]>
Commit | Line | Data |
---|---|---|
903be6bb DK |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #define pr_fmt(fmt) "ASYM-TPM: "fmt | |
3 | #include <linux/slab.h> | |
4 | #include <linux/module.h> | |
5 | #include <linux/export.h> | |
6 | #include <linux/kernel.h> | |
7 | #include <linux/seq_file.h> | |
8 | #include <linux/scatterlist.h> | |
9 | #include <linux/tpm.h> | |
0c36264a | 10 | #include <linux/tpm_command.h> |
dff5a61a | 11 | #include <crypto/akcipher.h> |
0c36264a DK |
12 | #include <crypto/hash.h> |
13 | #include <crypto/sha.h> | |
f8c54e1a | 14 | #include <asm/unaligned.h> |
903be6bb | 15 | #include <keys/asymmetric-subtype.h> |
0c36264a | 16 | #include <keys/trusted.h> |
903be6bb | 17 | #include <crypto/asym_tpm_subtype.h> |
e08e6891 | 18 | #include <crypto/public_key.h> |
903be6bb | 19 | |
0c36264a DK |
20 | #define TPM_ORD_FLUSHSPECIFIC 186 |
21 | #define TPM_ORD_LOADKEY2 65 | |
f884fe5a | 22 | #define TPM_ORD_UNBIND 30 |
0c36264a DK |
23 | #define TPM_LOADKEY2_SIZE 59 |
24 | #define TPM_FLUSHSPECIFIC_SIZE 18 | |
f884fe5a | 25 | #define TPM_UNBIND_SIZE 63 |
0c36264a DK |
26 | |
27 | #define TPM_RT_KEY 0x00000001 | |
28 | ||
29 | /* | |
30 | * Load a TPM key from the blob provided by userspace | |
31 | */ | |
32 | static int tpm_loadkey2(struct tpm_buf *tb, | |
33 | uint32_t keyhandle, unsigned char *keyauth, | |
34 | const unsigned char *keyblob, int keybloblen, | |
35 | uint32_t *newhandle) | |
36 | { | |
37 | unsigned char nonceodd[TPM_NONCE_SIZE]; | |
38 | unsigned char enonce[TPM_NONCE_SIZE]; | |
39 | unsigned char authdata[SHA1_DIGEST_SIZE]; | |
40 | uint32_t authhandle = 0; | |
41 | unsigned char cont = 0; | |
42 | uint32_t ordinal; | |
43 | int ret; | |
44 | ||
45 | ordinal = htonl(TPM_ORD_LOADKEY2); | |
46 | ||
47 | /* session for loading the key */ | |
48 | ret = oiap(tb, &authhandle, enonce); | |
49 | if (ret < 0) { | |
50 | pr_info("oiap failed (%d)\n", ret); | |
51 | return ret; | |
52 | } | |
53 | ||
54 | /* generate odd nonce */ | |
55 | ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); | |
56 | if (ret < 0) { | |
57 | pr_info("tpm_get_random failed (%d)\n", ret); | |
58 | return ret; | |
59 | } | |
60 | ||
61 | /* calculate authorization HMAC value */ | |
62 | ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce, | |
63 | nonceodd, cont, sizeof(uint32_t), &ordinal, | |
64 | keybloblen, keyblob, 0, 0); | |
65 | if (ret < 0) | |
66 | return ret; | |
67 | ||
68 | /* build the request buffer */ | |
69 | INIT_BUF(tb); | |
70 | store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); | |
71 | store32(tb, TPM_LOADKEY2_SIZE + keybloblen); | |
72 | store32(tb, TPM_ORD_LOADKEY2); | |
73 | store32(tb, keyhandle); | |
74 | storebytes(tb, keyblob, keybloblen); | |
75 | store32(tb, authhandle); | |
76 | storebytes(tb, nonceodd, TPM_NONCE_SIZE); | |
77 | store8(tb, cont); | |
78 | storebytes(tb, authdata, SHA1_DIGEST_SIZE); | |
79 | ||
80 | ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
81 | if (ret < 0) { | |
82 | pr_info("authhmac failed (%d)\n", ret); | |
83 | return ret; | |
84 | } | |
85 | ||
86 | ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth, | |
87 | SHA1_DIGEST_SIZE, 0, 0); | |
88 | if (ret < 0) { | |
89 | pr_info("TSS_checkhmac1 failed (%d)\n", ret); | |
90 | return ret; | |
91 | } | |
92 | ||
93 | *newhandle = LOAD32(tb->data, TPM_DATA_OFFSET); | |
94 | return 0; | |
95 | } | |
96 | ||
97 | /* | |
98 | * Execute the FlushSpecific TPM command | |
99 | */ | |
100 | static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle) | |
101 | { | |
102 | INIT_BUF(tb); | |
103 | store16(tb, TPM_TAG_RQU_COMMAND); | |
104 | store32(tb, TPM_FLUSHSPECIFIC_SIZE); | |
105 | store32(tb, TPM_ORD_FLUSHSPECIFIC); | |
106 | store32(tb, handle); | |
107 | store32(tb, TPM_RT_KEY); | |
108 | ||
109 | return trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
110 | } | |
111 | ||
f884fe5a DK |
112 | /* |
113 | * Decrypt a blob provided by userspace using a specific key handle. | |
114 | * The handle is a well known handle or previously loaded by e.g. LoadKey2 | |
115 | */ | |
116 | static int tpm_unbind(struct tpm_buf *tb, | |
117 | uint32_t keyhandle, unsigned char *keyauth, | |
118 | const unsigned char *blob, uint32_t bloblen, | |
119 | void *out, uint32_t outlen) | |
120 | { | |
121 | unsigned char nonceodd[TPM_NONCE_SIZE]; | |
122 | unsigned char enonce[TPM_NONCE_SIZE]; | |
123 | unsigned char authdata[SHA1_DIGEST_SIZE]; | |
124 | uint32_t authhandle = 0; | |
125 | unsigned char cont = 0; | |
126 | uint32_t ordinal; | |
127 | uint32_t datalen; | |
128 | int ret; | |
129 | ||
130 | ordinal = htonl(TPM_ORD_UNBIND); | |
131 | datalen = htonl(bloblen); | |
132 | ||
133 | /* session for loading the key */ | |
134 | ret = oiap(tb, &authhandle, enonce); | |
135 | if (ret < 0) { | |
136 | pr_info("oiap failed (%d)\n", ret); | |
137 | return ret; | |
138 | } | |
139 | ||
140 | /* generate odd nonce */ | |
141 | ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); | |
142 | if (ret < 0) { | |
143 | pr_info("tpm_get_random failed (%d)\n", ret); | |
144 | return ret; | |
145 | } | |
146 | ||
147 | /* calculate authorization HMAC value */ | |
148 | ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce, | |
149 | nonceodd, cont, sizeof(uint32_t), &ordinal, | |
150 | sizeof(uint32_t), &datalen, | |
151 | bloblen, blob, 0, 0); | |
152 | if (ret < 0) | |
153 | return ret; | |
154 | ||
155 | /* build the request buffer */ | |
156 | INIT_BUF(tb); | |
157 | store16(tb, TPM_TAG_RQU_AUTH1_COMMAND); | |
158 | store32(tb, TPM_UNBIND_SIZE + bloblen); | |
159 | store32(tb, TPM_ORD_UNBIND); | |
160 | store32(tb, keyhandle); | |
161 | store32(tb, bloblen); | |
162 | storebytes(tb, blob, bloblen); | |
163 | store32(tb, authhandle); | |
164 | storebytes(tb, nonceodd, TPM_NONCE_SIZE); | |
165 | store8(tb, cont); | |
166 | storebytes(tb, authdata, SHA1_DIGEST_SIZE); | |
167 | ||
168 | ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); | |
169 | if (ret < 0) { | |
