| Message ID | 20230403214003.32093-10-James.Bottomley@HansenPartnership.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | add integrity and security to TPM2 transactions | expand |
On Mon, 2023-04-03 at 17:39 -0400, James Bottomley wrote: > tpm2_pcr_extend() is used by trusted keys to extend a PCR to prevent a > key from being re-loaded until the next reboot. To use this > functionality securely, that extend must be protected by a session > hmac. This patch adds HMAC protection so tampering with the > tpm2_pcr_extend() command in flight is detected. > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> What the heck is "check"? The code change adds hmac pipeline for the command. I get the code change but the description is misleading as this does more than just add a check. > --- > drivers/char/tpm/tpm2-cmd.c | 27 ++++++++++----------------- > 1 file changed, 10 insertions(+), 17 deletions(-) > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index b0e72fb563d9..a53a843294ed 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -216,13 +216,6 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx, > return rc; > } > > -struct tpm2_null_auth_area { > - __be32 handle; > - __be16 nonce_size; > - u8 attributes; > - __be16 auth_size; > -} __packed; > - > /** > * tpm2_pcr_extend() - extend a PCR value > * > @@ -236,24 +229,22 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, > struct tpm_digest *digests) > { > struct tpm_buf buf; > - struct tpm2_null_auth_area auth_area; > int rc; > int i; > > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > + rc = tpm2_start_auth_session(chip); > if (rc) > return rc; > > - tpm_buf_append_u32(&buf, pcr_idx); > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > + if (rc) { > + tpm2_end_auth_session(chip); > + return rc; > + } > > - auth_area.handle = cpu_to_be32(TPM2_RS_PW); > - auth_area.nonce_size = 0; > - auth_area.attributes = 0; > - auth_area.auth_size = 0; > + tpm_buf_append_name(chip, &buf, pcr_idx, NULL); > + tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); > > - tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > - tpm_buf_append(&buf, (const unsigned char *)&auth_area, > - sizeof(auth_area)); > tpm_buf_append_u32(&buf, chip->nr_allocated_banks); > > for (i = 0; i < chip->nr_allocated_banks; i++) { > @@ -262,7 +253,9 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, > chip->allocated_banks[i].digest_size); > } > > + tpm_buf_fill_hmac_session(chip, &buf); > rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value"); > + rc = tpm_buf_check_hmac_response(chip, &buf, rc); > > tpm_buf_destroy(&buf); > BR, Jarkko
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index b0e72fb563d9..a53a843294ed 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -216,13 +216,6 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx, return rc; } -struct tpm2_null_auth_area { - __be32 handle; - __be16 nonce_size; - u8 attributes; - __be16 auth_size; -} __packed; - /** * tpm2_pcr_extend() - extend a PCR value * @@ -236,24 +229,22 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, struct tpm_digest *digests) { struct tpm_buf buf; - struct tpm2_null_auth_area auth_area; int rc; int i; - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); + rc = tpm2_start_auth_session(chip); if (rc) return rc; - tpm_buf_append_u32(&buf, pcr_idx); + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); + if (rc) { + tpm2_end_auth_session(chip); + return rc; + } - auth_area.handle = cpu_to_be32(TPM2_RS_PW); - auth_area.nonce_size = 0; - auth_area.attributes = 0; - auth_area.auth_size = 0; + tpm_buf_append_name(chip, &buf, pcr_idx, NULL); + tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); - tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); - tpm_buf_append(&buf, (const unsigned char *)&auth_area, - sizeof(auth_area)); tpm_buf_append_u32(&buf, chip->nr_allocated_banks); for (i = 0; i < chip->nr_allocated_banks; i++) { @@ -262,7 +253,9 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, chip->allocated_banks[i].digest_size); } + tpm_buf_fill_hmac_session(chip, &buf); rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value"); + rc = tpm_buf_check_hmac_response(chip, &buf, rc); tpm_buf_destroy(&buf);
tpm2_pcr_extend() is used by trusted keys to extend a PCR to prevent a key from being re-loaded until the next reboot. To use this functionality securely, that extend must be protected by a session hmac. This patch adds HMAC protection so tampering with the tpm2_pcr_extend() command in flight is detected. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> --- drivers/char/tpm/tpm2-cmd.c | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-)