[PATCH v2 0/3] TPM 2.0 trusted key features for v4.5

[PATCH v2 0/3] TPM 2.0 trusted key features for v4.5

[Jarkko Sakkinen]

These are the remaining features to enable trusted keys for TPM 2.0 that were
not finished by the v4.4 merge window. These patches enable authorization
policy based sealing (like using PCRs together with a password for example or
something more complicated) with a user selected hash algorithm.

Jarkko Sakkinen (3):
  keys, trusted: fix: *do not* allow duplicate key options
  keys, trusted: select hash algorithm for TPM2 chips
  keys, trusted: seal with a TPM2 authorization policy

 Documentation/security/keys-trusted-encrypted.txt | 31 +++++++-----
 crypto/hash_info.c                                |  2 +
 drivers/char/tpm/tpm.h                            | 10 ++--
 drivers/char/tpm/tpm2-cmd.c                       | 60 ++++++++++++++++++++---
 include/crypto/hash_info.h                        |  3 ++
 include/keys/trusted-type.h                       |  5 ++
 include/uapi/linux/hash_info.h                    |  1 +
 security/keys/Kconfig                             |  1 +
 security/keys/trusted.c                           | 56 ++++++++++++++++++++-
 9 files changed, 147 insertions(+), 22 deletions(-)

-- 
2.5.0

[PATCH v2 1/3] keys, trusted: fix: *do not* allow duplicate key options

[Jarkko Sakkinen]

The trusted keys option parsing allows specifying the same option
multiple times. The last option value specified is used.

This can be seen as a regression because:

* No gain.
* Could be problematic if there is be options dependent on other
  options.

Reported-by: James Morris James Morris <jmorris@namei.org>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 security/keys/trusted.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 903dace..7c183c7 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -736,11 +736,14 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 	int res;
 	unsigned long handle;
 	unsigned long lock;
+	unsigned long token_mask = 0;
 
 	while ((p = strsep(&c, " \t"))) {
 		if (*p == '\0' || *p == ' ' || *p == '\t')
 			continue;
 		token = match_token(p, key_tokens, args);
+		if (test_and_set_bit(token, &token_mask))
+			return -EINVAL;
 
 		switch (token) {
 		case Opt_pcrinfo:
-- 
2.5.0

Re: [PATCH v2 1/3] keys, trusted: fix: *do not* allow duplicate key options

[Mimi Zohar]

On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> The trusted keys option parsing allows specifying the same option
> multiple times. The last option value specified is used.
> 
> This can be seen as a regression because:
> 
> * No gain.
> * Could be problematic if there is be options dependent on other
>   options.

Thanks, Jarkko.   Although it should be obvious that patch limits the
number of times an option can be specified, you should explicitly
mention it in the patch description.

Mimi

> Reported-by: James Morris James Morris <jmorris@namei.org>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  security/keys/trusted.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 903dace..7c183c7 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -736,11 +736,14 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  	int res;
>  	unsigned long handle;
>  	unsigned long lock;
> +	unsigned long token_mask = 0;
> 
>  	while ((p = strsep(&c, " \t"))) {
>  		if (*p == '\0' || *p == ' ' || *p == '\t')
>  			continue;
>  		token = match_token(p, key_tokens, args);
> +		if (test_and_set_bit(token, &token_mask))
> +			return -EINVAL;
> 
>  		switch (token) {
>  		case Opt_pcrinfo:

Re: [PATCH v2 1/3] keys, trusted: fix: *do not* allow duplicate key options

[Jarkko Sakkinen]

On Mon, Dec 14, 2015 at 08:46:33AM -0500, Mimi Zohar wrote:
> On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> > The trusted keys option parsing allows specifying the same option
> > multiple times. The last option value specified is used.
> > 
> > This can be seen as a regression because:
> > 
> > * No gain.
> > * Could be problematic if there is be options dependent on other
> >   options.
> 
> Thanks, Jarkko.   Although it should be obvious that patch limits the
> number of times an option can be specified, you should explicitly
> mention it in the patch description.

OK, I'll update the commit message with this information before I send
the pull request. Thanks for the advice!

> Mimi

/Jarkko

> 
> > Reported-by: James Morris James Morris <jmorris@namei.org>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > ---
> >  security/keys/trusted.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> > index 903dace..7c183c7 100644
> > --- a/security/keys/trusted.c
> > +++ b/security/keys/trusted.c
> > @@ -736,11 +736,14 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> >  	int res;
> >  	unsigned long handle;
> >  	unsigned long lock;
> > +	unsigned long token_mask = 0;
> > 
> >  	while ((p = strsep(&c, " \t"))) {
> >  		if (*p == '\0' || *p == ' ' || *p == '\t')
> >  			continue;
> >  		token = match_token(p, key_tokens, args);
> > +		if (test_and_set_bit(token, &token_mask))
> > +			return -EINVAL;
> > 
> >  		switch (token) {
> >  		case Opt_pcrinfo:
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v2 2/3] keys, trusted: select hash algorithm for TPM2 chips

[Jarkko Sakkinen]

Added 'hash=' option for selecting the hash algorithm for add_key()
syscall and documentation for it.

