diff mbox series

[v0,2/8] keys-trusted: new cmd line option added

Message ID 20221006130837.17587-3-pankaj.gupta@nxp.com (mailing list archive)
State New
Headers show
Series Hardware Bound key added to Trusted Key-Ring | expand

Commit Message

Pankaj Gupta Oct. 6, 2022, 1:08 p.m. UTC
Changes done:
- new cmd line option "hw" needs to be suffix, to generate the
  hw bound key.
  for ex:
   $:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
   $:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s
- Key-payload, is added with two more information element specific to HBK
  -- flag 'is_hw_bound'
  -- structure 'struct hw_bound_key_info hbk_info'

Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
 include/keys/trusted-type.h               |  4 ++++
 security/keys/trusted-keys/trusted_core.c | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)

Comments

Ben Boeckel Oct. 6, 2022, 12:37 p.m. UTC | #1
On Thu, Oct 06, 2022 at 18:38:31 +0530, Pankaj Gupta wrote:
> Changes done:
> - new cmd line option "hw" needs to be suffix, to generate the
>   hw bound key.

`Documentation/` is silent on this. Can you please add this there?

Other than that, is `hw` really a good name for this? Are there virtual
devices for these things that can make them not hardware in some way?
Is there a better name in such a case? Maybe something "device"
oriented?

--Ben
diff mbox series

Patch

diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..bf58a204a974 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -7,6 +7,7 @@ 
 #ifndef _KEYS_TRUSTED_TYPE_H
 #define _KEYS_TRUSTED_TYPE_H
 
+#include <linux/hw_bound_key.h>
 #include <linux/key.h>
 #include <linux/rcupdate.h>
 #include <linux/tpm.h>
@@ -22,6 +23,7 @@ 
 #define MAX_BLOB_SIZE			512
 #define MAX_PCRINFO_SIZE		64
 #define MAX_DIGEST_SIZE			64
+#define HW_BOUND_KEY                    1
 
 struct trusted_key_payload {
 	struct rcu_head rcu;
@@ -29,6 +31,8 @@  struct trusted_key_payload {
 	unsigned int blob_len;
 	unsigned char migratable;
 	unsigned char old_format;
+	unsigned char is_hw_bound;
+	struct hw_bound_key_info hbk_info;
 	unsigned char key[MAX_KEY_SIZE + 1];
 	unsigned char blob[MAX_BLOB_SIZE];
 };
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..cb1d56397ed0 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@  static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 	int key_cmd;
 	char *c;
 
+	p->is_hw_bound = !HW_BOUND_KEY;
+
 	/* main command */
 	c = strsep(datablob, " \t");
 	if (!c)
@@ -94,6 +96,13 @@  static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 		if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 			return -EINVAL;
 		p->key_len = keylen;
+		do {
+			/* Second argument onwards,
+			 * determine if tied to HW */
+			c = strsep(datablob, " \t");
+			if ((c != NULL) && (strcmp(c, "hw") == 0))
+				p->is_hw_bound = HW_BOUND_KEY;
+		} while (c != NULL);
 		ret = Opt_new;
 		break;
 	case Opt_load:
@@ -107,6 +116,13 @@  static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 		ret = hex2bin(p->blob, c, p->blob_len);
 		if (ret < 0)
 			return -EINVAL;
+		do {
+			/* Second argument onwards,
+			 * determine if tied to HW */
+			c = strsep(datablob, " \t");
+			if ((c != NULL) && (strcmp(c, "hw") == 0))
+				p->is_hw_bound = HW_BOUND_KEY;
+		} while (c != NULL);
 		ret = Opt_load;
 		break;
 	case Opt_update: