Message-Id: <20221006130837.17587-3-pankaj.gupta@nxp.com>
Date: Thu, 6 Oct 2022 18:38:31 +0530
From: Pankaj Gupta <pankaj.gupta@....com>
To: jarkko@...nel.org, a.fatoum@...gutronix.de, gilad@...yossef.com,
Jason@...c4.com, jejb@...ux.ibm.com, zohar@...ux.ibm.com,
dhowells@...hat.com, sumit.garg@...aro.org, david@...ma-star.at,
michael@...le.cc, john.ernberg@...ia.se, jmorris@...ei.org,
serge@...lyn.com, herbert@...dor.apana.org.au, davem@...emloft.net,
j.luebbe@...gutronix.de, ebiggers@...nel.org, richard@....at,
keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, sahil.malhotra@....com,
kshitiz.varshney@....com, horia.geanta@....com, V.Sethi@....com
Cc: Pankaj Gupta <pankaj.gupta@....com>
Subject: [PATCH v0 2/8] keys-trusted: new cmd line option added
Changes done:
- new cmd line option "hw" needs to be suffix, to generate the
hw bound key.
for ex:
$:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
$:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s
- Key payload is extended with two more information elements specific to HBK
-- flag 'is_hw_bound'
-- structure 'struct hw_bound_key_info hbk_info'
Signed-off-by: Pankaj Gupta <pankaj.gupta@....com>
---
include/keys/trusted-type.h | 4 ++++
security/keys/trusted-keys/trusted_core.c | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..bf58a204a974 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -7,6 +7,7 @@
#ifndef _KEYS_TRUSTED_TYPE_H
#define _KEYS_TRUSTED_TYPE_H
+#include <linux/hw_bound_key.h>
#include <linux/key.h>
#include <linux/rcupdate.h>
#include <linux/tpm.h>
@@ -22,6 +23,7 @@
#define MAX_BLOB_SIZE 512
#define MAX_PCRINFO_SIZE 64
#define MAX_DIGEST_SIZE 64
+#define HW_BOUND_KEY 1
struct trusted_key_payload {
struct rcu_head rcu;
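Review bot: `#define HW_BOUND_KEY 1` is a very generic name to export from a shared header when its only role is to be a truth value: the core assigns it at `p->is_hw_bound = HW_BOUND_KEY` and, less readably, clears the flag with `p->is_hw_bound = !HW_BOUND_KEY`. Declaring the field added in the next hunk as `bool is_hw_bound;` and assigning plain `true`/`false` says the same thing without a macro that a reader has to look up, and avoids a collision-prone identifier in the public key API. If a named constant is kept, a comment next to it stating that it is the value stored in `trusted_key_payload.is_hw_bound` when the `hw` suffix was given would make the intent clear.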
@@ -29,6 +31,8 @@ struct trusted_key_payload {
unsigned int blob_len;
unsigned char migratable;
unsigned char old_format;
+ unsigned char is_hw_bound;
+ struct hw_bound_key_info hbk_info;
unsigned char key[MAX_KEY_SIZE + 1];
unsigned char blob[MAX_BLOB_SIZE];
};
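Review bot: The two new payload members carry no comment, unlike the surrounding fields whose names are self-explanatory, and `struct hw_bound_key_info` comes from the newly included `linux/hw_bound_key.h`, which is not part of this patch, so a reader of this header cannot tell when `hbk_info` holds valid data. A short comment on the pair, for example `/* set when the "hw" suffix was given; hbk_info describes the HW binding */`, would document the contract the core relies on. Note also that `hbk_info` is embedded by value in every payload, hw-bound or not, so its size is paid for each trusted key.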
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..cb1d56397ed0 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
int key_cmd;
char *c;
+ p->is_hw_bound = !HW_BOUND_KEY;
+
/* main command */
c = strsep(datablob, " \t");
if (!c)
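Review bot: The reset `p->is_hw_bound = !HW_BOUND_KEY;` runs for every command, including `update`, whose `case Opt_update:` branch lies outside this hunk and gains no `hw` parsing in this patch. If the update path builds a new payload from this parse and does not copy `is_hw_bound` and `hbk_info` from the existing payload the way it presumably carries over `migratable`, resealing an hw-bound key would silently produce a non-hw-bound blob. Either accept the `hw` suffix in the update branch as well or copy both fields from the old payload before resealing. `datablob_parse` continues outside the hunk on both sides.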
@@ -94,6 +96,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
return -EINVAL;
p->key_len = keylen;
+ do {
+ /* Second argument onwards,
+ * determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if ((c != NULL) && (strcmp(c, "hw") == 0))
+ p->is_hw_bound = HW_BOUND_KEY;
+ } while (c != NULL);
ret = Opt_new;
break;
case Opt_load:
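Review bot: The `do { ... } while (c != NULL);` loop after `p->key_len = keylen;` drains every remaining token of `*datablob`, so the caller is left with an exhausted blob and any token other than `hw` is silently accepted rather than rejected. If the seal backend still parses its own trailing options from that blob (the TPM backend's `keyhandle=`/`pcrinfo=`-style options, which previously followed the key length), they now never reach it. Recognising `hw` only as the final token and stripping it in place, as sketched below, leaves the rest of the blob intact for downstream parsing; the same loop is repeated in the `load` branch in the next hunk, so one static helper called from both places also removes the duplication. `datablob_parse` continues outside the hunk on both sides.

```c
/*
 * Accept an optional trailing "hw" token without consuming the rest of
 * *datablob, so a backend that parses its own options from the blob still
 * sees them.  Only the final token is recognised, matching the usage
 * documented in the commit message.
 */
static void datablob_parse_hw_suffix(char **datablob,
				     struct trusted_key_payload *p)
{
	char *blob = *datablob;
	size_t len;

	if (!blob)
		return;

	len = strlen(blob);
	/* drop trailing separators so "... hw " still matches */
	while (len && (blob[len - 1] == ' ' || blob[len - 1] == '\t'))
		blob[--len] = '\0';

	if (len < 2 || strcmp(blob + len - 2, "hw") != 0)
		return;
	/* "hw" must be a whole token, not the tail of a longer word */
	if (len > 2 && blob[len - 3] != ' ' && blob[len - 3] != '\t')
		return;

	blob[len - 2] = '\0';
	p->is_hw_bound = HW_BOUND_KEY;
}

/* … unchanged: datablob_parse up to the key length check … */
		p->key_len = keylen;
		datablob_parse_hw_suffix(datablob, p);
		ret = Opt_new;
		break;
	case Opt_load:
/* … unchanged: blob parsing, then the same helper call before ret = Opt_load … */
```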
@@ -107,6 +116,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
ret = hex2bin(p->blob, c, p->blob_len);
if (ret < 0)
return -EINVAL;
+ do {
+ /* Second argument onwards,
+ * determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if ((c != NULL) && (strcmp(c, "hw") == 0))
+ p->is_hw_bound = HW_BOUND_KEY;
+ } while (c != NULL);
ret = Opt_load;
break;
case Opt_update:
--
2.17.1