Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

keys, trusted: seal/unseal with TPM 2.0 chips

Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
We require explicit 'keyhandle=' option because there's no a fixed
storage root key inside TPM2 chips.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (on TPM 1.2)
Tested-by: Chris J Arges <chris.j.arges@canonical.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Tested-by: Kevin Strasser <kevin.strasser@intel.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Jarkko Sakkinen 10 years ago
parent
954650efb7
commit
0fe5480303
1 changed files with 33 additions and 3 deletions
Split View Show Diff Stats
  1. 33 3
      security/keys/trusted.c

+ 33 - 3
security/keys/trusted.c
View File 

@@ -862,12 +862,19 @@ static int datablob_parse(char *datablob, struct trusted_key_payload *p,
 
 static struct trusted_key_options *trusted_options_alloc(void)
 
 {
 
 	struct trusted_key_options *options;
 
+	int tpm2;
 
+
 
+	tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
 
+	if (tpm2 < 0)
 
+		return NULL;
 
 
 	options = kzalloc(sizeof *options, GFP_KERNEL);
 
 	if (options) {
 
 		/* set any non-zero defaults */
 
 		options->keytype = SRK_keytype;
 
-		options->keyhandle = SRKHANDLE;
 
+
 
+		if (!tpm2)
 
+			options->keyhandle = SRKHANDLE;
 
 	}
 
 	return options;
 
 }
 
@@ -905,6 +912,11 @@ static int trusted_instantiate(struct key *key,
 
 	int ret = 0;
 
 	int key_cmd;
 
 	size_t key_len;
 
+	int tpm2;
 
+
 
+	tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
 
+	if (tpm2 < 0)
 
+		return tpm2;
 
 
 	if (datalen <= 0 || datalen > 32767 || !prep->data)
 
 		return -EINVAL;
 
@@ -932,12 +944,20 @@ static int trusted_instantiate(struct key *key,
 
 		goto out;
 
 	}
 
 
+	if (!options->keyhandle) {
 
+		ret = -EINVAL;
 
+		goto out;
 
+	}
 
+
 
 	dump_payload(payload);
 
 	dump_options(options);
 
 
 	switch (key_cmd) {
 
 	case Opt_load:
 
-		ret = key_unseal(payload, options);
 
+		if (tpm2)
 
+			ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
 
+		else
 
+			ret = key_unseal(payload, options);
 
 		dump_payload(payload);
 
 		dump_options(options);
 
 		if (ret < 0)
 
@@ -950,7 +970,10 @@ static int trusted_instantiate(struct key *key,
 
 			pr_info("trusted_key: key_create failed (%d)\n", ret);
 
 			goto out;
 
 		}
 
-		ret = key_seal(payload, options);
 
+		if (tpm2)
 
+			ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
 
+		else
 
+			ret = key_seal(payload, options);
 
 		if (ret < 0)
 
 			pr_info("trusted_key: key_seal failed (%d)\n", ret);
 
 		break;
 
@@ -1018,6 +1041,13 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 
 		kfree(new_p);
 
 		goto out;
 
 	}
 
+
 
+	if (!new_o->keyhandle) {
 
+		ret = -EINVAL;
 
+		kfree(new_p);
 
+		goto out;
 
+	}
 
+
 
 	/* copy old key values, and reseal with new pcrs */
 
 	new_p->migratable = p->migratable;
 
 	new_p->key_len = p->key_len;