]>
Commit | Line | Data |
---|---|---|
903be6bb DK |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #define pr_fmt(fmt) "ASYM-TPM: "fmt | |
3 | #include <linux/slab.h> | |
4 | #include <linux/module.h> | |
5 | #include <linux/export.h> | |
6 | #include <linux/kernel.h> | |
7 | #include <linux/seq_file.h> | |
8 | #include <linux/scatterlist.h> | |
9 | #include <linux/tpm.h> | |
0c36264a | 10 | #include <linux/tpm_command.h> |
dff5a61a | 11 | #include <crypto/akcipher.h> |
0c36264a DK |
12 | #include <crypto/hash.h> |
13 | #include <crypto/sha.h> | |
f8c54e1a | 14 | #include <asm/unaligned.h> |
903be6bb | 15 | #include <keys/asymmetric-subtype.h> |
0c36264a | 16 | #include <keys/trusted.h> |
903be6bb | 17 | #include <crypto/asym_tpm_subtype.h> |
e08e6891 | 18 | #include <crypto/public_key.h> |
903be6bb | 19 | |
0c36264a DK |
20 | #define TPM_ORD_FLUSHSPECIFIC 186 |
21 | #define TPM_ORD_LOADKEY2 65 | |
f884fe5a | 22 | #define TPM_ORD_UNBIND 30 |
e73d170f | 23 | #define TPM_ORD_SIGN 60 |
0c36264a DK |
24 | #define TPM_LOADKEY2_SIZE 59 |
25 | #define TPM_FLUSHSPECIFIC_SIZE 18 | |
f884fe5a | 26 | #define TPM_UNBIND_SIZE 63 |
e73d170f | 27 | #define TPM_SIGN_SIZE 63 |
0c36264a DK |
28 | |
29 | #define TPM_RT_KEY 0x00000001 | |
30 | ||
31 | /* | |
32 | * Load a TPM key from the blob provided by userspace | |
33 | */ | |
34 | static int tpm_loadkey2(struct tpm_buf *tb, | |
35 | uint32_t keyhandle, unsigned char *keyauth, | |
36 | const unsigned char *keyblob, int keybloblen, | |
37 | uint32_t *newhandle) | |
38 | { | |
39 | unsigned char nonceodd[TPM_NONCE_SIZE]; | |
40 | unsigned char enonce[TPM_NONCE_SIZE]; | |
41 | unsigned char authdata[SHA1_DIGEST_SIZE]; | |
42 | uint32_t authhandle = 0; | |
43 | unsigned char cont = 0; | |
44 | uint32_t ordinal; | |
45 | int ret; | |
46 | ||
47 | ordinal = htonl(TPM_ORD_LOADKEY2); | |
48 | ||
49 | /* session for loading the key */ | |
50 | ret = oiap(tb, &authhandle, enonce); | |
51 | if (ret < 0) { | |
52 | pr_info("oiap failed (%d)\n", ret); | |
53 | return ret; | |
54 | } | |
55 | ||
56 | /* generate odd nonce */ | |
57 | ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); | |
58 | if (ret < 0) { | |
59 | pr_info("tpm_get_random failed (%d)\n", ret); | |
60 | return ret; | |
61 | } | |
62 | ||
63 | /* calculate authorization HMAC value */ | |
64 | ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce, | |
65 | nonceodd, cont, sizeof(uint32_t), &ordinal, | |
66 | keybloblen, keyblob, 0, 0); | |
67 | if (ret < 0) | |
68 | return ret; | |
69 | ||
70 | /* build the request buffer */ | |
71 | INIT_BUF(tb); | |
72 | store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); | |
73 | store32(tb, TPM_LOADKEY2_SIZE + keybloblen); | |
74 | store32(tb, TPM_ORD_LOADKEY2); | |
75 | store32(tb, keyhandle); | |
76 | storebytes(tb, keyblob, keybloblen); | |
77 | store32(tb, authhandle); | |
78 | storebytes(tb, nonceodd, TPM_NONCE_SIZE); | |
79 | store8(tb, cont); | |
80 | storebytes(tb, authdata, SHA1_DIGEST_SIZE); | |
81 | ||
82 | ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
83 | if (ret < 0) { | |
84 | pr_info("authhmac failed (%d)\n", ret); | |
85 | return ret; | |
86 | } | |
87 | ||
88 | ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth, | |
89 | SHA1_DIGEST_SIZE, 0, 0); | |
90 | if (ret < 0) { | |
91 | pr_info("TSS_checkhmac1 failed (%d)\n", ret); | |
92 | return ret; | |
93 | } | |
94 | ||
95 | *newhandle = LOAD32(tb->data, TPM_DATA_OFFSET); | |
96 | return 0; | |
97 | } | |
98 | ||
99 | /* | |
100 | * Execute the FlushSpecific TPM command | |
101 | */ | |
102 | static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle) | |
103 | { | |
104 | INIT_BUF(tb); | |
105 | store16(tb, TPM_TAG_RQU_COMMAND); | |
106 | store32(tb, TPM_FLUSHSPECIFIC_SIZE); | |
107 | store32(tb, TPM_ORD_FLUSHSPECIFIC); | |
108 | store32(tb, handle); | |
109 | store32(tb, TPM_RT_KEY); | |
110 | ||
111 | return trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
112 | } | |
113 | ||
f884fe5a DK |
114 | /* |
