tpm2-sessions.c 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Copyright (C) 2018 James.Bottomley@HansenPartnership.com
  4. *
  5. * Cryptographic helper routines for handling TPM2 sessions for
  6. * authorization HMAC and request response encryption.
  7. *
  8. * The idea is to ensure that every TPM command is HMAC protected by a
  9. * session, meaning in-flight tampering would be detected and in
  10. * addition all sensitive inputs and responses should be encrypted.
  11. *
  12. * The basic way this works is to use a TPM feature called salted
  13. * sessions where a random secret used in session construction is
  14. * encrypted to the public part of a known TPM key. The problem is we
  15. * have no known keys, so initially a primary Elliptic Curve key is
  16. * derived from the NULL seed (we use EC because most TPMs generate
  17. * these keys much faster than RSA ones). The curve used is NIST_P256
  18. * because that's now mandated to be present in 'TCG TPM v2.0
  19. * Provisioning Guidance'
  20. *
  21. * Threat problems: the initial TPM2_CreatePrimary is not (and cannot
  22. * be) session protected, so a clever Man in the Middle could return a
  23. * public key they control to this command and from there intercept
  24. * and decode all subsequent session based transactions. The kernel
  25. * cannot mitigate this threat but, after boot, userspace can get
  26. * proof this has not happened by asking the TPM to certify the NULL
  27. * key. This certification would chain back to the TPM Endorsement
  28. * Certificate and prove the NULL seed primary had not been tampered
  29. * with and thus all sessions must have been cryptographically secure.
  30. * To assist with this, the initial NULL seed public key name is made
  31. * available in a sysfs file.
  32. *
  33. * Use of these functions:
  34. *
  35. * The design is all the crypto, hash and hmac gunk is confined in this
  36. * file and never needs to be seen even by the kernel internal user. To
  37. * the user there's an init function tpm2_sessions_init() that needs to
  38. * be called once per TPM which generates the NULL seed primary key.
  39. *
  40. * These are the usage functions:
  41. *
  42. * tpm2_end_auth_session() kills the session and frees the resources.
  43. * Under normal operation this function is done by
  44. * tpm_buf_check_hmac_response(), so this is only to be used on
  45. * error legs where the latter is not executed.
  46. * tpm_buf_append_name() to add a handle to the buffer. This must be
  47. * used in place of the usual tpm_buf_append_u32() for adding
  48. * handles because handles have to be processed specially when
  49. * calculating the HMAC. In particular, for NV, volatile and
  50. * permanent objects you now need to provide the name.
  51. * tpm_buf_append_hmac_session() which appends the hmac session to the
  52. * buf in the same way tpm_buf_append_auth does().
  53. * tpm_buf_fill_hmac_session() This calculates the correct hash and
  54. * places it in the buffer. It must be called after the complete
  55. * command buffer is finalized so it can fill in the correct HMAC
  56. * based on the parameters.
  57. * tpm_buf_check_hmac_response() which checks the session response in
  58. * the buffer and calculates what it should be. If there's a
  59. * mismatch it will log a warning and return an error. If
  60. * tpm_buf_append_hmac_session() did not specify
  61. * TPM_SA_CONTINUE_SESSION then the session will be closed (if it
  62. * hasn't been consumed) and the auth structure freed.
  63. */
  64. #include "tpm.h"
  65. #include <linux/random.h>
  66. #include <linux/scatterlist.h>
  67. #include <linux/unaligned.h>
  68. #include <crypto/kpp.h>
  69. #include <crypto/ecdh.h>
  70. #include <crypto/sha2.h>
  71. #include <crypto/utils.h>
  72. /* maximum number of names the TPM must remember for authorization */
  73. #define AUTH_MAX_NAMES 3
  74. #define AES_KEY_BYTES AES_KEYSIZE_128
  75. #define AES_KEY_BITS (AES_KEY_BYTES*8)
  76. /*
  77. * This is the structure that carries all the auth information (like
  78. * session handle, nonces, session key and auth) from use to use it is
  79. * designed to be opaque to anything outside.
  80. */
  81. struct tpm2_auth {
  82. u32 handle;
  83. /*
  84. * This has two meanings: before tpm_buf_fill_hmac_session()
  85. * it marks the offset in the buffer of the start of the
  86. * sessions (i.e. after all the handles). Once the buffer has
  87. * been filled it markes the session number of our auth
  88. * session so we can find it again in the response buffer.
  89. *
  90. * The two cases are distinguished because the first offset
  91. * must always be greater than TPM_HEADER_SIZE and the second
  92. * must be less than or equal to 5.
  93. */
  94. u32 session;
  95. /*
  96. * the size here is variable and set by the size of our_nonce
  97. * which must be between 16 and the name hash length. we set
  98. * the maximum sha256 size for the greatest protection
  99. */
  100. u8 our_nonce[SHA256_DIGEST_SIZE];
  101. u8 tpm_nonce[SHA256_DIGEST_SIZE];
  102. /*
  103. * the salt is only used across the session command/response
  104. * after that it can be used as a scratch area
  105. */
  106. union {
  107. u8 salt[EC_PT_SZ];
  108. /* scratch for key + IV */
  109. u8 scratch[AES_KEY_BYTES + AES_BLOCK_SIZE];
  110. };
  111. /*
  112. * the session key and passphrase are the same size as the
  113. * name digest (sha256 again). The session key is constant
  114. * for the use of the session and the passphrase can change
  115. * with every invocation.
  116. *
  117. * Note: these fields must be adjacent and in this order
  118. * because several HMAC/KDF schemes use the combination of the
  119. * session_key and passphrase.
