| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151029174736.GA17311@intel.com>
Date: Thu, 29 Oct 2015 19:47:36 +0200
From: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To: Peter Huewe <peterhuewe@....de>,
Marcel Selhorst <tpmdd@...horst.net>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
David Howells <dhowells@...hat.com>
Cc: tpmdd-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
chris.j.arges@...onical.com, seth.forshee@...onical.com,
colin.king@...onical.com, josh@...htriplett.org,
Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Subject: Re: [PATCH v1 2/4] tpm: choose hash algorithm for sealing when using
TPM 2.0
On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote:
> Added hash member to the struct trusted_key_options for choosing the
> hash algorithm and support for the following hash algorithms to the TPM
> 2.0 sealing code:
>
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3-256
>
> The hash algorithm can be selected by using HASH_ALGO_* constants in
> include/uapi/linux/hash_info.h.
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
> ---
> drivers/char/tpm/tpm.h | 10 +++++++---
> drivers/char/tpm/tpm2-cmd.c | 42 +++++++++++++++++++++++++++++++++++++++---
> include/keys/trusted-type.h | 1 +
> 3 files changed, 47 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index a4257a3..cdd49cd 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -83,16 +83,20 @@ enum tpm2_structures {
> };
>
> enum tpm2_return_codes {
> - TPM2_RC_INITIALIZE = 0x0100,
> - TPM2_RC_TESTING = 0x090A,
> + TPM2_RC_HASH = 0x0083, /* RC_FMT1 */
> + TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */
> TPM2_RC_DISABLED = 0x0120,
> + TPM2_RC_TESTING = 0x090A, /* RC_WARN */
> };
>
> enum tpm2_algorithms {
> TPM2_ALG_SHA1 = 0x0004,
> TPM2_ALG_KEYEDHASH = 0x0008,
> TPM2_ALG_SHA256 = 0x000B,
> - TPM2_ALG_NULL = 0x0010
> + TPM2_ALG_SHA384 = 0x000C,
> + TPM2_ALG_SHA512 = 0x000D,
> + TPM2_ALG_NULL = 0x0010,
> + TPM2_ALG_SM3_256 = 0x0012,
> };
>
> enum tpm2_command_codes {
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index bd7039f..bc2564e 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -16,6 +16,7 @@
> */
>
> #include "tpm.h"
> +#include <crypto/hash_info.h>
> #include <keys/trusted-type.h>
>
> enum tpm2_object_attributes {
> @@ -104,6 +105,21 @@ struct tpm2_cmd {
> union tpm2_cmd_params params;
> } __packed;
>
> +struct tpm2_hash {
> + unsigned int crypto_id;
> + unsigned int tpm_id;
> +};
> +
> +static struct tpm2_hash tpm2_hash_map[] = {
> + {HASH_ALGO_SHA1, TPM2_ALG_SHA1},
> + {HASH_ALGO_SHA256, TPM2_ALG_SHA256},
> + {HASH_ALGO_SHA384, TPM2_ALG_SHA384},
> + {HASH_ALGO_SHA512, TPM2_ALG_SHA512},
> + {HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
> +};
> +
> +#define TPM2_HASH_COUNT (sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[1]))
> +
> /*
> * Array with one entry per ordinal defining the maximum amount
> * of time the chip could take to return the result. The values
> @@ -429,8 +445,24 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> {
> unsigned int blob_len;
> struct tpm_buf buf;
> + u32 hash = TPM2_ALG_SHA256;
> + int i;
> int rc;
>
> + if (options->hash) {
> + for (i = 0; i < TPM2_HASH_COUNT; i++) {
> + if (options->hash == tpm2_hash_map[i].crypto_id) {
> + hash = tpm2_hash_map[i].tpm_id;
> + dev_dbg(chip->pdev, "%s: hash: %s 0x%08X\n",
> + __func__, hash_algo_name[i], hash);
> + break;
> + }
> + }
> +
> + if (i == TPM2_HASH_COUNT)
> + return -EINVAL;
> + }
> +
> rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
> if (rc)
> return rc;
> @@ -454,7 +486,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> tpm_buf_append_u16(&buf, 14);
>
> tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
> - tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
> + tpm_buf_append_u16(&buf, hash);
> tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
> tpm_buf_append_u16(&buf, 0); /* policy digest size */
> tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
> @@ -487,8 +519,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> out:
> tpm_buf_destroy(&buf);
>
> - if (rc > 0)
> - rc = -EPERM;
> + if (rc > 0) {
> + if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
> + rc = -EINVAL;
> + else
> + rc = -EPERM;
> + }
>
> return rc;
> }
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index f91ecd9..8fed58d 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -36,6 +36,7 @@ struct trusted_key_options {
> uint32_t pcrinfo_len;
> unsigned char pcrinfo[MAX_PCRINFO_SIZE];
> int pcrlock;
> + unsigned int hash;
uint32_t probably here just for the sake of consistency.
> };
>
> extern struct key_type key_type_trusted;
> --
> 2.5.0
>
/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists