1// SPDX-License-Identifier: GPL-2.0
2#define pr_fmt(fmt) "ASYM-TPM: "fmt
3#include <linux/slab.h>
4#include <linux/module.h>
5#include <linux/export.h>
6#include <linux/kernel.h>
7#include <linux/seq_file.h>
8#include <linux/scatterlist.h>
9#include <linux/tpm.h>
10#include <linux/tpm_command.h>
11#include <crypto/akcipher.h>
12#include <crypto/hash.h>
13#include <crypto/sha.h>
14#include <asm/unaligned.h>
15#include <keys/asymmetric-subtype.h>
16#include <keys/trusted.h>
17#include <crypto/asym_tpm_subtype.h>
18#include <crypto/public_key.h>
19
20#define TPM_ORD_FLUSHSPECIFIC 186
21#define TPM_ORD_LOADKEY2 65
22#define TPM_ORD_UNBIND 30
23#define TPM_ORD_SIGN 60
24#define TPM_LOADKEY2_SIZE 59
25#define TPM_FLUSHSPECIFIC_SIZE 18
26#define TPM_UNBIND_SIZE 63
27#define TPM_SIGN_SIZE 63
28
29#define TPM_RT_KEY 0x00000001
30
31/*
32 * Load a TPM key from the blob provided by userspace
33 */
34static int tpm_loadkey2(struct tpm_buf *tb,
35 uint32_t keyhandle, unsigned char *keyauth,
36 const unsigned char *keyblob, int keybloblen,
37 uint32_t *newhandle)
38{
39 unsigned char nonceodd[TPM_NONCE_SIZE];
40 unsigned char enonce[TPM_NONCE_SIZE];
41 unsigned char authdata[SHA1_DIGEST_SIZE];
42 uint32_t authhandle = 0;
43 unsigned char cont = 0;
44 uint32_t ordinal;
45 int ret;
46
47 ordinal = htonl(TPM_ORD_LOADKEY2);
48
49 /* session for loading the key */
50 ret = oiap(tb, &authhandle, enonce);
51 if (ret < 0) {
52 pr_info("oiap failed (%d)\n", ret);
53 return ret;
54 }
55
56 /* generate odd nonce */
57 ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
58 if (ret < 0) {
59 pr_info("tpm_get_random failed (%d)\n", ret);
60 return ret;
61 }
62
63 /* calculate authorization HMAC value */
64 ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
65 nonceodd, cont, sizeof(uint32_t), &ordinal,
66 keybloblen, keyblob, 0, 0);
67 if (ret < 0)
68 return ret;
69
70 /* build the request buffer */
71 INIT_BUF(tb);
72 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
73 store32(tb, TPM_LOADKEY2_SIZE + keybloblen);
74 store32(tb, TPM_ORD_LOADKEY2);
75 store32(tb, keyhandle);
76 storebytes(tb, keyblob, keybloblen);
77 store32(tb, authhandle);
78 storebytes(tb, nonceodd, TPM_NONCE_SIZE);
79 store8(tb, cont);
80 storebytes(tb, authdata, SHA1_DIGEST_SIZE);
81
82 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
83 if (ret < 0) {
84 pr_info("authhmac failed (%d)\n", ret);
85 return ret;
86 }
87
88 ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth,
89 SHA1_DIGEST_SIZE, 0, 0);
90 if (ret < 0) {
91 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
92 return ret;
93 }
94
95 *newhandle = LOAD32(tb->data, TPM_DATA_OFFSET);
96 return 0;
97}
98
99/*
100 * Execute the FlushSpecific TPM command
101 */
102static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle)
103{
104 INIT_BUF(tb);
105 store16(tb, TPM_TAG_RQU_COMMAND);
106 store32(tb, TPM_FLUSHSPECIFIC_SIZE);
107 store32(tb, TPM_ORD_FLUSHSPECIFIC);
108 store32(tb, handle);
109 store32(tb, TPM_RT_KEY);
110
111 return trusted_tpm_send(tb->data, MAX_BUF_SIZE);
112}
113
114/*
115 * Decrypt a blob provided by userspace using a specific key handle.
