[07/17] tpm2: add hmac checks to tpm2_pcr_extend()

Message ID	20200518172704.29608-8-prestwoj@gmail.com (mailing list archive)
State	New
Headers	show Return-Path: <SRS0=i8he=7A=vger.kernel.org=keyrings-owner@kernel.org> From: James Prestwood <prestwoj@gmail.com> To: keyrings@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com Subject: [PATCH 07/17] tpm2: add hmac checks to tpm2_pcr_extend() Date: Mon, 18 May 2020 10:26:54 -0700 Message-Id: <20200518172704.29608-8-prestwoj@gmail.com> In-Reply-To: <20200518172704.29608-1-prestwoj@gmail.com> References: <20200518172704.29608-1-prestwoj@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: keyrings-owner@vger.kernel.org Precedence: bulk
Series	Asymmetric key operations on TPM2 \| expand [00/17] Asymmetric key operations on TPM2 [01/17] tpm-buf: move from static inlines to real functions [02/17] tpm-buf: add handling for TPM2B types [03/17] tpm-buf: add cursor based functions for response parsing [04/17] tpm2-space: export the context save and load commands [05/17] tpm2-sessions: Add full HMAC and encrypt/decrypt session handling [06/17] tpm-buf: add tpm_buf_parameters() [07/17] tpm2: add hmac checks to tpm2_pcr_extend() [08/17] tpm2: add session encryption protection to tpm2_get_random() [09/17] trusted keys: Add session encryption protection to the seal/unseal path [10/17] tpm: add the null key name as a tpm2 sysfs variable [11/17] Documentation: add tpm-security.rst [12/17] oid_registry: Add TCG defined OIDS for TPM keys [13/17] tpm: tpm2-cmd: add driver API for RSA decryption [14/17] include: linux: tpm: expose tpm2_rsa_decrypt [15/17] include: crypto: add asym_tpm2_subtype definition [16/17] asymmetric_keys: add TPM2 ASN1 definition [17/17] asymmetric_keys: add tpm2 key parser/type

Message ID

20200518172704.29608-8-prestwoj@gmail.com (mailing list archive)

State

New

Headers

From: James Prestwood <prestwoj@gmail.com>
To: keyrings@vger.kernel.org
Cc: James.Bottomley@HansenPartnership.com
Subject: [PATCH 07/17] tpm2: add hmac checks to tpm2_pcr_extend()
Date: Mon, 18 May 2020 10:26:54 -0700
Message-Id: <20200518172704.29608-8-prestwoj@gmail.com>
In-Reply-To: <20200518172704.29608-1-prestwoj@gmail.com>
References: <20200518172704.29608-1-prestwoj@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: keyrings-owner@vger.kernel.org
Precedence: bulk

Series

Asymmetric key operations on TPM2 | expand

Commit Message

James Prestwood May 18, 2020, 5:26 p.m. UTC

From: James Bottomley <James.Bottomley@HansenPartnership.com>

We use tpm2_pcr_extend() in trusted keys to extend a PCR to prevent a
key from being re-loaded until the next reboot.  To use this
functionality securely, that extend must be protected by a session
hmac.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 drivers/char/tpm/tpm2-cmd.c | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 8d076c6752eb..b29824ae237c 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -218,13 +218,6 @@  int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
 	return rc;
 }
 
-struct tpm2_null_auth_area {
-	__be32  handle;
-	__be16  nonce_size;
-	u8  attributes;
-	__be16  auth_size;
-} __packed;
-
 /**
  * tpm2_pcr_extend() - extend a PCR value
  *
@@ -238,24 +231,23 @@  int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
 		    struct tpm_digest *digests)
 {
 	struct tpm_buf buf;
-	struct tpm2_null_auth_area auth_area;
+	struct tpm2_auth *auth;
 	int rc;
 	int i;
 
-	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND);
+	rc = tpm2_start_auth_session(chip, &auth);
 	if (rc)
 		return rc;
 
-	tpm_buf_append_u32(&buf, pcr_idx);
+	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND);
+	if (rc) {
+		tpm2_end_auth_session(auth);
+		return rc;
+	}
 
-	auth_area.handle = cpu_to_be32(TPM2_RS_PW);
-	auth_area.nonce_size = 0;
-	auth_area.attributes = 0;
-	auth_area.auth_size = 0;
+	tpm_buf_append_name(&buf, auth, pcr_idx, NULL);
+	tpm_buf_append_hmac_session(&buf, auth, 0, NULL, 0);
 
-	tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area));
-	tpm_buf_append(&buf, (const unsigned char *)&auth_area,
-		       sizeof(auth_area));
 	tpm_buf_append_u32(&buf, chip->nr_allocated_banks);
 
 	for (i = 0; i < chip->nr_allocated_banks; i++) {
@@ -264,7 +256,9 @@  int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
 			       chip->allocated_banks[i].digest_size);
 	}
 
+	tpm_buf_fill_hmac_session(&buf, auth);
 	rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value");
+	rc = tpm_buf_check_hmac_response(&buf, auth, rc);
 
 	tpm_buf_destroy(&buf);

[07/17] tpm2: add hmac checks to tpm2_pcr_extend()

Commit Message

Patch