| Message ID | 20231127190854.13310-17-James.Bottomley@HansenPartnership.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | add integrity and security to TPM2 transactions | expand |
On Mon Nov 27, 2023 at 9:08 PM EET, James Bottomley wrote: > This is the last component of encrypted tpm2 session handling that > allows us to verify from userspace that the key derived from the NULL > seed genuinely belongs to the TPM and has not been spoofed. > > The procedure for doing this involves creating an attestation identity > key (which requires verification of the TPM EK certificate) and then > using that AIK to sign a certification of the Elliptic Curve key over > the NULL seed. Userspace must create this EC Key using the parameters > prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if > this is done correctly the names will match and the TPM can then run a > TPM2_Certify operation on this derived primary key using the newly > created AIK. > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > --- > drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c > index 54c71473aa29..403dffea4ea6 100644 > --- a/drivers/char/tpm/tpm-sysfs.c > +++ b/drivers/char/tpm/tpm-sysfs.c > @@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev, > } > static DEVICE_ATTR_RO(tpm_version_major); > > +#ifdef CONFIG_TPM_BUS_SECURITY > +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr, > + char *buf) > +{ > + struct tpm_chip *chip = to_tpm_chip(dev); > + int size = TPM2_NAME_SIZE; > + > + bin2hex(buf, chip->tpmkeyname, size); "tpmkeyname" is not very descriptive name. Why not chip->null_name? > + size *= 2; > + buf[size++] = '\n'; > + return size; > +} > +static DEVICE_ATTR_RO(null_name); > +#endif > + > static struct attribute *tpm1_dev_attrs[] = { > &dev_attr_pubek.attr, > &dev_attr_pcrs.attr, > @@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = { > > static struct attribute *tpm2_dev_attrs[] = { > &dev_attr_tpm_version_major.attr, > +#ifdef CONFIG_TPM_BUS_SECURITY > + &dev_attr_null_name.attr, > +#endif > NULL > }; > I'm able to verify this in QEMU: # cat /sys/class/tpm/tpm0/null_name 000b66ec5f9ad1fa46c01707c5a8e67745147695901310e80438ff8f1b66dcf84bf2 I used swtpm in tis mode. Tested-by: Jarkko Sakkinen <jarkko@kernel.org> It is not possible to give tested-by to earlier patches before there's some split to smaller pieces. BR, Jarkko
On Mon Nov 27, 2023 at 9:08 PM EET, James Bottomley wrote: > This is the last component of encrypted tpm2 session handling that > allows us to verify from userspace that the key derived from the NULL > seed genuinely belongs to the TPM and has not been spoofed. > > The procedure for doing this involves creating an attestation identity > key (which requires verification of the TPM EK certificate) and then > using that AIK to sign a certification of the Elliptic Curve key over > the NULL seed. Userspace must create this EC Key using the parameters > prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if > this is done correctly the names will match and the TPM can then run a > TPM2_Certify operation on this derived primary key using the newly > created AIK. > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > --- > drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c > index 54c71473aa29..403dffea4ea6 100644 > --- a/drivers/char/tpm/tpm-sysfs.c > +++ b/drivers/char/tpm/tpm-sysfs.c > @@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev, > } > static DEVICE_ATTR_RO(tpm_version_major); > > +#ifdef CONFIG_TPM_BUS_SECURITY After considering options TCG_TPM2_HMAC would be both dead obvious, i.e. you cannot get it wrong and along the lines of existing config flags. > +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr, > + char *buf) > +{ > + struct tpm_chip *chip = to_tpm_chip(dev); > + int size = TPM2_NAME_SIZE; > + > + bin2hex(buf, chip->tpmkeyname, size); > + size *= 2; > + buf[size++] = '\n'; > + return size; > +} > +static DEVICE_ATTR_RO(null_name); > +#endif > + > static struct attribute *tpm1_dev_attrs[] = { > &dev_attr_pubek.attr, > &dev_attr_pcrs.attr, > @@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = { > > static struct attribute *tpm2_dev_attrs[] = { > &dev_attr_tpm_version_major.attr, > +#ifdef CONFIG_TPM_BUS_SECURITY > + &dev_attr_null_name.attr, > +#endif > NULL > }; > Otherwise, LGTM BR, Jarkko
diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c index 54c71473aa29..403dffea4ea6 100644 --- a/drivers/char/tpm/tpm-sysfs.c +++ b/drivers/char/tpm/tpm-sysfs.c @@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev, } static DEVICE_ATTR_RO(tpm_version_major); +#ifdef CONFIG_TPM_BUS_SECURITY +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr, + char *buf) +{ + struct tpm_chip *chip = to_tpm_chip(dev); + int size = TPM2_NAME_SIZE; + + bin2hex(buf, chip->tpmkeyname, size); + size *= 2; + buf[size++] = '\n'; + return size; +} +static DEVICE_ATTR_RO(null_name); +#endif + static struct attribute *tpm1_dev_attrs[] = { &dev_attr_pubek.attr, &dev_attr_pcrs.attr, @@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = { static struct attribute *tpm2_dev_attrs[] = { &dev_attr_tpm_version_major.attr, +#ifdef CONFIG_TPM_BUS_SECURITY + &dev_attr_null_name.attr, +#endif NULL };
This is the last component of encrypted tpm2 session handling that allows us to verify from userspace that the key derived from the NULL seed genuinely belongs to the TPM and has not been spoofed. The procedure for doing this involves creating an attestation identity key (which requires verification of the TPM EK certificate) and then using that AIK to sign a certification of the Elliptic Curve key over the NULL seed. Userspace must create this EC Key using the parameters prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if this is done correctly the names will match and the TPM can then run a TPM2_Certify operation on this derived primary key using the newly created AIK. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> --- drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)