keys, trusted: seal/unseal with TPM 2.0 chips

Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips. We require explicit 'keyhandle=' option because there's no a fixed storage root key inside TPM2 chips. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de> Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (on TPM 1.2) Tested-by: Chris J Arges <chris.j.arges@canonical.com> Tested-by: Colin Ian King <colin.king@canonical.com> Tested-by: Kevin Strasser <kevin.strasser@intel.com> Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
author: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> 2015-06-26 15:28:26 -0400
committer: Peter Huewe <peterhuewe@gmx.de> 2015-10-18 19:01:22 -0400
commit: 0fe5480303a1657b328a0a389f8d99249d9961f5 (patch)
tree: 62a6478cf40f80f74d9f765c5e39a241eb385427 /security/keys
parent: 954650efb79f99d5c817c121bb0a7c6c53362048 (diff)
1 files changed, 33 insertions, 3 deletions
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb07ada..d3633cf17c7d 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -862,12 +862,19 @@ static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 static struct trusted_key_options *trusted_options_alloc(void)
 {
        struct trusted_key_options *options;
+        int tpm2;
+        tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
+        if (tpm2 < 0)
+                return NULL;
        options = kzalloc(sizeof *options, GFP_KERNEL);
        if (options) {
                /* set any non-zero defaults */
                options->keytype = SRK_keytype;
-                options->keyhandle = SRKHANDLE;
+                if (!tpm2)
+                        options->keyhandle = SRKHANDLE;
        }
        return options;
 }
@@ -905,6 +912,11 @@ static int trusted_instantiate(struct key *key,
        int ret = 0;
        int key_cmd;
        size_t key_len;
+        int tpm2;
+        tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
+        if (tpm2 < 0)
+                return tpm2;
        if (datalen <= 0 || datalen > 32767 || !prep->data)
                return -EINVAL;
@@ -932,12 +944,20 @@ static int trusted_instantiate(struct key *key,
                goto out;
        }
+        if (!options->keyhandle) {
+                ret = -EINVAL;
+                goto out;
+        }
        dump_payload(payload);
        dump_options(options);
        switch (key_cmd) {
        case Opt_load:
-                ret = key_unseal(payload, options);
+                if (tpm2)
+                        ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
+                else
+                        ret = key_unseal(payload, options);
                dump_payload(payload);
                dump_options(options);
                if (ret < 0)
@@ -950,7 +970,10 @@ static int trusted_instantiate(struct key *key,
                        pr_info("trusted_key: key_create failed (%d)\n", ret);
                        goto out;
                }
-                ret = key_seal(payload, options);
+                if (tpm2)
+                        ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
+                else
+                        ret = key_seal(payload, options);
                if (ret < 0)
                        pr_info("trusted_key: key_seal failed (%d)\n", ret);
                break;
@@ -1018,6 +1041,13 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
                kfree(new_p);
                goto out;
        }
+        if (!new_o->keyhandle) {
+                ret = -EINVAL;
+                kfree(new_p);
+                goto out;
+        }
        /* copy old key values, and reseal with new pcrs */
        new_p->migratable = p->migratable;
        new_p->key_len = p->key_len;
author	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>	2015-06-26 15:28:26 -0400
committer	Peter Huewe <peterhuewe@gmx.de>	2015-10-18 19:01:22 -0400
commit	0fe5480303a1657b328a0a389f8d99249d9961f5 (patch)
tree	62a6478cf40f80f74d9f765c5e39a241eb385427 /security/keys
parent	954650efb79f99d5c817c121bb0a7c6c53362048 (diff)

diff --git a/security/keys/trusted.c b/security/keys/trusted.c index c0594cb07ada..d3633cf17c7d 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c
@@ -862,12 +862,19 @@ static int datablob_parse(char datablob, struct trusted_key_payload p,
862	static struct trusted_key_options *trusted_options_alloc(void)	862	static struct trusted_key_options *trusted_options_alloc(void)
863	{	863	{
864	struct trusted_key_options *options;	864	struct trusted_key_options *options;
		865	int tpm2;
		866
		867	tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
		868	if (tpm2 < 0)
		869	return NULL;
865		870
866	options = kzalloc(sizeof *options, GFP_KERNEL);	871	options = kzalloc(sizeof *options, GFP_KERNEL);
867	if (options) {	872	if (options) {
868	/* set any non-zero defaults */	873	/* set any non-zero defaults */
869	options->keytype = SRK_keytype;	874	options->keytype = SRK_keytype;
870	options->keyhandle = SRKHANDLE;	875
		876	if (!tpm2)
		877	options->keyhandle = SRKHANDLE;
871	}	878	}
872	return options;	879	return options;
873	}	880	}
@@ -905,6 +912,11 @@ static int trusted_instantiate(struct key *key,
905	int ret = 0;	912	int ret = 0;
906	int key_cmd;	913	int key_cmd;
907	size_t key_len;	914	size_t key_len;
		915	int tpm2;
		916
		917	tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
		918	if (tpm2 < 0)
		919	return tpm2;
908		920
909	if (datalen <= 0 \|\| datalen > 32767 \|\| !prep->data)	921	if (datalen <= 0 \|\| datalen > 32767 \|\| !prep->data)
910	return -EINVAL;	922	return -EINVAL;
@@ -932,12 +944,20 @@ static int trusted_instantiate(struct key *key,
932	goto out;	944	goto out;
933	}	945	}
934		946
		947	if (!options->keyhandle) {
		948	ret = -EINVAL;
		949	goto out;
		950	}
		951
935	dump_payload(payload);	952	dump_payload(payload);
936	dump_options(options);	953	dump_options(options);
937		954
938	switch (key_cmd) {	955	switch (key_cmd) {
939	case Opt_load:	956	case Opt_load:
940	ret = key_unseal(payload, options);	957	if (tpm2)
		958	ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
		959	else
		960	ret = key_unseal(payload, options);
941	dump_payload(payload);	961	dump_payload(payload);
942	dump_options(options);	962	dump_options(options);
943	if (ret < 0)	963	if (ret < 0)
@@ -950,7 +970,10 @@ static int trusted_instantiate(struct key *key,
950	pr_info("trusted_key: key_create failed (%d)\n", ret);	970	pr_info("trusted_key: key_create failed (%d)\n", ret);
951	goto out;	971	goto out;
952	}	972	}
953	ret = key_seal(payload, options);	973	if (tpm2)
		974	ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
		975	else
		976	ret = key_seal(payload, options);
954	if (ret < 0)	977	if (ret < 0)
955	pr_info("trusted_key: key_seal failed (%d)\n", ret);	978	pr_info("trusted_key: key_seal failed (%d)\n", ret);
956	break;	979	break;
@@ -1018,6 +1041,13 @@ static int trusted_update(struct key key, struct key_preparsed_payload prep)
1018	kfree(new_p);	1041	kfree(new_p);
1019	goto out;	1042	goto out;
1020	}	1043	}
		1044
		1045	if (!new_o->keyhandle) {
		1046	ret = -EINVAL;
		1047	kfree(new_p);
		1048	goto out;
		1049	}
		1050
1021	/* copy old key values, and reseal with new pcrs */	1051	/* copy old key values, and reseal with new pcrs */
1022	new_p->migratable = p->migratable;	1052	new_p->migratable = p->migratable;
1023	new_p->key_len = p->key_len;	1053	new_p->key_len = p->key_len;