115 | * Decrypt a blob provided by userspace using a specific key handle. | |
116 | * The handle is a well known handle or previously loaded by e.g. LoadKey2 | |
117 | */ | |
118 | static int tpm_unbind(struct tpm_buf *tb, | |
119 | uint32_t keyhandle, unsigned char *keyauth, | |
120 | const unsigned char *blob, uint32_t bloblen, | |
121 | void *out, uint32_t outlen) | |
122 | { | |
123 | unsigned char nonceodd[TPM_NONCE_SIZE]; | |
124 | unsigned char enonce[TPM_NONCE_SIZE]; | |
125 | unsigned char authdata[SHA1_DIGEST_SIZE]; | |
126 | uint32_t authhandle = 0; | |
127 | unsigned char cont = 0; | |
128 | uint32_t ordinal; | |
129 | uint32_t datalen; | |
130 | int ret; | |
131 | ||
132 | ordinal = htonl(TPM_ORD_UNBIND); | |
133 | datalen = htonl(bloblen); | |
134 | ||
135 | /* session for loading the key */ | |
136 | ret = oiap(tb, &authhandle, enonce); | |
137 | if (ret < 0) { | |
138 | pr_info("oiap failed (%d)\n", ret); | |
139 | return ret; | |
140 | } | |
141 | ||
142 | /* generate odd nonce */ | |
143 | ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); | |
144 | if (ret < 0) { | |
145 | pr_info("tpm_get_random failed (%d)\n", ret); | |
146 | return ret; | |
147 | } | |
148 | ||
149 | /* calculate authorization HMAC value */ | |
150 | ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce, | |
151 | nonceodd, cont, sizeof(uint32_t), &ordinal, | |
152 | sizeof(uint32_t), &datalen, | |
153 | bloblen, blob, 0, 0); | |
154 | if (ret < 0) | |
155 | return ret; | |
156 | ||
157 | /* build the request buffer */ | |
158 | INIT_BUF(tb); | |
159 | store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); | |
160 | store32(tb, TPM_UNBIND_SIZE + bloblen); | |
161 | store32(tb, TPM_ORD_UNBIND); | |
162 | store32(tb, keyhandle); | |
163 | store32(tb, bloblen); | |
164 | storebytes(tb, blob, bloblen); | |
165 | store32(tb, authhandle); | |
166 | storebytes(tb, nonceodd, TPM_NONCE_SIZE); | |
167 | store8(tb, cont); | |
168 | storebytes(tb, authdata, SHA1_DIGEST_SIZE); | |
169 | ||
170 | ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
171 | if (ret < 0) { | |
172 | pr_info("authhmac failed (%d)\n", ret); | |
173 | return ret; | |
174 | } | |
175 | ||
176 | datalen = LOAD32(tb->data, TPM_DATA_OFFSET); | |
177 | ||
178 | ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, | |
179 | keyauth, SHA1_DIGEST_SIZE, | |
180 | sizeof(uint32_t), TPM_DATA_OFFSET, | |
181 | datalen, TPM_DATA_OFFSET + sizeof(uint32_t), | |
182 | 0, 0); | |
183 | if (ret < 0) { | |
184 | pr_info("TSS_checkhmac1 failed (%d)\n", ret); | |
185 | return ret; | |
186 | } | |
187 | ||
188 | memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), | |
189 | min(outlen, datalen)); | |
190 | ||
191 | return datalen; | |
192 | } | |
193 | ||
e73d170f DK |
194 | /* |
195 | * Sign a blob provided by userspace (that has had the hash function applied) | |
196 | * using a specific key handle. The handle is assumed to have been previously | |
197 | * loaded by e.g. LoadKey2. | |
198 | * | |
199 | * Note that the key signature scheme of the used key should be set to | |
200 | * TPM_SS_RSASSAPKCS1v15_DER. This allows the hashed input to be of any size | |
201 | * up to key_length_in_bytes - 11 and not be limited to size 20 like the | |
202 | * TPM_SS_RSASSAPKCS1v15_SHA1 signature scheme. | |
203 | */ | |
204 | static int tpm_sign(struct tpm_buf *tb, | |
205 | uint32_t keyhandle, unsigned char *keyauth, | |
206 | const unsigned char *blob, uint32_t bloblen, | |
207 | void *out, uint32_t outlen) | |
208 | { | |
209 | unsigned char nonceodd[TPM_NONCE_SIZE]; | |
210 | unsigned char enonce[TPM_NONCE_SIZE]; | |
211 | unsigned char authdata[SHA1_DIGEST_SIZE]; | |
212 | uint32_t authhandle = 0; | |
213 | unsigned char cont = 0; | |
214 | uint32_t ordinal; | |
215 | uint32_t datalen; | |
216 | int ret; | |
217 | ||
218 | ordinal = htonl(TPM_ORD_SIGN); | |
219 | datalen = htonl(bloblen); | |
220 | ||
221 | /* session for loading the key */ | |
222 | ret = oiap(tb, &authhandle, enonce); | |
223 | if (ret < 0) { | |
224 | pr_info("oiap failed (%d)\n", ret); | |