  120. */
  121. u8 session_key[SHA256_DIGEST_SIZE];
  122. u8 passphrase[SHA256_DIGEST_SIZE];
  123. int passphrase_len;
  124. struct aes_enckey aes_key;
  125. /* saved session attributes: */
  126. u8 attrs;
  127. __be32 ordinal;
  128. /*
  129. * memory for three authorization handles. We know them by
  130. * handle, but they are part of the session by name, which
  131. * we must compute and remember
  132. */
  133. u32 name_h[AUTH_MAX_NAMES];
  134. u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
  135. };
  136. #ifdef CONFIG_TCG_TPM2_HMAC
  137. /*
  138. * Name Size based on TPM algorithm (assumes no hash bigger than 255)
  139. */
  140. static int name_size(const u8 *name)
  141. {
  142. u16 hash_alg = get_unaligned_be16(name);
  143. switch (hash_alg) {
  144. case TPM_ALG_SHA1:
  145. return SHA1_DIGEST_SIZE + 2;
  146. case TPM_ALG_SHA256:
  147. return SHA256_DIGEST_SIZE + 2;
  148. case TPM_ALG_SHA384:
  149. return SHA384_DIGEST_SIZE + 2;
  150. case TPM_ALG_SHA512:
  151. return SHA512_DIGEST_SIZE + 2;
  152. default:
  153. pr_warn("tpm: unsupported name algorithm: 0x%04x\n", hash_alg);
  154. return -EINVAL;
  155. }
  156. }
  157. static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name)
  158. {
  159. u32 mso = tpm2_handle_mso(handle);
  160. off_t offset = TPM_HEADER_SIZE;
  161. int rc, name_size_alg;
  162. struct tpm_buf buf;
  163. if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE &&
  164. mso != TPM2_MSO_NVRAM) {
  165. memcpy(name, &handle, sizeof(u32));
  166. return sizeof(u32);
  167. }
  168. rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
  169. if (rc)
  170. return rc;
  171. tpm_buf_append_u32(&buf, handle);
  172. rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic");
  173. if (rc) {
  174. tpm_buf_destroy(&buf);
  175. return tpm_ret_to_err(rc);
  176. }
  177. /* Skip TPMT_PUBLIC: */
  178. offset += tpm_buf_read_u16(&buf, &offset);
  179. /*
  180. * Ensure space for the length field of TPM2B_NAME and hashAlg field of
  181. * TPMT_HA (the extra four bytes).
  182. */
  183. if (offset + 4 > tpm_buf_length(&buf)) {
  184. tpm_buf_destroy(&buf);
  185. return -EIO;
  186. }
  187. rc = tpm_buf_read_u16(&buf, &offset);
  188. name_size_alg = name_size(&buf.data[offset]);
  189. if (name_size_alg < 0)
  190. return name_size_alg;
  191. if (rc != name_size_alg) {
  192. tpm_buf_destroy(&buf);
  193. return -EIO;
  194. }
  195. if (offset + rc > tpm_buf_length(&buf)) {
  196. tpm_buf_destroy(&buf);
  197. return -EIO;
  198. }
  199. memcpy(name, &buf.data[offset], rc);
  200. return name_size_alg;
  201. }
  202. #endif /* CONFIG_TCG_TPM2_HMAC */
  203. /**
  204. * tpm_buf_append_name() - add a handle area to the buffer
  205. * @chip: the TPM chip structure
  206. * @buf: The buffer to be appended
  207. * @handle: The handle to be appended
  208. * @name: The name of the handle (may be NULL)
  209. *
  210. * In order to compute session HMACs, we need to know the names of the
  211. * objects pointed to by the handles. For most objects, this is simply
  212. * the actual 4 byte handle or an empty buf (in these cases @name
  213. * should be NULL) but for volatile objects, permanent objects and NV
  214. * areas, the name is defined as the hash (according to the name
  215. * algorithm which should be set to sha256) of the public area to
  216. * which the two byte algorithm id has been appended. For these
  217. * objects, the @name pointer should point to this. If a name is
  218. * required but @name is NULL, then TPM2_ReadPublic() will be called
  219. * on the handle to obtain the name.
  220. *
  221. * As with most tpm_buf operations, success is assumed because failure
  222. * will be caused by an incorrect programming model and indicated by a
  223. * kernel message.
  224. *
  225. * Ends the authorization session on failure.
  226. */
  227. int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf,
  228. u32 handle, u8 *name)
  229. {
  230. #ifdef CONFIG_TCG_TPM2_HMAC
  231. enum tpm2_mso_type mso = tpm2_handle_mso(handle);
  232. struct tpm2_auth *auth;
  233. u16 name_size_alg;
  234. int slot;
  235. int ret;
  236. #endif
  237. if (!tpm2_chip_auth(chip)) {
  238. tpm_buf_append_handle(chip, buf, handle);
  239. return 0;
  240. }
  241. #ifdef CONFIG_TCG_TPM2_HMAC
  242. slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4;
  243. if (slot >= AUTH_MAX_NAMES) {
  244. dev_err(&chip->dev, "too many handles\n");
  245. ret = -EIO;
  246. goto err;
  247. }
  248. auth = chip->auth;
  249. if (auth->session != tpm_buf_length(buf)) {
  250. dev_err(&chip->dev, "session state malformed");
  251. ret = -EIO;
  252. goto err;
  253. }
  254. tpm_buf_append_u32(buf, handle);
  255. auth->session += 4;
  256. if (mso == TPM2_MSO_PERSISTENT ||
  257. mso == TPM2_MSO_VOLATILE ||
  258. mso == TPM2_MSO_NVRAM) {
  259. if (!name) {
  260. ret = tpm2_read_public(chip, handle, auth->name[slot]);
  261. if (ret < 0)
  262. goto err;
  263. name_size_alg = ret;
  264. }
  265. } else {
  266. if (name) {
  267. dev_err(&chip->dev, "handle 0x%08x does not use a name\n",
  268. handle);
  269. ret = -EIO;
  270. goto err;
  271. }
  272. }
  273. auth->name_h[slot] = handle;
  274. if (name)
  275. memcpy(auth->name[slot], name, name_size_alg);
  276. #endif
  277. return 0;
  278. #ifdef CONFIG_TCG_TPM2_HMAC
  279. err:
  280. tpm2_end_auth_session(chip);
  281. return tpm_ret_to_err(ret);
  282. #endif
  283. }
  284. EXPORT_SYMBOL_GPL(tpm_buf_append_name);
  285. void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf *buf,
  286. u8 *passphrase, int passphrase_len)
  287. {
  288. /* offset tells us where the sessions area begins */
  289. int offset = buf->handles * 4 + TPM_HEADER_SIZE;
  290. u32 len = 9 + passphrase_len;
  291. if (tpm_buf_length(buf) != offset) {
  292. /* not the first session so update the existing length */
  293. len += get_unaligned_be32(&buf->data[offset]);
  294. put_unaligned_be32(len, &buf->data[offset]);
  295. } else {
  296. tpm_buf_append_u32(buf, len);
  297. }
  298. /* auth handle */
  299. tpm_buf_append_u32(buf, TPM2_RS_PW);
  300. /* nonce */
  301. tpm_buf_append_u16(buf, 0);
  302. /* attributes */
  303. tpm_buf_append_u8(buf, 0);
  304. /* passphrase */
  305. tpm_buf_append_u16(buf, passphrase_len);
  306. tpm_buf_append(buf, passphrase, passphrase_len);
  307. }
  308. /**
  309. * tpm_buf_append_hmac_session() - Append a TPM session element
  310. * @chip: the TPM chip structure
  311. * @buf: The buffer to be appended
  312. * @attributes: The session attributes
  313. * @passphrase: The session authority (NULL if none)
  314. * @passphrase_len: The length of the session authority (0 if none)
  315. *
  316. * This fills in a session structure in the TPM command buffer, except
  317. * for the HMAC which cannot be computed until the command buffer is
  318. * complete. The type of session is controlled by the @attributes,
  319. * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the
  320. * session won't terminate after tpm_buf_check_hmac_response(),
  321. * TPM2_SA_DECRYPT which means this buffers first parameter should be
  322. * encrypted with a session key and TPM2_SA_ENCRYPT, which means the
  323. * response buffer's first parameter needs to be decrypted (confusing,
  324. * but the defines are written from the point of view of the TPM).
  325. *
  326. * Any session appended by this command must be finalized by calling
  327. * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect
  328. * and the TPM will reject the command.
  329. *
  330. * As with most tpm_buf operations, success is assumed because failure
  331. * will be caused by an incorrect programming model and indicated by a
  332. * kernel message.
  333. */
  334. void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
  335. u8 attributes, u8 *passphrase,
  336. int passphrase_len)
  337. {
  338. #ifdef CONFIG_TCG_TPM2_HMAC
  339. u8 nonce[SHA256_DIGEST_SIZE];
  340. struct tpm2_auth *auth;
  341. u32 len;
  342. #endif
  343. if (!tpm2_chip_auth(chip)) {
  344. tpm_buf_append_auth(chip, buf, passphrase, passphrase_len);
  345. return;
  346. }
  347. #ifdef CONFIG_TCG_TPM2_HMAC
  348. /* The first write to /dev/tpm{rm0} will flush the session. */
  349. attributes |= TPM2_SA_CONTINUE_SESSION;
  350. /*
  351. * The Architecture Guide requires us to strip trailing zeros
  352. * before computing the HMAC
  353. */
  354. while (passphrase && passphrase_len > 0 && passphrase[passphrase_len - 1] == '\0')
  355. passphrase_len--;
  356. auth = chip->auth;
  357. auth->attrs = attributes;
  358. auth->passphrase_len = passphrase_len;
  359. if (passphrase_len)
  360. memcpy(auth->passphrase, passphrase, passphrase_len);
  361. if (auth->session != tpm_buf_length(buf)) {
  362. /* we're not the first session */
  363. len = get_unaligned_be32(&buf->data[auth->session]);
  364. if (4 + len + auth->session != tpm_buf_length(buf)) {
  365. WARN(1, "session length mismatch, cannot append");
  366. return;
  367. }
  368. /* add our new session */
  369. len += 9 + 2 * SHA256_DIGEST_SIZE;
  370. put_unaligned_be32(len, &buf->data[auth->session]);
  371. } else {
  372. tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE);
  373. }
  374. /* random number for our nonce */
  375. get_random_bytes(nonce, sizeof(nonce));
  376. memcpy(auth->our_nonce, nonce, sizeof(nonce));
  377. tpm_buf_append_u32(buf, auth->handle);
  378. /* our new nonce */
  379. tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
  380. tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
  381. tpm_buf_append_u8(buf, auth->attrs);
  382. /* and put a placeholder for the hmac */
  383. tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
  384. tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
  385. #endif
  386. }
  387. EXPORT_SYMBOL_GPL(tpm_buf_append_hmac_session);
  388. #ifdef CONFIG_TCG_TPM2_HMAC
  389. static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
  390. u32 *handle, u8 *name);
  391. /*
  392. * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
  393. * otherwise standard tpm2_KDFa. Note output is in bytes not bits.
  394. */
  395. static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
  396. u8 *v, u32 bytes, u8 *out)
  397. {
  398. u32 counter = 1;
  399. const __be32 bits = cpu_to_be32(bytes * 8);
  400. while (bytes > 0) {
  401. struct hmac_sha256_ctx hctx;
  402. __be32 c = cpu_to_be32(counter);
  403. hmac_sha256_init_usingrawkey(&hctx, key, key_len);
  404. hmac_sha256_update(&hctx, (u8 *)&c, sizeof(c));
  405. hmac_sha256_update(&hctx, label, strlen(label) + 1);
  406. hmac_sha256_update(&hctx, u, SHA256_DIGEST_SIZE);
  407. hmac_sha256_update(&hctx, v, SHA256_DIGEST_SIZE);
  408. hmac_sha256_update(&hctx, (u8 *)&bits, sizeof(bits));
  409. hmac_sha256_final(&hctx, out);
  410. bytes -= SHA256_DIGEST_SIZE;
  411. counter++;
  412. out += SHA256_DIGEST_SIZE;
  413. }
  414. }
  415. /*
  416. * Somewhat of a bastardization of the real KDFe. We're assuming
  417. * we're working with known point sizes for the input parameters and
  418. * the hash algorithm is fixed at sha256. Because we know that the
  419. * point size is 32 bytes like the hash size, there's no need to loop
  420. * in this KDF.
  421. */
  422. static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
  423. u8 *out)
  424. {
  425. struct sha256_ctx sctx;
  426. /*
  427. * this should be an iterative counter, but because we know
  428. * we're only taking 32 bytes for the point using a sha256
  429. * hash which is also 32 bytes, there's only one loop
  430. */
  431. __be32 c = cpu_to_be32(1);
  432. sha256_init(&sctx);
  433. /* counter (BE) */
  434. sha256_update(&sctx, (u8 *)&c, sizeof(c));
  435. /* secret value */
  436. sha256_update(&sctx, z, EC_PT_SZ);
  437. /* string including trailing zero */
  438. sha256_update(&sctx, str, strlen(str)+1);
  439. sha256_update(&sctx, pt_u, EC_PT_SZ);
  440. sha256_update(&sctx, pt_v, EC_PT_SZ);
  441. sha256_final(&sctx, out);
  442. }
  443. static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip,
  444. struct tpm2_auth *auth)
  445. {
  446. struct crypto_kpp *kpp;
  447. struct kpp_request *req;
  448. struct scatterlist s[2], d[1];
  449. struct ecdh p = {0};
  450. u8 encoded_key[EC_PT_SZ], *x, *y;
  451. unsigned int buf_len;
  452. /* secret is two sized points */
  453. tpm_buf_append_u16(buf, (EC_PT_SZ + 2)*2);
  454. /*
  455. * we cheat here and append uninitialized data to form
  456. * the points. All we care about is getting the two
  457. * co-ordinate pointers, which will be used to overwrite
  458. * the uninitialized data
  459. */
  460. tpm_buf_append_u16(buf, EC_PT_SZ);
  461. x = &buf->data[tpm_buf_length(buf)];
  462. tpm_buf_append(buf, encoded_key, EC_PT_SZ);
  463. tpm_buf_append_u16(buf, EC_PT_SZ);
  464. y = &buf->data[tpm_buf_length(buf)];
  465. tpm_buf_append(buf, encoded_key, EC_PT_SZ);
  466. sg_init_table(s, 2);
  467. sg_set_buf(&s[0], x, EC_PT_SZ);
  468. sg_set_buf(&s[1], y, EC_PT_SZ);
  469. kpp = crypto_alloc_kpp("ecdh-nist-p256", CRYPTO_ALG_INTERNAL, 0);
  470. if (IS_ERR(kpp)) {
  471. dev_err(&chip->dev, "crypto ecdh allocation failed\n");
  472. return;
  473. }
  474. buf_len = crypto_ecdh_key_len(&p);
  475. if (sizeof(encoded_key) < buf_len) {
  476. dev_err(&chip->dev, "salt buffer too small needs %d\n",
  477. buf_len);
  478. goto out;
  479. }
  480. crypto_ecdh_encode_key(encoded_key, buf_len, &p);
  481. /* this generates a random private key */
  482. crypto_kpp_set_secret(kpp, encoded_key, buf_len);
  483. /* salt is now the public point of this private key */
  484. req = kpp_request_alloc(kpp, GFP_KERNEL);
  485. if (!req)
  486. goto out;
  487. kpp_request_set_input(req, NULL, 0);
  488. kpp_request_set_output(req, s, EC_PT_SZ*2);
  489. crypto_kpp_generate_public_key(req);
  490. /*
  491. * we're not done: now we have to compute the shared secret
  492. * which is our private key multiplied by the tpm_key public
  493. * point, we actually only take the x point and discard the y
  494. * point and feed it through KDFe to get the final secret salt
  495. */
  496. sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ);
  497. sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ);
  498. kpp_request_set_input(req, s, EC_PT_SZ*2);
  499. sg_init_one(d, auth->salt, EC_PT_SZ);
  500. kpp_request_set_output(req, d, EC_PT_SZ);
  501. crypto_kpp_compute_shared_secret(req);
  502. kpp_request_free(req);
  503. /*
  504. * pass the shared secret through KDFe for salt. Note salt
  505. * area is used both for input shared secret and output salt.
  506. * This works because KDFe fully consumes the secret before it
  507. * writes the salt
  508. */
  509. tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt);
  510. out:
  511. crypto_free_kpp(kpp);
  512. }
  513. /**
  514. * tpm_buf_fill_hmac_session() - finalize the session HMAC
  515. * @chip: the TPM chip structure
  516. * @buf: The buffer to be appended
  517. *
  518. * This command must not be called until all of the parameters have
  519. * been appended to @buf otherwise the computed HMAC will be
  520. * incorrect.
  521. *
  522. * This function computes and fills in the session HMAC using the
  523. * session key and, if TPM2_SA_DECRYPT was specified, computes the
  524. * encryption key and encrypts the first parameter of the command
  525. * buffer with it.
  526. *
  527. * Ends the authorization session on failure.
  528. */
  529. int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
  530. {
  531. u32 cc, handles, val;
  532. struct tpm2_auth *auth = chip->auth;
  533. int i;
  534. struct tpm_header *head = (struct tpm_header *)buf->data;
  535. off_t offset_s = TPM_HEADER_SIZE, offset_p;
  536. u8 *hmac = NULL;
  537. u32 attrs;
  538. u8 cphash[SHA256_DIGEST_SIZE];
  539. struct sha256_ctx sctx;
  540. struct hmac_sha256_ctx hctx;
  541. int ret;
  542. if (!auth) {
  543. ret = -EIO;
  544. goto err;
  545. }
  546. /* save the command code in BE format */
  547. auth->ordinal = head->ordinal;
  548. cc = be32_to_cpu(head->ordinal);
  549. i = tpm2_find_cc(chip, cc);
  550. if (i < 0) {
  551. dev_err(&chip->dev, "command 0x%08x not found\n", cc);
  552. ret = -EIO;
  553. goto err;
  554. }
  555. attrs = chip->cc_attrs_tbl[i];
  556. handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
  557. /*
  558. * just check the names, it's easy to make mistakes. This
  559. * would happen if someone added a handle via
  560. * tpm_buf_append_u32() instead of tpm_buf_append_name()
  561. */
  562. for (i = 0; i < handles; i++) {
  563. u32 handle = tpm_buf_read_u32(buf, &offset_s);
  564. if (auth->name_h[i] != handle) {
  565. dev_err(&chip->dev, "invalid handle 0x%08x\n", handle);
  566. ret = -EIO;
  567. goto err;
  568. }
  569. }
  570. /* point offset_s to the start of the sessions */
  571. val = tpm_buf_read_u32(buf, &offset_s);
  572. /* point offset_p to the start of the parameters */
  573. offset_p = offset_s + val;
  574. for (i = 1; offset_s < offset_p; i++) {
  575. u32 handle = tpm_buf_read_u32(buf, &offset_s);
  576. u16 len;
  577. u8 a;
  578. /* nonce (already in auth) */
  579. len = tpm_buf_read_u16(buf, &offset_s);
  580. offset_s += len;
  581. a = tpm_buf_read_u8(buf, &offset_s);
  582. len = tpm_buf_read_u16(buf, &offset_s);
  583. if (handle == auth->handle && auth->attrs == a) {
  584. hmac = &buf->data[offset_s];
  585. /*
  586. * save our session number so we know which
  587. * session in the response belongs to us
  588. */
  589. auth->session = i;
  590. }
  591. offset_s += len;
  592. }
  593. if (offset_s != offset_p) {
  594. dev_err(&chip->dev, "session length is incorrect\n");
  595. ret = -EIO;
  596. goto err;
  597. }
  598. if (!hmac) {
  599. dev_err(&chip->dev, "could not find HMAC session\n");
  600. ret = -EIO;
  601. goto err;
  602. }
  603. /* encrypt before HMAC */
  604. if (auth->attrs & TPM2_SA_DECRYPT) {
  605. u16 len;
  606. /* need key and IV */
  607. tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
  608. + auth->passphrase_len, "CFB", auth->our_nonce,
  609. auth->tpm_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
  610. auth->scratch);
  611. len = tpm_buf_read_u16(buf, &offset_p);
  612. aes_prepareenckey(&auth->aes_key, auth->scratch, AES_KEY_BYTES);
  613. aescfb_encrypt(&auth->aes_key, &buf->data[offset_p],
  614. &buf->data[offset_p], len,
  615. auth->scratch + AES_KEY_BYTES);
  616. /* reset p to beginning of parameters for HMAC */