170 | pr_info("authhmac failed (%d)\n", ret); | |
171 | return ret; | |
172 | } | |
173 | ||
174 | datalen = LOAD32(tb->data, TPM_DATA_OFFSET); | |
175 | ||
176 | ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, | |
177 | keyauth, SHA1_DIGEST_SIZE, | |
178 | sizeof(uint32_t), TPM_DATA_OFFSET, | |
179 | datalen, TPM_DATA_OFFSET + sizeof(uint32_t), | |
180 | 0, 0); | |
181 | if (ret < 0) { | |
182 | pr_info("TSS_checkhmac1 failed (%d)\n", ret); | |
183 | return ret; | |
184 | } | |
185 | ||
186 | memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), | |
187 | min(outlen, datalen)); | |
188 | ||
189 | return datalen; | |
190 | } | |
191 | ||
dff5a61a DK |
192 | /* |
193 | * Maximum buffer size for the BER/DER encoded public key. The public key | |
194 | * is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048 | |
195 | * bit key and e is usually 65537 | |
196 | * The encoding overhead is: | |
197 | * - max 4 bytes for SEQUENCE | |
198 | * - max 4 bytes for INTEGER n type/length | |
199 | * - 257 bytes of n | |
200 | * - max 2 bytes for INTEGER e type/length | |
201 | * - 3 bytes of e | |
202 | */ | |
203 | #define PUB_KEY_BUF_SIZE (4 + 4 + 257 + 2 + 3) | |
204 | ||
903be6bb DK |
205 | /* |
206 | * Provide a part of a description of the key for /proc/keys. | |
207 | */ | |
208 | static void asym_tpm_describe(const struct key *asymmetric_key, | |
209 | struct seq_file *m) | |
210 | { | |
211 | struct tpm_key *tk = asymmetric_key->payload.data[asym_crypto]; | |
212 | ||
213 | if (!tk) | |
214 | return; | |
215 | ||
216 | seq_printf(m, "TPM1.2/Blob"); | |
217 | } | |
218 | ||
219 | static void asym_tpm_destroy(void *payload0, void *payload3) | |
220 | { | |
221 | struct tpm_key *tk = payload0; | |
222 | ||
223 | if (!tk) | |
224 | return; | |
225 | ||
226 | kfree(tk->blob); | |
227 | tk->blob_len = 0; | |
228 | ||
229 | kfree(tk); | |
230 | } | |
231 | ||
dff5a61a DK |
232 | /* How many bytes will it take to encode the length */ |
233 | static inline uint32_t definite_length(uint32_t len) | |
234 | { | |
235 | if (len <= 127) | |
236 | return 1; | |
237 | if (len <= 255) | |
238 | return 2; | |
239 | return 3; | |
240 | } | |
241 | ||
242 | static inline uint8_t *encode_tag_length(uint8_t *buf, uint8_t tag, | |
243 | uint32_t len) | |
244 | { | |
245 | *buf++ = tag; | |
246 | ||
247 | if (len <= 127) { | |
248 | buf[0] = len; | |
249 | return buf + 1; | |
250 | } | |
251 | ||
252 | if (len <= 255) { | |
253 | buf[0] = 0x81; | |
254 | buf[1] = len; | |
255 | return buf + 2; | |
256 | } | |
257 | ||
258 | buf[0] = 0x82; | |
259 | put_unaligned_be16(len, buf + 1); | |
260 | return buf + 3; | |
261 | } | |
262 | ||
263 | static uint32_t derive_pub_key(const void *pub_key, uint32_t len, uint8_t *buf) | |
264 | { | |
265 | uint8_t *cur = buf; | |
266 | uint32_t n_len = definite_length(len) + 1 + len + 1; | |
267 | uint32_t e_len = definite_length(3) + 1 + 3; | |
268 | uint8_t e[3] = { 0x01, 0x00, 0x01 }; | |
269 | ||
270 | /* SEQUENCE */ | |
271 | cur = encode_tag_length(cur, 0x30, n_len + e_len); | |