225 | return ret; | |
226 | } | |
227 | ||
228 | /* generate odd nonce */ | |
229 | ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); | |
230 | if (ret < 0) { | |
231 | pr_info("tpm_get_random failed (%d)\n", ret); | |
232 | return ret; | |
233 | } | |
234 | ||
235 | /* calculate authorization HMAC value */ | |
236 | ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce, | |
237 | nonceodd, cont, sizeof(uint32_t), &ordinal, | |
238 | sizeof(uint32_t), &datalen, | |
239 | bloblen, blob, 0, 0); | |
240 | if (ret < 0) | |
241 | return ret; | |
242 | ||
243 | /* build the request buffer */ | |
244 | INIT_BUF(tb); | |
245 | store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); | |
246 | store32(tb, TPM_SIGN_SIZE + bloblen); | |
247 | store32(tb, TPM_ORD_SIGN); | |
248 | store32(tb, keyhandle); | |
249 | store32(tb, bloblen); | |
250 | storebytes(tb, blob, bloblen); | |
251 | store32(tb, authhandle); | |
252 | storebytes(tb, nonceodd, TPM_NONCE_SIZE); | |
253 | store8(tb, cont); | |
254 | storebytes(tb, authdata, SHA1_DIGEST_SIZE); | |
255 | ||
256 | ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
257 | if (ret < 0) { | |
258 | pr_info("authhmac failed (%d)\n", ret); | |
259 | return ret; | |
260 | } | |
261 | ||
262 | datalen = LOAD32(tb->data, TPM_DATA_OFFSET); | |
263 | ||
264 | ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, | |
265 | keyauth, SHA1_DIGEST_SIZE, | |
266 | sizeof(uint32_t), TPM_DATA_OFFSET, | |
267 | datalen, TPM_DATA_OFFSET + sizeof(uint32_t), | |
268 | 0, 0); | |
269 | if (ret < 0) { | |
270 | pr_info("TSS_checkhmac1 failed (%d)\n", ret); | |
271 | return ret; | |
272 | } | |
273 | ||
274 | memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), | |
275 | min(datalen, outlen)); | |
276 | ||
277 | return datalen; | |
278 | } | |
dff5a61a DK |
279 | /* |
280 | * Maximum buffer size for the BER/DER encoded public key. The public key | |
281 | * is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048 | |
282 | * bit key and e is usually 65537 | |
283 | * The encoding overhead is: | |
284 | * - max 4 bytes for SEQUENCE | |
285 | * - max 4 bytes for INTEGER n type/length | |
286 | * - 257 bytes of n | |
287 | * - max 2 bytes for INTEGER e type/length | |
288 | * - 3 bytes of e | |
289 | */ | |
290 | #define PUB_KEY_BUF_SIZE (4 + 4 + 257 + 2 + 3) | |
291 | ||
903be6bb DK |
292 | /* |
293 | * Provide a part of a description of the key for /proc/keys. | |
294 | */ | |
295 | static void asym_tpm_describe(const struct key *asymmetric_key, | |
296 | struct seq_file *m) | |
297 | { | |
298 | struct tpm_key *tk = asymmetric_key->payload.data[asym_crypto]; | |
299 | ||
300 | if (!tk) | |
301 | return; | |
302 | ||
303 | seq_printf(m, "TPM1.2/Blob"); | |
304 | } | |
305 | ||
306 | static void asym_tpm_destroy(void *payload0, void *payload3) | |
307 | { | |
308 | struct tpm_key *tk = payload0; | |
309 | ||
310 | if (!tk) | |
311 | return; | |
312 | ||
313 | kfree(tk->blob); | |
314 | tk->blob_len = 0; | |
315 | ||
316 | kfree(tk); | |
317 | } | |
318 | ||
dff5a61a DK |
319 | /* How many bytes will it take to encode the length */ |
320 | static inline uint32_t definite_length(uint32_t len) | |
321 | { | |
322 | if (len <= 127) | |
323 | return 1; | |
324 | if (len <= 255) | |
325 | return 2; | |
326 | return 3; | |
327 | } | |
328 | ||
329 | static inline uint8_t *encode_tag_length(uint8_t *buf, uint8_t tag, | |
330 | uint32_t len) | |
331 | { | |
332 | *buf++ = tag; | |
333 | ||
334 | if (len <= 127) { | |
335 | buf[0] = len; | |
336 | return buf + 1; | |
337 | } | |
338 | ||
339 | if (len <= 255) { | |
340 | buf[0] = 0x81; | |
341 | buf[1] = len; | |
342 | return buf + 2; | |
343 | } | |
344 | ||
345 | buf[0] = 0x82; | |
346 | put_unaligned_be16(len, buf + 1); | |
347 | return buf + 3; | |
348 | } | |
349 | ||
350 | static uint32_t derive_pub_key(const void *pub_key, uint32_t len, uint8_t *buf) | |
351 | { | |
352 | uint8_t *cur = buf; | |
353 | uint32_t n_len = definite_length(len) + 1 + len + 1; | |
354 | uint32_t e_len = definite_length(3) + 1 + 3; | |