116 * The handle is a well known handle or previously loaded by e.g. LoadKey2
117 */
118static int tpm_unbind(struct tpm_buf *tb,
119 uint32_t keyhandle, unsigned char *keyauth,
120 const unsigned char *blob, uint32_t bloblen,
121 void *out, uint32_t outlen)
122{
123 unsigned char nonceodd[TPM_NONCE_SIZE];
124 unsigned char enonce[TPM_NONCE_SIZE];
125 unsigned char authdata[SHA1_DIGEST_SIZE];
126 uint32_t authhandle = 0;
127 unsigned char cont = 0;
128 uint32_t ordinal;
129 uint32_t datalen;
130 int ret;
131
132 ordinal = htonl(TPM_ORD_UNBIND);
133 datalen = htonl(bloblen);
134
135 /* session for loading the key */
136 ret = oiap(tb, &authhandle, enonce);
137 if (ret < 0) {
138 pr_info("oiap failed (%d)\n", ret);
139 return ret;
140 }
141
142 /* generate odd nonce */
143 ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
144 if (ret < 0) {
145 pr_info("tpm_get_random failed (%d)\n", ret);
146 return ret;
147 }
148
149 /* calculate authorization HMAC value */
150 ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
151 nonceodd, cont, sizeof(uint32_t), &ordinal,
152 sizeof(uint32_t), &datalen,
153 bloblen, blob, 0, 0);
154 if (ret < 0)
155 return ret;
156
157 /* build the request buffer */
158 INIT_BUF(tb);
159 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
160 store32(tb, TPM_UNBIND_SIZE + bloblen);
161 store32(tb, TPM_ORD_UNBIND);
162 store32(tb, keyhandle);
163 store32(tb, bloblen);
164 storebytes(tb, blob, bloblen);
165 store32(tb, authhandle);
166 storebytes(tb, nonceodd, TPM_NONCE_SIZE);
167 store8(tb, cont);
168 storebytes(tb, authdata, SHA1_DIGEST_SIZE);
169
170 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
171 if (ret < 0) {
172 pr_info("authhmac failed (%d)\n", ret);
173 return ret;
174 }
175
176 datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
177
178 ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
179 keyauth, SHA1_DIGEST_SIZE,
180 sizeof(uint32_t), TPM_DATA_OFFSET,
181 datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
182 0, 0);
183 if (ret < 0) {
184 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
185 return ret;
186 }
187
188 memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
189 min(outlen, datalen));
190
191 return datalen;
192}
193
194/*
195 * Sign a blob provided by userspace (that has had the hash function applied)
196 * using a specific key handle. The handle is assumed to have been previously
197 * loaded by e.g. LoadKey2.
198 *
199 * Note that the key signature scheme of the used key should be set to
200 * TPM_SS_RSASSAPKCS1v15_DER. This allows the hashed input to be of any size
201 * up to key_length_in_bytes - 11 and not be limited to size 20 like the
202 * TPM_SS_RSASSAPKCS1v15_SHA1 signature scheme.