272 | /* INTEGER n */ | |
273 | cur = encode_tag_length(cur, 0x02, len + 1); | |
274 | cur[0] = 0x00; | |
275 | memcpy(cur + 1, pub_key, len); | |
276 | cur += len + 1; | |
277 | cur = encode_tag_length(cur, 0x02, sizeof(e)); | |
278 | memcpy(cur, e, sizeof(e)); | |
279 | cur += sizeof(e); | |
280 | ||
281 | return cur - buf; | |
282 | } | |
283 | ||
284 | /* | |
285 | * Determine the crypto algorithm name. | |
286 | */ | |
287 | static int determine_akcipher(const char *encoding, const char *hash_algo, | |
288 | char alg_name[CRYPTO_MAX_ALG_NAME]) | |
289 | { | |
dff5a61a | 290 | if (strcmp(encoding, "pkcs1") == 0) { |
e08e6891 DK |
291 | if (!hash_algo) { |
292 | strcpy(alg_name, "pkcs1pad(rsa)"); | |
293 | return 0; | |
294 | } | |
295 | ||
296 | if (snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "pkcs1pad(rsa,%s)", | |
297 | hash_algo) >= CRYPTO_MAX_ALG_NAME) | |
298 | return -EINVAL; | |
299 | ||
dff5a61a DK |
300 | return 0; |
301 | } | |
302 | ||
303 | if (strcmp(encoding, "raw") == 0) { | |
304 | strcpy(alg_name, "rsa"); | |
305 | return 0; | |
306 | } | |
307 | ||
308 | return -ENOPKG; | |
309 | } | |
310 | ||
311 | /* | |
312 | * Query information about a key. | |
313 | */ | |
314 | static int tpm_key_query(const struct kernel_pkey_params *params, | |
315 | struct kernel_pkey_query *info) | |
316 | { | |
317 | struct tpm_key *tk = params->key->payload.data[asym_crypto]; | |
318 | int ret; | |
319 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
320 | struct crypto_akcipher *tfm; | |
321 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
322 | uint32_t der_pub_key_len; | |
323 | int len; | |
324 | ||
325 | /* TPM only works on private keys, public keys still done in software */ | |
326 | ret = determine_akcipher(params->encoding, params->hash_algo, alg_name); | |
327 | if (ret < 0) | |
328 | return ret; | |
329 | ||
330 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
331 | if (IS_ERR(tfm)) | |
332 | return PTR_ERR(tfm); | |
333 | ||
334 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
335 | der_pub_key); | |
336 | ||
337 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
338 | if (ret < 0) | |
339 | goto error_free_tfm; | |
340 | ||
341 | len = crypto_akcipher_maxsize(tfm); | |
342 | ||
343 | info->key_size = tk->key_len; | |
344 | info->max_data_size = tk->key_len / 8; | |
345 | info->max_sig_size = len; | |
346 | info->max_enc_size = len; | |
347 | info->max_dec_size = tk->key_len / 8; | |
348 | ||
a335974a | 349 | info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT | |
e08e6891 DK |
350 | KEYCTL_SUPPORTS_DECRYPT | |
351 | KEYCTL_SUPPORTS_VERIFY; | |
ad4b1eb5 | 352 | |
dff5a61a DK |
353 | ret = 0; |
354 | error_free_tfm: | |
355 | crypto_free_akcipher(tfm); | |
356 | pr_devel("<==%s() = %d\n", __func__, ret); | |
357 | return ret; | |
358 | } | |
359 | ||
ad4b1eb5 DK |
360 | /* |
361 | * Encryption operation is performed with the public key. Hence it is done | |
362 | * in software | |
