Re: [PATCH 2/6] tpm: add policy sessions

["Jarkko Sakkinen" <jarkko@kernel.org>]

Please rewrite short summray to something understandable. Perhaps
"tpm: authenticated policy sessions for TPM2" would be more to
the point.

On Fri May 24, 2024 at 4:04 PM EEST, James Bottomley wrote:
> TPM security uses hmac sessions to implement data protection and
  TPM2 sessions use HMAC ...

> integrity.  The hash algorithm of these sessions isn't exposed to the
> user (and doesn't depend on the object being authorized) so it is

Either remove the text in parentheses or rewrite it as a separate
sentence if it is relevant.

> currently fixed at a safe sha256.  Policy sessions may also be used
                            SHA-256

> for the same purpose and in addition, they can be used to express a
> rich policy language.  However, the session hash of policy sessions is
> defined to be the same as the name algorithm of the TPM object they're
> operating on, so we must update the session code to allow a variable

No information about the TPM object in question, which means no
rationale to bundle variable digest size to this patch. I know that
null key uses SHA-256 as name algorithm:

	/* name algorithm */
	if (val != TPM_ALG_SHA256)
		return -EINVAL;
	val = tpm_buf_read_u32(buf, &offset_t);

Please state what other TPM object might be in question.

Also, describe your changes in imperative form. This is also stated in
SubmittingPatches.

> hash algorithm instead of the fixed sha256 one.  Note that while this
> affects most of the code, the KDFe algorithm still uses a fixed sha256
> algorithm because it is define to follow the name algorithm of the
> salt encryption key (which is a key we derive from the null seed and
> set its name algorithm to sha256).

Split the long description to two paragraphs: one that describes the
motivation and one that describes the solution.