355 | uint8_t e[3] = { 0x01, 0x00, 0x01 }; | |
356 | ||
357 | /* SEQUENCE */ | |
358 | cur = encode_tag_length(cur, 0x30, n_len + e_len); | |
359 | /* INTEGER n */ | |
360 | cur = encode_tag_length(cur, 0x02, len + 1); | |
361 | cur[0] = 0x00; | |
362 | memcpy(cur + 1, pub_key, len); | |
363 | cur += len + 1; | |
364 | cur = encode_tag_length(cur, 0x02, sizeof(e)); | |
365 | memcpy(cur, e, sizeof(e)); | |
366 | cur += sizeof(e); | |
367 | ||
368 | return cur - buf; | |
369 | } | |
370 | ||
371 | /* | |
372 | * Determine the crypto algorithm name. | |
373 | */ | |
374 | static int determine_akcipher(const char *encoding, const char *hash_algo, | |
375 | char alg_name[CRYPTO_MAX_ALG_NAME]) | |
376 | { | |
dff5a61a | 377 | if (strcmp(encoding, "pkcs1") == 0) { |
e08e6891 DK |
378 | if (!hash_algo) { |
379 | strcpy(alg_name, "pkcs1pad(rsa)"); | |
380 | return 0; | |
381 | } | |
382 | ||
383 | if (snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "pkcs1pad(rsa,%s)", | |
384 | hash_algo) >= CRYPTO_MAX_ALG_NAME) | |
385 | return -EINVAL; | |
386 | ||
dff5a61a DK |
387 | return 0; |
388 | } | |
389 | ||
390 | if (strcmp(encoding, "raw") == 0) { | |
391 | strcpy(alg_name, "rsa"); | |
392 | return 0; | |
393 | } | |
394 | ||
395 | return -ENOPKG; | |
396 | } | |
397 | ||
398 | /* | |
399 | * Query information about a key. | |
400 | */ | |
401 | static int tpm_key_query(const struct kernel_pkey_params *params, | |
402 | struct kernel_pkey_query *info) | |
403 | { | |
404 | struct tpm_key *tk = params->key->payload.data[asym_crypto]; | |
405 | int ret; | |
406 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
407 | struct crypto_akcipher *tfm; | |
408 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
409 | uint32_t der_pub_key_len; | |
410 | int len; | |
411 | ||
412 | /* TPM only works on private keys, public keys still done in software */ | |
413 | ret = determine_akcipher(params->encoding, params->hash_algo, alg_name); | |
414 | if (ret < 0) | |
415 | return ret; | |
416 | ||
417 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
418 | if (IS_ERR(tfm)) | |
419 | return PTR_ERR(tfm); | |
420 | ||
421 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
422 | der_pub_key); | |
423 | ||
424 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
425 | if (ret < 0) | |
426 | goto error_free_tfm; | |
427 | ||
428 | len = crypto_akcipher_maxsize(tfm); | |
429 | ||
430 | info->key_size = tk->key_len; | |
431 | info->max_data_size = tk->key_len / 8; | |
432 | info->max_sig_size = len; | |
433 | info->max_enc_size = len; | |
434 | info->max_dec_size = tk->key_len / 8; | |
435 | ||
a335974a | 436 | info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT | |
e08e6891 | 437 | KEYCTL_SUPPORTS_DECRYPT | |
64ae16df DK |
438 | KEYCTL_SUPPORTS_VERIFY | |
439 | KEYCTL_SUPPORTS_SIGN; | |
ad4b1eb5 | 440 | |
dff5a61a DK |
441 | ret = 0; |
442 | error_free_tfm: | |
443 | crypto_free_akcipher(tfm); | |
444 | pr_devel("<==%s() = %d\n", __func__, ret); | |
445 | return ret; | |
446 | } | |
447 | ||
ad4b1eb5 DK |
448 | /* |
449 | * Encryption operation is performed with the public key. Hence it is done | |
450 | * in software | |
451 | */ | |
452 | static int tpm_key_encrypt(struct tpm_key *tk, | |
453 | struct kernel_pkey_params *params, | |
454 | const void *in, void *out) | |
455 | { | |
456 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
457 | struct crypto_akcipher *tfm; | |
458 | struct akcipher_request *req; | |
459 | struct crypto_wait cwait; | |
460 | struct scatterlist in_sg, out_sg; | |
461 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
462 | uint32_t der_pub_key_len; | |
463 | int ret; | |
464 | ||
465 | pr_devel("==>%s()\n", __func__); | |
466 | ||
467 | ret = determine_akcipher(params->encoding, params->hash_algo, alg_name); | |
468 | if (ret < 0) | |
469 | return ret; | |
470 | ||
471 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
472 | if (IS_ERR(tfm)) | |
473 | return PTR_ERR(tfm); | |
474 | ||
475 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
476 | der_pub_key); | |
477 | ||
478 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
479 | if (ret < 0) | |
480 | goto error_free_tfm; | |
481 | ||
482 | req = akcipher_request_alloc(tfm, GFP_KERNEL); | |
483 | if (!req) | |
484 | goto error_free_tfm; | |
485 | ||
486 | sg_init_one(&in_sg, in, params->in_len); | |
487 | sg_init_one(&out_sg, out, params->out_len); | |
488 | akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, | |
489 | params->out_len); | |
490 | crypto_init_wait(&cwait); | |
491 | akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
492 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
493 | crypto_req_done, &cwait); | |
494 | ||
495 | ret = crypto_akcipher_encrypt(req); | |
496 | ret = crypto_wait_req(ret, &cwait); | |
497 | ||
498 | if (ret == 0) | |
499 | ret = req->dst_len; | |
500 | ||
501 | akcipher_request_free(req); | |
502 | error_free_tfm: | |
503 | crypto_free_akcipher(tfm); | |
504 | pr_devel("<==%s() = %d\n", __func__, ret); | |
505 | return ret; | |
506 | } | |
507 | ||
a335974a DK |
508 | /* |
509 | * Decryption operation is performed with the private key in the TPM. | |
510 | */ | |
511 | static int tpm_key_decrypt(struct tpm_key *tk, | |
512 | struct kernel_pkey_params *params, | |
513 | const void *in, void *out) | |
514 | { | |
515 | struct tpm_buf *tb; | |
516 | uint32_t keyhandle; | |
517 | uint8_t srkauth[SHA1_DIGEST_SIZE]; | |
518 | uint8_t keyauth[SHA1_DIGEST_SIZE]; | |
519 | int r; | |
520 | ||
521 | pr_devel("==>%s()\n", __func__); | |
522 | ||
523 | if (params->hash_algo) | |
524 | return -ENOPKG; | |
525 | ||
526 | if (strcmp(params->encoding, "pkcs1")) | |
527 | return -ENOPKG; | |
528 | ||
529 | tb = kzalloc(sizeof(*tb), GFP_KERNEL); | |
530 | if (!tb) | |
531 | return -ENOMEM; | |
532 | ||
533 | /* TODO: Handle a non-all zero SRK authorization */ | |
534 | memset(srkauth, 0, sizeof(srkauth)); | |
535 | ||
536 | r = tpm_loadkey2(tb, SRKHANDLE, srkauth, | |
537 | tk->blob, tk->blob_len, &keyhandle); | |
538 | if (r < 0) { | |
539 | pr_devel("loadkey2 failed (%d)\n", r); | |
540 | goto error; | |
541 | } | |
542 | ||
543 | /* TODO: Handle a non-all zero key authorization */ | |
544 | memset(keyauth, 0, sizeof(keyauth)); | |
545 | ||
546 | r = tpm_unbind(tb, keyhandle, keyauth, | |
547 | in, params->in_len, out, params->out_len); | |
548 | if (r < 0) | |
549 | pr_devel("tpm_unbind failed (%d)\n", r); | |
550 | ||
551 | if (tpm_flushspecific(tb, keyhandle) < 0) | |
552 | pr_devel("flushspecific failed (%d)\n", r); | |
553 | ||
554 | error: | |
555 | kzfree(tb); | |
556 | pr_devel("<==%s() = %d\n", __func__, r); | |
557 | return r; | |
558 | } | |
559 | ||
64ae16df DK |
560 | /* |
561 | * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. | |
562 | */ | |
563 | static const u8 digest_info_md5[] = { | |
564 | 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, | |
565 | 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */ | |
566 | 0x05, 0x00, 0x04, 0x10 | |
567 | }; | |
568 | ||
569 | static const u8 digest_info_sha1[] = { | |
570 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | |
571 | 0x2b, 0x0e, 0x03, 0x02, 0x1a, | |
572 | 0x05, 0x00, 0x04, 0x14 | |
573 | }; | |
574 | ||
575 | static const u8 digest_info_rmd160[] = { | |
576 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | |
577 | 0x2b, 0x24, 0x03, 0x02, 0x01, | |
578 | 0x05, 0x00, 0x04, 0x14 | |
579 | }; | |
580 | ||
581 | static const u8 digest_info_sha224[] = { | |
582 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, | |
583 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, | |
584 | 0x05, 0x00, 0x04, 0x1c | |
585 | }; | |
586 | ||
587 | static const u8 digest_info_sha256[] = { | |
588 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, | |
589 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | |
590 | 0x05, 0x00, 0x04, 0x20 | |
591 | }; | |
592 | ||
593 | static const u8 digest_info_sha384[] = { | |
594 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, | |
595 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, | |
