Message ID | 20191230173802.8731-4-James.Bottomley@HansenPartnership.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | TPM 2.0 trusted keys with attached policy | expand |
On Mon, 2019-12-30 at 09:37 -0800, James Bottomley wrote: > In TPM 1.2 an authorization was a 20 byte number. The spec actually > recommended you to hash variable length passwords and use the sha1 > hash as the authorization. Because the spec doesn't require this > hashing, the current authorization for trusted keys is a 40 digit hex > number. For TPM 2.0 the spec allows the passing in of variable length > passwords and passphrases directly, so we should allow that in trusted > keys for ease of use. Update the 'blobauth' parameter to take this > into account, so we can now use plain text passwords for the keys. > > so before > > keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258f" > > after: > > keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" > > Note this is both and enhancement and a potential bug fix. The TPM > 2.0 spec requires us to strip leading zeros, meaning empyty > authorization is a zero length HMAC whereas we're currently passing in > 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the > Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch > makes the Microsoft TPM emulator work with trusted keys. Even if for good reasons, you should be explicit when you make an API change that is not backwards compatible. > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > --- > include/keys/trusted-type.h | 1 + > security/keys/trusted-keys/trusted_tpm1.c | 24 +++++++++++++++++++----- > security/keys/trusted-keys/trusted_tpm2.c | 9 +++++---- > 3 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h > index a94c03a61d8f..b2ed3481c6a0 100644 > --- a/include/keys/trusted-type.h > +++ b/include/keys/trusted-type.h > @@ -30,6 +30,7 @@ struct trusted_key_options { > uint16_t keytype; > uint32_t keyhandle; > unsigned char keyauth[TPM_DIGEST_SIZE]; > + uint32_t blobauth_len; > unsigned char blobauth[TPM_DIGEST_SIZE]; > uint32_t pcrinfo_len; > unsigned char pcrinfo[MAX_PCRINFO_SIZE]; > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > index d2c5ec1e040b..ef15b6cda6ec 100644 > --- a/security/keys/trusted-keys/trusted_tpm1.c > +++ b/security/keys/trusted-keys/trusted_tpm1.c > @@ -781,12 +781,26 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > return -EINVAL; > break; > case Opt_blobauth: > - if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) > - return -EINVAL; > - res = hex2bin(opt->blobauth, args[0].from, > - SHA1_DIGEST_SIZE); > - if (res < 0) > + /* > + * TPM 1.2 authorizations are sha1 hashes > + * passed in as hex strings. TPM 2.0 > + * authorizations are simple passwords > + * (although it can take a hash as well) > + */ > + opt->blobauth_len = strlen(args[0].from); > + if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { > + res = hex2bin(opt->blobauth, args[0].from, > + TPM_DIGEST_SIZE); > + if (res < 0) > + return -EINVAL; > + opt->blobauth_len = TPM_DIGEST_SIZE; > + } else if (tpm2 && > + opt->blobauth_len <= sizeof(opt->blobauth)) { > + memcpy(opt->blobauth, args[0].from, > + opt->blobauth_len); > + } else { > return -EINVAL; > + } I don't see any reason of packing conditional statements like this even if it has been done in the past. Makes the code only exhausting to read. I'd consider moving the whole code block to a static function of its own. Please also document to that function how the passphrase is handled in TPM 1.2 and TPM 2.0 (you can derive it from you commit message description) just to remind us how it is being handled when reviewing future patches. > break; > case Opt_migratable: > if (*args[0].from == '0') > diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c > index 08ec7f48f01d..11a331a94327 100644 > --- a/security/keys/trusted-keys/trusted_tpm2.c > +++ b/security/keys/trusted-keys/trusted_tpm2.c > @@ -91,10 +91,11 @@ int tpm2_seal_trusted(struct tpm_chip *chip, > TPM_DIGEST_SIZE); > > /* sensitive */ > - tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); > + tpm_buf_append_u16(&buf, 4 + options->blobauth_len + payload->key_len + 1); > > - tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); > - tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); > + tpm_buf_append_u16(&buf, options->blobauth_len); Empty line. > + if (options->blobauth_len) > + tpm_buf_append(&buf, options->blobauth, options->blobauth_len); Empty line. > tpm_buf_append_u16(&buf, payload->key_len + 1); > tpm_buf_append(&buf, payload->key, payload->key_len); > tpm_buf_append_u8(&buf, payload->migratable); > @@ -258,7 +259,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, > NULL /* nonce */, 0, > TPM2_SA_CONTINUE_SESSION, > options->blobauth /* hmac */, > - TPM_DIGEST_SIZE); > + options->blobauth_len); > > rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); > if (rc > 0) /Jarkko