>
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> ---
>  drivers/char/tpm/tpm2-sessions.c | 307 +++++++++++++++++++------------
>  include/linux/tpm.h              |   6 +
>  2 files changed, 200 insertions(+), 113 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> index ea8860661876..63c175b2165c 100644
> --- a/drivers/char/tpm/tpm2-sessions.c
> +++ b/drivers/char/tpm/tpm2-sessions.c
> @@ -105,10 +105,10 @@ struct tpm2_auth {
>  	/*
>  	 * the size here is variable and set by the size of our_nonce
>  	 * which must be between 16 and the name hash length. we set
> -	 * the maximum sha256 size for the greatest protection
> +	 * the maximum hash size for the greatest protection
>  	 */
> -	u8 our_nonce[SHA256_DIGEST_SIZE];
> -	u8 tpm_nonce[SHA256_DIGEST_SIZE];
> +	u8 our_nonce[HASH_MAX_DIGESTSIZE];
> +	u8 tpm_nonce[HASH_MAX_DIGESTSIZE];
>  	/*
>  	 * the salt is only used across the session command/response
>  	 * after that it can be used as a scratch area
> @@ -119,17 +119,15 @@ struct tpm2_auth {
>  		u8 scratch[AES_KEY_BYTES + AES_BLOCK_SIZE];
>  	};
>  	/*
> -	 * the session key and passphrase are the same size as the
> -	 * name digest (sha256 again).  The session key is constant
> -	 * for the use of the session and the passphrase can change
> -	 * with every invocation.
> -	 *
> -	 * Note: these fields must be adjacent and in this order
> -	 * because several HMAC/KDF schemes use the combination of the
> -	 * session_key and passphrase.
> +	 * The session_key and passphrase must be next to each other
> +	 * to allow us to hash them as a unit.  With a variable hash,
> +	 * this means that the passphrase must occur exactly one hash
> +	 * size after the session_key, so make session_key house both
> +	 * and passphrase is a pointer into where the passphrase
> +	 * begins in session_key.
>  	 */
> -	u8 session_key[SHA256_DIGEST_SIZE];
> -	u8 passphrase[SHA256_DIGEST_SIZE];
> +	u8 session_key[2*HASH_MAX_DIGESTSIZE];
> +	u8 *passphrase;
>  	int passphrase_len;
>  	struct crypto_aes_ctx aes_ctx;
>  	/* saved session attributes: */
> @@ -142,7 +140,8 @@ struct tpm2_auth {
>  	 * we must compute and remember
>  	 */
>  	u32 name_h[AUTH_MAX_NAMES];
> -	u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
> +	u8 name[AUTH_MAX_NAMES][2 + HASH_MAX_DIGESTSIZE];
> +	struct crypto_shash *tfm;
>  };
>  
>  /*
> @@ -161,34 +160,36 @@ static u8 name_size(const u8 *name)
>  }
>  
>  /*
> - * It turns out the crypto hmac(sha256) is hard for us to consume
> + * It turns out the crypto hmac(shaX) is hard for us to consume
>   * because it assumes a fixed key and the TPM seems to change the key
>   * on every operation, so we weld the hmac init and final functions in
>   * here to give it the same usage characteristics as a regular hash
>   */
> -static void tpm2_hmac_init(struct sha256_state *sctx, u8 *key, u32 key_len)
> +static void tpm2_hmac_init(struct shash_desc *sdesc, u8 *key, u32 key_len)
>  {
> -	u8 pad[SHA256_BLOCK_SIZE];
> +	const int block_size = crypto_shash_blocksize(sdesc->tfm);
> +	u8 pad[SHA512_BLOCK_SIZE];
>  	int i;
>  
> -	sha256_init(sctx);
> -	for (i = 0; i < sizeof(pad); i++) {
> +	crypto_shash_init(sdesc);
> +	for (i = 0; i < block_size; i++) {
>  		if (i < key_len)
>  			pad[i] = key[i];
>  		else
>  			pad[i] = 0;
>  		pad[i] ^= HMAC_IPAD_VALUE;
>  	}
> -	sha256_update(sctx, pad, sizeof(pad));
> +	crypto_shash_update(sdesc, pad, block_size);
>  }
>  
> -static void tpm2_hmac_final(struct sha256_state *sctx, u8 *key, u32 key_len,
> +static void tpm2_hmac_final(struct shash_desc *sdesc, u8 *key, u32 key_len,
>  			    u8 *out)
>  {
> -	u8 pad[SHA256_BLOCK_SIZE];
> +	const int block_size = crypto_shash_blocksize(sdesc->tfm);
> +	u8 pad[SHA512_BLOCK_SIZE];
>  	int i;
>  
> -	for (i = 0; i < sizeof(pad); i++) {
> +	for (i = 0; i < block_size; i++) {
>  		if (i < key_len)