203 */
204static int tpm_sign(struct tpm_buf *tb,
205 uint32_t keyhandle, unsigned char *keyauth,
206 const unsigned char *blob, uint32_t bloblen,
207 void *out, uint32_t outlen)
208{
209 unsigned char nonceodd[TPM_NONCE_SIZE];
210 unsigned char enonce[TPM_NONCE_SIZE];
211 unsigned char authdata[SHA1_DIGEST_SIZE];
212 uint32_t authhandle = 0;
213 unsigned char cont = 0;
214 uint32_t ordinal;
215 uint32_t datalen;
216 int ret;
217
218 ordinal = htonl(TPM_ORD_SIGN);
219 datalen = htonl(bloblen);
220
221 /* session for loading the key */
222 ret = oiap(tb, &authhandle, enonce);
223 if (ret < 0) {
224 pr_info("oiap failed (%d)\n", ret);
225 return ret;
226 }
227
228 /* generate odd nonce */
229 ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
230 if (ret < 0) {
231 pr_info("tpm_get_random failed (%d)\n", ret);
232 return ret;
233 }
234
235 /* calculate authorization HMAC value */
236 ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
237 nonceodd, cont, sizeof(uint32_t), &ordinal,
238 sizeof(uint32_t), &datalen,
239 bloblen, blob, 0, 0);
240 if (ret < 0)
241 return ret;
242
243 /* build the request buffer */
244 INIT_BUF(tb);
245 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
246 store32(tb, TPM_SIGN_SIZE + bloblen);
247 store32(tb, TPM_ORD_SIGN);
248 store32(tb, keyhandle);
249 store32(tb, bloblen);
250 storebytes(tb, blob, bloblen);
251 store32(tb, authhandle);
252 storebytes(tb, nonceodd, TPM_NONCE_SIZE);
253 store8(tb, cont);
254 storebytes(tb, authdata, SHA1_DIGEST_SIZE);
255
256 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
257 if (ret < 0) {
258 pr_info("authhmac failed (%d)\n", ret);
259 return ret;
260 }
261
262 datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
263
264 ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
265 keyauth, SHA1_DIGEST_SIZE,
266 sizeof(uint32_t), TPM_DATA_OFFSET,
267 datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
268 0, 0);
269 if (ret < 0) {
270 pr_info("TSS_checkhmac1 failed (%d)\n", ret);
271 return ret;
272 }
273
274 memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
275 min(datalen, outlen));
276
277 return datalen;
278}
279/*
280 * Maximum buffer size for the BER/DER encoded public key. The public key
281 * is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048
282 * bit key and e is usually 65537
283 * The encoding overhead is:
284 * - max 4 bytes for SEQUENCE
285 * - max 4 bytes for INTEGER n type/length
286 * - 257 bytes of n
287 * - max 2 bytes for INTEGER e type/length
288 * - 3 bytes of e
289 */
290#define PUB_KEY_BUF_SIZE (4 + 4 + 257 + 2 + 3)
291
292/*
293 * Provide a part of a description of the key for /proc/keys.
294 */
295static void asym_tpm_describe(const struct key *asymmetric_key,
296 struct seq_file *m)
297{
298 struct tpm_key *tk = asymmetric_key->payload.data[asym_crypto];
299
300 if (!tk)
301 return;
302
303 seq_printf(m, "TPM1.2/Blob");
304}
305
306static void asym_tpm_destroy(void *payload0, void *payload3)
307{
308 struct tpm_key *tk = payload0;
309
310 if (!tk)
311 return;
312
313 kfree(tk->blob);
314 tk->blob_len = 0;
315
316 kfree(tk);
317}
318
319/* How many bytes will it take to encode the length */
320static inline uint32_t definite_length(uint32_t len)
321{
322 if (len <= 127)
323 return 1;
324 if (len <= 255)
325 return 2;
326 return 3;
327}
328
329static inline uint8_t *encode_tag_length(uint8_t *buf, uint8_t tag,
330 uint32_t len)
331{
332 *buf++ = tag;
333
334 if (len <= 127) {
335 buf[0] = len;
336 return buf + 1;
337 }
338
339 if (len <= 255) {
340 buf[0] = 0x81;
341 buf[1] = len;
342 return buf + 2;
343 }
344
345 buf[0] = 0x82;
346 put_unaligned_be16(len, buf + 1);
347 return buf + 3;
348}
349
350static uint32_t derive_pub_key(const void *pub_key, uint32_t len, uint8_t *buf)
351{
352 uint8_t *cur = buf;
353 uint32_t n_len = definite_length(len) + 1 + len + 1;
354 uint32_t e_len = definite_length(3) + 1 + 3;
355 uint8_t e[3] = { 0x01, 0x00, 0x01 };
356
357 /* SEQUENCE */
358 cur = encode_tag_length(cur, 0x30, n_len + e_len);
359 /* INTEGER n */
360 cur = encode_tag_length(cur, 0x02, len + 1);
361 cur[0] = 0x00;
362 memcpy(cur + 1, pub_key, len);
363 cur += len + 1;
364 cur = encode_tag_length(cur, 0x02, sizeof(e));
365 memcpy(cur, e, sizeof(e));
366 cur += sizeof(e);
367
368 return cur - buf;
369}
370
371/*
372 * Determine the crypto algorithm name.