  617. offset_p -= 2;
  618. }
  619. sha256_init(&sctx);
  620. /* ordinal is already BE */
  621. sha256_update(&sctx, (u8 *)&head->ordinal, sizeof(head->ordinal));
  622. /* add the handle names */
  623. for (i = 0; i < handles; i++) {
  624. enum tpm2_mso_type mso = tpm2_handle_mso(auth->name_h[i]);
  625. if (mso == TPM2_MSO_PERSISTENT ||
  626. mso == TPM2_MSO_VOLATILE ||
  627. mso == TPM2_MSO_NVRAM) {
  628. ret = name_size(auth->name[i]);
  629. if (ret < 0)
  630. goto err;
  631. sha256_update(&sctx, auth->name[i], ret);
  632. } else {
  633. __be32 h = cpu_to_be32(auth->name_h[i]);
  634. sha256_update(&sctx, (u8 *)&h, 4);
  635. }
  636. }
  637. if (offset_s != tpm_buf_length(buf))
  638. sha256_update(&sctx, &buf->data[offset_s],
  639. tpm_buf_length(buf) - offset_s);
  640. sha256_final(&sctx, cphash);
  641. /* now calculate the hmac */
  642. hmac_sha256_init_usingrawkey(&hctx, auth->session_key,
  643. sizeof(auth->session_key) +
  644. auth->passphrase_len);
  645. hmac_sha256_update(&hctx, cphash, sizeof(cphash));
  646. hmac_sha256_update(&hctx, auth->our_nonce, sizeof(auth->our_nonce));
  647. hmac_sha256_update(&hctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
  648. hmac_sha256_update(&hctx, &auth->attrs, 1);
  649. hmac_sha256_final(&hctx, hmac);
  650. return 0;
  651. err:
  652. tpm2_end_auth_session(chip);
  653. return ret;
  654. }
  655. EXPORT_SYMBOL(tpm_buf_fill_hmac_session);
  656. /**
  657. * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness
  658. * @chip: the TPM chip structure
  659. * @buf: the original command buffer (which now contains the response)
  660. * @rc: the return code from tpm_transmit_cmd
  661. *
  662. * If @rc is non zero, @buf may not contain an actual return, so @rc
  663. * is passed through as the return and the session cleaned up and
  664. * de-allocated if required (this is required if
  665. * TPM2_SA_CONTINUE_SESSION was not specified as a session flag).
  666. *
  667. * If @rc is zero, the response HMAC is computed against the returned
  668. * @buf and matched to the TPM one in the session area. If there is a
  669. * mismatch, an error is logged and -EINVAL returned.
  670. *
  671. * The reason for this is that the command issue and HMAC check
  672. * sequence should look like:
  673. *
  674. * rc = tpm_transmit_cmd(...);
  675. * rc = tpm_buf_check_hmac_response(&buf, auth, rc);
  676. * if (rc)
  677. * ...
  678. *
  679. * Which is easily layered into the current contrl flow.
  680. *
  681. * Returns: 0 on success or an error.
  682. */
  683. int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
  684. int rc)
  685. {
  686. struct tpm_header *head = (struct tpm_header *)buf->data;
  687. struct tpm2_auth *auth = chip->auth;
  688. off_t offset_s, offset_p;
  689. u8 rphash[SHA256_DIGEST_SIZE];
  690. u32 attrs, cc;
  691. struct sha256_ctx sctx;
  692. struct hmac_sha256_ctx hctx;
  693. u16 tag = be16_to_cpu(head->tag);
  694. int parm_len, len, i, handles;
  695. if (!auth)
  696. return rc;
  697. cc = be32_to_cpu(auth->ordinal);
  698. if (auth->session >= TPM_HEADER_SIZE) {
  699. WARN(1, "tpm session not filled correctly\n");
  700. goto out;
  701. }
  702. if (rc != 0)
  703. /* pass non success rc through and close the session */
  704. goto out;
  705. rc = -EINVAL;
  706. if (tag != TPM2_ST_SESSIONS) {
  707. dev_err(&chip->dev, "TPM: HMAC response check has no sessions tag\n");
  708. goto out;
  709. }
  710. i = tpm2_find_cc(chip, cc);
  711. if (i < 0)
  712. goto out;
  713. attrs = chip->cc_attrs_tbl[i];
  714. handles = (attrs >> TPM2_CC_ATTR_RHANDLE) & 1;
  715. /* point to area beyond handles */
  716. offset_s = TPM_HEADER_SIZE + handles * 4;
  717. parm_len = tpm_buf_read_u32(buf, &offset_s);
  718. offset_p = offset_s;
  719. offset_s += parm_len;
  720. /* skip over any sessions before ours */
  721. for (i = 0; i < auth->session - 1; i++) {
  722. len = tpm_buf_read_u16(buf, &offset_s);
  723. offset_s += len + 1;
  724. len = tpm_buf_read_u16(buf, &offset_s);
  725. offset_s += len;
  726. }
  727. /* TPM nonce */
  728. len = tpm_buf_read_u16(buf, &offset_s);
  729. if (offset_s + len > tpm_buf_length(buf))
  730. goto out;
  731. if (len != SHA256_DIGEST_SIZE)
  732. goto out;
  733. memcpy(auth->tpm_nonce, &buf->data[offset_s], len);
  734. offset_s += len;
  735. attrs = tpm_buf_read_u8(buf, &offset_s);
  736. len = tpm_buf_read_u16(buf, &offset_s);
  737. if (offset_s + len != tpm_buf_length(buf))
  738. goto out;
  739. if (len != SHA256_DIGEST_SIZE)
  740. goto out;
  741. /*
  742. * offset_s points to the HMAC. now calculate comparison, beginning
  743. * with rphash
  744. */
  745. sha256_init(&sctx);
  746. /* yes, I know this is now zero, but it's what the standard says */
  747. sha256_update(&sctx, (u8 *)&head->return_code,
  748. sizeof(head->return_code));
  749. /* ordinal is already BE */
  750. sha256_update(&sctx, (u8 *)&auth->ordinal, sizeof(auth->ordinal));
  751. sha256_update(&sctx, &buf->data[offset_p], parm_len);
  752. sha256_final(&sctx, rphash);
  753. /* now calculate the hmac */
  754. hmac_sha256_init_usingrawkey(&hctx, auth->session_key,
  755. sizeof(auth->session_key) +
  756. auth->passphrase_len);
  757. hmac_sha256_update(&hctx, rphash, sizeof(rphash));
  758. hmac_sha256_update(&hctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
  759. hmac_sha256_update(&hctx, auth->our_nonce, sizeof(auth->our_nonce));
  760. hmac_sha256_update(&hctx, &auth->attrs, 1);
  761. /* we're done with the rphash, so put our idea of the hmac there */
  762. hmac_sha256_final(&hctx, rphash);
  763. if (crypto_memneq(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE)) {
  764. dev_err(&chip->dev, "TPM: HMAC check failed\n");
  765. goto out;
  766. }
  767. rc = 0;
  768. /* now do response decryption */
  769. if (auth->attrs & TPM2_SA_ENCRYPT) {
  770. /* need key and IV */
  771. tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
  772. + auth->passphrase_len, "CFB", auth->tpm_nonce,
  773. auth->our_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
  774. auth->scratch);
  775. len = tpm_buf_read_u16(buf, &offset_p);
  776. aes_prepareenckey(&auth->aes_key, auth->scratch, AES_KEY_BYTES);
  777. aescfb_decrypt(&auth->aes_key, &buf->data[offset_p],
  778. &buf->data[offset_p], len,
  779. auth->scratch + AES_KEY_BYTES);
  780. }
  781. out:
  782. if ((auth->attrs & TPM2_SA_CONTINUE_SESSION) == 0) {
  783. if (rc)
  784. /* manually close the session if it wasn't consumed */
  785. tpm2_flush_context(chip, auth->handle);
  786. kfree_sensitive(auth);
  787. chip->auth = NULL;
  788. } else {
  789. /* reset for next use */
  790. auth->session = TPM_HEADER_SIZE;
  791. }
  792. return rc;
  793. }
  794. EXPORT_SYMBOL(tpm_buf_check_hmac_response);
  795. /**
  796. * tpm2_end_auth_session() - kill the allocated auth session
  797. * @chip: the TPM chip structure
  798. *
  799. * ends the session started by tpm2_start_auth_session and frees all
  800. * the resources. Under normal conditions,
  801. * tpm_buf_check_hmac_response() will correctly end the session if
  802. * required, so this function is only for use in error legs that will
  803. * bypass the normal invocation of tpm_buf_check_hmac_response().