>  			pad[i] = key[i];
>  		else
> @@ -197,35 +198,42 @@ static void tpm2_hmac_final(struct sha256_state *sctx, u8 *key, u32 key_len,
>  	}
>  
>  	/* collect the final hash;  use out as temporary storage */
> -	sha256_final(sctx, out);
> +	crypto_shash_final(sdesc, out);
>  
> -	sha256_init(sctx);
> -	sha256_update(sctx, pad, sizeof(pad));
> -	sha256_update(sctx, out, SHA256_DIGEST_SIZE);
> -	sha256_final(sctx, out);
> +	crypto_shash_init(sdesc);
> +	crypto_shash_update(sdesc, pad, block_size);
> +	crypto_shash_update(sdesc, out, crypto_shash_digestsize(sdesc->tfm));
> +	crypto_shash_final(sdesc, out);
>  }
>  
>  /*
> - * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
> + * assume hash sha256 and nonces u, v of hash digest size but
>   * otherwise standard tpm2_KDFa.  Note output is in bytes not bits.
>   */
>  static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
> -		      u8 *v, u32 bytes, u8 *out)
> +		      u8 *v, u32 bytes, u8 *out, struct shash_desc *sdesc)
>  {
>  	u32 counter = 1;
>  	const __be32 bits = cpu_to_be32(bytes * 8);
> +	const int digest_size = crypto_shash_digestsize(sdesc->tfm);
>  
>  	while (bytes > 0) {
> -		struct sha256_state sctx;
>  		__be32 c = cpu_to_be32(counter);
>  
> -		tpm2_hmac_init(&sctx, key, key_len);
> -		sha256_update(&sctx, (u8 *)&c, sizeof(c));
> -		sha256_update(&sctx, label, strlen(label)+1);
> -		sha256_update(&sctx, u, SHA256_DIGEST_SIZE);
> -		sha256_update(&sctx, v, SHA256_DIGEST_SIZE);
> -		sha256_update(&sctx, (u8 *)&bits, sizeof(bits));
> -		tpm2_hmac_final(&sctx, key, key_len, out);
> +		tpm2_hmac_init(sdesc, key, key_len);
> +		crypto_shash_update(sdesc, (u8 *)&c, sizeof(c));
> +		crypto_shash_update(sdesc, label, strlen(label)+1);
> +		crypto_shash_update(sdesc, u, digest_size);
> +		crypto_shash_update(sdesc, v, digest_size);
> +		crypto_shash_update(sdesc, (u8 *)&bits, sizeof(bits));
> +		if (bytes < digest_size) {
> +			u8 buf[HASH_MAX_DIGESTSIZE];
> +
> +			tpm2_hmac_final(sdesc, key, key_len, buf);
> +			memcpy(out, buf, bytes);
> +		} else {
> +			tpm2_hmac_final(sdesc, key, key_len, out);
> +		}
>  
>  		bytes -= SHA256_DIGEST_SIZE;
>  		counter++;
> @@ -236,9 +244,9 @@ static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
>  /*
>   * Somewhat of a bastardization of the real KDFe.  We're assuming
>   * we're working with known point sizes for the input parameters and
> - * the hash algorithm is fixed at sha256.  Because we know that the
> - * point size is 32 bytes like the hash size, there's no need to loop
> - * in this KDF.
> + * the hash algorithm is fixed at sha256 (name algorithm of the
> + * encrypting key).  Because we know that the point size is 32 bytes
> + * like the hash size, there's no need to loop in this KDF.
>   */
>  static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
>  		      u8 *out)
> @@ -370,9 +378,10 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
>  				 u8 attributes, u8 *passphrase,
>  				 int passphrase_len)
>  {
> -	u8 nonce[SHA256_DIGEST_SIZE];
> +	u8 nonce[HASH_MAX_DIGESTSIZE];
>  	u32 len;
>  	struct tpm2_auth *auth = chip->auth;
> +	const int digest_size = crypto_shash_digestsize(auth->tfm);
>  
>  	/*
>  	 * The Architecture Guide requires us to strip trailing zeros
> @@ -384,8 +393,14 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
>  
>  	auth->attrs = attributes;
>  	auth->passphrase_len = passphrase_len;
> -	if (passphrase_len)
> +	if (passphrase_len) {
> +		/*
> +		 * place the passphrase immediately adjacent to
> +		 * the session key
> +		 */
> +		auth->passphrase = auth->session_key + digest_size;
>  		memcpy(auth->passphrase, passphrase, passphrase_len);
> +	}
>  
>  	if (auth->session != tpm_buf_length(buf)) {
>  		/* we're not the first session */
> @@ -396,23 +411,23 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
