From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
<linux-integrity@vger.kernel.org>
Cc: <keyrings@vger.kernel.org>, "Ard Biesheuvel" <ardb@kernel.org>
Subject: Re: [PATCH v8 13/22] tpm: Add TCG mandated Key Derivation Functions (KDFs)
Date: Tue, 30 Apr 2024 01:37:40 +0300 [thread overview]
Message-ID: <D0WYT0L5251S.16P50NUSZCITR@kernel.org> (raw)
In-Reply-To: <20240429202811.13643-14-James.Bottomley@HansenPartnership.com>
On Mon Apr 29, 2024 at 11:28 PM EEST, James Bottomley wrote:
> The TCG mandates two Key derivation functions called KDFa and KDFe
> used to derive keys from seeds and elliptic curve points respectively.
> The definitions for these functions are found in the TPM 2.0 Library
> Specification Part 1 - Architecture Guide
>
> https://trustedcomputinggroup.org/resource/tpm-library-specification/
>
> Implement a cut down version of each of these functions sufficient to
> support the key derivation needs of HMAC sessions.
>
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
>
> ---
>
> v8: Add new patch containing KDFs
> ---
> drivers/char/tpm/Kconfig | 1 +
> drivers/char/tpm/tpm2-sessions.c | 105 +++++++++++++++++++++++++++++++
> 2 files changed, 106 insertions(+)
>
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index ab16d347579f..4873e6eae255 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -30,6 +30,7 @@ if TCG_TPM
> config TCG_TPM2_HMAC
> bool "Use HMAC and encrypted transactions on the TPM bus"
> default y
> + select CRYPTO_LIB_SHA256
> help
> Setting this causes us to deploy a scheme which uses request
> and response HMACs in addition to encryption for
> diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> index fc3f032df467..8429e596f1eb 100644
> --- a/drivers/char/tpm/tpm2-sessions.c
> +++ b/drivers/char/tpm/tpm2-sessions.c
> @@ -7,6 +7,111 @@
>
> #include "tpm.h"
> #include <asm/unaligned.h>
> +#include <crypto/hash.h>
> +#include <crypto/hmac.h>
> +
> +/*
> + * It turns out the crypto hmac(sha256) is hard for us to consume
> + * because it assumes a fixed key and the TPM seems to change the key
> + * on every operation, so we weld the hmac init and final functions in
> + * here to give it the same usage characteristics as a regular hash
> + */
> +static void tpm2_hmac_init(struct sha256_state *sctx, u8 *key, u32 key_len)
> +{
> + u8 pad[SHA256_BLOCK_SIZE];
> + int i;
> +
> + sha256_init(sctx);
> + for (i = 0; i < sizeof(pad); i++) {
> + if (i < key_len)
> + pad[i] = key[i];
> + else
> + pad[i] = 0;
> + pad[i] ^= HMAC_IPAD_VALUE;
> + }
> + sha256_update(sctx, pad, sizeof(pad));
> +}
> +
> +static void tpm2_hmac_final(struct sha256_state *sctx, u8 *key, u32 key_len,
> + u8 *out)
> +{
> + u8 pad[SHA256_BLOCK_SIZE];
> + int i;
> +
> + for (i = 0; i < sizeof(pad); i++) {
> + if (i < key_len)
> + pad[i] = key[i];
> + else
> + pad[i] = 0;
> + pad[i] ^= HMAC_OPAD_VALUE;
> + }
> +
> + /* collect the final hash; use out as temporary storage */
> + sha256_final(sctx, out);
> +
> + sha256_init(sctx);
> + sha256_update(sctx, pad, sizeof(pad));
> + sha256_update(sctx, out, SHA256_DIGEST_SIZE);
> + sha256_final(sctx, out);
> +}
> +
> +/*
> + * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
> + * otherwise standard tpm2_KDFa. Note output is in bytes not bits.