373 */
374static int determine_akcipher(const char *encoding, const char *hash_algo,
375 char alg_name[CRYPTO_MAX_ALG_NAME])
376{
377 if (strcmp(encoding, "pkcs1") == 0) {
378 if (!hash_algo) {
379 strcpy(alg_name, "pkcs1pad(rsa)");
380 return 0;
381 }
382
383 if (snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "pkcs1pad(rsa,%s)",
384 hash_algo) >= CRYPTO_MAX_ALG_NAME)
385 return -EINVAL;
386
387 return 0;
388 }
389
390 if (strcmp(encoding, "raw") == 0) {
391 strcpy(alg_name, "rsa");
392 return 0;
393 }
394
395 return -ENOPKG;
396}
397
398/*
399 * Query information about a key.
400 */
401static int tpm_key_query(const struct kernel_pkey_params *params,
402 struct kernel_pkey_query *info)
403{
404 struct tpm_key *tk = params->key->payload.data[asym_crypto];
405 int ret;
406 char alg_name[CRYPTO_MAX_ALG_NAME];
407 struct crypto_akcipher *tfm;
408 uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
409 uint32_t der_pub_key_len;
410 int len;
411
412 /* TPM only works on private keys, public keys still done in software */
413 ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
414 if (ret < 0)
415 return ret;
416
417 tfm = crypto_alloc_akcipher(alg_name, 0, 0);
418 if (IS_ERR(tfm))
419 return PTR_ERR(tfm);
420
421 der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
422 der_pub_key);
423
424 ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
425 if (ret < 0)
426 goto error_free_tfm;
427
428 len = crypto_akcipher_maxsize(tfm);
429
430 info->key_size = tk->key_len;
431 info->max_data_size = tk->key_len / 8;
432 info->max_sig_size = len;
433 info->max_enc_size = len;
434 info->max_dec_size = tk->key_len / 8;
435
436 info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT |
437 KEYCTL_SUPPORTS_DECRYPT |
438 KEYCTL_SUPPORTS_VERIFY |
439 KEYCTL_SUPPORTS_SIGN;
440
441 ret = 0;
442error_free_tfm:
443 crypto_free_akcipher(tfm);
444 pr_devel("<==%s() = %d\n", __func__, ret);
445 return ret;
446}
447
448/*
449 * Encryption operation is performed with the public key. Hence it is done
450 * in software
451 */
452static int tpm_key_encrypt(struct tpm_key *tk,
453 struct kernel_pkey_params *params,
454 const void *in, void *out)
455{
456 char alg_name[CRYPTO_MAX_ALG_NAME];
457 struct crypto_akcipher *tfm;
458 struct akcipher_request *req;
459 struct crypto_wait cwait;
460 struct scatterlist in_sg, out_sg;
461 uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
462 uint32_t der_pub_key_len;
463 int ret;
464
465 pr_devel("==>%s()\n", __func__);
466
467 ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
468 if (ret < 0)
469 return ret;
470
471 tfm = crypto_alloc_akcipher(alg_name, 0, 0);
472 if (IS_ERR(tfm))
473 return PTR_ERR(tfm);
474
475 der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
476 der_pub_key);
477
478 ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
479 if (ret < 0)
480 goto error_free_tfm;
481
482 req = akcipher_request_alloc(tfm, GFP_KERNEL);
483 if (!req)
484 goto error_free_tfm;
485
486 sg_init_one(&in_sg, in, params->in_len);
487 sg_init_one(&out_sg, out, params->out_len);
488 akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
489 params->out_len);
490 crypto_init_wait(&cwait);
491 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
492 CRYPTO_TFM_REQ_MAY_SLEEP,
493 crypto_req_done, &cwait);
494
495 ret = crypto_akcipher_encrypt(req);
496 ret = crypto_wait_req(ret, &cwait);
497
498 if (ret == 0)
499 ret = req->dst_len;
500
501 akcipher_request_free(req);
502error_free_tfm:
503 crypto_free_akcipher(tfm);
504 pr_devel("<==%s() = %d\n", __func__, ret);
505 return ret;
506}
507
508/*
509 * Decryption operation is performed with the private key in the TPM.
