
Commit 5ca4c20c authored by Jarkko Sakkinen's avatar Jarkko Sakkinen

keys, trusted: select hash algorithm for TPM2 chips



Added 'hash=' option for selecting the hash algorithm for add_key()
syscall and documentation for it.

Added entry for sm3-256 to the following tables in order to support
TPM_ALG_SM3_256:

* hash_algo_name
* hash_digest_size

Includes support for the following hash algorithms:

* sha1
* sha256
* sha384
* sha512
* sm3-256

Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: default avatarColin Ian King <colin.king@canonical.com>
Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
Reviewed-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: default avatarPeter Huewe <peterhuewe@gmx.de>
parent 5208cc83
+3 −0
@@ -38,6 +38,9 @@ Usage:
       pcrlock=	  pcr number to be extended to "lock" blob
       migratable= 0|1 indicating permission to reseal to new PCR values,
                   default 1 (resealing allowed)
       hash=      hash algorithm name as a string. For TPM 1.x the only
                  allowed value is sha1. For TPM 2.x the allowed values
		  are sha1, sha256, sha384, sha512 and sm3-256.

"keyctl print" returns an ascii hex copy of the sealed key, which is in standard
TPM_STORED_DATA format.  The key length for new keys are always in bytes.
+2 −0
@@ -31,6 +31,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
	[HASH_ALGO_TGR_128]	= "tgr128",
	[HASH_ALGO_TGR_160]	= "tgr160",
	[HASH_ALGO_TGR_192]	= "tgr192",
	[HASH_ALGO_SM3_256]	= "sm3-256",
};
EXPORT_SYMBOL_GPL(hash_algo_name);

@@ -52,5 +53,6 @@ const int hash_digest_size[HASH_ALGO__LAST] = {
	[HASH_ALGO_TGR_128]	= TGR128_DIGEST_SIZE,
	[HASH_ALGO_TGR_160]	= TGR160_DIGEST_SIZE,
	[HASH_ALGO_TGR_192]	= TGR192_DIGEST_SIZE,
	[HASH_ALGO_SM3_256]	= SM3256_DIGEST_SIZE,
};
EXPORT_SYMBOL_GPL(hash_digest_size);
+7 −3
@@ -83,16 +83,20 @@ enum tpm2_structures {
};

enum tpm2_return_codes {
	TPM2_RC_INITIALIZE	= 0x0100,
	TPM2_RC_TESTING		= 0x090A,
	TPM2_RC_HASH		= 0x0083, /* RC_FMT1 */
	TPM2_RC_INITIALIZE	= 0x0100, /* RC_VER1 */
	TPM2_RC_DISABLED	= 0x0120,
	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
};

enum tpm2_algorithms {
	TPM2_ALG_SHA1		= 0x0004,
	TPM2_ALG_KEYEDHASH	= 0x0008,
	TPM2_ALG_SHA256		= 0x000B,
	TPM2_ALG_NULL		= 0x0010
	TPM2_ALG_SHA384		= 0x000C,
	TPM2_ALG_SHA512		= 0x000D,
	TPM2_ALG_NULL		= 0x0010,
	TPM2_ALG_SM3_256	= 0x0012,
};

enum tpm2_command_codes {
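Review bot: The new `/* RC_FMT1 */`, `/* RC_VER1 */` and `/* RC_WARN */` annotations on `enum tpm2_return_codes` name the code class but not what that class means for a caller comparing against these values. Per the TPM 2.0 response-code layout, a format-1 code (bit 7 set, as in `TPM2_RC_HASH = 0x0083`) also carries a P flag in bit 6 and the parameter/handle/session number in bits 8-11, so the chip can return a value that is not equal to 0x0083 yet still means "bad hash"; a reader of this header should be told that. Suggest a comment above the enum such as `/* Format-1 codes (bit 7 set) carry the P flag (bit 6) and a parameter/handle number (bits 8-11) above the error number; mask those out before comparing against a TPM2_RC_* value. */`. The enclosing header continues outside the hunk.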
+33 −3
@@ -16,6 +16,7 @@
 */

#include "tpm.h"
#include <crypto/hash_info.h>
#include <keys/trusted-type.h>

enum tpm2_object_attributes {
@@ -104,6 +105,19 @@ struct tpm2_cmd {
	union tpm2_cmd_params	params;
} __packed;

struct tpm2_hash {
	unsigned int crypto_id;
	unsigned int tpm_id;
};

static struct tpm2_hash tpm2_hash_map[] = {
	{HASH_ALGO_SHA1, TPM2_ALG_SHA1},
	{HASH_ALGO_SHA256, TPM2_ALG_SHA256},
	{HASH_ALGO_SHA384, TPM2_ALG_SHA384},
	{HASH_ALGO_SHA512, TPM2_ALG_SHA512},
	{HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
};

/*
 * Array with one entry per ordinal defining the maximum amount
 * of time the chip could take to return the result. The values
@@ -429,8 +443,20 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
{
	unsigned int blob_len;
	struct tpm_buf buf;
	u32 hash;
	int i;
	int rc;

	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
		if (options->hash == tpm2_hash_map[i].crypto_id) {
			hash = tpm2_hash_map[i].tpm_id;
			break;
		}
	}

	if (i == ARRAY_SIZE(tpm2_hash_map))
		return -EINVAL;

	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
	if (rc)
		return rc;
@@ -455,7 +481,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
	tpm_buf_append_u16(&buf, 14);

	tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
	tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
	tpm_buf_append_u16(&buf, hash);
	tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
	tpm_buf_append_u16(&buf, 0); /* policy digest size */
	tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
@@ -488,8 +514,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
out:
	tpm_buf_destroy(&buf);

	if (rc > 0)
	if (rc > 0) {
		if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
			rc = -EINVAL;
		else
			rc = -EPERM;
	}

	return rc;
}
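Review bot: The error classification added after `out:` in tpm2_seal_trusted, `if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)`, is a subset test rather than an equality test, so any format-1 response code whose error number has bits 0 and 1 set (0x08B or 0x09F, for instance, should the chip return one) is also reported as -EINVAL instead of -EPERM. A format-1 code carries the P flag (bit 6) and the parameter/handle number (bits 8-11) above the six error-number bits, which is presumably why a plain `rc == TPM2_RC_HASH` was avoided; the intended check masks those fields out and then compares for equality, e.g. `if ((rc & 0xbf) == TPM2_RC_HASH) /* drop P flag and param/handle number */` — confirm the mask against the TPM 2.0 response-code layout. A one-line comment naming that layout at the comparison would keep the next reader from "simplifying" it back to an equality test. Minor: `i` is declared `int` but compared with `ARRAY_SIZE(tpm2_hash_map)`, a `size_t`; `unsigned int i;` avoids the sign-compare warning. tpm2_seal_trusted's body is split across several hunks and continues outside them.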
+3 −0
@@ -34,6 +34,9 @@
#define TGR160_DIGEST_SIZE 20
#define TGR192_DIGEST_SIZE 24

/* not defined in include/crypto/ */
#define SM3256_DIGEST_SIZE 32

extern const char *const hash_algo_name[HASH_ALGO__LAST];
extern const int hash_digest_size[HASH_ALGO__LAST];
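Review bot: The comment on the new `SM3256_DIGEST_SIZE` define, `/* not defined in include/crypto/ */`, records where the value is not, but not where it comes from or when this local definition should go away; every other digest size in this header comes from a crypto header, so this is the one entry that can silently diverge or collide if a crypto/sm3 header is added later. Suggest `/* SM3 yields a 256-bit (32-byte) digest; no include/crypto/ header defines it yet — drop this when one does. */` in its place. The surrounding header continues outside the hunk.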
