Message ID | 20220504161439.4.I32591db064b6cdc91850d777f363c9d05c985b39@changeid (mailing list archive) |
State | Superseded, archived |
Series | Encrypted Hibernation | expand |
On Wed, May 04, 2022 at 04:20:56PM -0700, Evan Green wrote: > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > index aa108bea6739b3..2975827c01bec0 100644 > --- a/security/keys/trusted-keys/trusted_tpm1.c > +++ b/security/keys/trusted-keys/trusted_tpm1.c > @@ -713,6 +713,7 @@ enum { > Opt_hash, > Opt_policydigest, > Opt_policyhandle, > + Opt_creationpcrs, > }; > > static const match_table_t key_tokens = { > @@ -725,6 +726,7 @@ static const match_table_t key_tokens = { > {Opt_hash, "hash=%s"}, > {Opt_policydigest, "policydigest=%s"}, > {Opt_policyhandle, "policyhandle=%s"}, > + {Opt_creationpcrs, "creationpcrs=%s"}, > {Opt_err, NULL} > }; > > @@ -858,6 +860,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > return -EINVAL; > opt->policyhandle = handle; > break; > + case Opt_creationpcrs: > + if (!tpm2) > + return -EINVAL; > + res = kstrtoint(args[0].from, 16, &opt->creation_pcrs); > + if (res < 0) > + return -EINVAL; > + break; I thought that TPM1 is deprecated. Are you sure you need more TPM1 features? - Eric
On Tue, Aug 2, 2022 at 4:00 PM Eric Biggers <ebiggers@kernel.org> wrote: > > On Wed, May 04, 2022 at 04:20:56PM -0700, Evan Green wrote: > > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > > index aa108bea6739b3..2975827c01bec0 100644 > > --- a/security/keys/trusted-keys/trusted_tpm1.c > > +++ b/security/keys/trusted-keys/trusted_tpm1.c > > @@ -713,6 +713,7 @@ enum { > > Opt_hash, > > Opt_policydigest, > > Opt_policyhandle, > > + Opt_creationpcrs, > > }; > > > > static const match_table_t key_tokens = { > > @@ -725,6 +726,7 @@ static const match_table_t key_tokens = { > > {Opt_hash, "hash=%s"}, > > {Opt_policydigest, "policydigest=%s"}, > > {Opt_policyhandle, "policyhandle=%s"}, > > + {Opt_creationpcrs, "creationpcrs=%s"}, > > {Opt_err, NULL} > > }; > > > > @@ -858,6 +860,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > > return -EINVAL; > > opt->policyhandle = handle; > > break; > > + case Opt_creationpcrs: > > + if (!tpm2) > > + return -EINVAL; > > + res = kstrtoint(args[0].from, 16, &opt->creation_pcrs); > > + if (res < 0) > > + return -EINVAL; > > + break; > > I thought that TPM1 is deprecated. Are you sure you need more TPM1 features? It seems that trusted_tpm1.c is not just TPM1 functions, but also common functions that call TPM2 primitives. A few of these functions (like this getoptions()) seem to even error out if !tpm_is_tpm2(chip). -Evan
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index f614dad7de12f9..7215b067bf128f 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -170,6 +170,10 @@ Usage::
 policyhandle= handle to an authorization policy session that defines the same policy and with the same hash algorithm as was used to seal the key.
+ creationpcrs= hex integer representing the set of PCR values to be
+ included in the PCR creation data. The bit corresponding
+ to each PCR should be 1 to be included, 0 to be ignored.
+ TPM2 only.
 "keyctl print" returns an ascii hex copy of the sealed key, which is in standard TPM_STORED_DATA format. The key length for new keys are always in bytes.
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 8a793ae1ad9f70..b3ac4afe8ba987 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -54,6 +54,7 @@ struct trusted_key_options {
 uint32_t policydigest_len;
 unsigned char policydigest[MAX_DIGEST_SIZE];
 uint32_t policyhandle;
+ uint32_t creation_pcrs;
 };
 
 struct trusted_key_ops {
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index aa108bea6739b3..2975827c01bec0 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -713,6 +713,7 @@ enum {
 Opt_hash,
 Opt_policydigest,
 Opt_policyhandle,
+ Opt_creationpcrs,
 };
 
 static const match_table_t key_tokens = {
@@ -725,6 +726,7 @@ static const match_table_t key_tokens = {
 {Opt_hash, "hash=%s"},
 {Opt_policydigest, "policydigest=%s"},
 {Opt_policyhandle, "policyhandle=%s"},
+ {Opt_creationpcrs, "creationpcrs=%s"},
 {Opt_err, NULL}
 };
 
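Review bot: The new `creation_pcrs` member in the trusted-type.h hunk carries no comment, so a reader of the header cannot tell that it is a bitmask rather than a count or a handle, nor that it only applies to TPM2. The rst hunk on this page documents the user-facing meaning; a one-line comment on the field would keep the header self-describing, e.g. `uint32_t creation_pcrs; /* PCR selection bitmask (bit n = PCR n) for the creation data; TPM2 only */`. The struct trusted_key_options definition begins outside the hunk.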
@@ -858,6 +860,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
 return -EINVAL;
 opt->policyhandle = handle;
 break;
+ case Opt_creationpcrs:
+ if (!tpm2)
+ return -EINVAL;
+ res = kstrtoint(args[0].from, 16, &opt->creation_pcrs);
+ if (res < 0)
+ return -EINVAL;
+ break;
 default:
 return -EINVAL;
 }
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
index 296a00f872ba40..b7ddb78e644d17 100644
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -290,7 +290,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 struct tpm_buf buf;
 u32 hash;
 u32 flags;
- int i;
+ int i, j;
 int rc;
 
 for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
@@ -359,7 +359,28 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 tpm_buf_append_u16(&buf, 0);
 
 /* creation PCR */
- tpm_buf_append_u32(&buf, 0);
+ if (options->creation_pcrs) {
+ /* One bank */
+ tpm_buf_append_u32(&buf, 1);
+ /* Which bank to use */
+ tpm_buf_append_u16(&buf, hash);
+ /* Length of the PCR bitmask */
+ tpm_buf_append_u8(&buf, 3);
+ /* PCR bitmask */
+ for (i = 0; i < 3; i++) {
+ char tmp = 0;
+
+ for (j = 0; j < 8; j++) {
+ char bit = (i * 8) + j;
+
+ if (options->creation_pcrs & (1 << bit))
+ tmp |= (1 << j);
+ }
+ tpm_buf_append_u8(&buf, tmp);
+ }
+ } else {
+ tpm_buf_append_u32(&buf, 0);
+ }
 
 if (buf.flags & TPM_BUF_OVERFLOW) {
 rc = -E2BIG;
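Review bot: The new `Opt_creationpcrs` case parses into `&opt->creation_pcrs` with `kstrtoint`, but the trusted-type.h hunk on this page declares that member as `uint32_t`, so this passes a `uint32_t *` where an `int *` is expected and additionally accepts signed/negative input for what is a bitmask. The tpm2_seal_trusted hunk below only encodes three selection bytes, so any bits above 23 that the user supplies are silently dropped rather than rejected; the option parser is the place to refuse them. Suggested lines: `res = kstrtou32(args[0].from, 16, &opt->creation_pcrs);` followed by `if (res < 0 || (opt->creation_pcrs & ~0xffffffU))` / `return -EINVAL;`. getoptions begins and ends outside this hunk.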
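Review bot: In the -359 hunk the nested `for (j = 0; j < 8; j++)` loop rebuilds one byte of `options->creation_pcrs` bit by bit, and it does so through `char tmp` / `char bit`, where plain `char` may be signed, so `tmp |= (1 << 7)` stores a value that does not fit before it is converted for `tpm_buf_append_u8`. The selection byte i is just the i-th byte of the mask in little-endian order, so the inner loop and both `char` locals can be replaced with `tpm_buf_append_u8(&buf, (options->creation_pcrs >> (i * 8)) & 0xff);`, which also makes the `j` introduced in the -290 hunk unnecessary. If the explicit loop is kept, the locals should be `u8` rather than `char`. tpm2_seal_trusted begins and ends outside this hunk.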