  804. */
  805. void tpm2_end_auth_session(struct tpm_chip *chip)
  806. {
  807. struct tpm2_auth *auth = chip->auth;
  808. if (!auth)
  809. return;
  810. tpm2_flush_context(chip, auth->handle);
  811. kfree_sensitive(auth);
  812. chip->auth = NULL;
  813. }
  814. EXPORT_SYMBOL(tpm2_end_auth_session);
  815. static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
  816. struct tpm_buf *buf)
  817. {
  818. struct tpm_header *head = (struct tpm_header *)buf->data;
  819. u32 tot_len = be32_to_cpu(head->length);
  820. off_t offset = TPM_HEADER_SIZE;
  821. u32 val;
  822. /* we're starting after the header so adjust the length */
  823. tot_len -= TPM_HEADER_SIZE;
  824. /* should have handle plus nonce */
  825. if (tot_len != 4 + 2 + sizeof(auth->tpm_nonce))
  826. return -EINVAL;
  827. auth->handle = tpm_buf_read_u32(buf, &offset);
  828. val = tpm_buf_read_u16(buf, &offset);
  829. if (val != sizeof(auth->tpm_nonce))
  830. return -EINVAL;
  831. memcpy(auth->tpm_nonce, &buf->data[offset], sizeof(auth->tpm_nonce));
  832. /* now compute the session key from the nonces */
  833. tpm2_KDFa(auth->salt, sizeof(auth->salt), "ATH", auth->tpm_nonce,
  834. auth->our_nonce, sizeof(auth->session_key),
  835. auth->session_key);
  836. return 0;
  837. }
  838. static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
  839. {
  840. unsigned int offset = 0; /* dummy offset for null seed context */
  841. u8 name[SHA256_DIGEST_SIZE + 2];
  842. u32 tmp_null_key;
  843. int rc;
  844. rc = tpm2_load_context(chip, chip->null_key_context, &offset,
  845. &tmp_null_key);
  846. if (rc != -EINVAL) {
  847. if (!rc)
  848. *null_key = tmp_null_key;
  849. goto err;
  850. }
  851. /* Try to re-create null key, given the integrity failure: */
  852. rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name);
  853. if (rc)
  854. goto err;
  855. /* Return null key if the name has not been changed: */
  856. if (!memcmp(name, chip->null_key_name, sizeof(name))) {
  857. *null_key = tmp_null_key;
  858. return 0;
  859. }
  860. /* Deduce from the name change TPM interference: */
  861. dev_err(&chip->dev, "null key integrity check failed\n");
  862. tpm2_flush_context(chip, tmp_null_key);
  863. err:
  864. if (rc) {
  865. chip->flags |= TPM_CHIP_FLAG_DISABLE;
  866. rc = -ENODEV;
  867. }
  868. return rc;
  869. }
  870. /**
  871. * tpm2_start_auth_session() - Create an a HMAC authentication session
  872. * @chip: A TPM chip
  873. *
  874. * Loads the ephemeral key (null seed), and starts an HMAC authenticated
  875. * session. The null seed is flushed before the return.
  876. *
  877. * Returns zero on success, or a POSIX error code.
  878. */
  879. int tpm2_start_auth_session(struct tpm_chip *chip)
  880. {
  881. struct tpm2_auth *auth;
  882. struct tpm_buf buf;
  883. u32 null_key;
  884. int rc;
  885. if (chip->auth) {
  886. dev_dbg_once(&chip->dev, "auth session is active\n");
  887. return 0;
  888. }
  889. auth = kzalloc_obj(*auth);
  890. if (!auth)
  891. return -ENOMEM;
  892. rc = tpm2_load_null(chip, &null_key);
  893. if (rc)
  894. goto out;
  895. auth->session = TPM_HEADER_SIZE;
  896. rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
  897. if (rc)
  898. goto out;
  899. /* salt key handle */
  900. tpm_buf_append_u32(&buf, null_key);
  901. /* bind key handle */
  902. tpm_buf_append_u32(&buf, TPM2_RH_NULL);
  903. /* nonce caller */
  904. get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
  905. tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
  906. tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
  907. /* append encrypted salt and squirrel away unencrypted in auth */
  908. tpm_buf_append_salt(&buf, chip, auth);
  909. /* session type (HMAC, audit or policy) */
  910. tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
  911. /* symmetric encryption parameters */
  912. /* symmetric algorithm */
  913. tpm_buf_append_u16(&buf, TPM_ALG_AES);
  914. /* bits for symmetric algorithm */
  915. tpm_buf_append_u16(&buf, AES_KEY_BITS);
  916. /* symmetric algorithm mode (must be CFB) */
  917. tpm_buf_append_u16(&buf, TPM_ALG_CFB);
  918. /* hash algorithm for session */
  919. tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
  920. rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
  921. tpm2_flush_context(chip, null_key);
  922. if (rc == TPM2_RC_SUCCESS)
  923. rc = tpm2_parse_start_auth_session(auth, &buf);
  924. tpm_buf_destroy(&buf);
  925. if (rc == TPM2_RC_SUCCESS) {
  926. chip->auth = auth;
  927. return 0;
  928. }
  929. out:
  930. kfree_sensitive(auth);
  931. return rc;
  932. }
  933. EXPORT_SYMBOL(tpm2_start_auth_session);
  934. /*
  935. * A mask containing the object attributes for the kernel held null primary key
  936. * used in HMAC encryption. For more information on specific attributes look up
  937. * to "8.3 TPMA_OBJECT (Object Attributes)".
