[PATCH v1 0/4] TPM2: select hash algorithm for a trusted key

[PATCH v1 0/4] TPM2: select hash algorithm for a trusted key

[Jarkko Sakkinen]

Jarkko Sakkinen (4):
  crypto: add entry for sm3-256
  tpm: choose hash algorithm for sealing when using TPM 2.0
  keys, trusted: select the hash algorithm
  keys, trusted: update documentation for 'hash=' option

 Documentation/security/keys-trusted-encrypted.txt |  3 ++
 crypto/hash_info.c                                |  2 ++
 drivers/char/tpm/tpm.h                            | 10 ++++--
 drivers/char/tpm/tpm2-cmd.c                       | 42 +++++++++++++++++++++--
 include/crypto/hash_info.h                        |  3 ++
 include/keys/trusted-type.h                       |  1 +
 include/uapi/linux/hash_info.h                    |  1 +
 security/keys/trusted.c                           | 20 ++++++++++-
 8 files changed, 75 insertions(+), 7 deletions(-)

-- 
2.5.0

[PATCH v1 1/4] crypto: add entry for sm3-256

[Jarkko Sakkinen]

Added entry for sm3-256 to the following tables:

* hash_algo_name
* hash_digest_size

Needed for TPM 2.0 trusted key sealing.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 crypto/hash_info.c             | 2 ++
 include/crypto/hash_info.h     | 3 +++
 include/uapi/linux/hash_info.h | 1 +
 3 files changed, 6 insertions(+)

diff --git a/crypto/hash_info.c b/crypto/hash_info.c
index 3e7ff46..6f3a113 100644
--- a/crypto/hash_info.c
+++ b/crypto/hash_info.c
@@ -31,6 +31,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
 	[HASH_ALGO_TGR_128]	= "tgr128",
 	[HASH_ALGO_TGR_160]	= "tgr160",
 	[HASH_ALGO_TGR_192]	= "tgr192",
+	[HASH_ALGO_SM3_256]	= "sm3-256",
 };
 EXPORT_SYMBOL_GPL(hash_algo_name);
 
@@ -52,5 +53,6 @@ const int hash_digest_size[HASH_ALGO__LAST] = {
 	[HASH_ALGO_TGR_128]	= TGR128_DIGEST_SIZE,
 	[HASH_ALGO_TGR_160]	= TGR160_DIGEST_SIZE,
 	[HASH_ALGO_TGR_192]	= TGR192_DIGEST_SIZE,
+	[HASH_ALGO_SM3_256]	= SM3_256_DIGEST_SIZE,
 };
 EXPORT_SYMBOL_GPL(hash_digest_size);
diff --git a/include/crypto/hash_info.h b/include/crypto/hash_info.h
index e1e5a3e..d86e050 100644
--- a/include/crypto/hash_info.h
+++ b/include/crypto/hash_info.h
@@ -34,6 +34,9 @@
 #define TGR160_DIGEST_SIZE 20
 #define TGR192_DIGEST_SIZE 24
 
+/* not defined in include/crypto/ */
+#define SM3_256_DIGEST_SIZE 32
+
 extern const char *const hash_algo_name[HASH_ALGO__LAST];
 extern const int hash_digest_size[HASH_ALGO__LAST];
 
diff --git a/include/uapi/linux/hash_info.h b/include/uapi/linux/hash_info.h
index ca18c45..ebf8fd8 100644
--- a/include/uapi/linux/hash_info.h
+++ b/include/uapi/linux/hash_info.h
@@ -31,6 +31,7 @@ enum hash_algo {
 	HASH_ALGO_TGR_128,
 	HASH_ALGO_TGR_160,
 	HASH_ALGO_TGR_192,
+	HASH_ALGO_SM3_256,
 	HASH_ALGO__LAST
 };
 
-- 
2.5.0

[PATCH v1 2/4] tpm: choose hash algorithm for sealing when using TPM 2.0

[Jarkko Sakkinen]

Added hash member to the struct trusted_key_options for choosing the
hash algorithm and support for the following hash algorithms to the TPM
2.0 sealing code:

* sha1
* sha256
* sha384
* sha512
* sm3-256

The hash algorithm can be selected by using HASH_ALGO_* constants in
include/uapi/linux/hash_info.h.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/char/tpm/tpm.h      | 10 +++++++---
 drivers/char/tpm/tpm2-cmd.c | 42 +++++++++++++++++++++++++++++++++++++++---
 include/keys/trusted-type.h |  1 +
 3 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index a4257a3..cdd49cd 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -83,16 +83,20 @@ enum tpm2_structures {
 };
 
 enum tpm2_return_codes {
-	TPM2_RC_INITIALIZE	= 0x0100,
-	TPM2_RC_TESTING		= 0x090A,
+	TPM2_RC_HASH		= 0x0083, /* RC_FMT1 */
+	TPM2_RC_INITIALIZE	= 0x0100, /* RC_VER1 */
 	TPM2_RC_DISABLED	= 0x0120,
+	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
 };
 
 enum tpm2_algorithms {
 	TPM2_ALG_SHA1		= 0x0004,
 	TPM2_ALG_KEYEDHASH	= 0x0008,
 	TPM2_ALG_SHA256		= 0x000B,
-	TPM2_ALG_NULL		= 0x0010
+	TPM2_ALG_SHA384		= 0x000C,
+	TPM2_ALG_SHA512		= 0x000D,
+	TPM2_ALG_NULL		= 0x0010,
+	TPM2_ALG_SM3_256	= 0x0012,
 };
 
 enum tpm2_command_codes {
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index bd7039f..bc2564e 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -16,6 +16,7 @@
  */
 
 #include "tpm.h"
+#include <crypto/hash_info.h>
 #include <keys/trusted-type.h>
 
 enum tpm2_object_attributes {
@@ -104,6 +105,21 @@ struct tpm2_cmd {
 	union tpm2_cmd_params	params;
 } __packed;
 
+struct tpm2_hash {
+	unsigned int crypto_id;
+	unsigned int tpm_id;
+};
+
+static struct tpm2_hash tpm2_hash_map[] = {
+	{HASH_ALGO_SHA1, TPM2_ALG_SHA1},
+	{HASH_ALGO_SHA256, TPM2_ALG_SHA256},
+	{HASH_ALGO_SHA384, TPM2_ALG_SHA384},
+	{HASH_ALGO_SHA512, TPM2_ALG_SHA512},
+	{HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
+};
+
+#define TPM2_HASH_COUNT (sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[1]))
+
 /*
  * Array with one entry per ordinal defining the maximum amount
  * of time the chip could take to return the result. The values
@@ -429,8 +445,24 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 {
 	unsigned int blob_len;
 	struct tpm_buf buf;
+	u32 hash = TPM2_ALG_SHA256;
+	int i;
 	int rc;
 
+	if (options->hash) {
+		for (i = 0; i < TPM2_HASH_COUNT; i++) {
+			if (options->hash == tpm2_hash_map[i].crypto_id) {
+				hash = tpm2_hash_map[i].tpm_id;
+				dev_dbg(chip->pdev, "%s: hash: %s 0x%08X\n",
+					__func__, hash_algo_name[i], hash);
+				break;
+			}
+		}
+
+		if (i == TPM2_HASH_COUNT)
+			return -EINVAL;
+	}
+
 	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
 	if (rc)
 		return rc;
@@ -454,7 +486,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 	tpm_buf_append_u16(&buf, 14);
 
 	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
-	tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
+	tpm_buf_append_u16(&buf, hash);
 	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
 	tpm_buf_append_u16(&buf, 0); /* policy digest size */
 	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
@@ -487,8 +519,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 out:
 	tpm_buf_destroy(&buf);
 
-	if (rc > 0)
-		rc = -EPERM;
+	if (rc > 0) {
+		if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
+			rc = -EINVAL;
+		else
+			rc = -EPERM;
+	}
 
 	return rc;
 }
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index f91ecd9..8fed58d 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -36,6 +36,7 @@ struct trusted_key_options {
 	uint32_t pcrinfo_len;
 	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
 	int pcrlock;
+	unsigned int hash;
 };
 
 extern struct key_type key_type_trusted;
-- 
2.5.0

[PATCH v1 3/4] keys, trusted: select the hash algorithm

[Jarkko Sakkinen]

Added 'hash=' option for selecting the hash algorithm for add_key()
syscall.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 security/keys/trusted.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index d3633cf..7a87bcd 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -11,6 +11,7 @@
  * See Documentation/security/keys-trusted-encrypted.txt
  */
 
+#include <crypto/hash_info.h>
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/init.h>
@@ -710,7 +711,8 @@ enum {
 	Opt_err = -1,
 	Opt_new, Opt_load, Opt_update,
 	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
-	Opt_pcrinfo, Opt_pcrlock, Opt_migratable
+	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
+	Opt_hash,
 };
 
 static const match_table_t key_tokens = {
@@ -723,6 +725,7 @@ static const match_table_t key_tokens = {
 	{Opt_pcrinfo, "pcrinfo=%s"},
 	{Opt_pcrlock, "pcrlock=%s"},
 	{Opt_migratable, "migratable=%s"},
+	{Opt_hash, "hash=%s"},
 	{Opt_err, NULL}
 };
 
@@ -736,6 +739,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 	int res;
 	unsigned long handle;
 	unsigned long lock;
+	int i;
 
 	while ((p = strsep(&c, " \t"))) {
 		if (*p == '\0' || *p == ' ' || *p == '\t')
@@ -787,6 +791,20 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 				return -EINVAL;
 			opt->pcrlock = lock;
 			break;
+		case Opt_hash:
+			for (i = 0; i < HASH_ALGO__LAST; i++) {
+				if (!strcmp(args[0].from, hash_algo_name[i])) {
+					opt->hash = i;
+					break;
+				}
+			}
+			res = tpm_is_tpm2(TPM_ANY_NUM);
+			if (res < 0)
+				return res;
+			if (i == HASH_ALGO__LAST ||
+			    (!res && i != HASH_ALGO_SHA1))
+				return -EINVAL;
+			break;
 		default:
 			return -EINVAL;
 		}
-- 
2.5.0

[PATCH v1 4/4] keys, trusted: update documentation for 'hash=' option

[Jarkko Sakkinen]

Documented 'hash=' option.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 Documentation/security/keys-trusted-encrypted.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..fd2565b 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -38,6 +38,9 @@ Usage:
        pcrlock=	  pcr number to be extended to "lock" blob
        migratable= 0|1 indicating permission to reseal to new PCR values,
                    default 1 (resealing allowed)
+       hash=      hash algorithm name as a string. For TPM 1.x the only
+                  allowed value is sha1. For TPM 2.x the allowed values
+		  are sha1, sha256, sha384, sha512 and sm3-256.
 
 "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
 TPM_STORED_DATA format.  The key length for new keys are always in bytes.
-- 
2.5.0

Re: [PATCH v1 2/4] tpm: choose hash algorithm for sealing when using TPM 2.0

[Jarkko Sakkinen]

On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote:
> Added hash member to the struct trusted_key_options for choosing the
> hash algorithm and support for the following hash algorithms to the TPM
> 2.0 sealing code:
> 
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3-256
> 
> The hash algorithm can be selected by using HASH_ALGO_* constants in
> include/uapi/linux/hash_info.h.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  drivers/char/tpm/tpm.h      | 10 +++++++---
>  drivers/char/tpm/tpm2-cmd.c | 42 +++++++++++++++++++++++++++++++++++++++---
>  include/keys/trusted-type.h |  1 +
>  3 files changed, 47 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index a4257a3..cdd49cd 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -83,16 +83,20 @@ enum tpm2_structures {
>  };
>  
>  enum tpm2_return_codes {
> -	TPM2_RC_INITIALIZE	= 0x0100,
> -	TPM2_RC_TESTING		= 0x090A,
> +	TPM2_RC_HASH		= 0x0083, /* RC_FMT1 */
> +	TPM2_RC_INITIALIZE	= 0x0100, /* RC_VER1 */
>  	TPM2_RC_DISABLED	= 0x0120,
> +	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
>  };
>  
>  enum tpm2_algorithms {
>  	TPM2_ALG_SHA1		= 0x0004,
>  	TPM2_ALG_KEYEDHASH	= 0x0008,
>  	TPM2_ALG_SHA256		= 0x000B,
> -	TPM2_ALG_NULL		= 0x0010
> +	TPM2_ALG_SHA384		= 0x000C,
> +	TPM2_ALG_SHA512		= 0x000D,
> +	TPM2_ALG_NULL		= 0x0010,
> +	TPM2_ALG_SM3_256	= 0x0012,
>  };
>  
>  enum tpm2_command_codes {
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index bd7039f..bc2564e 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -16,6 +16,7 @@
>   */
>  
>  #include "tpm.h"
> +#include <crypto/hash_info.h>
>  #include <keys/trusted-type.h>
>  
>  enum tpm2_object_attributes {
> @@ -104,6 +105,21 @@ struct tpm2_cmd {
>  	union tpm2_cmd_params	params;
>  } __packed;
>  
> +struct tpm2_hash {
> +	unsigned int crypto_id;
> +	unsigned int tpm_id;
> +};
> +
> +static struct tpm2_hash tpm2_hash_map[] = {
> +	{HASH_ALGO_SHA1, TPM2_ALG_SHA1},
> +	{HASH_ALGO_SHA256, TPM2_ALG_SHA256},
> +	{HASH_ALGO_SHA384, TPM2_ALG_SHA384},
> +	{HASH_ALGO_SHA512, TPM2_ALG_SHA512},
> +	{HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
> +};
> +
> +#define TPM2_HASH_COUNT (sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[1]))
> +
>  /*
>   * Array with one entry per ordinal defining the maximum amount
>   * of time the chip could take to return the result. The values
> @@ -429,8 +445,24 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  {
>  	unsigned int blob_len;
>  	struct tpm_buf buf;
> +	u32 hash = TPM2_ALG_SHA256;
> +	int i;
>  	int rc;
>  
> +	if (options->hash) {
> +		for (i = 0; i < TPM2_HASH_COUNT; i++) {
> +			if (options->hash == tpm2_hash_map[i].crypto_id) {
> +				hash = tpm2_hash_map[i].tpm_id;
> +				dev_dbg(chip->pdev, "%s: hash: %s 0x%08X\n",
> +					__func__, hash_algo_name[i], hash);
> +				break;
> +			}
> +		}
> +
> +		if (i == TPM2_HASH_COUNT)
> +			return -EINVAL;
> +	}
> +
>  	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
>  	if (rc)
>  		return rc;
> @@ -454,7 +486,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  	tpm_buf_append_u16(&buf, 14);
>  
>  	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
> -	tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
> +	tpm_buf_append_u16(&buf, hash);
>  	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
>  	tpm_buf_append_u16(&buf, 0); /* policy digest size */
>  	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
> @@ -487,8 +519,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  out:
>  	tpm_buf_destroy(&buf);
>  
> -	if (rc > 0)
> -		rc = -EPERM;
> +	if (rc > 0) {
> +		if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
> +			rc = -EINVAL;
> +		else
> +			rc = -EPERM;
> +	}
>  
>  	return rc;
>  }
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index f91ecd9..8fed58d 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -36,6 +36,7 @@ struct trusted_key_options {
>  	uint32_t pcrinfo_len;
>  	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
>  	int pcrlock;
> +	unsigned int hash;

uint32_t probably here just for the sake of consistency.

>  };
>  
>  extern struct key_type key_type_trusted;
> -- 
> 2.5.0
> 

/Jarkko

Re: [PATCH v1 3/4] keys, trusted: select the hash algorithm

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 737 bytes --]

Hi Jarkko,

[auto build test ERROR on next-20151022 -- if it's inappropriate base, please suggest rules for selecting the more suitable base]

url:    https://github.com/0day-ci/linux/commits/Jarkko-Sakkinen/TPM2-select-hash-algorithm-for-a-trusted-key/20151030-000439
config: x86_64-acpi-redef (attached as .config)
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All errors (new ones prefixed by >>):

   security/built-in.o: In function `getoptions.isra.0':
>> trusted.c:(.text+0x6678): undefined reference to `hash_algo_name'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 27074 bytes --]

Re: [PATCH v1 4/4] keys, trusted: update documentation for 'hash=' option

[Mimi Zohar]

On Thu, 2015-10-29 at 17:59 +0200, Jarkko Sakkinen wrote:
> Documented 'hash=' option.

No reason for a separate patch.  Please squash this patch with the one
that introduced the new option.

Mimi

> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  Documentation/security/keys-trusted-encrypted.txt | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index e105ae9..fd2565b 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -38,6 +38,9 @@ Usage:
>         pcrlock=	  pcr number to be extended to "lock" blob
>         migratable= 0|1 indicating permission to reseal to new PCR values,
>                     default 1 (resealing allowed)
> +       hash=      hash algorithm name as a string. For TPM 1.x the only
> +                  allowed value is sha1. For TPM 2.x the allowed values
> +		  are sha1, sha256, sha384, sha512 and sm3-256.
> 
>  "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
>  TPM_STORED_DATA format.  The key length for new keys are always in bytes.