363 | */ | |
364 | static int tpm_key_encrypt(struct tpm_key *tk, | |
365 | struct kernel_pkey_params *params, | |
366 | const void *in, void *out) | |
367 | { | |
368 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
369 | struct crypto_akcipher *tfm; | |
370 | struct akcipher_request *req; | |
371 | struct crypto_wait cwait; | |
372 | struct scatterlist in_sg, out_sg; | |
373 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
374 | uint32_t der_pub_key_len; | |
375 | int ret; | |
376 | ||
377 | pr_devel("==>%s()\n", __func__); | |
378 | ||
379 | ret = determine_akcipher(params->encoding, params->hash_algo, alg_name); | |
380 | if (ret < 0) | |
381 | return ret; | |
382 | ||
383 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
384 | if (IS_ERR(tfm)) | |
385 | return PTR_ERR(tfm); | |
386 | ||
387 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
388 | der_pub_key); | |
389 | ||
390 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
391 | if (ret < 0) | |
392 | goto error_free_tfm; | |
393 | ||
394 | req = akcipher_request_alloc(tfm, GFP_KERNEL); | |
395 | if (!req) | |
396 | goto error_free_tfm; | |
397 | ||
398 | sg_init_one(&in_sg, in, params->in_len); | |
399 | sg_init_one(&out_sg, out, params->out_len); | |
400 | akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, | |
401 | params->out_len); | |
402 | crypto_init_wait(&cwait); | |
403 | akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
404 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
405 | crypto_req_done, &cwait); | |
406 | ||
407 | ret = crypto_akcipher_encrypt(req); | |
408 | ret = crypto_wait_req(ret, &cwait); | |
409 | ||
410 | if (ret == 0) | |
411 | ret = req->dst_len; | |
412 | ||
413 | akcipher_request_free(req); | |
414 | error_free_tfm: | |
415 | crypto_free_akcipher(tfm); | |
416 | pr_devel("<==%s() = %d\n", __func__, ret); | |
417 | return ret; | |
418 | } | |
419 | ||
a335974a DK |
420 | /* |
421 | * Decryption operation is performed with the private key in the TPM. | |
422 | */ | |
423 | static int tpm_key_decrypt(struct tpm_key *tk, | |
424 | struct kernel_pkey_params *params, | |
425 | const void *in, void *out) | |
426 | { | |
427 | struct tpm_buf *tb; | |
428 | uint32_t keyhandle; | |
429 | uint8_t srkauth[SHA1_DIGEST_SIZE]; | |
430 | uint8_t keyauth[SHA1_DIGEST_SIZE]; | |
431 | int r; | |
432 | ||
433 | pr_devel("==>%s()\n", __func__); | |
434 | ||
435 | if (params->hash_algo) | |
436 | return -ENOPKG; | |
437 | ||
438 | if (strcmp(params->encoding, "pkcs1")) | |
439 | return -ENOPKG; | |
440 | ||
441 | tb = kzalloc(sizeof(*tb), GFP_KERNEL); | |
442 | if (!tb) | |
443 | return -ENOMEM; | |
444 | ||
445 | /* TODO: Handle a non-all zero SRK authorization */ | |
446 | memset(srkauth, 0, sizeof(srkauth)); | |
447 | ||
448 | r = tpm_loadkey2(tb, SRKHANDLE, srkauth, | |
449 | tk->blob, tk->blob_len, &keyhandle); | |
450 | if (r < 0) { | |
451 | pr_devel("loadkey2 failed (%d)\n", r); | |
452 | goto error; | |
453 | } | |
454 | ||