  938. */
  939. #define TPM2_OA_NULL_KEY ( \
  940. TPM2_OA_NO_DA | \
  941. TPM2_OA_FIXED_TPM | \
  942. TPM2_OA_FIXED_PARENT | \
  943. TPM2_OA_SENSITIVE_DATA_ORIGIN | \
  944. TPM2_OA_USER_WITH_AUTH | \
  945. TPM2_OA_DECRYPT | \
  946. TPM2_OA_RESTRICTED)
  947. /**
  948. * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
  949. *
  950. * @chip: The TPM the primary was created under
  951. * @buf: The response buffer from the chip
  952. * @handle: pointer to be filled in with the return handle of the primary
  953. * @hierarchy: The hierarchy the primary was created for
  954. * @name: pointer to be filled in with the primary key name
  955. *
  956. * Return:
  957. * * 0 - OK
  958. * * -errno - A system error
  959. * * TPM_RC - A TPM error
  960. */
  961. static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
  962. u32 *handle, u32 hierarchy, u8 *name)
  963. {
  964. struct tpm_header *head = (struct tpm_header *)buf->data;
  965. off_t offset_r = TPM_HEADER_SIZE, offset_t;
  966. u16 len = TPM_HEADER_SIZE;
  967. u32 total_len = be32_to_cpu(head->length);
  968. u32 val, param_len, keyhandle;
  969. keyhandle = tpm_buf_read_u32(buf, &offset_r);
  970. if (handle)
  971. *handle = keyhandle;
  972. else
  973. tpm2_flush_context(chip, keyhandle);
  974. param_len = tpm_buf_read_u32(buf, &offset_r);
  975. /*
  976. * param_len doesn't include the header, but all the other
  977. * lengths and offsets do, so add it to parm len to make
  978. * the comparisons easier
  979. */
  980. param_len += TPM_HEADER_SIZE;
  981. if (param_len + 8 > total_len)
  982. return -EINVAL;
  983. len = tpm_buf_read_u16(buf, &offset_r);
  984. offset_t = offset_r;
  985. if (name) {
  986. /*
  987. * now we have the public area, compute the name of
  988. * the object
  989. */
  990. put_unaligned_be16(TPM_ALG_SHA256, name);
  991. sha256(&buf->data[offset_r], len, name + 2);
  992. }
  993. /* validate the public key */
  994. val = tpm_buf_read_u16(buf, &offset_t);
  995. /* key type (must be what we asked for) */
  996. if (val != TPM_ALG_ECC)
  997. return -EINVAL;
  998. val = tpm_buf_read_u16(buf, &offset_t);
  999. /* name algorithm */
  1000. if (val != TPM_ALG_SHA256)
  1001. return -EINVAL;
  1002. val = tpm_buf_read_u32(buf, &offset_t);
  1003. /* object properties */
  1004. if (val != TPM2_OA_NULL_KEY)
  1005. return -EINVAL;
  1006. /* auth policy (empty) */
  1007. val = tpm_buf_read_u16(buf, &offset_t);
  1008. if (val != 0)
  1009. return -EINVAL;
  1010. /* symmetric key parameters */
  1011. val = tpm_buf_read_u16(buf, &offset_t);
  1012. if (val != TPM_ALG_AES)
  1013. return -EINVAL;
  1014. /* symmetric key length */
  1015. val = tpm_buf_read_u16(buf, &offset_t);
  1016. if (val != AES_KEY_BITS)
  1017. return -EINVAL;
  1018. /* symmetric encryption scheme */
  1019. val = tpm_buf_read_u16(buf, &offset_t);
  1020. if (val != TPM_ALG_CFB)
  1021. return -EINVAL;
  1022. /* signing scheme */
  1023. val = tpm_buf_read_u16(buf, &offset_t);
  1024. if (val != TPM_ALG_NULL)
  1025. return -EINVAL;
  1026. /* ECC Curve */
  1027. val = tpm_buf_read_u16(buf, &offset_t);
  1028. if (val != TPM2_ECC_NIST_P256)
  1029. return -EINVAL;
  1030. /* KDF Scheme */
  1031. val = tpm_buf_read_u16(buf, &offset_t);
  1032. if (val != TPM_ALG_NULL)
  1033. return -EINVAL;
  1034. /* extract public key (x and y points) */
  1035. val = tpm_buf_read_u16(buf, &offset_t);
  1036. if (val != EC_PT_SZ)
  1037. return -EINVAL;
  1038. memcpy(chip->null_ec_key_x, &buf->data[offset_t], val);
  1039. offset_t += val;
  1040. val = tpm_buf_read_u16(buf, &offset_t);
  1041. if (val != EC_PT_SZ)
  1042. return -EINVAL;
  1043. memcpy(chip->null_ec_key_y, &buf->data[offset_t], val);
  1044. offset_t += val;
  1045. /* original length of the whole TPM2B */
  1046. offset_r += len;
  1047. /* should have exactly consumed the TPM2B public structure */
  1048. if (offset_t != offset_r)
  1049. return -EINVAL;
  1050. if (offset_r > param_len)
  1051. return -EINVAL;
  1052. /* creation data (skip) */
  1053. len = tpm_buf_read_u16(buf, &offset_r);
  1054. offset_r += len;
  1055. if (offset_r > param_len)
  1056. return -EINVAL;
  1057. /* creation digest (must be sha256) */
  1058. len = tpm_buf_read_u16(buf, &offset_r);
  1059. offset_r += len;
  1060. if (len != SHA256_DIGEST_SIZE || offset_r > param_len)
  1061. return -EINVAL;
  1062. /* TPMT_TK_CREATION follows */
  1063. /* tag, must be TPM_ST_CREATION (0x8021) */
  1064. val = tpm_buf_read_u16(buf, &offset_r);
  1065. if (val != TPM2_ST_CREATION || offset_r > param_len)
  1066. return -EINVAL;
  1067. /* hierarchy */
  1068. val = tpm_buf_read_u32(buf, &offset_r);
  1069. if (val != hierarchy || offset_r > param_len)
  1070. return -EINVAL;
  1071. /* the ticket digest HMAC (might not be sha256) */
  1072. len = tpm_buf_read_u16(buf, &offset_r);
  1073. offset_r += len;
  1074. if (offset_r > param_len)
  1075. return -EINVAL;
  1076. /*
  1077. * finally we have the name, which is a sha256 digest plus a 2
  1078. * byte algorithm type
  1079. */
  1080. len = tpm_buf_read_u16(buf, &offset_r);
  1081. if (offset_r + len != param_len + 8)
  1082. return -EINVAL;
  1083. if (len != SHA256_DIGEST_SIZE + 2)
  1084. return -EINVAL;
  1085. if (memcmp(chip->null_key_name, &buf->data[offset_r],
  1086. SHA256_DIGEST_SIZE + 2) != 0) {
  1087. dev_err(&chip->dev, "NULL Seed name comparison failed\n");
  1088. return -EINVAL;
  1089. }
  1090. return 0;
  1091. }
  1092. /**
  1093. * tpm2_create_primary() - create a primary key using a fixed P-256 template
  1094. *
  1095. * @chip: the TPM chip to create under
  1096. * @hierarchy: The hierarchy handle to create under
  1097. * @handle: The returned volatile handle on success
  1098. * @name: The name of the returned key
  1099. *
  1100. * For platforms that might not have a persistent primary, this can be
  1101. * used to create one quickly on the fly (it uses Elliptic Curve not
  1102. * RSA, so even slow TPMs can create one fast). The template uses the
  1103. * TCG mandated H one for non-endorsement ECC primaries, i.e. P-256
  1104. * elliptic curve (the only current one all TPM2s are required to
  1105. * have) a sha256 name hash and no policy.