596 | 0x05, 0x00, 0x04, 0x30 | |
597 | }; | |
598 | ||
599 | static const u8 digest_info_sha512[] = { | |
600 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, | |
601 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, | |
602 | 0x05, 0x00, 0x04, 0x40 | |
603 | }; | |
604 | ||
605 | static const struct asn1_template { | |
606 | const char *name; | |
607 | const u8 *data; | |
608 | size_t size; | |
609 | } asn1_templates[] = { | |
610 | #define _(X) { #X, digest_info_##X, sizeof(digest_info_##X) } | |
611 | _(md5), | |
612 | _(sha1), | |
613 | _(rmd160), | |
614 | _(sha256), | |
615 | _(sha384), | |
616 | _(sha512), | |
617 | _(sha224), | |
618 | { NULL } | |
619 | #undef _ | |
620 | }; | |
621 | ||
622 | static const struct asn1_template *lookup_asn1(const char *name) | |
623 | { | |
624 | const struct asn1_template *p; | |
625 | ||
626 | for (p = asn1_templates; p->name; p++) | |
627 | if (strcmp(name, p->name) == 0) | |
628 | return p; | |
629 | return NULL; | |
630 | } | |
631 | ||
632 | /* | |
633 | * Sign operation is performed with the private key in the TPM. | |
634 | */ | |
635 | static int tpm_key_sign(struct tpm_key *tk, | |
636 | struct kernel_pkey_params *params, | |
637 | const void *in, void *out) | |
638 | { | |
639 | struct tpm_buf *tb; | |
640 | uint32_t keyhandle; | |
641 | uint8_t srkauth[SHA1_DIGEST_SIZE]; | |
642 | uint8_t keyauth[SHA1_DIGEST_SIZE]; | |
643 | void *asn1_wrapped = NULL; | |
644 | uint32_t in_len = params->in_len; | |
645 | int r; | |
646 | ||
647 | pr_devel("==>%s()\n", __func__); | |
648 | ||
649 | if (strcmp(params->encoding, "pkcs1")) | |
650 | return -ENOPKG; | |
651 | ||
652 | if (params->hash_algo) { | |
653 | const struct asn1_template *asn1 = | |
654 | lookup_asn1(params->hash_algo); | |
655 | ||
656 | if (!asn1) | |
657 | return -ENOPKG; | |
658 | ||
659 | /* request enough space for the ASN.1 template + input hash */ | |
660 | asn1_wrapped = kzalloc(in_len + asn1->size, GFP_KERNEL); | |
661 | if (!asn1_wrapped) | |
662 | return -ENOMEM; | |
663 | ||
664 | /* Copy ASN.1 template, then the input */ | |
665 | memcpy(asn1_wrapped, asn1->data, asn1->size); | |
666 | memcpy(asn1_wrapped + asn1->size, in, in_len); | |
667 | ||
668 | in = asn1_wrapped; | |
669 | in_len += asn1->size; | |
670 | } | |
671 | ||
672 | if (in_len > tk->key_len / 8 - 11) { | |
673 | r = -EOVERFLOW; | |
674 | goto error_free_asn1_wrapped; | |
675 | } | |
676 | ||
677 | r = -ENOMEM; | |
678 | tb = kzalloc(sizeof(*tb), GFP_KERNEL); | |
679 | if (!tb) | |
680 | goto error_free_asn1_wrapped; | |
681 | ||
682 | /* TODO: Handle a non-all zero SRK authorization */ | |
683 | memset(srkauth, 0, sizeof(srkauth)); | |
684 | ||
685 | r = tpm_loadkey2(tb, SRKHANDLE, srkauth, | |
686 | tk->blob, tk->blob_len, &keyhandle); | |
687 | if (r < 0) { | |
688 | pr_devel("loadkey2 failed (%d)\n", r); | |
689 | goto error_free_tb; | |
690 | } | |
691 | ||
692 | /* TODO: Handle a non-all zero key authorization */ | |
693 | memset(keyauth, 0, sizeof(keyauth)); | |
694 | ||
695 | r = tpm_sign(tb, keyhandle, keyauth, in, in_len, out, params->out_len); | |
696 | if (r < 0) | |
697 | pr_devel("tpm_sign failed (%d)\n", r); | |
698 | ||
699 | if (tpm_flushspecific(tb, keyhandle) < 0) | |
700 | pr_devel("flushspecific failed (%d)\n", r); | |
701 | ||
702 | error_free_tb: | |
703 | kzfree(tb); | |
704 | error_free_asn1_wrapped: | |
705 | kfree(asn1_wrapped); | |
706 | pr_devel("<==%s() = %d\n", __func__, r); | |
707 | return r; | |
708 | } | |
709 | ||
ad4b1eb5 DK |
710 | /* |
711 | * Do encryption, decryption and signing ops. | |
712 | */ | |
713 | static int tpm_key_eds_op(struct kernel_pkey_params *params, | |
714 | const void *in, void *out) | |
715 | { | |
716 | struct tpm_key *tk = params->key->payload.data[asym_crypto]; | |
717 | int ret = -EOPNOTSUPP; | |
718 | ||
719 | /* Perform the encryption calculation. */ | |
720 | switch (params->op) { | |
721 | case kernel_pkey_encrypt: | |
722 | ret = tpm_key_encrypt(tk, params, in, out); | |
723 | break; | |
a335974a DK |