510 */
511static int tpm_key_decrypt(struct tpm_key *tk,
512 struct kernel_pkey_params *params,
513 const void *in, void *out)
514{
515 struct tpm_buf *tb;
516 uint32_t keyhandle;
517 uint8_t srkauth[SHA1_DIGEST_SIZE];
518 uint8_t keyauth[SHA1_DIGEST_SIZE];
519 int r;
520
521 pr_devel("==>%s()\n", __func__);
522
523 if (params->hash_algo)
524 return -ENOPKG;
525
526 if (strcmp(params->encoding, "pkcs1"))
527 return -ENOPKG;
528
529 tb = kzalloc(sizeof(*tb), GFP_KERNEL);
530 if (!tb)
531 return -ENOMEM;
532
533 /* TODO: Handle a non-all zero SRK authorization */
534 memset(srkauth, 0, sizeof(srkauth));
535
536 r = tpm_loadkey2(tb, SRKHANDLE, srkauth,
537 tk->blob, tk->blob_len, &keyhandle);
538 if (r < 0) {
539 pr_devel("loadkey2 failed (%d)\n", r);
540 goto error;
541 }
542
543 /* TODO: Handle a non-all zero key authorization */
544 memset(keyauth, 0, sizeof(keyauth));
545
546 r = tpm_unbind(tb, keyhandle, keyauth,
547 in, params->in_len, out, params->out_len);
548 if (r < 0)
549 pr_devel("tpm_unbind failed (%d)\n", r);
550
551 if (tpm_flushspecific(tb, keyhandle) < 0)
552 pr_devel("flushspecific failed (%d)\n", r);
553
554error:
555 kzfree(tb);
556 pr_devel("<==%s() = %d\n", __func__, r);
557 return r;
558}
559
560/*
561 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
562 */
563static const u8 digest_info_md5[] = {
564 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
565 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
566 0x05, 0x00, 0x04, 0x10
567};
568
569static const u8 digest_info_sha1[] = {
570 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
571 0x2b, 0x0e, 0x03, 0x02, 0x1a,
572 0x05, 0x00, 0x04, 0x14
573};
574
575static const u8 digest_info_rmd160[] = {
576 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
577 0x2b, 0x24, 0x03, 0x02, 0x01,
578 0x05, 0x00, 0x04, 0x14
579};
580
581static const u8 digest_info_sha224[] = {
582 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
583 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
584 0x05, 0x00, 0x04, 0x1c
585};
586
587static const u8 digest_info_sha256[] = {
588 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
589 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
590 0x05, 0x00, 0x04, 0x20
591};
592
593static const u8 digest_info_sha384[] = {
594 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
595 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
596 0x05, 0x00, 0x04, 0x30
597};
598
599static const u8 digest_info_sha512[] = {
600 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
601 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
602 0x05, 0x00, 0x04, 0x40
603};
604
605static const struct asn1_template {
606 const char *name;
607 const u8 *data;
608 size_t size;
609} asn1_templates[] = {
610#define _(X) { #X, digest_info_##X, sizeof(digest_info_##X) }
611 _(md5),
612 _(sha1),
613 _(rmd160),
614 _(sha256),
615 _(sha384),
616 _(sha512),
617 _(sha224),
618 { NULL }
619#undef _
620};
621
622static const struct asn1_template *lookup_asn1(const char *name)
623{
624 const struct asn1_template *p;
625
626 for (p = asn1_templates; p->name; p++)
627 if (strcmp(name, p->name) == 0)
628 return p;
629 return NULL;
630}
631
632/*
633 * Sign operation is performed with the private key in the TPM.
