From patchwork Fri Dec 9 16:06:10 2022
From: James Bottomley
To: linux-integrity@vger.kernel.org
Cc: Ard Biesheuvel, Jarkko Sakkinen, keyrings@vger.kernel.org
Subject: [PATCH 10/11] tpm: add the null key name as a sysfs export
Date: Fri, 9 Dec 2022 11:06:10 -0500
Message-Id: <20221209160611.30207-11-James.Bottomley@HansenPartnership.com>
In-Reply-To: <20221209160611.30207-1-James.Bottomley@HansenPartnership.com>
References: <20221209160611.30207-1-James.Bottomley@HansenPartnership.com>

This is the last component of encrypted tpm2 session handling that allows us to verify from userspace that the key derived from the NULL seed genuinely belongs to the TPM and has not been spoofed.

The procedure for doing this involves creating an attestation identity key (which requires verification of the TPM EK certificate) and then using that AIK to sign a certification of the Elliptic Curve key over the NULL seed. Userspace must create this EC key using the parameters prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if this is done correctly the names will match and the TPM can then run a TPM2_Certify operation on this derived primary key using the newly created AIK.

Signed-off-by: James Bottomley
---
 drivers/char/tpm/tpm-sysfs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
index 54c71473aa29..27a16addab93 100644
--- a/drivers/char/tpm/tpm-sysfs.c
+++ b/drivers/char/tpm/tpm-sysfs.c
@@ -309,6 +309,19 @@ static ssize_t tpm_version_major_show(struct device *dev, } static DEVICE_ATTR_RO(tpm_version_major); +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr, + char *buf) +{ + struct tpm_chip *chip = to_tpm_chip(dev); + int size = TPM2_NAME_SIZE; + + bin2hex(buf, chip->tpmkeyname, size); + size *= 2; + buf[size++] = '\n'; + return size; +} +static DEVICE_ATTR_RO(null_name); + static struct attribute *tpm1_dev_attrs[] = { &dev_attr_pubek.attr, &dev_attr_pcrs.attr, @@ -326,6 +339,7 @@ static struct attribute *tpm1_dev_attrs[] = { static struct attribute *tpm2_dev_attrs[] = { &dev_attr_tpm_version_major.attr, + &dev_attr_null_name.attr, NULL };
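Review bot: the first hunk adds a new userspace-visible sysfs file (null_name) but the diffstat shows only drivers/char/tpm/tpm-sysfs.c changing, so the ABI is undocumented; please add an entry to Documentation/ABI/stable/sysfs-class-tpm stating that the file is TPM 2.0 only and that its contents are the TPM2_NAME_SIZE-byte name of the NULL-seed primary, hex encoded and followed by a newline, since userspace will parse it byte for byte. Also, null_name_show() copies chip->tpmkeyname out unconditionally; nothing in the hunk shows that the name is known to be valid at this point, so if it can be unset (for example when establishing the NULL key failed earlier in the series) consider returning an error rather than exporting whatever the field holds, because a stale or zeroed name would simply fail the userspace comparison without any hint as to why.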
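The userspace side of the check the commit message describes, as an added example that is not part of this patch or of the kernel tree: it parses the value the new null_name attribute emits and compares it with the TPM 2.0 name (nameAlg followed by the nameAlg hash of the marshalled TPMT_PUBLIC) of the primary the caller created from the NULL seed. The sysfs path, TPM2_NAME_SIZE being 34 bytes (SHA-256 names), and the sample public-area bytes are assumptions made here.

```python
import hashlib
import hmac

TPM2_ALG_SHA256 = 0x000B   # TPM_ALG_ID for SHA-256, assumed to be the nameAlg in use
TPM2_NAME_SIZE = 2 + 32    # assumed: algId + SHA-256 digest, the size null_name_show() exports

# Assumed location of the attribute this patch adds (tpm2_dev_attrs hangs off the chip device).
NULL_NAME_PATH = "/sys/class/tpm/tpm0/null_name"


def parse_null_name(sysfs_text: str) -> bytes:
    """Decode the attribute: hex of TPM2_NAME_SIZE bytes followed by a trailing newline."""
    name = bytes.fromhex(sysfs_text.strip())
    if len(name) != TPM2_NAME_SIZE:
        raise ValueError(f"null_name has {len(name)} bytes, expected {TPM2_NAME_SIZE}")
    alg = int.from_bytes(name[:2], "big")
    if alg != TPM2_ALG_SHA256:
        raise ValueError(f"unsupported nameAlg 0x{alg:04x}")
    return name


def tpm2_name(public_area: bytes) -> bytes:
    """TPM 2.0 object name: nameAlg (2 bytes, big-endian) || H_nameAlg(marshalled TPMT_PUBLIC)."""
    return TPM2_ALG_SHA256.to_bytes(2, "big") + hashlib.sha256(public_area).digest()


def null_key_matches(sysfs_text: str, public_area: bytes) -> bool:
    """True only if the kernel's NULL-seed key name equals the name of the caller's primary."""
    return hmac.compare_digest(parse_null_name(sysfs_text), tpm2_name(public_area))


def check_local_tpm(public_area: bytes, path: str = NULL_NAME_PATH) -> bool:
    """Read the attribute from a running kernel and run the comparison."""
    with open(path) as f:
        return null_key_matches(f.read(), public_area)


# Constructed stand-in for the marshalled TPMT_PUBLIC of the ECC primary (only its first bytes are
# shaped like a public-area header; it is not a valid public area). A real one is the outPublic
# returned by TPM2_CreatePrimary in the NULL hierarchy with the SRK ECC template from the
# TCG provisioning guidance.
SAMPLE_PUBLIC = bytes.fromhex("0023000b00030072" + "00" * 24)
# What the attribute would read back as for that key: lowercase hex plus a newline.
SAMPLE_SYSFS = tpm2_name(SAMPLE_PUBLIC).hex() + "\n"

if __name__ == "__main__":
    print("match" if null_key_matches(SAMPLE_SYSFS, SAMPLE_PUBLIC) else "MISMATCH")
```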