455 | /* TODO: Handle a non-all zero key authorization */ | |
456 | memset(keyauth, 0, sizeof(keyauth)); | |
457 | ||
458 | r = tpm_unbind(tb, keyhandle, keyauth, | |
459 | in, params->in_len, out, params->out_len); | |
460 | if (r < 0) | |
461 | pr_devel("tpm_unbind failed (%d)\n", r); | |
462 | ||
463 | if (tpm_flushspecific(tb, keyhandle) < 0) | |
464 | pr_devel("flushspecific failed (%d)\n", r); | |
465 | ||
466 | error: | |
467 | kzfree(tb); | |
468 | pr_devel("<==%s() = %d\n", __func__, r); | |
469 | return r; | |
470 | } | |
471 | ||
ad4b1eb5 DK |
472 | /* |
473 | * Do encryption, decryption and signing ops. | |
474 | */ | |
475 | static int tpm_key_eds_op(struct kernel_pkey_params *params, | |
476 | const void *in, void *out) | |
477 | { | |
478 | struct tpm_key *tk = params->key->payload.data[asym_crypto]; | |
479 | int ret = -EOPNOTSUPP; | |
480 | ||
481 | /* Perform the encryption calculation. */ | |
482 | switch (params->op) { | |
483 | case kernel_pkey_encrypt: | |
484 | ret = tpm_key_encrypt(tk, params, in, out); | |
485 | break; | |
a335974a DK |
486 | case kernel_pkey_decrypt: |
487 | ret = tpm_key_decrypt(tk, params, in, out); | |
488 | break; | |
ad4b1eb5 DK |
489 | default: |
490 | BUG(); | |
491 | } | |
492 | ||
493 | return ret; | |
494 | } | |
495 | ||
e08e6891 DK |
496 | /* |
497 | * Verify a signature using a public key. | |
498 | */ | |
499 | static int tpm_key_verify_signature(const struct key *key, | |
500 | const struct public_key_signature *sig) | |
501 | { | |
502 | const struct tpm_key *tk = key->payload.data[asym_crypto]; | |
503 | struct crypto_wait cwait; | |
504 | struct crypto_akcipher *tfm; | |
505 | struct akcipher_request *req; | |
506 | struct scatterlist sig_sg, digest_sg; | |
507 | char alg_name[CRYPTO_MAX_ALG_NAME]; | |
508 | uint8_t der_pub_key[PUB_KEY_BUF_SIZE]; | |
509 | uint32_t der_pub_key_len; | |
510 | void *output; | |
511 | unsigned int outlen; | |
512 | int ret; | |
513 | ||
514 | pr_devel("==>%s()\n", __func__); | |
515 | ||
516 | BUG_ON(!tk); | |
517 | BUG_ON(!sig); | |
518 | BUG_ON(!sig->s); | |
519 | ||
520 | if (!sig->digest) | |
521 | return -ENOPKG; | |
522 | ||
523 | ret = determine_akcipher(sig->encoding, sig->hash_algo, alg_name); | |
524 | if (ret < 0) | |
525 | return ret; | |
526 | ||
527 | tfm = crypto_alloc_akcipher(alg_name, 0, 0); | |
528 | if (IS_ERR(tfm)) | |
529 | return PTR_ERR(tfm); | |
530 | ||
531 | der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len, | |
532 | der_pub_key); | |
533 | ||
534 | ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len); | |
535 | if (ret < 0) | |
536 | goto error_free_tfm; | |
537 | ||
538 | ret = -ENOMEM; | |
539 | req = akcipher_request_alloc(tfm, GFP_KERNEL); | |
540 | if (!req) | |
541 | goto error_free_tfm; | |
542 | ||
543 | ret = -ENOMEM; | |
544 | outlen = crypto_akcipher_maxsize(tfm); | |
545 | output = kmalloc(outlen, GFP_KERNEL); | |
546 | if (!output) | |
547 | goto error_free_req; | |
548 | ||
549 | sg_init_one(&sig_sg, sig->s, sig->s_size); | |