>  		}
>  
>  		/* add our new session */
> -		len += 9 + 2 * SHA256_DIGEST_SIZE;
> +		len += 9 + 2 * digest_size;
>  		put_unaligned_be32(len, &buf->data[auth->session]);
>  	} else {
> -		tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE);
> +		tpm_buf_append_u32(buf, 9 + 2 * digest_size);
>  	}
>  
>  	/* random number for our nonce */
> -	get_random_bytes(nonce, sizeof(nonce));
> -	memcpy(auth->our_nonce, nonce, sizeof(nonce));
> +	get_random_bytes(nonce, digest_size);
> +	memcpy(auth->our_nonce, nonce, digest_size);
>  	tpm_buf_append_u32(buf, auth->handle);
>  	/* our new nonce */
> -	tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
> -	tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
> +	tpm_buf_append_u16(buf, digest_size);
> +	tpm_buf_append(buf, nonce, digest_size);
>  	tpm_buf_append_u8(buf, auth->attrs);
>  	/* and put a placeholder for the hmac */
> -	tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
> -	tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
> +	tpm_buf_append_u16(buf, digest_size);
> +	tpm_buf_append(buf, nonce, digest_size);
>  }
>  EXPORT_SYMBOL(tpm_buf_append_hmac_session);
>  
> @@ -443,8 +458,11 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
>  	off_t offset_s = TPM_HEADER_SIZE, offset_p;
>  	u8 *hmac = NULL;
>  	u32 attrs;
> -	u8 cphash[SHA256_DIGEST_SIZE];
> -	struct sha256_state sctx;
> +	const int digest_size = crypto_shash_digestsize(auth->tfm);
> +	u8 cphash[HASH_MAX_DIGESTSIZE];
> +	SHASH_DESC_ON_STACK(sdesc, auth->tfm);
> +
> +	sdesc->tfm = auth->tfm;
>  
>  	/* save the command code in BE format */
>  	auth->ordinal = head->ordinal;
> @@ -515,10 +533,10 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
>  		u16 len;
>  
>  		/* need key and IV */
> -		tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
> +		tpm2_KDFa(auth->session_key, digest_size
>  			  + auth->passphrase_len, "CFB", auth->our_nonce,
>  			  auth->tpm_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
> -			  auth->scratch);
> +			  auth->scratch, sdesc);
>  
>  		len = tpm_buf_read_u16(buf, &offset_p);
>  		aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
> @@ -529,9 +547,10 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
>  		offset_p -= 2;
>  	}
>  
> -	sha256_init(&sctx);
> +	crypto_shash_init(sdesc);
>  	/* ordinal is already BE */
> -	sha256_update(&sctx, (u8 *)&head->ordinal, sizeof(head->ordinal));
> +	crypto_shash_update(sdesc, (u8 *)&head->ordinal,
> +			    sizeof(head->ordinal));
>  	/* add the handle names */
>  	for (i = 0; i < handles; i++) {
>  		enum tpm2_mso_type mso = tpm2_handle_mso(auth->name_h[i]);
> @@ -539,27 +558,27 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
>  		if (mso == TPM2_MSO_PERSISTENT ||
>  		    mso == TPM2_MSO_VOLATILE ||
>  		    mso == TPM2_MSO_NVRAM) {
> -			sha256_update(&sctx, auth->name[i],
> -				      name_size(auth->name[i]));
> +			crypto_shash_update(sdesc, auth->name[i],
> +					    name_size(auth->name[i]));
>  		} else {
>  			__be32 h = cpu_to_be32(auth->name_h[i]);
>  
> -			sha256_update(&sctx, (u8 *)&h, 4);
> +			crypto_shash_update(sdesc, (u8 *)&h, 4);
>  		}
>  	}
>  	if (offset_s != tpm_buf_length(buf))
> -		sha256_update(&sctx, &buf->data[offset_s],
> -			      tpm_buf_length(buf) - offset_s);
> -	sha256_final(&sctx, cphash);
> +		crypto_shash_update(sdesc, &buf->data[offset_s],
> +				    tpm_buf_length(buf) - offset_s);
> +	crypto_shash_final(sdesc, cphash);
>  
>  	/* now calculate the hmac */
> -	tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
> +	tpm2_hmac_init(sdesc, auth->session_key, digest_size
>  		       + auth->passphrase_len);
> -	sha256_update(&sctx, cphash, sizeof(cphash));
> -	sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
> -	sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
> -	sha256_update(&sctx, &auth->attrs, 1);