634 */
635static int tpm_key_sign(struct tpm_key *tk,
636 struct kernel_pkey_params *params,
637 const void *in, void *out)
638{
639 struct tpm_buf *tb;
640 uint32_t keyhandle;
641 uint8_t srkauth[SHA1_DIGEST_SIZE];
642 uint8_t keyauth[SHA1_DIGEST_SIZE];
643 void *asn1_wrapped = NULL;
644 uint32_t in_len = params->in_len;
645 int r;
646
647 pr_devel("==>%s()\n", __func__);
648
649 if (strcmp(params->encoding, "pkcs1"))
650 return -ENOPKG;
651
652 if (params->hash_algo) {
653 const struct asn1_template *asn1 =
654 lookup_asn1(params->hash_algo);
655
656 if (!asn1)
657 return -ENOPKG;
658
659 /* request enough space for the ASN.1 template + input hash */
660 asn1_wrapped = kzalloc(in_len + asn1->size, GFP_KERNEL);
661 if (!asn1_wrapped)
662 return -ENOMEM;
663
664 /* Copy ASN.1 template, then the input */
665 memcpy(asn1_wrapped, asn1->data, asn1->size);
666 memcpy(asn1_wrapped + asn1->size, in, in_len);
667
668 in = asn1_wrapped;
669 in_len += asn1->size;
670 }
671
672 if (in_len > tk->key_len / 8 - 11) {
673 r = -EOVERFLOW;
674 goto error_free_asn1_wrapped;
675 }
676
677 r = -ENOMEM;
678 tb = kzalloc(sizeof(*tb), GFP_KERNEL);
679 if (!tb)
680 goto error_free_asn1_wrapped;
681
682 /* TODO: Handle a non-all zero SRK authorization */
683 memset(srkauth, 0, sizeof(srkauth));
684
685 r = tpm_loadkey2(tb, SRKHANDLE, srkauth,
686 tk->blob, tk->blob_len, &keyhandle);
687 if (r < 0) {
688 pr_devel("loadkey2 failed (%d)\n", r);
689 goto error_free_tb;
690 }
691
692 /* TODO: Handle a non-all zero key authorization */
693 memset(keyauth, 0, sizeof(keyauth));
694
695 r = tpm_sign(tb, keyhandle, keyauth, in, in_len, out, params->out_len);
696 if (r < 0)
697 pr_devel("tpm_sign failed (%d)\n", r);
698
699 if (tpm_flushspecific(tb, keyhandle) < 0)
700 pr_devel("flushspecific failed (%d)\n", r);
701
702error_free_tb:
703 kzfree(tb);
704error_free_asn1_wrapped:
705 kfree(asn1_wrapped);
706 pr_devel("<==%s() = %d\n", __func__, r);
707 return r;
708}
709
710/*
711 * Do encryption, decryption and signing ops.
712 */
713static int tpm_key_eds_op(struct kernel_pkey_params *params,
714 const void *in, void *out)
715{
716 struct tpm_key *tk = params->key->payload.data[asym_crypto];
717 int ret = -EOPNOTSUPP;
718
719 /* Perform the encryption calculation. */
720 switch (params->op) {
721 case kernel_pkey_encrypt:
722 ret = tpm_key_encrypt(tk, params, in, out);
723 break;
724 case kernel_pkey_decrypt:
725 ret = tpm_key_decrypt(tk, params, in, out);
726 break;
727 case kernel_pkey_sign:
728 ret = tpm_key_sign(tk, params, in, out);
729 break;
730 default:
731 BUG();
732 }
733
734 return ret;
735}
736
737/*
738 * Verify a signature using a public key.