550 | sg_init_one(&digest_sg, output, outlen); | |
551 | akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size, | |
552 | outlen); | |
553 | crypto_init_wait(&cwait); | |
554 | akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
555 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
556 | crypto_req_done, &cwait); | |
557 | ||
558 | /* Perform the verification calculation. This doesn't actually do the | |
559 | * verification, but rather calculates the hash expected by the | |
560 | * signature and returns that to us. | |
561 | */ | |
562 | ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); | |
563 | if (ret) | |
564 | goto out_free_output; | |
565 | ||
566 | /* Do the actual verification step. */ | |
567 | if (req->dst_len != sig->digest_size || | |
568 | memcmp(sig->digest, output, sig->digest_size) != 0) | |
569 | ret = -EKEYREJECTED; | |
570 | ||
571 | out_free_output: | |
572 | kfree(output); | |
573 | error_free_req: | |
574 | akcipher_request_free(req); | |
575 | error_free_tfm: | |
576 | crypto_free_akcipher(tfm); | |
577 | pr_devel("<==%s() = %d\n", __func__, ret); | |
578 | if (WARN_ON_ONCE(ret > 0)) | |
579 | ret = -EINVAL; | |
580 | return ret; | |
581 | } | |
582 | ||
f8c54e1a DK |
583 | /* |
584 | * Parse enough information out of TPM_KEY structure: | |
585 | * TPM_STRUCT_VER -> 4 bytes | |
586 | * TPM_KEY_USAGE -> 2 bytes | |
587 | * TPM_KEY_FLAGS -> 4 bytes | |
588 | * TPM_AUTH_DATA_USAGE -> 1 byte | |
589 | * TPM_KEY_PARMS -> variable | |
590 | * UINT32 PCRInfoSize -> 4 bytes | |
591 | * BYTE* -> PCRInfoSize bytes | |
592 | * TPM_STORE_PUBKEY | |
593 | * UINT32 encDataSize; | |
594 | * BYTE* -> encDataSize; | |
595 | * | |
596 | * TPM_KEY_PARMS: | |
597 | * TPM_ALGORITHM_ID -> 4 bytes | |
598 | * TPM_ENC_SCHEME -> 2 bytes | |
599 | * TPM_SIG_SCHEME -> 2 bytes | |
600 | * UINT32 parmSize -> 4 bytes | |
601 | * BYTE* -> variable | |
602 | */ | |
603 | static int extract_key_parameters(struct tpm_key *tk) | |
604 | { | |
605 | const void *cur = tk->blob; | |
606 | uint32_t len = tk->blob_len; | |
607 | const void *pub_key; | |
608 | uint32_t sz; | |
609 | uint32_t key_len; | |
610 | ||
611 | if (len < 11) | |
612 | return -EBADMSG; | |
613 | ||
614 | /* Ensure this is a legacy key */ | |
615 | if (get_unaligned_be16(cur + 4) != 0x0015) | |
616 | return -EBADMSG; | |
617 | ||
618 | /* Skip to TPM_KEY_PARMS */ | |
619 | cur += 11; | |
620 | len -= 11; | |
621 | ||
622 | if (len < 12) | |
623 | return -EBADMSG; | |
624 | ||
625 | /* Make sure this is an RSA key */ | |
626 | if (get_unaligned_be32(cur) != 0x00000001) | |
627 | return -EBADMSG; | |
628 | ||
629 | /* Make sure this is TPM_ES_RSAESPKCSv15 encoding scheme */ | |
630 | if (get_unaligned_be16(cur + 4) != 0x0002) | |
631 | return -EBADMSG; | |
632 | ||
633 | /* Make sure this is TPM_SS_RSASSAPKCS1v15_DER signature scheme */ | |
634 | if (get_unaligned_be16(cur + 6) != 0x0003) | |
635 | return -EBADMSG; | |
636 | ||
637 | sz = get_unaligned_be32(cur + 8); | |
638 | if (len < sz + 12) | |
