From patchwork Fri Oct 30 11:35:07 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 538274 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46A68140D86 for ; Fri, 30 Oct 2015 22:35:37 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Zs7y1-0004mk-AK; Fri, 30 Oct 2015 11:35:33 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Zs7y0-0004mc-82 for tpmdd-devel@lists.sourceforge.net; Fri, 30 Oct 2015 11:35:32 +0000 X-ACL-Warn: Received: from mga09.intel.com ([134.134.136.24]) by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1Zs7xz-0001ic-2y for tpmdd-devel@lists.sourceforge.net; Fri, 30 Oct 2015 11:35:32 +0000 Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga102.jf.intel.com with ESMTP; 30 Oct 2015 04:35:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,217,1444719600"; d="scan'208";a="674994344" Received: from jsakkine-mobl1.tm.intel.com (HELO localhost) ([10.237.48.143]) by orsmga003.jf.intel.com with ESMTP; 30 Oct 2015 04:35:20 -0700 From: Jarkko Sakkinen To: Peter Huewe , Marcel Selhorst , Mimi Zohar , David Howells Date: Fri, 30 Oct 2015 13:35:07 +0200 Message-Id: <1446204910-29948-2-git-send-email-jarkko.sakkinen@linux.intel.com> X-Mailer: git-send-email 2.5.0 In-Reply-To: <1446204910-29948-1-git-send-email-jarkko.sakkinen@linux.intel.com> References: <1446204910-29948-1-git-send-email-jarkko.sakkinen@linux.intel.com> X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.4 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1Zs7xz-0001ic-2y Cc: Jonathan Corbet , "open list:DOCUMENTATION" , David Safford , linux-kernel@vger.kernel.org, josh@joshtriplett.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, keyrings@vger.kernel.org, James Morris , colin.king@canonical.com, "Serge E. Hallyn" , chris.j.arges@canonical.com Subject: [tpmdd-devel] [PATCH v2 1/3] keys, trusted: select the hash algorithm X-BeenThere: tpmdd-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Tpm Device Driver maintainance List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: tpmdd-devel-bounces@lists.sourceforge.net Added 'hash=' option for selecting the hash algorithm for add_key() syscall and documentation for it. Signed-off-by: Jarkko Sakkinen --- Documentation/security/keys-trusted-encrypted.txt | 3 +++ include/keys/trusted-type.h | 1 + security/keys/Kconfig | 1 + security/keys/trusted.c | 20 +++++++++++++++++++- 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt index e105ae9..fd2565b 100644 --- a/Documentation/security/keys-trusted-encrypted.txt +++ b/Documentation/security/keys-trusted-encrypted.txt @@ -38,6 +38,9 @@ Usage: pcrlock= pcr number to be extended to "lock" blob migratable= 0|1 indicating permission to reseal to new PCR values, default 1 (resealing allowed) + hash= hash algorithm name as a string. For TPM 1.x the only + allowed value is sha1. For TPM 2.x the allowed values + are sha1, sha256, sha384, sha512 and sm3-256. "keyctl print" returns an ascii hex copy of the sealed key, which is in standard TPM_STORED_DATA format. The key length for new keys are always in bytes. diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h index f91ecd9..a6a1008 100644 --- a/include/keys/trusted-type.h +++ b/include/keys/trusted-type.h @@ -36,6 +36,7 @@ struct trusted_key_options { uint32_t pcrinfo_len; unsigned char pcrinfo[MAX_PCRINFO_SIZE]; int pcrlock; + uint32_t hash; }; extern struct key_type key_type_trusted; diff --git a/security/keys/Kconfig b/security/keys/Kconfig index 72483b8..fe4d74e 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -54,6 +54,7 @@ config TRUSTED_KEYS select CRYPTO select CRYPTO_HMAC select CRYPTO_SHA1 + select CRYPTO_HASH_INFO help This option provides support for creating, sealing, and unsealing keys in the kernel. Trusted keys are random number symmetric keys, diff --git a/security/keys/trusted.c b/security/keys/trusted.c index d3633cf..7a87bcd 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -11,6 +11,7 @@ * See Documentation/security/keys-trusted-encrypted.txt */ +#include #include #include #include @@ -710,7 +711,8 @@ enum { Opt_err = -1, Opt_new, Opt_load, Opt_update, Opt_keyhandle, Opt_keyauth, Opt_blobauth, - Opt_pcrinfo, Opt_pcrlock, Opt_migratable + Opt_pcrinfo, Opt_pcrlock, Opt_migratable, + Opt_hash, }; static const match_table_t key_tokens = { @@ -723,6 +725,7 @@ static const match_table_t key_tokens = { {Opt_pcrinfo, "pcrinfo=%s"}, {Opt_pcrlock, "pcrlock=%s"}, {Opt_migratable, "migratable=%s"}, + {Opt_hash, "hash=%s"}, {Opt_err, NULL} }; @@ -736,6 +739,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, int res; unsigned long handle; unsigned long lock; + int i; while ((p = strsep(&c, " \t"))) { if (*p == '\0' || *p == ' ' || *p == '\t') @@ -787,6 +791,20 @@ static int getoptions(char *c, struct trusted_key_payload *pay, return -EINVAL; opt->pcrlock = lock; break; + case Opt_hash: + for (i = 0; i < HASH_ALGO__LAST; i++) { + if (!strcmp(args[0].from, hash_algo_name[i])) { + opt->hash = i; + break; + } + } + res = tpm_is_tpm2(TPM_ANY_NUM); + if (res < 0) + return res; + if (i == HASH_ALGO__LAST || + (!res && i != HASH_ALGO_SHA1)) + return -EINVAL; + break; default: return -EINVAL; }