Added entry for sm3-256 to the following tables in order to support
TPM_ALG_SM3_256:

* hash_algo_name
* hash_digest_size

Includes support for the following hash algorithms:

* sha1
* sha256
* sha384
* sha512
* sm3-256

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
---
 Documentation/security/keys-trusted-encrypted.txt |  3 ++
 crypto/hash_info.c                                |  2 ++
 drivers/char/tpm/tpm.h                            | 10 +++++--
 drivers/char/tpm/tpm2-cmd.c                       | 36 +++++++++++++++++++++--
 include/crypto/hash_info.h                        |  3 ++
 include/keys/trusted-type.h                       |  1 +
 include/uapi/linux/hash_info.h                    |  1 +
 security/keys/Kconfig                             |  1 +
 security/keys/trusted.c                           | 27 ++++++++++++++++-
 9 files changed, 77 insertions(+), 7 deletions(-)

diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..fd2565b 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -38,6 +38,9 @@ Usage:
        pcrlock=	  pcr number to be extended to "lock" blob
        migratable= 0|1 indicating permission to reseal to new PCR values,
                    default 1 (resealing allowed)
+       hash=      hash algorithm name as a string. For TPM 1.x the only
+                  allowed value is sha1. For TPM 2.x the allowed values
+		  are sha1, sha256, sha384, sha512 and sm3-256.
 
 "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
 TPM_STORED_DATA format.  The key length for new keys are always in bytes.
diff --git a/crypto/hash_info.c b/crypto/hash_info.c
index 3e7ff46..7b1e0b1 100644
--- a/crypto/hash_info.c
+++ b/crypto/hash_info.c
@@ -31,6 +31,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
 	[HASH_ALGO_TGR_128]	= "tgr128",
 	[HASH_ALGO_TGR_160]	= "tgr160",
 	[HASH_ALGO_TGR_192]	= "tgr192",
+	[HASH_ALGO_SM3_256]	= "sm3-256",
 };
 EXPORT_SYMBOL_GPL(hash_algo_name);
 
@@ -52,5 +53,6 @@ const int hash_digest_size[HASH_ALGO__LAST] = {
 	[HASH_ALGO_TGR_128]	= TGR128_DIGEST_SIZE,
 	[HASH_ALGO_TGR_160]	= TGR160_DIGEST_SIZE,
 	[HASH_ALGO_TGR_192]	= TGR192_DIGEST_SIZE,
+	[HASH_ALGO_SM3_256]	= SM3256_DIGEST_SIZE,
 };
 EXPORT_SYMBOL_GPL(hash_digest_size);
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 347fc61..542a80c 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -83,16 +83,20 @@ enum tpm2_structures {
 };
 
 enum tpm2_return_codes {
-	TPM2_RC_INITIALIZE	= 0x0100,
-	TPM2_RC_TESTING		= 0x090A,
+	TPM2_RC_HASH		= 0x0083, /* RC_FMT1 */
+	TPM2_RC_INITIALIZE	= 0x0100, /* RC_VER1 */
 	TPM2_RC_DISABLED	= 0x0120,
+	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
 };
 
 enum tpm2_algorithms {
 	TPM2_ALG_SHA1		= 0x0004,
 	TPM2_ALG_KEYEDHASH	= 0x0008,
 	TPM2_ALG_SHA256		= 0x000B,
-	TPM2_ALG_NULL		= 0x0010
+	TPM2_ALG_SHA384		= 0x000C,
+	TPM2_ALG_SHA512		= 0x000D,
+	TPM2_ALG_NULL		= 0x0010,
+	TPM2_ALG_SM3_256	= 0x0012,
 };
 
 enum tpm2_command_codes {
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index c121304..d9d0822 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -16,6 +16,7 @@
  */
 
 #include "tpm.h"
+#include <crypto/hash_info.h>
 #include <keys/trusted-type.h>
 
 enum tpm2_object_attributes {
@@ -104,6 +105,19 @@ struct tpm2_cmd {
 	union tpm2_cmd_params	params;
 } __packed;
 
+struct tpm2_hash {
+	unsigned int crypto_id;
+	unsigned int tpm_id;
+};
+
+static struct tpm2_hash tpm2_hash_map[] = {
+	{HASH_ALGO_SHA1, TPM2_ALG_SHA1},
+	{HASH_ALGO_SHA256, TPM2_ALG_SHA256},
+	{HASH_ALGO_SHA384, TPM2_ALG_SHA384},
+	{HASH_ALGO_SHA512, TPM2_ALG_SHA512},
+	{HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
+};
+
 /*
  * Array with one entry per ordinal defining the maximum amount
  * of time the chip could take to return the result. The values
@@ -429,8 +443,20 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 {
 	unsigned int blob_len;
 	struct tpm_buf buf;
+	u32 hash;
+	int i;
 	int rc;
 