724 | case kernel_pkey_decrypt: |
725 | ret = tpm_key_decrypt(tk, params, in, out); | |
726 | break; | |
64ae16df DK |
727 | case kernel_pkey_sign: |
728 | ret = tpm_key_sign(tk, params, in, out); | |
729 | break; | |
ad4b1eb5 DK |
730 | default: |
731 | BUG(); | |
732 | } | |
733 | ||
734 | return ret; | |
735 | } | |
736 | ||
e08e6891 DK |
737 | /* |
738 | * Verify a signature using a public key. | |
739 | */ | |
740 | static int tpm_key_verify_signature(const struct key *key, | |
741 | const struct public_key_signature *sig) | |
742 | { | |
743 | const struct tpm_key *tk = key->payload.data[asym_crypto]; | |
744 | struct crypto_wait cwait; | |
745 | struct crypto_akcipher *tfm; | |
746 | struct akcipher_request *req; | |
747 | struct scatterlist sig_sg, digest_sg; | |
748 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
749 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
750 | uint32_t der_pub_key_len; | |
751 | void *output; | |
752 | unsigned int outlen; | |
753 | int ret; | |
754 | ||
755 | pr_devel("==>%s()\n", __func__); | |
756 | ||
757 | BUG_ON(!tk); | |
758 | BUG_ON(!sig); | |
759 | BUG_ON(!sig->s); | |
760 | ||
761 | if (!sig->digest) | |
762 | return -ENOPKG; | |
763 | ||
764 | ret = determine_akcipher(sig->encoding, sig->hash_algo, alg_name); | |
765 | if (ret < 0) | |
766 | return ret; | |
767 | ||
768 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
769 | if (IS_ERR(tfm)) | |
770 | return PTR_ERR(tfm); | |
771 | ||
772 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
773 | der_pub_key); | |
774 | ||
775 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
776 | if (ret < 0) | |
777 | goto error_free_tfm; | |
778 | ||
779 | ret = -ENOMEM; | |
780 | req = akcipher_request_alloc(tfm, GFP_KERNEL); | |
781 | if (!req) | |
782 | goto error_free_tfm; | |
783 | ||
784 | ret = -ENOMEM; | |
785 | outlen = crypto_akcipher_maxsize(tfm); | |
786 | output = kmalloc(outlen, GFP_KERNEL); | |
787 | if (!output) | |
788 | goto error_free_req; | |
789 | ||
790 | sg_init_one(&sig_sg, sig->s, sig->s_size); | |
791 | sg_init_one(&digest_sg, output, outlen); | |
792 | akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size, | |
793 | outlen); | |
794 | crypto_init_wait(&cwait); | |
795 | akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
796 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
797 | crypto_req_done, &cwait); | |
798 | ||
799 | /* Perform the verification calculation. This doesn't actually do the | |
800 | * verification, but rather calculates the hash expected by the | |
801 | * signature and returns that to us. | |
802 | */ | |
803 | ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); | |
804 | if (ret) | |
805 | goto out_free_output; | |
806 | ||
807 | /* Do the actual verification step. */ | |
808 | if (req->dst_len != sig->digest_size || | |
809 | memcmp(sig->digest, output, sig->digest_size) != 0) | |
810 | ret = -EKEYREJECTED; | |
811 | ||
812 | out_free_output: | |
813 | kfree(output); | |
814 | error_free_req: | |
815 | akcipher_request_free(req); | |
816 | error_free_tfm: | |
817 | crypto_free_akcipher(tfm); | |
818 | pr_devel("<==%s() = %d\n", __func__, ret); | |
819 | if (WARN_ON_ONCE(ret > 0)) | |
820 | ret = -EINVAL; | |
821 | return ret; | |
822 | } | |
823 | ||
f8c54e1a DK |
824 | /* |
825 | * Parse enough information out of TPM_KEY structure: | |
826 | * TPM_STRUCT_VER -> 4 bytes | |
827 | * TPM_KEY_USAGE -> 2 bytes | |
828 | * TPM_KEY_FLAGS -> 4 bytes | |
829 | * TPM_AUTH_DATA_USAGE -> 1 byte | |
830 | * TPM_KEY_PARMS -> variable | |
831 | * UINT32 PCRInfoSize -> 4 bytes | |
832 | * BYTE* -> PCRInfoSize bytes | |
833 | * TPM_STORE_PUBKEY | |
834 | * UINT32 encDataSize; | |
835 | * BYTE* -> encDataSize; | |
836 | * | |
837 | * TPM_KEY_PARMS: | |
838 | * TPM_ALGORITHM_ID -> 4 bytes | |
839 | * TPM_ENC_SCHEME -> 2 bytes | |
840 | * TPM_SIG_SCHEME -> 2 bytes | |
841 | * UINT32 parmSize -> 4 bytes | |
842 | * BYTE* -> variable | |
843 | */ | |
844 | static int extract_key_parameters(struct tpm_key *tk) | |