639 | return -EBADMSG; | |
640 | ||
641 | /* Move to TPM_RSA_KEY_PARMS */ | |
642 | len -= 12; | |
643 | cur += 12; | |
644 | ||
645 | /* Grab the RSA key length */ | |
646 | key_len = get_unaligned_be32(cur); | |
647 | ||
648 | switch (key_len) { | |
649 | case 512: | |
650 | case 1024: | |
651 | case 1536: | |
652 | case 2048: | |
653 | break; | |
654 | default: | |
655 | return -EINVAL; | |
656 | } | |
657 | ||
658 | /* Move just past TPM_KEY_PARMS */ | |
659 | cur += sz; | |
660 | len -= sz; | |
661 | ||
662 | if (len < 4) | |
663 | return -EBADMSG; | |
664 | ||
665 | sz = get_unaligned_be32(cur); | |
666 | if (len < 4 + sz) | |
667 | return -EBADMSG; | |
668 | ||
669 | /* Move to TPM_STORE_PUBKEY */ | |
670 | cur += 4 + sz; | |
671 | len -= 4 + sz; | |
672 | ||
673 | /* Grab the size of the public key, it should jive with the key size */ | |
674 | sz = get_unaligned_be32(cur); | |
675 | if (sz > 256) | |
676 | return -EINVAL; | |
677 | ||
678 | pub_key = cur + 4; | |
679 | ||
680 | tk->key_len = key_len; | |
681 | tk->pub_key = pub_key; | |
682 | tk->pub_key_len = sz; | |
683 | ||
684 | return 0; | |
685 | } | |
686 | ||
903be6bb DK |
687 | /* Given the blob, parse it and load it into the TPM */ |
688 | struct tpm_key *tpm_key_create(const void *blob, uint32_t blob_len) | |
689 | { | |
690 | int r; | |
691 | struct tpm_key *tk; | |
692 | ||
693 | r = tpm_is_tpm2(NULL); | |
694 | if (r < 0) | |
695 | goto error; | |
696 | ||
697 | /* We don't support TPM2 yet */ | |
698 | if (r > 0) { | |
699 | r = -ENODEV; | |
700 | goto error; | |
701 | } | |
702 | ||
703 | r = -ENOMEM; | |
704 | tk = kzalloc(sizeof(struct tpm_key), GFP_KERNEL); | |
705 | if (!tk) | |
706 | goto error; | |
707 | ||
708 | tk->blob = kmemdup(blob, blob_len, GFP_KERNEL); | |
709 | if (!tk->blob) | |
710 | goto error_memdup; | |
711 | ||
712 | tk->blob_len = blob_len; | |
713 | ||
f8c54e1a DK |
714 | r = extract_key_parameters(tk); |
715 | if (r < 0) | |
716 | goto error_extract; | |
717 | ||
903be6bb DK |
718 | return tk; |
719 | ||
f8c54e1a DK |
720 | error_extract: |
721 | kfree(tk->blob); | |
722 | tk->blob_len = 0; | |
903be6bb DK |
723 | error_memdup: |
724 | kfree(tk); | |
725 | error: | |
726 | return ERR_PTR(r); | |
727 | } | |
728 | EXPORT_SYMBOL_GPL(tpm_key_create); | |
729 | ||
730 | /* | |
731 | * TPM-based asymmetric key subtype | |
732 | */ | |
733 | struct asymmetric_key_subtype asym_tpm_subtype = { | |
734 | .owner = THIS_MODULE, | |
735 | .name = "asym_tpm", | |
736 | .name_len = sizeof("asym_tpm") - 1, | |
737 | .describe = asym_tpm_describe, | |
738 | .destroy = asym_tpm_destroy, | |
dff5a61a | 739 | .query = tpm_key_query, |
ad4b1eb5 | 740 | .eds_op = tpm_key_eds_op, |
e08e6891 | 741 | .verify_signature = tpm_key_verify_signature, |
903be6bb DK |
742 | }; |
743 | EXPORT_SYMBOL_GPL(asym_tpm_subtype); | |
744 | ||
745 | MODULE_DESCRIPTION("TPM based asymmetric key subtype"); | |
746 | MODULE_AUTHOR("Intel Corporation"); | |
747 | MODULE_LICENSE("GPL v2"); |