+	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
+		if (options->hash == tpm2_hash_map[i].crypto_id) {
+			hash = tpm2_hash_map[i].tpm_id;
+			break;
+		}
+	}
+
+	if (i == ARRAY_SIZE(tpm2_hash_map))
+		return -EINVAL;
+
 	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
 	if (rc)
 		return rc;
@@ -455,7 +481,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 	tpm_buf_append_u16(&buf, 14);
 
 	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
-	tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
+	tpm_buf_append_u16(&buf, hash);
 	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
 	tpm_buf_append_u16(&buf, 0); /* policy digest size */
 	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
@@ -488,8 +514,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 out:
 	tpm_buf_destroy(&buf);
 
-	if (rc > 0)
-		rc = -EPERM;
+	if (rc > 0) {
+		if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
+			rc = -EINVAL;
+		else
+			rc = -EPERM;
+	}
 
 	return rc;
 }
diff --git a/include/crypto/hash_info.h b/include/crypto/hash_info.h
index e1e5a3e..56f217d 100644
--- a/include/crypto/hash_info.h
+++ b/include/crypto/hash_info.h
@@ -34,6 +34,9 @@
 #define TGR160_DIGEST_SIZE 20
 #define TGR192_DIGEST_SIZE 24
 
+/* not defined in include/crypto/ */
+#define SM3256_DIGEST_SIZE 32
+
 extern const char *const hash_algo_name[HASH_ALGO__LAST];
 extern const int hash_digest_size[HASH_ALGO__LAST];
 
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index f91ecd9..a6a1008 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -36,6 +36,7 @@ struct trusted_key_options {
 	uint32_t pcrinfo_len;
 	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
 	int pcrlock;
+	uint32_t hash;
 };
 
 extern struct key_type key_type_trusted;
diff --git a/include/uapi/linux/hash_info.h b/include/uapi/linux/hash_info.h
index ca18c45..ebf8fd8 100644
--- a/include/uapi/linux/hash_info.h
+++ b/include/uapi/linux/hash_info.h
@@ -31,6 +31,7 @@ enum hash_algo {
 	HASH_ALGO_TGR_128,
 	HASH_ALGO_TGR_160,
 	HASH_ALGO_TGR_192,
+	HASH_ALGO_SM3_256,
 	HASH_ALGO__LAST
 };
 
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index 72483b8..fe4d74e 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -54,6 +54,7 @@ config TRUSTED_KEYS
 	select CRYPTO
 	select CRYPTO_HMAC
 	select CRYPTO_SHA1
+	select CRYPTO_HASH_INFO
 	help
 	  This option provides support for creating, sealing, and unsealing
 	  keys in the kernel. Trusted keys are random number symmetric keys,
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 7c183c7..8f1300c 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -11,6 +11,7 @@
  * See Documentation/security/keys-trusted-encrypted.txt
  */
 
+#include <crypto/hash_info.h>
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/init.h>
@@ -710,7 +711,8 @@ enum {
 	Opt_err = -1,
 	Opt_new, Opt_load, Opt_update,
 	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
-	Opt_pcrinfo, Opt_pcrlock, Opt_migratable
+	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
+	Opt_hash,
 };
 
 static const match_table_t key_tokens = {
@@ -723,6 +725,7 @@ static const match_table_t key_tokens = {
 	{Opt_pcrinfo, "pcrinfo=%s"},
 	{Opt_pcrlock, "pcrlock=%s"},
 	{Opt_migratable, "migratable=%s"},
+	{Opt_hash, "hash=%s"},
 	{Opt_err, NULL}
 };
 
@@ -737,6 +740,14 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 	unsigned long handle;
 	unsigned long lock;
 	unsigned long token_mask = 0;
+	int i;
+	int tpm2;
+
+	tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
+	if (tpm2 < 0)
+		return tpm2;
+
+	opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
 
 	while ((p = strsep(&c, " \t"))) {
 		if (*p == '\0' || *p == ' ' || *p == '\t')
@@ -790,6 +801,20 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 				return -EINVAL;
 			opt->pcrlock = lock;
 			break;
+		case Opt_hash:
+			for (i = 0; i < HASH_ALGO__LAST; i++) {
+				if (!strcmp(args[0].from, hash_algo_name[i])) {
+					opt->hash = i;
+					break;
+				}
+			}
+			if (i == HASH_ALGO__LAST)
+				return -EINVAL;
+			if  (!tpm2 && i != HASH_ALGO_SHA1) {
+				pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
+				return -EINVAL;
+			}
+			break;
 		default:
 			return -EINVAL;
 		}
-- 
2.5.0

[PATCH v2 3/3] keys, trusted: seal with a TPM2 authorization policy

[Jarkko Sakkinen]

TPM2 supports authorization policies, which are essentially
combinational logic statements repsenting the conditions where the data
can be unsealed based on the TPM state. This patch enables to use
authorization policies to seal trusted keys.

Two following new options have been added for trusted keys:

* 'policydigest=': provide an auth policy digest for sealing.
* 'policyhandle=': provide a policy session handle for unsealing.

If 'hash=' option is supplied after 'policydigest=' option, this
will result an error because the state of the option would become
mixed.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
---
 Documentation/security/keys-trusted-encrypted.txt | 34 +++++++++++++----------
 drivers/char/tpm/tpm2-cmd.c                       | 24 +++++++++++++---
 include/keys/trusted-type.h                       |  4 +++
 security/keys/trusted.c                           | 26 +++++++++++++++++
 4 files changed, 70 insertions(+), 18 deletions(-)

diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index fd2565b..324ddf5 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -27,20 +27,26 @@ Usage:
     keyctl print keyid
 
     options:
-       keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
-       keyauth=	  ascii hex auth for sealing key default 0x00...i
-		  (40 ascii zeros)
-       blobauth=  ascii hex auth for sealed data default 0x00...
-		  (40 ascii zeros)
-       blobauth=  ascii hex auth for sealed data default 0x00...
-		  (40 ascii zeros)
-       pcrinfo=	  ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
-       pcrlock=	  pcr number to be extended to "lock" blob
-       migratable= 0|1 indicating permission to reseal to new PCR values,
-                   default 1 (resealing allowed)
-       hash=      hash algorithm name as a string. For TPM 1.x the only
-                  allowed value is sha1. For TPM 2.x the allowed values
-		  are sha1, sha256, sha384, sha512 and sm3-256.
+       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
+       keyauth=	     ascii hex auth for sealing key default 0x00...i
+                     (40 ascii zeros)
+       blobauth=     ascii hex auth for sealed data default 0x00...
+                     (40 ascii zeros)
+       blobauth=     ascii hex auth for sealed data default 0x00...
+                     (40 ascii zeros)
+       pcrinfo=	     ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
+       pcrlock=	     pcr number to be extended to "lock" blob
+       migratable=   0|1 indicating permission to reseal to new PCR values,
+                     default 1 (resealing allowed)
+       hash=         hash algorithm name as a string. For TPM 1.x the only
+                     allowed value is sha1. For TPM 2.x the allowed values
+                     are sha1, sha256, sha384, sha512 and sm3-256.
+       policydigest= digest for the authorization policy. must be calculated
+                     with the same hash algorithm as specified by the 'hash='
+                     option.
+       policyhandle= handle to an authorization policy session that defines the
+                     same policy and with the same hash algorithm as was used to
+                     seal the key.
 
 "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
 TPM_STORED_DATA format.  The key length for new keys are always in bytes.
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index d9d0822..45a6340 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -478,12 +478,26 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 	tpm_buf_append_u8(&buf, payload->migratable);
 
 	/* public */
-	tpm_buf_append_u16(&buf, 14);
+	if (options->policydigest)
+		tpm_buf_append_u16(&buf, 14 + options->digest_len);
+	else
+		tpm_buf_append_u16(&buf, 14);
 
 	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
 	tpm_buf_append_u16(&buf, hash);
-	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
-	tpm_buf_append_u16(&buf, 0); /* policy digest size */
+
+	/* policy */
+	if (options->policydigest) {
+		tpm_buf_append_u32(&buf, 0);
+		tpm_buf_append_u16(&buf, options->digest_len);
+		tpm_buf_append(&buf, options->policydigest,
+			       options->digest_len);
+	} else {
+		tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
+		tpm_buf_append_u16(&buf, 0);
+	}
+
+	/* public parameters */
 	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
 	tpm_buf_append_u16(&buf, 0);
 
@@ -613,7 +627,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
 		return rc;
 
 	tpm_buf_append_u32(&buf, blob_handle);
-	tpm2_buf_append_auth(&buf, TPM2_RS_PW,
+	tpm2_buf_append_auth(&buf,
+			     options->policyhandle ?
+			     options->policyhandle : TPM2_RS_PW,
 			     NULL /* nonce */, 0,
 			     0 /* session_attributes */,
 			     options->blobauth /* hmac */,
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index a6a1008..42cf2d9 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -18,6 +18,7 @@
 #define MAX_KEY_SIZE			128
 #define MAX_BLOB_SIZE			512
 #define MAX_PCRINFO_SIZE		64
+#define MAX_DIGEST_SIZE			64
 
