Re: [PATCH v1 2/4] tpm: choose hash algorithm for sealing when using TPM 2.0

Jarkko Sakkinen Thu, 29 Oct 2015 10:48:07 -0700

On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote:
> Added hash member to the struct trusted_key_options for choosing the
> hash algorithm and support for the following hash algorithms to the TPM
> 2.0 sealing code:
> 
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3-256
> 
> The hash algorithm can be selected by using HASH_ALGO_* constants in
> include/uapi/linux/hash_info.h.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
> ---
>  drivers/char/tpm/tpm.h      | 10 +++++++---
>  drivers/char/tpm/tpm2-cmd.c | 42 +++++++++++++++++++++++++++++++++++++++---
>  include/keys/trusted-type.h |  1 +
>  3 files changed, 47 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index a4257a3..cdd49cd 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -83,16 +83,20 @@ enum tpm2_structures {
>  };
>  
>  enum tpm2_return_codes {
> -     TPM2_RC_INITIALIZE      = 0x0100,
> -     TPM2_RC_TESTING         = 0x090A,
> +     TPM2_RC_HASH            = 0x0083, /* RC_FMT1 */
> +     TPM2_RC_INITIALIZE      = 0x0100, /* RC_VER1 */
>       TPM2_RC_DISABLED        = 0x0120,
> +     TPM2_RC_TESTING         = 0x090A, /* RC_WARN */
>  };
>  
>  enum tpm2_algorithms {
>       TPM2_ALG_SHA1           = 0x0004,
>       TPM2_ALG_KEYEDHASH      = 0x0008,
>       TPM2_ALG_SHA256         = 0x000B,
> -     TPM2_ALG_NULL           = 0x0010
> +     TPM2_ALG_SHA384         = 0x000C,
> +     TPM2_ALG_SHA512         = 0x000D,
> +     TPM2_ALG_NULL           = 0x0010,
> +     TPM2_ALG_SM3_256        = 0x0012,
>  };
>  
>  enum tpm2_command_codes {
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index bd7039f..bc2564e 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -16,6 +16,7 @@
>   */
>  
>  #include "tpm.h"
> +#include <crypto/hash_info.h>
>  #include <keys/trusted-type.h>
>  
>  enum tpm2_object_attributes {
> @@ -104,6 +105,21 @@ struct tpm2_cmd {
>       union tpm2_cmd_params   params;
>  } __packed;
>  
> +struct tpm2_hash {
> +     unsigned int crypto_id;
> +     unsigned int tpm_id;
> +};
> +
> +static struct tpm2_hash tpm2_hash_map[] = {
> +     {HASH_ALGO_SHA1, TPM2_ALG_SHA1},
> +     {HASH_ALGO_SHA256, TPM2_ALG_SHA256},
> +     {HASH_ALGO_SHA384, TPM2_ALG_SHA384},
> +     {HASH_ALGO_SHA512, TPM2_ALG_SHA512},
> +     {HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
> +};
> +
> +#define TPM2_HASH_COUNT (sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[1]))
> +
>  /*
>   * Array with one entry per ordinal defining the maximum amount
>   * of time the chip could take to return the result. The values
> @@ -429,8 +445,24 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  {
>       unsigned int blob_len;
>       struct tpm_buf buf;
> +     u32 hash = TPM2_ALG_SHA256;
> +     int i;
>       int rc;
>  
> +     if (options->hash) {
> +             for (i = 0; i < TPM2_HASH_COUNT; i++) {
> +                     if (options->hash == tpm2_hash_map[i].crypto_id) {
> +                             hash = tpm2_hash_map[i].tpm_id;
> +                             dev_dbg(chip->pdev, "%s: hash: %s 0x%08X\n",
> +                                     __func__, hash_algo_name[i], hash);
> +                             break;
> +                     }
> +             }
> +
> +             if (i == TPM2_HASH_COUNT)
> +                     return -EINVAL;
> +     }
> +
>       rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
>       if (rc)
>               return rc;
> @@ -454,7 +486,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>       tpm_buf_append_u16(&buf, 14);
>  
>       tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
> -     tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
> +     tpm_buf_append_u16(&buf, hash);
>       tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH);
>       tpm_buf_append_u16(&buf, 0); /* policy digest size */
>       tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
> @@ -487,8 +519,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  out:
>       tpm_buf_destroy(&buf);
>  
> -     if (rc > 0)
> -             rc = -EPERM;
> +     if (rc > 0) {
> +             if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH)
> +                     rc = -EINVAL;
> +             else
> +                     rc = -EPERM;
> +     }
>  
>       return rc;
>  }
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index f91ecd9..8fed58d 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -36,6 +36,7 @@ struct trusted_key_options {
>       uint32_t pcrinfo_len;
>       unsigned char pcrinfo[MAX_PCRINFO_SIZE];
>       int pcrlock;
> +     unsigned int hash;


uint32_t probably here just for the sake of consistency.

>  };
>  
>  extern struct key_type key_type_trusted;
> -- 
> 2.5.0
> 

/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v1 2/4] tpm: choose hash algorithm for sealing when using TPM 2.0

Reply via email to