  1106. *
  1107. * Return:
  1108. * * 0 - OK
  1109. * * -errno - A system error
  1110. * * TPM_RC - A TPM error
  1111. */
  1112. static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
  1113. u32 *handle, u8 *name)
  1114. {
  1115. int rc;
  1116. struct tpm_buf buf;
  1117. struct tpm_buf template;
  1118. rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
  1119. if (rc)
  1120. return rc;
  1121. rc = tpm_buf_init_sized(&template);
  1122. if (rc) {
  1123. tpm_buf_destroy(&buf);
  1124. return rc;
  1125. }
  1126. /*
  1127. * create the template. Note: in order for userspace to
  1128. * verify the security of the system, it will have to create
  1129. * and certify this NULL primary, meaning all the template
  1130. * parameters will have to be identical, so conform exactly to
  1131. * the TCG TPM v2.0 Provisioning Guidance for the SRK ECC
  1132. * key H template (H has zero size unique points)
  1133. */
  1134. /* key type */
  1135. tpm_buf_append_u16(&template, TPM_ALG_ECC);
  1136. /* name algorithm */
  1137. tpm_buf_append_u16(&template, TPM_ALG_SHA256);
  1138. /* object properties */
  1139. tpm_buf_append_u32(&template, TPM2_OA_NULL_KEY);
  1140. /* sauth policy (empty) */
  1141. tpm_buf_append_u16(&template, 0);
  1142. /* BEGIN parameters: key specific; for ECC*/
  1143. /* symmetric algorithm */
  1144. tpm_buf_append_u16(&template, TPM_ALG_AES);
  1145. /* bits for symmetric algorithm */
  1146. tpm_buf_append_u16(&template, AES_KEY_BITS);
  1147. /* algorithm mode (must be CFB) */
  1148. tpm_buf_append_u16(&template, TPM_ALG_CFB);
  1149. /* scheme (NULL means any scheme) */
  1150. tpm_buf_append_u16(&template, TPM_ALG_NULL);
  1151. /* ECC Curve ID */
  1152. tpm_buf_append_u16(&template, TPM2_ECC_NIST_P256);
  1153. /* KDF Scheme */
  1154. tpm_buf_append_u16(&template, TPM_ALG_NULL);
  1155. /* unique: key specific; for ECC it is two zero size points */
  1156. tpm_buf_append_u16(&template, 0);
  1157. tpm_buf_append_u16(&template, 0);
  1158. /* END parameters */
  1159. /* primary handle */
  1160. tpm_buf_append_u32(&buf, hierarchy);
  1161. tpm_buf_append_empty_auth(&buf, TPM2_RS_PW);
  1162. /* sensitive create size is 4 for two empty buffers */
  1163. tpm_buf_append_u16(&buf, 4);
  1164. /* sensitive create auth data (empty) */
  1165. tpm_buf_append_u16(&buf, 0);
  1166. /* sensitive create sensitive data (empty) */
  1167. tpm_buf_append_u16(&buf, 0);
  1168. /* the public template */
  1169. tpm_buf_append(&buf, template.data, template.length);
  1170. tpm_buf_destroy(&template);
  1171. /* outside info (empty) */
  1172. tpm_buf_append_u16(&buf, 0);
  1173. /* creation PCR (none) */
  1174. tpm_buf_append_u32(&buf, 0);
  1175. rc = tpm_transmit_cmd(chip, &buf, 0,
  1176. "attempting to create NULL primary");
  1177. if (rc == TPM2_RC_SUCCESS)
  1178. rc = tpm2_parse_create_primary(chip, &buf, handle, hierarchy,
  1179. name);
  1180. tpm_buf_destroy(&buf);
  1181. return rc;
  1182. }
  1183. static int tpm2_create_null_primary(struct tpm_chip *chip)
  1184. {
  1185. u32 null_key;
  1186. int rc;
  1187. rc = tpm2_create_primary(chip, TPM2_RH_NULL, &null_key,
  1188. chip->null_key_name);
  1189. if (rc == TPM2_RC_SUCCESS) {
  1190. unsigned int offset = 0; /* dummy offset for null key context */
  1191. rc = tpm2_save_context(chip, null_key, chip->null_key_context,
  1192. sizeof(chip->null_key_context), &offset);
  1193. tpm2_flush_context(chip, null_key);
  1194. }
  1195. return rc;
  1196. }
  1197. /**
  1198. * tpm2_sessions_init() - start of day initialization for the sessions code
  1199. * @chip: TPM chip
  1200. *
  1201. * Derive and context save the null primary and allocate memory in the
  1202. * struct tpm_chip for the authorizations.
  1203. *
  1204. * Return:
  1205. * * 0 - OK
  1206. * * -errno - A system error
  1207. * * TPM_RC - A TPM error
  1208. */
  1209. int tpm2_sessions_init(struct tpm_chip *chip)
  1210. {
  1211. int rc;
  1212. rc = tpm2_create_null_primary(chip);
  1213. if (rc) {
  1214. dev_err(&chip->dev, "null key creation failed with %d\n", rc);
  1215. return rc;
  1216. }
  1217. return rc;
  1218. }
  1219. #endif /* CONFIG_TCG_TPM2_HMAC */