> -	tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
> +	crypto_shash_update(sdesc, cphash, digest_size);
> +	crypto_shash_update(sdesc, auth->our_nonce, digest_size);
> +	crypto_shash_update(sdesc, auth->tpm_nonce, digest_size);
> +	crypto_shash_update(sdesc, &auth->attrs, 1);
> +	tpm2_hmac_final(sdesc, auth->session_key, digest_size
>  			+ auth->passphrase_len, hmac);
>  }
>  EXPORT_SYMBOL(tpm_buf_fill_hmac_session);
> @@ -695,12 +714,15 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
>  	struct tpm_header *head = (struct tpm_header *)buf->data;
>  	struct tpm2_auth *auth = chip->auth;
>  	off_t offset_s, offset_p;
> -	u8 rphash[SHA256_DIGEST_SIZE];
> +	const int digest_size = crypto_shash_digestsize(auth->tfm);
> +	u8 rphash[HASH_MAX_DIGESTSIZE];
>  	u32 attrs;
> -	struct sha256_state sctx;
>  	u16 tag = be16_to_cpu(head->tag);
>  	u32 cc = be32_to_cpu(auth->ordinal);
>  	int parm_len, len, i, handles;
> +	SHASH_DESC_ON_STACK(sdesc, auth->tfm);
> +
> +	sdesc->tfm = auth->tfm;
>  
>  	if (auth->session >= TPM_HEADER_SIZE) {
>  		WARN(1, "tpm session not filled correctly\n");
> @@ -739,7 +761,7 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
>  	len = tpm_buf_read_u16(buf, &offset_s);
>  	if (offset_s + len > tpm_buf_length(buf))
>  		goto out;
> -	if (len != SHA256_DIGEST_SIZE)
> +	if (len != digest_size)
>  		goto out;
>  	memcpy(auth->tpm_nonce, &buf->data[offset_s], len);
>  	offset_s += len;
> @@ -747,32 +769,32 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
>  	len = tpm_buf_read_u16(buf, &offset_s);
>  	if (offset_s + len != tpm_buf_length(buf))
>  		goto out;
> -	if (len != SHA256_DIGEST_SIZE)
> +	if (len != digest_size)
>  		goto out;
>  	/*
>  	 * offset_s points to the HMAC. now calculate comparison, beginning
>  	 * with rphash
>  	 */
> -	sha256_init(&sctx);
> +	crypto_shash_init(sdesc);
>  	/* yes, I know this is now zero, but it's what the standard says */
> -	sha256_update(&sctx, (u8 *)&head->return_code,
> -		      sizeof(head->return_code));
> +	crypto_shash_update(sdesc, (u8 *)&head->return_code,
> +			    sizeof(head->return_code));
>  	/* ordinal is already BE */
> -	sha256_update(&sctx, (u8 *)&auth->ordinal, sizeof(auth->ordinal));
> -	sha256_update(&sctx, &buf->data[offset_p], parm_len);
> -	sha256_final(&sctx, rphash);
> +	crypto_shash_update(sdesc, (u8 *)&auth->ordinal, sizeof(auth->ordinal));
> +	crypto_shash_update(sdesc, &buf->data[offset_p], parm_len);
> +	crypto_shash_final(sdesc, rphash);
>  
>  	/* now calculate the hmac */
> -	tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
> +	tpm2_hmac_init(sdesc, auth->session_key, digest_size
>  		       + auth->passphrase_len);
> -	sha256_update(&sctx, rphash, sizeof(rphash));
> -	sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
> -	sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
> -	sha256_update(&sctx, &auth->attrs, 1);
> +	crypto_shash_update(sdesc, rphash, digest_size);
> +	crypto_shash_update(sdesc, auth->tpm_nonce, digest_size);
> +	crypto_shash_update(sdesc, auth->our_nonce, digest_size);
> +	crypto_shash_update(sdesc, &auth->attrs, 1);
>  	/* we're done with the rphash, so put our idea of the hmac there */
> -	tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
> +	tpm2_hmac_final(sdesc, auth->session_key, digest_size
>  			+ auth->passphrase_len, rphash);
> -	if (memcmp(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE) == 0) {
> +	if (memcmp(rphash, &buf->data[offset_s], digest_size) == 0) {
>  		rc = 0;
>  	} else {
>  		dev_err(&chip->dev, "TPM: HMAC check failed\n");
> @@ -782,10 +804,10 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
>  	/* now do response decryption */
>  	if (auth->attrs & TPM2_SA_ENCRYPT) {
>  		/* need key and IV */
> -		tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
> +		tpm2_KDFa(auth->session_key, digest_size
>  			  + auth->passphrase_len, "CFB", auth->tpm_nonce,
>  			  auth->our_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
> -			  auth->scratch);
> +			  auth->scratch, sdesc);
>  
>  		len = tpm_buf_read_u16(buf, &offset_p);
>  		aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
> @@ -799,6 +821,7 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
>  		if (rc)
>  			/* manually close the session if it wasn't consumed */
>  			tpm2_flush_context(chip, auth->handle);
> +		crypto_free_shash(auth->tfm);
>  		memzero_explicit(auth, sizeof(*auth));
>  	} else {
>  		/* reset for next use  */
> @@ -821,8 +844,11 @@ EXPORT_SYMBOL(tpm_buf_check_hmac_response);
>   */
>  void tpm2_end_auth_session(struct tpm_chip *chip)
>  {
> -	tpm2_flush_context(chip, chip->auth->handle);
> -	memzero_explicit(chip->auth, sizeof(*chip->auth));
> +	struct tpm2_auth *auth = chip->auth;
> +
> +	tpm2_flush_context(chip, auth->handle);
> +	crypto_free_shash(auth->tfm);
> +	memzero_explicit(auth, sizeof(*auth));
>  }
>  EXPORT_SYMBOL(tpm2_end_auth_session);
>  
> @@ -833,23 +859,26 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
>  	u32 tot_len = be32_to_cpu(head->length);
>  	off_t offset = TPM_HEADER_SIZE;
>  	u32 val;
> +	const int digest_size = crypto_shash_digestsize(auth->tfm);
> +	SHASH_DESC_ON_STACK(sdesc, auth->tfm);
> +
> +	sdesc->tfm = auth->tfm;
>  
>  	/* we're starting after the header so adjust the length */
>  	tot_len -= TPM_HEADER_SIZE;
>  
>  	/* should have handle plus nonce */
> -	if (tot_len != 4 + 2 + sizeof(auth->tpm_nonce))
> +	if (tot_len != 4 + 2 + digest_size)
>  		return -EINVAL;
>  
>  	auth->handle = tpm_buf_read_u32(buf, &offset);
>  	val = tpm_buf_read_u16(buf, &offset);
> -	if (val != sizeof(auth->tpm_nonce))
> +	if (val != digest_size)
>  		return -EINVAL;
> -	memcpy(auth->tpm_nonce, &buf->data[offset], sizeof(auth->tpm_nonce));
> +	memcpy(auth->tpm_nonce, &buf->data[offset], digest_size);
>  	/* now compute the session key from the nonces */
>  	tpm2_KDFa(auth->salt, sizeof(auth->salt), "ATH", auth->tpm_nonce,
> -		  auth->our_nonce, sizeof(auth->session_key),
> -		  auth->session_key);
> +		  auth->our_nonce, digest_size, auth->session_key, sdesc);
>  
>  	return 0;
>  }
> @@ -885,24 +914,23 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
>  	return rc;
>  }
>  
> -/**
> - * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
> - * @chip: the TPM chip structure to create the session with
> - *
> - * This function loads the NULL seed from its saved context and starts
> - * an authentication session on the null seed, fills in the
> - * @chip->auth structure to contain all the session details necessary
> - * for performing the HMAC, encrypt and decrypt operations and
> - * returns.  The NULL seed is flushed before this function returns.
> - *
> - * Return: zero on success or actual error encountered.
> - */
> -int tpm2_start_auth_session(struct tpm_chip *chip)
> +static int __tpm2_start_session(struct tpm_chip *chip, u8 type, u16 hash)
>  {
>  	struct tpm_buf buf;
>  	struct tpm2_auth *auth = chip->auth;
>  	int rc;
>  	u32 null_key;
> +	int tpm_hash = tpm2_crypto_to_alg(hash);
> +	int digest_size;
> +
> +	if (tpm_hash < 0)
> +		return -EINVAL;
> +
> +	auth->tfm = crypto_alloc_shash(hash_algo_name[hash], 0, 0);
> +	if (IS_ERR(auth->tfm))
> +		return PTR_ERR(auth->tfm);
> +
> +	digest_size = crypto_shash_digestsize(auth->tfm);
>  
>  	rc = tpm2_load_null(chip, &null_key);
>  	if (rc)
> @@ -919,14 +947,14 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
>  	/* bind key handle */
>  	tpm_buf_append_u32(&buf, TPM2_RH_NULL);
>  	/* nonce caller */
> -	get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
> -	tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
> -	tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
> +	get_random_bytes(auth->our_nonce, digest_size);
> +	tpm_buf_append_u16(&buf, digest_size);
> +	tpm_buf_append(&buf, auth->our_nonce, digest_size);
>  
>  	/* append encrypted salt and squirrel away unencrypted in auth */
>  	tpm_buf_append_salt(&buf, chip);
>  	/* session type (HMAC, audit or policy) */
> -	tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
> +	tpm_buf_append_u8(&buf, type);
>  
>  	/* symmetric encryption parameters */
>  	/* symmetric algorithm */
> @@ -936,7 +964,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
>  	/* symmetric algorithm mode (must be CFB) */
>  	tpm_buf_append_u16(&buf, TPM_ALG_CFB);
>  	/* hash algorithm for session */
> -	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
> +	tpm_buf_append_u16(&buf, tpm_hash);
>  
>  	rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
>  	tpm2_flush_context(chip, null_key);
> @@ -949,11 +977,64 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
>  	if (rc)
>  		goto out;
>  
> +	return rc;
> +
>   out:
> +	crypto_free_shash(auth->tfm);
> +	auth->tfm = NULL;
> +
>  	return rc;
>  }
> +
> +/**
> + * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
> + * @chip: the TPM chip structure to create the session with
> + *
> + * This function loads the NULL seed from its saved context and starts
> + * an authentication session on the null seed, fills in the
> + * @chip->auth structure to contain all the session details necessary
> + * for performing the HMAC, encrypt and decrypt operations and
> + * returns.  The NULL seed is flushed before this function returns.
> + *
> + * Return: zero on success or actual error encountered.
> + */
> +int tpm2_start_auth_session(struct tpm_chip *chip)
> +{
> +	return __tpm2_start_session(chip, TPM2_SE_HMAC, HASH_ALGO_SHA256);
> +}
>  EXPORT_SYMBOL(tpm2_start_auth_session);
>  
> +/**
> + * tpm2_start_policy_session - create a policy session with the TPM
> + * @chip: the TPM chip structure to create the session with
> + * @handle: the policy session handle
> + * @hash: the crypto subsystem hash algorithm for the policy
> + *
> + * This function loads the NULL seed from its saved context and starts
> + * a policy session on the null seed, fills in the @chip->auth
> + * structure to contain all the session details necessary for
> + * performing the HMAC, encrypt and decrypt operations and returns.
> + * The NULL seed is flushed before this function returns.
> + *
> + * Note the hash algorthim has to match the name algorithm of the TPM
> + * object the policy will be used to authorize.
> + *
> + * Return: zero on success or actual error encountered.
> + */
> +int tpm2_start_policy_session(struct tpm_chip *chip, u32 *handle, u8 hash)
> +{
> +	int rc;
> +
> +	rc = __tpm2_start_session(chip, TPM2_SE_POLICY, hash);
> +	if (rc)
> +		return rc;
> +
> +	*handle = chip->auth->handle;
> +
> +	return rc;
> +}
> +EXPORT_SYMBOL(tpm2_start_policy_session);
> +
>  /**
>   * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
>   *
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 07f532456a0c..dc2dd98cf104 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -560,6 +560,7 @@ static inline void tpm_buf_append_empty_auth(struct tpm_buf *buf, u32 handle)
>  #ifdef CONFIG_TCG_TPM2_HMAC
>  
>  int tpm2_start_auth_session(struct tpm_chip *chip);
> +int tpm2_start_policy_session(struct tpm_chip *chip, u32 *handle, u8 hash);
>  void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf,
>  			 u32 handle, u8 *name);
>  void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
> @@ -585,6 +586,11 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip)
>  {
>  	return 0;
>  }
> +static inline int tpm2_start_policy_session(struct tpm_chip *chip, u32 *handle,
> +					    u8 hash)
> +{
> +	return -EINVAL;
> +}
>  static inline void tpm2_end_auth_session(struct tpm_chip *chip)
>  {
>  }


BR, Jarkko