On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote: > Added hash member to the struct trusted_key_options for choosing the > hash algorithm and support for the following hash algorithms to the TPM > 2.0 sealing code: > > * sha1 > * sha256 > * sha384 > * sha512 > * sm3-256 > > The hash algorithm can be selected by using HASH_ALGO_* constants in > include/uapi/linux/hash_info.h. > > Signed-off-by: Jarkko Sakkinen <[email protected]> > --- > drivers/char/tpm/tpm.h | 10 +++++++--- > drivers/char/tpm/tpm2-cmd.c | 42 +++++++++++++++++++++++++++++++++++++++--- > include/keys/trusted-type.h | 1 + > 3 files changed, 47 insertions(+), 6 deletions(-) > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index a4257a3..cdd49cd 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -83,16 +83,20 @@ enum tpm2_structures { > }; > > enum tpm2_return_codes { > - TPM2_RC_INITIALIZE = 0x0100, > - TPM2_RC_TESTING = 0x090A, > + TPM2_RC_HASH = 0x0083, /* RC_FMT1 */ > + TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */ > TPM2_RC_DISABLED = 0x0120, > + TPM2_RC_TESTING = 0x090A, /* RC_WARN */ > }; > > enum tpm2_algorithms { > TPM2_ALG_SHA1 = 0x0004, > TPM2_ALG_KEYEDHASH = 0x0008, > TPM2_ALG_SHA256 = 0x000B, > - TPM2_ALG_NULL = 0x0010 > + TPM2_ALG_SHA384 = 0x000C, > + TPM2_ALG_SHA512 = 0x000D, > + TPM2_ALG_NULL = 0x0010, > + TPM2_ALG_SM3_256 = 0x0012, > }; > > enum tpm2_command_codes { > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index bd7039f..bc2564e 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -16,6 +16,7 @@ > */ > > #include "tpm.h" > +#include <crypto/hash_info.h> > #include <keys/trusted-type.h> > > enum tpm2_object_attributes { > @@ -104,6 +105,21 @@ struct tpm2_cmd { > union tpm2_cmd_params params; > } __packed; > > +struct tpm2_hash { > + unsigned int crypto_id; > + unsigned int tpm_id; > +}; > + > +static struct tpm2_hash tpm2_hash_map[] = { > + {HASH_ALGO_SHA1, TPM2_ALG_SHA1}, > + {HASH_ALGO_SHA256, TPM2_ALG_SHA256}, > + {HASH_ALGO_SHA384, TPM2_ALG_SHA384}, > + {HASH_ALGO_SHA512, TPM2_ALG_SHA512}, > + {HASH_ALGO_SM3_256, TPM2_ALG_SM3_256}, > +}; > + > +#define TPM2_HASH_COUNT (sizeof(tpm2_hash_map) / sizeof(tpm2_hash_map[1])) > + > /* > * Array with one entry per ordinal defining the maximum amount > * of time the chip could take to return the result. The values > @@ -429,8 +445,24 @@ int tpm2_seal_trusted(struct tpm_chip *chip, > { > unsigned int blob_len; > struct tpm_buf buf; > + u32 hash = TPM2_ALG_SHA256; > + int i; > int rc; > > + if (options->hash) { > + for (i = 0; i < TPM2_HASH_COUNT; i++) { > + if (options->hash == tpm2_hash_map[i].crypto_id) { > + hash = tpm2_hash_map[i].tpm_id; > + dev_dbg(chip->pdev, "%s: hash: %s 0x%08X\n", > + __func__, hash_algo_name[i], hash); > + break; > + } > + } > + > + if (i == TPM2_HASH_COUNT) > + return -EINVAL; > + } > + > rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE); > if (rc) > return rc; > @@ -454,7 +486,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, > tpm_buf_append_u16(&buf, 14); > > tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH); > - tpm_buf_append_u16(&buf, TPM2_ALG_SHA256); > + tpm_buf_append_u16(&buf, hash); > tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH); > tpm_buf_append_u16(&buf, 0); /* policy digest size */ > tpm_buf_append_u16(&buf, TPM2_ALG_NULL); > @@ -487,8 +519,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip, > out: > tpm_buf_destroy(&buf); > > - if (rc > 0) > - rc = -EPERM; > + if (rc > 0) { > + if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH) > + rc = -EINVAL; > + else > + rc = -EPERM; > + } > > return rc; > } > diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h > index f91ecd9..8fed58d 100644 > --- a/include/keys/trusted-type.h > +++ b/include/keys/trusted-type.h > @@ -36,6 +36,7 @@ struct trusted_key_options { > uint32_t pcrinfo_len; > unsigned char pcrinfo[MAX_PCRINFO_SIZE]; > int pcrlock; > + unsigned int hash;
uint32_t probably here just for the sake of consistency. > }; > > extern struct key_type key_type_trusted; > -- > 2.5.0 > /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
