[PATCH 4/4] keys, trusted: seal/unseal with TPM 2.0 chips

From: Jarkko Sakkinen
Date: Fri Jul 03 2015 - 11:37:27 EST


Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
---
drivers/char/tpm/tpm2-cmd.c | 6 +-----
include/linux/tpm_command.h | 1 -
security/keys/trusted.c | 18 ++++++++++++++----
security/keys/trusted.h | 7 +++++++
4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index d404e5f..d2bcf79 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -406,21 +406,17 @@ static int tpm2_load(struct tpm_chip *chip,
if (private_len > (payload->blob_len - 2))
return -E2BIG;

- pr_info("private_len=%u\n", private_len);
-
public_len = be16_to_cpup((__be16 *) &payload->blob[2 + private_len]);
blob_len = private_len + public_len + 4;
if (blob_len > payload->blob_len)
return -E2BIG;

- pr_info("public_len=%u\n", public_len);
-
tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_LOAD);
tpm_buf_append_u32(&buf, options->keyhandle);
tpm2_buf_append_auth(&buf, TPM2_RS_PW, NULL /* nonce */, 0,
0 /* session_attributes */, NULL /* hmac */, 0);

- tpm_buf_append(&buf, payload->blob, payload->blob_len);
+ tpm_buf_append(&buf, payload->blob, blob_len);

rc = tpm_transmit_cmd(chip, buf.data, TPM_BUF_SIZE, "loading blob");
if (!rc)
diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
index 727512e..d7b0f82 100644
--- a/include/linux/tpm_command.h
+++ b/include/linux/tpm_command.h
@@ -22,7 +22,6 @@
#define TPM_ORD_UNSEAL 24

/* Other constants */
-#define SRKHANDLE 0x40000000
#define TPM_NONCE_SIZE 20

#endif
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb..f6557b1 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -601,7 +601,7 @@ static int tpm_unseal(struct tpm_buf *tb,
}

ordinal = htonl(TPM_ORD_UNSEAL);
- keyhndl = htonl(SRKHANDLE);
+ keyhndl = htonl(TPM1_SRKHANDLE);
ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
if (ret != TPM_NONCE_SIZE) {
pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
@@ -867,7 +867,11 @@ static struct trusted_key_options *trusted_options_alloc(void)
if (options) {
/* set any non-zero defaults */
options->keytype = SRK_keytype;
- options->keyhandle = SRKHANDLE;
+
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ options->keyhandle = TPM2_SRKHANDLE;
+ else
+ options->keyhandle = TPM1_SRKHANDLE;
}
return options;
}
@@ -937,7 +941,10 @@ static int trusted_instantiate(struct key *key,

switch (key_cmd) {
case Opt_load:
- ret = key_unseal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_unseal(payload, options);
dump_payload(payload);
dump_options(options);
if (ret < 0)
@@ -950,7 +957,10 @@ static int trusted_instantiate(struct key *key,
pr_info("trusted_key: key_create failed (%d)\n", ret);
goto out;
}
- ret = key_seal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_seal(payload, options);
if (ret < 0)
pr_info("trusted_key: key_seal failed (%d)\n", ret);
break;
diff --git a/security/keys/trusted.h b/security/keys/trusted.h
index ff001a5..fc32c47 100644
--- a/security/keys/trusted.h
+++ b/security/keys/trusted.h
@@ -12,6 +12,13 @@
#define TPM_RETURN_OFFSET 6
#define TPM_DATA_OFFSET 10

+/* Transient object handles start from 0x80000000 in TPM 2.0, which makes it
+ * a sane default.
+ */
+
+#define TPM1_SRKHANDLE 0x40000000
+#define TPM2_SRKHANDLE 0x80000000
+
#define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset]))
#define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset])
#define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset]))
--
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/