 struct trusted_key_payload {
 	struct rcu_head rcu;
@@ -37,6 +38,9 @@ struct trusted_key_options {
 	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
 	int pcrlock;
 	uint32_t hash;
+	uint32_t digest_len;
+	unsigned char policydigest[MAX_DIGEST_SIZE];
+	uint32_t policyhandle;
 };
 
 extern struct key_type key_type_trusted;
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 8f1300c..e15baf7 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -713,6 +713,8 @@ enum {
 	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
 	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
 	Opt_hash,
+	Opt_policydigest,
+	Opt_policyhandle,
 };
 
 static const match_table_t key_tokens = {
@@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
 	{Opt_pcrlock, "pcrlock=%s"},
 	{Opt_migratable, "migratable=%s"},
 	{Opt_hash, "hash=%s"},
+	{Opt_policydigest, "policydigest=%s"},
+	{Opt_policyhandle, "policyhandle=%s"},
 	{Opt_err, NULL}
 };
 
@@ -748,6 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 		return tpm2;
 
 	opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
+	opt->digest_len = hash_digest_size[opt->hash];
 
 	while ((p = strsep(&c, " \t"))) {
 		if (*p == '\0' || *p == ' ' || *p == '\t')
@@ -802,9 +807,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 			opt->pcrlock = lock;
 			break;
 		case Opt_hash:
+			if (test_bit(Opt_policydigest, &token_mask))
+				return -EINVAL;
 			for (i = 0; i < HASH_ALGO__LAST; i++) {
 				if (!strcmp(args[0].from, hash_algo_name[i])) {
 					opt->hash = i;
+					opt->digest_len =
+						hash_digest_size[opt->hash];
 					break;
 				}
 			}
@@ -815,6 +824,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 				return -EINVAL;
 			}
 			break;
+		case Opt_policydigest:
+			if (!tpm2 ||
+			    strlen(args[0].from) != (2 * opt->digest_len))
+				return -EINVAL;
+			res = hex2bin(opt->policydigest, args[0].from,
+				      opt->digest_len);
+			if (res < 0)
+				return -EINVAL;
+			break;
+		case Opt_policyhandle:
+			if (!tpm2)
+				return -EINVAL;
+			res = kstrtoul(args[0].from, 16, &handle);
+			if (res < 0)
+				return -EINVAL;
+			opt->policyhandle = handle;
+			break;
 		default:
 			return -EINVAL;
 		}
-- 
2.5.0

Re: [PATCH v2 3/3] keys, trusted: seal with a TPM2 authorization policy

[Mimi Zohar]