On Mon, 2020-01-06 at 23:45 +0200, Jarkko Sakkinen wrote: > On Mon, 2019-12-30 at 09:37 -0800, James Bottomley wrote: > > In TPM 1.2 an authorization was a 20 byte number. The spec actually > > recommended you to hash variable length passwords and use the sha1 > > hash as the authorization. Because the spec doesn't require this > > hashing, the current authorization for trusted keys is a 40 digit hex > > number. For TPM 2.0 the spec allows the passing in of variable length > > passwords and passphrases directly, so we should allow that in trusted > > keys for ease of use. Update the 'blobauth' parameter to take this > > into account, so we can now use plain text passwords for the keys. > > > > so before > > > > keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258f" > > > > after: > > > > keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" > > > > Note this is both and enhancement and a potential bug fix. The TPM > > 2.0 spec requires us to strip leading zeros, meaning empyty > > authorization is a zero length HMAC whereas we're currently passing in > > 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the > > Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch > > makes the Microsoft TPM emulator work with trusted keys. > > Even if for good reasons, you should be explicit when you make an API > change that is not backwards compatible. Also you have illformed abbrevation in your short summary. Should be TPM2, not tpm2. /Jarkko
On Mon, 2020-01-06 at 23:45 +0200, Jarkko Sakkinen wrote: > On Mon, 2019-12-30 at 09:37 -0800, James Bottomley wrote: > > In TPM 1.2 an authorization was a 20 byte number. The spec > > actually > > recommended you to hash variable length passwords and use the sha1 > > hash as the authorization. Because the spec doesn't require this > > hashing, the current authorization for trusted keys is a 40 digit > > hex number. For TPM 2.0 the spec allows the passing in of variable > > length passwords and passphrases directly, so we should allow that > > in trusted keys for ease of use. Update the 'blobauth' parameter > > to take this into account, so we can now use plain text passwords > > for the keys. > > > > so before > > > > keyctl add trusted kmk "new 32 > > blobauth=f572d396fae9206628714fb2ce00f72e94f2258f" > > > > after: > > > > keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" > > > > Note this is both and enhancement and a potential bug fix. The TPM > > 2.0 spec requires us to strip leading zeros, meaning empyty > > authorization is a zero length HMAC whereas we're currently passing > > in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but > > the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this > > patch makes the Microsoft TPM emulator work with trusted keys. > > Even if for good reasons, you should be explicit when you make an API > change that is not backwards compatible. This change should be backwards compatible. I've got a set of TPMs, one of which works both before and after and another which doesn't work before but does after, so all it does is increase the set of TPMs that work with the authorizations i.e. if the TPM worked before, it continues to work after. I think what happens in the TPMs that work before is that they explicily remove trailing zeros and ones that don't work before don't. Actually, the before form (20 hex bytes) still works in the after case ... I'll make that clear in the commit message. James
On Mon, 2020-01-06 at 17:08 -0800, James Bottomley wrote: > > Even if for good reasons, you should be explicit when you make an API > > change that is not backwards compatible. > > This change should be backwards compatible. I've got a set of TPMs, > one of which works both before and after and another which doesn't work > before but does after, so all it does is increase the set of TPMs that > work with the authorizations i.e. if the TPM worked before, it > continues to work after. > > I think what happens in the TPMs that work before is that they > explicily remove trailing zeros and ones that don't work before don't. > > Actually, the before form (20 hex bytes) still works in the after case > ... I'll make that clear in the commit message. OK, got it, thanks! Yeah, obviously would not hurt to be bit more explicit. /Jarkko
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h index a94c03a61d8f..b2ed3481c6a0 100644 --- a/include/keys/trusted-type.h +++ b/include/keys/trusted-type.h @@ -30,6 +30,7 @@ struct trusted_key_options { uint16_t keytype; uint32_t keyhandle; unsigned char keyauth[TPM_DIGEST_SIZE]; + uint32_t blobauth_len; unsigned char blobauth[TPM_DIGEST_SIZE]; uint32_t pcrinfo_len; unsigned char pcrinfo[MAX_PCRINFO_SIZE]; diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index d2c5ec1e040b..ef15b6cda6ec 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -781,12 +781,26 @@ static int getoptions(char *c, struct trusted_key_payload *pay, return -EINVAL; break; case Opt_blobauth: - if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) - return -EINVAL; - res = hex2bin(opt->blobauth, args[0].from, - SHA1_DIGEST_SIZE); - if (res < 0) + /* + * TPM 1.2 authorizations are sha1 hashes + * passed in as hex strings. TPM 2.0 + * authorizations are simple passwords + * (although it can take a hash as well) + */ + opt->blobauth_len = strlen(args[0].from); + if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { + res = hex2bin(opt->blobauth, args[0].from, + TPM_DIGEST_SIZE); + if (res < 0) + return -EINVAL; + opt->blobauth_len = TPM_DIGEST_SIZE; + } else if (tpm2 && + opt->blobauth_len <= sizeof(opt->blobauth)) { + memcpy(opt->blobauth, args[0].from, + opt->blobauth_len); + } else { return -EINVAL; + } break; case Opt_migratable: if (*args[0].from == '0') diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 08ec7f48f01d..11a331a94327 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -91,10 +91,11 @@ int tpm2_seal_trusted(struct tpm_chip *chip, TPM_DIGEST_SIZE); /* sensitive */ - tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); + tpm_buf_append_u16(&buf, 4 + options->blobauth_len + payload->key_len + 1); - tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); - tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); + tpm_buf_append_u16(&buf, options->blobauth_len); + if (options->blobauth_len) + tpm_buf_append(&buf, options->blobauth, options->blobauth_len); tpm_buf_append_u16(&buf, payload->key_len + 1); tpm_buf_append(&buf, payload->key, payload->key_len); tpm_buf_append_u8(&buf, payload->migratable); @@ -258,7 +259,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, NULL /* nonce */, 0, TPM2_SA_CONTINUE_SESSION, options->blobauth /* hmac */, - TPM_DIGEST_SIZE); + options->blobauth_len); rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); if (rc > 0)
In TPM 1.2 an authorization was a 20 byte number. The spec actually recommended you to hash variable length passwords and use the sha1 hash as the authorization. Because the spec doesn't require this hashing, the current authorization for trusted keys is a 40 digit hex number. For TPM 2.0 the spec allows the passing in of variable length passwords and passphrases directly, so we should allow that in trusted keys for ease of use. Update the 'blobauth' parameter to take this into account, so we can now use plain text passwords for the keys. so before keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258f" after: keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" Note this is both and enhancement and a potential bug fix. The TPM 2.0 spec requires us to strip leading zeros, meaning empyty authorization is a zero length HMAC whereas we're currently passing in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch makes the Microsoft TPM emulator work with trusted keys. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> --- include/keys/trusted-type.h | 1 + security/keys/trusted-keys/trusted_tpm1.c | 24 +++++++++++++++++++----- security/keys/trusted-keys/trusted_tpm2.c | 9 +++++---- 3 files changed, 25 insertions(+), 9 deletions(-)