> + */
> +static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
> + u8 *v, u32 bytes, u8 *out)
> +{
> + u32 counter = 1;
> + const __be32 bits = cpu_to_be32(bytes * 8);
> +
> + while (bytes > 0) {
> + struct sha256_state sctx;
> + __be32 c = cpu_to_be32(counter);
> +
> + tpm2_hmac_init(&sctx, key, key_len);
> + sha256_update(&sctx, (u8 *)&c, sizeof(c));
> + sha256_update(&sctx, label, strlen(label)+1);
> + sha256_update(&sctx, u, SHA256_DIGEST_SIZE);
> + sha256_update(&sctx, v, SHA256_DIGEST_SIZE);
> + sha256_update(&sctx, (u8 *)&bits, sizeof(bits));
> + tpm2_hmac_final(&sctx, key, key_len, out);
> +
> + bytes -= SHA256_DIGEST_SIZE;
> + counter++;
> + out += SHA256_DIGEST_SIZE;
> + }
> +}
> +
> +/*
> + * Somewhat of a bastardization of the real KDFe. We're assuming
> + * we're working with known point sizes for the input parameters and
> + * the hash algorithm is fixed at sha256. Because we know that the
> + * point size is 32 bytes like the hash size, there's no need to loop
> + * in this KDF.
> + */
> +static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
> + u8 *out)
> +{
> + struct sha256_state sctx;
> + /*
> + * this should be an iterative counter, but because we know
> + * we're only taking 32 bytes for the point using a sha256
> + * hash which is also 32 bytes, there's only one loop
> + */
> + __be32 c = cpu_to_be32(1);
> +
> + sha256_init(&sctx);
> + /* counter (BE) */
> + sha256_update(&sctx, (u8 *)&c, sizeof(c));
> + /* secret value */
> + sha256_update(&sctx, z, EC_PT_SZ);
> + /* string including trailing zero */
> + sha256_update(&sctx, str, strlen(str)+1);
> + sha256_update(&sctx, pt_u, EC_PT_SZ);
> + sha256_update(&sctx, pt_v, EC_PT_SZ);
> + sha256_final(&sctx, out);
> +}
>
> /**
> * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
next prev parent reply other threads:[~2024-04-29 22:37 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-29 20:27 [PATCH v8 00/22] add integrity and security to TPM2 transactions James Bottomley
2024-04-29 20:27 ` [PATCH v8 01/22] tpm: Remove unused tpm_buf_tag() James Bottomley
2024-04-29 20:27 ` [PATCH v8 02/22] tpm: Remove tpm_send() James Bottomley
2024-04-29 20:27 ` [PATCH v8 03/22] tpm: Move buffer handling from static inlines to real functions James Bottomley
2024-04-29 20:27 ` [PATCH v8 04/22] tpm: Update struct tpm_buf documentation comments James Bottomley
2024-04-29 20:27 ` [PATCH v8 05/22] tpm: Store the length of the tpm_buf data separately James Bottomley
2024-04-29 20:27 ` [PATCH v8 06/22] tpm: TPM2B formatted buffers James Bottomley
2024-04-29 20:27 ` [PATCH v8 07/22] tpm: Add tpm_buf_read_{u8,u16,u32} James Bottomley
2024-04-29 20:27 ` [PATCH v8 08/22] KEYS: trusted: tpm2: Use struct tpm_buf for sized buffers James Bottomley
2024-04-29 20:27 ` [PATCH v8 09/22] crypto: lib - implement library version of AES in CFB mode James Bottomley
2024-04-29 20:27 ` [PATCH v8 10/22] tpm: add buffer function to point to returned parameters James Bottomley
2024-04-29 20:28 ` [PATCH v8 11/22] tpm: export the context save and load commands James Bottomley
2024-04-29 20:28 ` [PATCH v8 12/22] tpm: Add NULL primary creation James Bottomley
2024-04-29 22:37 ` Jarkko Sakkinen