On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> TPM2 supports authorization policies, which are essentially
> combinational logic statements repsenting the conditions where the data
> can be unsealed based on the TPM state. This patch enables to use
> authorization policies to seal trusted keys.
> 
> Two following new options have been added for trusted keys:
> 
> * 'policydigest=': provide an auth policy digest for sealing.
> * 'policyhandle=': provide a policy session handle for unsealing.
> 
> If 'hash=' option is supplied after 'policydigest=' option, this
> will result an error because the state of the option would become
> mixed.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Tested-by: Colin Ian King <colin.king@canonical.com>
> ---
>  Documentation/security/keys-trusted-encrypted.txt | 34 +++++++++++++----------
>  drivers/char/tpm/tpm2-cmd.c                       | 24 +++++++++++++---
>  include/keys/trusted-type.h                       |  4 +++
>  security/keys/trusted.c                           | 26 +++++++++++++++++
>  4 files changed, 70 insertions(+), 18 deletions(-)
> 
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index fd2565b..324ddf5 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -27,20 +27,26 @@ Usage:
>      keyctl print keyid
> 
>      options:
> -       keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> -       keyauth=	  ascii hex auth for sealing key default 0x00...i
> -		  (40 ascii zeros)
> -       blobauth=  ascii hex auth for sealed data default 0x00...
> -		  (40 ascii zeros)
> -       blobauth=  ascii hex auth for sealed data default 0x00...
> -		  (40 ascii zeros)
> -       pcrinfo=	  ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> -       pcrlock=	  pcr number to be extended to "lock" blob
> -       migratable= 0|1 indicating permission to reseal to new PCR values,
> -                   default 1 (resealing allowed)
> -       hash=      hash algorithm name as a string. For TPM 1.x the only
> -                  allowed value is sha1. For TPM 2.x the allowed values
> -		  are sha1, sha256, sha384, sha512 and sm3-256.
> +       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
> +       keyauth=	     ascii hex auth for sealing key default 0x00...i
> +                     (40 ascii zeros)
> +       blobauth=     ascii hex auth for sealed data default 0x00...
> +                     (40 ascii zeros)
> +       blobauth=     ascii hex auth for sealed data default 0x00...
> +                     (40 ascii zeros)
> +       pcrinfo=	     ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> +       pcrlock=	     pcr number to be extended to "lock" blob
> +       migratable=   0|1 indicating permission to reseal to new PCR values,
> +                     default 1 (resealing allowed)
> +       hash=         hash algorithm name as a string. For TPM 1.x the only
> +                     allowed value is sha1. For TPM 2.x the allowed values
> +                     are sha1, sha256, sha384, sha512 and sm3-256.
> +       policydigest= digest for the authorization policy. must be calculated
> +                     with the same hash algorithm as specified by the 'hash='
> +                     option.
> +       policyhandle= handle to an authorization policy session that defines the
> +                     same policy and with the same hash algorithm as was used to
> +                     seal the key.
> 
>  "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
>  TPM_STORED_DATA format.  The key length for new keys are always in bytes.
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index d9d0822..45a6340 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -478,12 +478,26 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  	tpm_buf_append_u8(&buf, payload->migratable);
> 
>  	/* public */
> -	tpm_buf_append_u16(&buf, 14);
> +	if (options->policydigest)
> +		tpm_buf_append_u16(&buf, 14 + options->digest_len);
> +	else
> +		tpm_buf_append_u16(&buf, 14);
> 
>  	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
>  	tpm_buf_append_u16(&buf, hash);
> -	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> -	tpm_buf_append_u16(&buf, 0); /* policy digest size */
> +
> +	/* policy */
> +	if (options->policydigest) {
> +		tpm_buf_append_u32(&buf, 0);
> +		tpm_buf_append_u16(&buf, options->digest_len);
> +		tpm_buf_append(&buf, options->policydigest,
> +			       options->digest_len);
> +	} else {
> +		tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> +		tpm_buf_append_u16(&buf, 0);
> +	}
> +
> +	/* public parameters */
>  	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
>  	tpm_buf_append_u16(&buf, 0);
> 
> @@ -613,7 +627,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
>  		return rc;
> 
>  	tpm_buf_append_u32(&buf, blob_handle);
> -	tpm2_buf_append_auth(&buf, TPM2_RS_PW,
> +	tpm2_buf_append_auth(&buf,
> +			     options->policyhandle ?
> +			     options->policyhandle : TPM2_RS_PW,
>  			     NULL /* nonce */, 0,
>  			     0 /* session_attributes */,
>  			     options->blobauth /* hmac */,
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index a6a1008..42cf2d9 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -18,6 +18,7 @@
>  #define MAX_KEY_SIZE			128
>  #define MAX_BLOB_SIZE			512
>  #define MAX_PCRINFO_SIZE		64
> +#define MAX_DIGEST_SIZE			64
> 
>  struct trusted_key_payload {
>  	struct rcu_head rcu;
> @@ -37,6 +38,9 @@ struct trusted_key_options {
>  	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
>  	int pcrlock;
>  	uint32_t hash;
> +	uint32_t digest_len;
> +	unsigned char policydigest[MAX_DIGEST_SIZE];
> +	uint32_t policyhandle;
>  };
> 
>  extern struct key_type key_type_trusted;
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 8f1300c..e15baf7 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -713,6 +713,8 @@ enum {
>  	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
>  	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
>  	Opt_hash,
> +	Opt_policydigest,
> +	Opt_policyhandle,
>  };
> 
>  static const match_table_t key_tokens = {
> @@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
>  	{Opt_pcrlock, "pcrlock=%s"},
>  	{Opt_migratable, "migratable=%s"},
>  	{Opt_hash, "hash=%s"},
> +	{Opt_policydigest, "policydigest=%s"},
> +	{Opt_policyhandle, "policyhandle=%s"},
>  	{Opt_err, NULL}
>  };
> 
> @@ -748,6 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  		return tpm2;
> 
>  	opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
> +	opt->digest_len = hash_digest_size[opt->hash];
> 
>  	while ((p = strsep(&c, " \t"))) {
>  		if (*p == '\0' || *p == ' ' || *p == '\t')
> @@ -802,9 +807,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  			opt->pcrlock = lock;
>  			break;
>  		case Opt_hash:
> +			if (test_bit(Opt_policydigest, &token_mask))
> +				return -EINVAL;

Thanks!  Definitely better than having the test at the end of the while
loop.

Mimi

>  			for (i = 0; i < HASH_ALGO__LAST; i++) {
>  				if (!strcmp(args[0].from, hash_algo_name[i])) {
>  					opt->hash = i;
> +					opt->digest_len =
> +						hash_digest_size[opt->hash];
>  					break;
>  				}
>  			}
> @@ -815,6 +824,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
>  				return -EINVAL;
>  			}
>  			break;
> +		case Opt_policydigest:
> +			if (!tpm2 ||
> +			    strlen(args[0].from) != (2 * opt->digest_len))
> +				return -EINVAL;
> +			res = hex2bin(opt->policydigest, args[0].from,
> +				      opt->digest_len);
> +			if (res < 0)
> +				return -EINVAL;
> +			break;
> +		case Opt_policyhandle:
> +			if (!tpm2)
> +				return -EINVAL;
> +			res = kstrtoul(args[0].from, 16, &handle);
> +			if (res < 0)
> +				return -EINVAL;
> +			opt->policyhandle = handle;
> +			break;
>  		default:
>  			return -EINVAL;
>  		}

Re: [PATCH v2 3/3] keys, trusted: seal with a TPM2 authorization policy

[Jarkko Sakkinen]

On Mon, Dec 14, 2015 at 08:49:00AM -0500, Mimi Zohar wrote:
> On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> > TPM2 supports authorization policies, which are essentially
> > combinational logic statements repsenting the conditions where the data
> > can be unsealed based on the TPM state. This patch enables to use
> > authorization policies to seal trusted keys.
> > 
> > Two following new options have been added for trusted keys:
> > 
> > * 'policydigest=': provide an auth policy digest for sealing.
> > * 'policyhandle=': provide a policy session handle for unsealing.
> > 
> > If 'hash=' option is supplied after 'policydigest=' option, this
> > will result an error because the state of the option would become
> > mixed.
> > 
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > Tested-by: Colin Ian King <colin.king@canonical.com>
> > ---
> >  Documentation/security/keys-trusted-encrypted.txt | 34 +++++++++++++----------
> >  drivers/char/tpm/tpm2-cmd.c                       | 24 +++++++++++++---
> >  include/keys/trusted-type.h                       |  4 +++
> >  security/keys/trusted.c                           | 26 +++++++++++++++++
> >  4 files changed, 70 insertions(+), 18 deletions(-)
> > 
> > diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> > index fd2565b..324ddf5 100644
> > --- a/Documentation/security/keys-trusted-encrypted.txt
> > +++ b/Documentation/security/keys-trusted-encrypted.txt
> > @@ -27,20 +27,26 @@ Usage:
> >      keyctl print keyid
> > 
> >      options:
> > -       keyhandle= ascii hex value of sealing key default 0x40000000 (SRK)
> > -       keyauth=	  ascii hex auth for sealing key default 0x00...i
> > -		  (40 ascii zeros)
> > -       blobauth=  ascii hex auth for sealed data default 0x00...
> > -		  (40 ascii zeros)
> > -       blobauth=  ascii hex auth for sealed data default 0x00...
> > -		  (40 ascii zeros)
> > -       pcrinfo=	  ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> > -       pcrlock=	  pcr number to be extended to "lock" blob
> > -       migratable= 0|1 indicating permission to reseal to new PCR values,
> > -                   default 1 (resealing allowed)
> > -       hash=      hash algorithm name as a string. For TPM 1.x the only
> > -                  allowed value is sha1. For TPM 2.x the allowed values
> > -		  are sha1, sha256, sha384, sha512 and sm3-256.
> > +       keyhandle=    ascii hex value of sealing key default 0x40000000 (SRK)
> > +       keyauth=	     ascii hex auth for sealing key default 0x00...i
> > +                     (40 ascii zeros)
> > +       blobauth=     ascii hex auth for sealed data default 0x00...
> > +                     (40 ascii zeros)
> > +       blobauth=     ascii hex auth for sealed data default 0x00...
> > +                     (40 ascii zeros)
> > +       pcrinfo=	     ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
> > +       pcrlock=	     pcr number to be extended to "lock" blob
> > +       migratable=   0|1 indicating permission to reseal to new PCR values,
> > +                     default 1 (resealing allowed)
> > +       hash=         hash algorithm name as a string. For TPM 1.x the only
> > +                     allowed value is sha1. For TPM 2.x the allowed values
> > +                     are sha1, sha256, sha384, sha512 and sm3-256.
> > +       policydigest= digest for the authorization policy. must be calculated
> > +                     with the same hash algorithm as specified by the 'hash='
> > +                     option.
> > +       policyhandle= handle to an authorization policy session that defines the
> > +                     same policy and with the same hash algorithm as was used to
> > +                     seal the key.
> > 
> >  "keyctl print" returns an ascii hex copy of the sealed key, which is in standard
> >  TPM_STORED_DATA format.  The key length for new keys are always in bytes.
> > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > index d9d0822..45a6340 100644
> > --- a/drivers/char/tpm/tpm2-cmd.c
> > +++ b/drivers/char/tpm/tpm2-cmd.c
> > @@ -478,12 +478,26 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> >  	tpm_buf_append_u8(&buf, payload->migratable);
> > 
> >  	/* public */
> > -	tpm_buf_append_u16(&buf, 14);
> > +	if (options->policydigest)
> > +		tpm_buf_append_u16(&buf, 14 + options->digest_len);
> > +	else
> > +		tpm_buf_append_u16(&buf, 14);
> > 
> >  	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
> >  	tpm_buf_append_u16(&buf, hash);
> > -	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> > -	tpm_buf_append_u16(&buf, 0); /* policy digest size */
> > +
> > +	/* policy */
> > +	if (options->policydigest) {
> > +		tpm_buf_append_u32(&buf, 0);
> > +		tpm_buf_append_u16(&buf, options->digest_len);
> > +		tpm_buf_append(&buf, options->policydigest,
> > +			       options->digest_len);
> > +	} else {
> > +		tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> > +		tpm_buf_append_u16(&buf, 0);
> > +	}
> > +
> > +	/* public parameters */
> >  	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
> >  	tpm_buf_append_u16(&buf, 0);
> > 
> > @@ -613,7 +627,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
> >  		return rc;
> > 
> >  	tpm_buf_append_u32(&buf, blob_handle);
> > -	tpm2_buf_append_auth(&buf, TPM2_RS_PW,
> > +	tpm2_buf_append_auth(&buf,
> > +			     options->policyhandle ?
> > +			     options->policyhandle : TPM2_RS_PW,
> >  			     NULL /* nonce */, 0,
> >  			     0 /* session_attributes */,
> >  			     options->blobauth /* hmac */,
> > diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> > index a6a1008..42cf2d9 100644
> > --- a/include/keys/trusted-type.h
> > +++ b/include/keys/trusted-type.h
> > @@ -18,6 +18,7 @@
> >  #define MAX_KEY_SIZE			128
> >  #define MAX_BLOB_SIZE			512
> >  #define MAX_PCRINFO_SIZE		64
> > +#define MAX_DIGEST_SIZE			64
> > 
> >  struct trusted_key_payload {
> >  	struct rcu_head rcu;
> > @@ -37,6 +38,9 @@ struct trusted_key_options {
> >  	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
> >  	int pcrlock;
> >  	uint32_t hash;
> > +	uint32_t digest_len;
> > +	unsigned char policydigest[MAX_DIGEST_SIZE];
> > +	uint32_t policyhandle;
> >  };
> > 
> >  extern struct key_type key_type_trusted;
> > diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> > index 8f1300c..e15baf7 100644
> > --- a/security/keys/trusted.c
> > +++ b/security/keys/trusted.c
> > @@ -713,6 +713,8 @@ enum {
> >  	Opt_keyhandle, Opt_keyauth, Opt_blobauth,
> >  	Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
> >  	Opt_hash,
> > +	Opt_policydigest,
> > +	Opt_policyhandle,
> >  };
> > 
> >  static const match_table_t key_tokens = {
> > @@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
> >  	{Opt_pcrlock, "pcrlock=%s"},
> >  	{Opt_migratable, "migratable=%s"},
> >  	{Opt_hash, "hash=%s"},
> > +	{Opt_policydigest, "policydigest=%s"},
> > +	{Opt_policyhandle, "policyhandle=%s"},
> >  	{Opt_err, NULL}
> >  };
> > 
> > @@ -748,6 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> >  		return tpm2;
> > 
> >  	opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
> > +	opt->digest_len = hash_digest_size[opt->hash];
> > 
> >  	while ((p = strsep(&c, " \t"))) {
> >  		if (*p == '\0' || *p == ' ' || *p == '\t')
> > @@ -802,9 +807,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> >  			opt->pcrlock = lock;
> >  			break;
> >  		case Opt_hash:
> > +			if (test_bit(Opt_policydigest, &token_mask))
> > +				return -EINVAL;
> 
> Thanks!  Definitely better than having the test at the end of the while
> loop.