739 */
740static int tpm_key_verify_signature(const struct key *key,
741 const struct public_key_signature *sig)
742{
743 const struct tpm_key *tk = key->payload.data[asym_crypto];
744 struct crypto_wait cwait;
745 struct crypto_akcipher *tfm;
746 struct akcipher_request *req;
747 struct scatterlist sig_sg, digest_sg;
748 char alg_name[CRYPTO_MAX_ALG_NAME];
749 uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
750 uint32_t der_pub_key_len;
751 void *output;
752 unsigned int outlen;
753 int ret;
754
755 pr_devel("==>%s()\n", __func__);
756
757 BUG_ON(!tk);
758 BUG_ON(!sig);
759 BUG_ON(!sig->s);
760
761 if (!sig->digest)
762 return -ENOPKG;
763
764 ret = determine_akcipher(sig->encoding, sig->hash_algo, alg_name);
765 if (ret < 0)
766 return ret;
767
768 tfm = crypto_alloc_akcipher(alg_name, 0, 0);
769 if (IS_ERR(tfm))
770 return PTR_ERR(tfm);
771
772 der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
773 der_pub_key);
774
775 ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
776 if (ret < 0)
777 goto error_free_tfm;
778
779 ret = -ENOMEM;
780 req = akcipher_request_alloc(tfm, GFP_KERNEL);
781 if (!req)
782 goto error_free_tfm;
783
784 ret = -ENOMEM;
785 outlen = crypto_akcipher_maxsize(tfm);
786 output = kmalloc(outlen, GFP_KERNEL);
787 if (!output)
788 goto error_free_req;
789
790 sg_init_one(&sig_sg, sig->s, sig->s_size);
791 sg_init_one(&digest_sg, output, outlen);
792 akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size,
793 outlen);
794 crypto_init_wait(&cwait);
795 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
796 CRYPTO_TFM_REQ_MAY_SLEEP,
797 crypto_req_done, &cwait);
798
799 /* Perform the verification calculation. This doesn't actually do the
800 * verification, but rather calculates the hash expected by the
801 * signature and returns that to us.
802 */
803 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
804 if (ret)
805 goto out_free_output;
806
807 /* Do the actual verification step. */
808 if (req->dst_len != sig->digest_size ||
809 memcmp(sig->digest, output, sig->digest_size) != 0)
810 ret = -EKEYREJECTED;
811
812out_free_output:
813 kfree(output);
814error_free_req:
815 akcipher_request_free(req);
816error_free_tfm:
817 crypto_free_akcipher(tfm);
818 pr_devel("<==%s() = %d\n", __func__, ret);
819 if (WARN_ON_ONCE(ret > 0))
820 ret = -EINVAL;
821 return ret;
822}
823
824/*
825 * Parse enough information out of TPM_KEY structure:
826 * TPM_STRUCT_VER -> 4 bytes
827 * TPM_KEY_USAGE -> 2 bytes
828 * TPM_KEY_FLAGS -> 4 bytes
829 * TPM_AUTH_DATA_USAGE -> 1 byte
830 * TPM_KEY_PARMS -> variable
831 * UINT32 PCRInfoSize -> 4 bytes
832 * BYTE* -> PCRInfoSize bytes
833 * TPM_STORE_PUBKEY
834 * UINT32 encDataSize;
835 * BYTE* -> encDataSize;
836 *
837 * TPM_KEY_PARMS:
838 * TPM_ALGORITHM_ID -> 4 bytes
839 * TPM_ENC_SCHEME -> 2 bytes
840 * TPM_SIG_SCHEME -> 2 bytes
841 * UINT32 parmSize -> 4 bytes
842 * BYTE* -> variable
843 */
844static int extract_key_parameters(struct tpm_key *tk)
845{
846 const void *cur = tk->blob;
847 uint32_t len = tk->blob_len;