2024-04-29 20:28 ` [PATCH v8 13/22] tpm: Add TCG mandated Key Derivation Functions (KDFs) James Bottomley
2024-04-29 22:37 ` Jarkko Sakkinen [this message]
2024-04-29 20:28 ` [PATCH v8 14/22] tpm: Add HMAC session start and end functions James Bottomley
2024-04-29 22:38 ` Jarkko Sakkinen
2024-04-30 16:49 ` Jarkko Sakkinen
2024-04-29 20:28 ` [PATCH v8 15/22] tpm: Add HMAC session name/handle append James Bottomley
2024-04-29 22:38 ` Jarkko Sakkinen
2024-04-29 20:28 ` [PATCH v8 16/22] tpm: Add the rest of the session HMAC API James Bottomley
2024-04-29 22:39 ` Jarkko Sakkinen
2024-04-29 20:28 ` [PATCH v8 17/22] tpm: add hmac checks to tpm2_pcr_extend() James Bottomley
2024-04-29 20:28 ` [PATCH v8 18/22] tpm: add session encryption protection to tpm2_get_random() James Bottomley
2024-05-17 0:25 ` Nícolas F. R. A. Prado
2024-05-17 1:59 ` James Bottomley
2024-05-17 7:20 ` Ard Biesheuvel
2024-05-17 8:26 ` Jarkko Sakkinen
2024-05-17 13:35 ` James Bottomley
2024-05-17 13:43 ` Ard Biesheuvel
2024-05-17 14:25 ` James Bottomley
2024-05-17 16:22 ` Nícolas F. R. A. Prado
2024-05-17 16:48 ` Jarkko Sakkinen
2024-05-18 4:31 ` Eric Biggers
2024-05-18 7:03 ` [PATCH] crypto: api - Do not load modules until algapi is ready Herbert Xu
2024-05-18 11:04 ` Jarkko Sakkinen
2024-05-18 12:32 ` Herbert Xu
2024-05-18 13:03 ` Jarkko Sakkinen
2024-05-18 13:07 ` James Bottomley
2024-05-19 4:19 ` Herbert Xu
2024-05-20 15:49 ` Nícolas F. R. A. Prado
2024-05-21 2:53 ` [v2 PATCH] crypto: api - Do not load modules if called by async probing Herbert Xu
2024-05-21 19:37 ` Nícolas F. R. A. Prado
2024-05-22 5:37 ` [v3 PATCH] hwrng: core - Remove add_early_randomness Herbert Xu
2024-05-22 11:51 ` Jarkko Sakkinen
2024-05-23 4:50 ` Herbert Xu
2024-05-22 19:19 ` Nícolas F. R. A. Prado
2024-05-22 22:53 ` Linus Torvalds
2024-05-23 4:49 ` Herbert Xu
2024-05-23 9:53 ` Jarkko Sakkinen
2024-05-23 9:58 ` Herbert Xu
2024-05-23 10:07 ` Jarkko Sakkinen
2024-05-23 10:02 ` Jarkko Sakkinen
2024-05-23 10:40 ` Torsten Duwe
2024-05-18 10:56 ` [PATCH v8 18/22] tpm: add session encryption protection to tpm2_get_random() Jarkko Sakkinen
2024-05-18 12:31 ` Herbert Xu
2024-04-29 20:28 ` [PATCH v8 19/22] KEYS: trusted: Add session encryption protection to the seal/unseal path James Bottomley
2024-04-29 20:28 ` [PATCH v8 20/22] tpm: add the null key name as a sysfs export James Bottomley
2024-04-29 20:28 ` [PATCH v8 21/22] Documentation: add tpm-security.rst James Bottomley
2024-04-29 20:28 ` [PATCH v8 22/22] tpm: disable the TPM if NULL name changes James Bottomley
2024-04-29 22:59 ` Jarkko Sakkinen
2024-04-29 23:34 ` Jarkko Sakkinen
2024-04-29 22:22 ` [PATCH v8 00/22] add integrity and security to TPM2 transactions Jarkko Sakkinen
2024-04-29 22:26 ` Jarkko Sakkinen
2024-04-29 23:49 ` Jarkko Sakkinen
2024-04-30 11:18 ` Stefan Berger
2024-04-30 18:37 ` Jarkko Sakkinen
2024-04-30 18:57 ` Stefan Berger
2024-04-30 19:23 ` James Bottomley
2024-04-30 21:48 ` Jarkko Sakkinen
2024-04-30 22:31 ` James Bottomley
2024-04-30 22:46 ` Jarkko Sakkinen
2024-04-30 23:10 ` Jarkko Sakkinen
2024-05-03 23:18 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D0WYT0L5251S.16P50NUSZCITR@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox