 03/21] tpm: Move buffer handling from static inlines to real functions James Bottomley
2024-02-13 17:13 ` [PATCH v7 04/21] tpm: Update struct tpm_buf documentation comments James Bottomley
2024-02-13 17:13 ` [PATCH v7 05/21] tpm: Store the length of the tpm_buf data separately James Bottomley
2024-02-13 17:13 ` [PATCH v7 06/21] tpm: TPM2B formatted buffers James Bottomley
2024-02-13 17:13 ` [PATCH v7 07/21] tpm: Add tpm_buf_read_{u8,u16,u32} James Bottomley
2024-02-13 17:13 ` [PATCH v7 08/21] KEYS: trusted: tpm2: Use struct tpm_buf for sized buffers James Bottomley
2024-02-13 17:13 ` [PATCH v7 09/21] crypto: lib - implement library version of AES in CFB mode James Bottomley
2024-02-13 17:13 ` [PATCH v7 10/21] tpm: add buffer function to point to returned parameters James Bottomley
2024-02-13 17:13 ` [PATCH v7 11/21] tpm: export the context save and load commands James Bottomley
2024-02-13 17:13 ` [PATCH v7 12/21] tpm: Add NULL primary creation James Bottomley
2024-02-23 15:51 ` Jarkko Sakkinen
2024-04-29 20:10 ` James Bottomley
2024-03-30 18:48 ` Gabríel Arthúr Pétursson
2024-03-31 16:00 ` Jarkko Sakkinen
2024-03-31 16:09 ` Jarkko Sakkinen
2024-03-31 16:52 ` Gabríel Arthúr Pétursson
2024-04-01 12:57 ` Jarkko Sakkinen
2024-04-01 13:04 ` Jarkko Sakkinen
2024-04-02 19:30 ` Ken Goldman
2024-04-03 15:43 ` Jarkko Sakkinen
2024-04-01 14:19 ` James Bottomley
2024-04-01 16:55 ` James Bottomley
2024-04-01 20:54 ` Jarkko Sakkinen
2024-04-01 20:59 ` Jarkko Sakkinen
2024-02-13 17:13 ` [PATCH v7 13/21] tpm: Add HMAC session start and end functions James Bottomley
2024-02-23 17:02 ` Jarkko Sakkinen
2024-04-29 20:11 ` James Bottomley
2024-02-13 17:13 ` [PATCH v7 14/21] tpm: Add HMAC session name/handle append James Bottomley
2024-02-23 17:06 ` Jarkko Sakkinen
2024-04-29 20:11 ` James Bottomley
2024-02-13 17:13 ` [PATCH v7 15/21] tpm: Add the rest of the session HMAC API James Bottomley
2024-02-23 17:10 ` Jarkko Sakkinen
2024-04-29 20:11 ` James Bottomley
2024-02-13 17:13 ` [PATCH v7 16/21] tpm: add hmac checks to tpm2_pcr_extend() James Bottomley
2024-02-23 17:10 ` Jarkko Sakkinen
2024-02-13 17:13 ` [PATCH v7 17/21] tpm: add session encryption protection to tpm2_get_random() James Bottomley
2024-02-23 17:10 ` Jarkko Sakkinen
2024-02-13 17:13 ` [PATCH v7 18/21] KEYS: trusted: Add session encryption protection to the seal/unseal path James Bottomley
2024-02-23 17:11 ` Jarkko Sakkinen
2024-02-13 17:13 ` James Bottomley [this message]
2024-02-23 17:15 ` [PATCH v7 19/21] tpm: add the null key name as a sysfs export Jarkko Sakkinen
2024-02-13 17:13 ` [PATCH v7 20/21] Documentation: add tpm-security.rst James Bottomley
2024-02-13 17:13 ` [PATCH v7 21/21] tpm: disable the TPM if NULL name changes James Bottomley
2024-02-23 18:43 ` Jarkko Sakkinen
2024-02-14 0:13 ` [PATCH v7 00/21] add integrity and security to TPM2 transactions Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240213171334.30479-20-James.Bottomley@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.