Yup, retrospectively the previous version looked like a mess. This is
now nicely localized change that cannot easily break the existing
functionality.

> Mimi

/Jarkko

> 
> >  			for (i = 0; i < HASH_ALGO__LAST; i++) {
> >  				if (!strcmp(args[0].from, hash_algo_name[i])) {
> >  					opt->hash = i;
> > +					opt->digest_len =
> > +						hash_digest_size[opt->hash];
> >  					break;
> >  				}
> >  			}
> > @@ -815,6 +824,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> >  				return -EINVAL;
> >  			}
> >  			break;
> > +		case Opt_policydigest:
> > +			if (!tpm2 ||
> > +			    strlen(args[0].from) != (2 * opt->digest_len))
> > +				return -EINVAL;
> > +			res = hex2bin(opt->policydigest, args[0].from,
> > +				      opt->digest_len);
> > +			if (res < 0)
> > +				return -EINVAL;
> > +			break;
> > +		case Opt_policyhandle:
> > +			if (!tpm2)
> > +				return -EINVAL;
> > +			res = kstrtoul(args[0].from, 16, &handle);
> > +			if (res < 0)
> > +				return -EINVAL;
> > +			opt->policyhandle = handle;
> > +			break;
> >  		default:
> >  			return -EINVAL;
> >  		}
> 
>