Re: [PATCH v1 3/4] keys, trusted: select the hash algorithm

[Mimi Zohar]

On Thu, 2015-10-29 at 17:59 +0200, Jarkko Sakkinen wrote:
> Added 'hash=' option for selecting the hash algorithm for add_key()
> syscall.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  security/keys/trusted.c | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index d3633cf..7a87bcd 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -11,6 +11,7 @@
>   * See Documentation/security/keys-trusted-encrypted.txt
>   */
> 
> +#include <crypto/hash_info.h>

This introduces a Kconfig dependency on CRYPTO_HASH_INFO. 

Mimi

>  #include <linux/uaccess.h>
>  #include <linux/module.h>
>  #include <linux/init.h>
> @@ -710,7 +711,8 @@ enum {
>  	Opt_err = -1,
>  	Opt_new, Opt_load, Opt_update,
>  	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
> -	Opt_pcrinfo, Opt_pcrlock, Opt_migratable
> +	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
> +	Opt_hash,
>  };
> 
>  static const match_table_t key_tokens = {
> @@ -723,6 +725,7 @@ static const match_table_t key_tokens = {
>  	{Opt_pcrinfo, "pcrinfo=%s"},
>  	{Opt_pcrlock, "pcrlock=%s"},
>  	{Opt_migratable, "migratable=%s"},
> +	{Opt_hash, "hash=%s"},
>  	{Opt_err, NULL}
>  };
> 
> @@ -736,6 +739,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  	int res;
>  	unsigned long handle;
>  	unsigned long lock;
> +	int i;
> 
>  	while ((p = strsep(&c, " \t"))) {
>  		if (*p == '\0' || *p == ' ' || *p == '\t')
> @@ -787,6 +791,20 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  				return -EINVAL;
>  			opt->pcrlock = lock;
>  			break;
> +		case Opt_hash:
> +			for (i = 0; i < HASH_ALGO__LAST; i++) {
> +				if (!strcmp(args[0].from, hash_algo_name[i])) {
> +					opt->hash = i;
> +					break;
> +				}
> +			}
> +			res = tpm_is_tpm2(TPM_ANY_NUM);
> +			if (res < 0)
> +				return res;
> +			if (i == HASH_ALGO__LAST ||
> +			    (!res && i != HASH_ALGO_SHA1))
> +				return -EINVAL;
> +			break;
>  		default:
>  			return -EINVAL;
>  		}

Re: [PATCH v1 4/4] keys, trusted: update documentation for 'hash=' option

[Jarkko Sakkinen]

On Thu, Oct 29, 2015 at 03:26:02PM -0400, Mimi Zohar wrote:
> On Thu, 2015-10-29 at 17:59 +0200, Jarkko Sakkinen wrote:
> > Documented 'hash=' option.
> 
> No reason for a separate patch.  Please squash this patch with the one
> that introduced the new option.

Right. I'm going to do this and also swapping the order of patches (from
"1.  tpm 2. trusted" to "1. trusted 2. tpm") so that they can be tested
separately (and thereby also moving change to trusted_key_option to
"trusted" patch).

> Mimi

/Jarkko

Re: [PATCH v1 3/4] keys, trusted: select the hash algorithm

[Jarkko Sakkinen]

On Thu, Oct 29, 2015 at 03:37:20PM -0400, Mimi Zohar wrote:
> On Thu, 2015-10-29 at 17:59 +0200, Jarkko Sakkinen wrote:
> > Added 'hash=' option for selecting the hash algorithm for add_key()
> > syscall.
> > 
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > ---
> >  security/keys/trusted.c | 20 +++++++++++++++++++-
> >  1 file changed, 19 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> > index d3633cf..7a87bcd 100644
> > --- a/security/keys/trusted.c
> > +++ b/security/keys/trusted.c
> > @@ -11,6 +11,7 @@
> >   * See Documentation/security/keys-trusted-encrypted.txt
> >   */
> > 
> > +#include <crypto/hash_info.h>
> 
> This introduces a Kconfig dependency on CRYPTO_HASH_INFO. 

Thanks. I'll add it. Got also build error from kbuild bot. I'll use that
config to reproduce and fix this error.

> Mimi

/Jarkko