845 | { | |
846 | const void *cur = tk->blob; | |
847 | uint32_t len = tk->blob_len; | |
848 | const void *pub_key; | |
849 | uint32_t sz; | |
850 | uint32_t key_len; | |
851 | ||
852 | if (len < 11) | |
853 | return -EBADMSG; | |
854 | ||
855 | /* Ensure this is a legacy key */ | |
856 | if (get_unaligned_be16(cur + 4) != 0x0015) | |
857 | return -EBADMSG; | |
858 | ||
859 | /* Skip to TPM_KEY_PARMS */ | |
860 | cur += 11; | |
861 | len -= 11; | |
862 | ||
863 | if (len < 12) | |
864 | return -EBADMSG; | |
865 | ||
866 | /* Make sure this is an RSA key */ | |
867 | if (get_unaligned_be32(cur) != 0x00000001) | |
868 | return -EBADMSG; | |
869 | ||
870 | /* Make sure this is TPM_ES_RSAESPKCSv15 encoding scheme */ | |
871 | if (get_unaligned_be16(cur + 4) != 0x0002) | |
872 | return -EBADMSG; | |
873 | ||
874 | /* Make sure this is TPM_SS_RSASSAPKCS1v15_DER signature scheme */ | |
875 | if (get_unaligned_be16(cur + 6) != 0x0003) | |
876 | return -EBADMSG; | |
877 | ||
878 | sz = get_unaligned_be32(cur + 8); | |
879 | if (len < sz + 12) | |
880 | return -EBADMSG; | |
881 | ||
882 | /* Move to TPM_RSA_KEY_PARMS */ | |
883 | len -= 12; | |
884 | cur += 12; | |
885 | ||
886 | /* Grab the RSA key length */ | |
887 | key_len = get_unaligned_be32(cur); | |
888 | ||
889 | switch (key_len) { | |
890 | case 512: | |
891 | case 1024: | |
892 | case 1536: | |
893 | case 2048: | |
894 | break; | |
895 | default: | |
896 | return -EINVAL; | |
897 | } | |
898 | ||
899 | /* Move just past TPM_KEY_PARMS */ | |
900 | cur += sz; | |
901 | len -= sz; | |
902 | ||
903 | if (len < 4) | |
904 | return -EBADMSG; | |
905 | ||
906 | sz = get_unaligned_be32(cur); | |
907 | if (len < 4 + sz) | |
908 | return -EBADMSG; | |
909 | ||
910 | /* Move to TPM_STORE_PUBKEY */ | |
911 | cur += 4 + sz; | |
912 | len -= 4 + sz; | |
913 | ||
914 | /* Grab the size of the public key, it should jive with the key size */ | |
915 | sz = get_unaligned_be32(cur); | |
916 | if (sz > 256) | |
917 | return -EINVAL; | |
918 | ||
919 | pub_key = cur + 4; | |
920 | ||
921 | tk->key_len = key_len; | |
922 | tk->pub_key = pub_key; | |
923 | tk->pub_key_len = sz; | |
924 | ||
925 | return 0; | |
926 | } | |
927 | ||
903be6bb DK |
928 | /* Given the blob, parse it and load it into the TPM */ |
929 | struct tpm_key *tpm_key_create(const void *blob, uint32_t blob_len) | |
930 | { | |
931 | int r; | |
932 | struct tpm_key *tk; | |
933 | ||
934 | r = tpm_is_tpm2(NULL); | |
935 | if (r < 0) | |
936 | goto error; | |
937 | ||
938 | /* We don't support TPM2 yet */ | |
939 | if (r > 0) { | |
940 | r = -ENODEV; | |
941 | goto error; | |
942 | } | |
943 | ||
944 | r = -ENOMEM; | |
945 | tk = kzalloc(sizeof(struct tpm_key), GFP_KERNEL); | |
946 | if (!tk) | |
947 | goto error; | |
948 | ||
949 | tk->blob = kmemdup(blob, blob_len, GFP_KERNEL); | |
950 | if (!tk->blob) | |
951 | goto error_memdup; | |
952 | ||
953 | tk->blob_len = blob_len; | |
954 | ||
f8c54e1a DK |
955 | r = extract_key_parameters(tk); |
956 | if (r < 0) | |
957 | goto error_extract; | |
958 | ||
903be6bb DK |
959 | return tk; |
960 | ||
f8c54e1a DK |
961 | error_extract: |
962 | kfree(tk->blob); | |
963 | tk->blob_len = 0; | |
903be6bb DK |
964 | error_memdup: |
965 | kfree(tk); | |
966 | error: | |
967 | return ERR_PTR(r); | |
968 | } | |
969 | EXPORT_SYMBOL_GPL(tpm_key_create); | |
970 | ||
971 | /* | |
972 | * TPM-based asymmetric key subtype | |
973 | */ | |
974 | struct asymmetric_key_subtype asym_tpm_subtype = { | |
975 | .owner = THIS_MODULE, | |
976 | .name = "asym_tpm", | |
977 | .name_len = sizeof("asym_tpm") - 1, | |
978 | .describe = asym_tpm_describe, | |
979 | .destroy = asym_tpm_destroy, | |
dff5a61a | 980 | .query = tpm_key_query, |
ad4b1eb5 | 981 | .eds_op = tpm_key_eds_op, |
e08e6891 | 982 | .verify_signature = tpm_key_verify_signature, |
903be6bb DK |
983 | }; |
984 | EXPORT_SYMBOL_GPL(asym_tpm_subtype); | |
985 | ||
986 | MODULE_DESCRIPTION("TPM based asymmetric key subtype"); | |
987 | MODULE_AUTHOR("Intel Corporation"); | |
988 | MODULE_LICENSE("GPL v2"); |