Message ID | 20210127190617.17564-4-James.Bottomley@HansenPartnership.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | TPM 2.0 trusted key rework | expand |
James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258fkeyhandle=81000001" @u
I presume there should be a space in there?
David
On Wed, 2021-02-10 at 15:58 +0000, David Howells wrote: > James Bottomley <James.Bottomley@HansenPartnership.com> wrote: > > > keyctl add trusted kmk "new 32 > > blobauth=f572d396fae9206628714fb2ce00f72e94f2258fkeyhandle=81000001 > > " @u > > I presume there should be a space in there? Um, yes. My screen wraps at 80 characters which has keyhandle= conveniently on the next line. James
On Wed, Feb 10, 2021 at 08:12:19AM -0800, James Bottomley wrote: > On Wed, 2021-02-10 at 15:58 +0000, David Howells wrote: > > James Bottomley <James.Bottomley@HansenPartnership.com> wrote: > > > > > keyctl add trusted kmk "new 32 > > > blobauth=f572d396fae9206628714fb2ce00f72e94f2258fkeyhandle=81000001 > > > " @u > > > > I presume there should be a space in there? > > Um, yes. My screen wraps at 80 characters which has keyhandle= > conveniently on the next line. > > James Please send a new revision. There was already two checkpatch errors I had to fix manually and also found 3rd issue when working with Sumit's patches: trusted-y += trusted_tpm2.o tpm2key.asn1.o Please line these up like trusted-y += trusted_tpm2.o trusted-y += tpm2key.asn1.o Is coherent with the line adding trusted_tpm1.o, and makes merging new features easier (e.g. TEE). I dropped current patches. /Jarkko
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h index a94c03a61d8f..b2ed3481c6a0 100644 --- a/include/keys/trusted-type.h +++ b/include/keys/trusted-type.h @@ -30,6 +30,7 @@ struct trusted_key_options { uint16_t keytype; uint32_t keyhandle; unsigned char keyauth[TPM_DIGEST_SIZE]; + uint32_t blobauth_len; unsigned char blobauth[TPM_DIGEST_SIZE]; uint32_t pcrinfo_len; unsigned char pcrinfo[MAX_PCRINFO_SIZE]; diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 74d82093cbaa..f81637521a04 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -781,13 +781,33 @@ static int getoptions(char *c, struct trusted_key_payload *pay, return -EINVAL; break; case Opt_blobauth: - if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE) - return -EINVAL; - res = hex2bin(opt->blobauth, args[0].from, - SHA1_DIGEST_SIZE); - if (res < 0) - return -EINVAL; + /* + * TPM 1.2 authorizations are sha1 hashes passed in as + * hex strings. TPM 2.0 authorizations are simple + * passwords (although it can take a hash as well) + */ + opt->blobauth_len = strlen(args[0].from); + + if (opt->blobauth_len == 2 * TPM_DIGEST_SIZE) { + res = hex2bin(opt->blobauth, args[0].from, + TPM_DIGEST_SIZE); + if (res < 0) + return -EINVAL; + + opt->blobauth_len = TPM_DIGEST_SIZE; + break; + } + + if (tpm2 && opt->blobauth_len <= sizeof(opt->blobauth)) { + memcpy(opt->blobauth, args[0].from, + opt->blobauth_len); + break; + } + + return -EINVAL; + break; + case Opt_migratable: if (*args[0].from == '0') pay->migratable = 0; diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 38bb33333cdf..6c6dd88d7bf6 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -91,10 +91,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip, TPM_DIGEST_SIZE); /* sensitive */ - tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); + tpm_buf_append_u16(&buf, 4 + options->blobauth_len + payload->key_len + 1); + + tpm_buf_append_u16(&buf, options->blobauth_len); + if (options->blobauth_len) + tpm_buf_append(&buf, options->blobauth, options->blobauth_len); - tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); - tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); tpm_buf_append_u16(&buf, payload->key_len + 1); tpm_buf_append(&buf, payload->key, payload->key_len); tpm_buf_append_u8(&buf, payload->migratable); @@ -258,7 +260,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, NULL /* nonce */, 0, TPM2_SA_CONTINUE_SESSION, options->blobauth /* hmac */, - TPM_DIGEST_SIZE); + options->blobauth_len); rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); if (rc > 0)