848 const void *pub_key;
849 uint32_t sz;
850 uint32_t key_len;
851
852 if (len < 11)
853 return -EBADMSG;
854
855 /* Ensure this is a legacy key */
856 if (get_unaligned_be16(cur + 4) != 0x0015)
857 return -EBADMSG;
858
859 /* Skip to TPM_KEY_PARMS */
860 cur += 11;
861 len -= 11;
862
863 if (len < 12)
864 return -EBADMSG;
865
866 /* Make sure this is an RSA key */
867 if (get_unaligned_be32(cur) != 0x00000001)
868 return -EBADMSG;
869
870 /* Make sure this is TPM_ES_RSAESPKCSv15 encoding scheme */
871 if (get_unaligned_be16(cur + 4) != 0x0002)
872 return -EBADMSG;
873
874 /* Make sure this is TPM_SS_RSASSAPKCS1v15_DER signature scheme */
875 if (get_unaligned_be16(cur + 6) != 0x0003)
876 return -EBADMSG;
877
878 sz = get_unaligned_be32(cur + 8);
879 if (len < sz + 12)
880 return -EBADMSG;
881
882 /* Move to TPM_RSA_KEY_PARMS */
883 len -= 12;
884 cur += 12;
885
886 /* Grab the RSA key length */
887 key_len = get_unaligned_be32(cur);
888
889 switch (key_len) {
890 case 512:
891 case 1024:
892 case 1536:
893 case 2048:
894 break;
895 default:
896 return -EINVAL;
897 }
898
899 /* Move just past TPM_KEY_PARMS */
900 cur += sz;
901 len -= sz;
902
903 if (len < 4)
904 return -EBADMSG;
905
906 sz = get_unaligned_be32(cur);
907 if (len < 4 + sz)
908 return -EBADMSG;
909
910 /* Move to TPM_STORE_PUBKEY */
911 cur += 4 + sz;
912 len -= 4 + sz;
913
914 /* Grab the size of the public key, it should jive with the key size */
915 sz = get_unaligned_be32(cur);
916 if (sz > 256)
917 return -EINVAL;
918
919 pub_key = cur + 4;
920
921 tk->key_len = key_len;
922 tk->pub_key = pub_key;
923 tk->pub_key_len = sz;
924
925 return 0;
926}
927
928/* Given the blob, parse it and load it into the TPM */
929struct tpm_key *tpm_key_create(const void *blob, uint32_t blob_len)
930{
931 int r;
932 struct tpm_key *tk;
933
934 r = tpm_is_tpm2(NULL);
935 if (r < 0)
936 goto error;
937
938 /* We don't support TPM2 yet */
939 if (r > 0) {
940 r = -ENODEV;
941 goto error;
942 }
943
944 r = -ENOMEM;
945 tk = kzalloc(sizeof(struct tpm_key), GFP_KERNEL);
946 if (!tk)
947 goto error;
948
949 tk->blob = kmemdup(blob, blob_len, GFP_KERNEL);
950 if (!tk->blob)
951 goto error_memdup;
952
953 tk->blob_len = blob_len;
954
955 r = extract_key_parameters(tk);
956 if (r < 0)
957 goto error_extract;
958
959 return tk;
960
961error_extract:
962 kfree(tk->blob);
963 tk->blob_len = 0;
964error_memdup:
965 kfree(tk);
966error:
967 return ERR_PTR(r);
968}
969EXPORT_SYMBOL_GPL(tpm_key_create);
970
971/*
972 * TPM-based asymmetric key subtype
973 */
974struct asymmetric_key_subtype asym_tpm_subtype = {
975 .owner = THIS_MODULE,
976 .name = "asym_tpm",
977 .name_len = sizeof("asym_tpm") - 1,
978 .describe = asym_tpm_describe,
979 .destroy = asym_tpm_destroy,
980 .query = tpm_key_query,
981 .eds_op = tpm_key_eds_op,
982 .verify_signature = tpm_key_verify_signature,
983};
984EXPORT_SYMBOL_GPL(asym_tpm_subtype);
985
986MODULE_DESCRIPTION("TPM based asymmetric key subtype");
987MODULE_AUTHOR("Intel Corporation");
988MODULE_LICENSE("GPL v2");
989