Re: [PATCH RFC] tpm: seal with a policy

2015-11-02 Thread Jarkko Sakkinen 
On Mon, Nov 02, 2015 at 07:48:42AM -0500, Mimi Zohar wrote:
> On Sat, 2015-10-31 at 17:53 +0200, Jarkko Sakkinen wrote:
> > Support for sealing with a policy.
> > 
> > Two new options for trusted keys:
> > 
> > * 'policydigest=': provide a policydigest for the seal operation.
> > * 'policyhandle=': provide handle for a policy session for unsealing.
> 
> Please expand the patch description explaining the motivation for these
> new options.  In what cases are they needed?  Are they system or session
> policies? 

They are session policies. By using TPM2 commands you can specify
conditions in which unseal should work like auth value, PCRs, localities
and so forth and combine these with logical connectors.

I'll think about this and write proper documentation.

> Mimi

/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH RFC] tpm: seal with a policy

2015-11-02 Thread Mimi Zohar 
On Sat, 2015-10-31 at 17:53 +0200, Jarkko Sakkinen wrote:
> Support for sealing with a policy.
> 
> Two new options for trusted keys:
> 
> * 'policydigest=': provide a policydigest for the seal operation.
> * 'policyhandle=': provide handle for a policy session for unsealing.

Please expand the patch description explaining the motivation for these
new options.  In what cases are they needed?  Are they system or session
policies? 

Mimi

> 
> Signed-off-by: Jarkko Sakkinen 
> ---
>  drivers/char/tpm/Kconfig|  1 +
>  drivers/char/tpm/tpm2-cmd.c | 20 +---
>  include/keys/trusted-type.h |  3 +++
>  security/keys/trusted.c | 26 --
>  4 files changed, 45 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index 3b84a8b..bd86261 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -6,6 +6,7 @@ menuconfig TCG_TPM
>   tristate "TPM Hardware Support"
>   depends on HAS_IOMEM
>   select SECURITYFS
> + select CRYPTO_HASH_INFO
>   ---help---
> If you have a TPM security chip in your system, which
> implements the Trusted Computing Group's specification,
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index b08a0b4..6f567c3 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -463,6 +463,9 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>   return -EINVAL;
>   }
> 
> + if (options->policydigest_len > hash_digest_size[options->hash])
> + return -EINVAL;
> +
>   rc = tpm_buf_init(, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
>   if (rc)
>   return rc;
> @@ -488,8 +491,17 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> 
>   tpm_buf_append_u16(, TPM2_ALG_KEYEDHASH);
>   tpm_buf_append_u16(, hash);
> - tpm_buf_append_u32(, TPM2_ATTR_USER_WITH_AUTH);
> - tpm_buf_append_u16(, 0); /* policy digest size */
> +
> + if (options->policydigest_len) {
> + tpm_buf_append_u32(, 0);
> + tpm_buf_append_u16(, options->policydigest_len);
> + tpm_buf_append(, options->policydigest,
> +options->policydigest_len);
> + } else {
> + tpm_buf_append_u32(, TPM2_ATTR_USER_WITH_AUTH);
> + tpm_buf_append_u16(, 0);
> + }
> +
>   tpm_buf_append_u16(, TPM2_ALG_NULL);
>   tpm_buf_append_u16(, 0);
> 
> @@ -617,7 +629,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
>   return rc;
> 
>   tpm_buf_append_u32(, blob_handle);
> - tpm2_buf_append_auth(, TPM2_RS_PW,
> + tpm2_buf_append_auth(,
> +  options->policyhandle ?
> +  options->policyhandle : TPM2_RS_PW,
>NULL /* nonce */, 0,
>0 /* session_attributes */,
>options->blobauth /* hmac */,
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index a6a1008..e4beeca 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -37,6 +37,9 @@ struct trusted_key_options {
>   unsigned char pcrinfo[MAX_PCRINFO_SIZE];
>   int pcrlock;
>   uint32_t hash;
> + uint32_t policydigest_len;
> + unsigned char *policydigest;
> + uint32_t policyhandle;
>  };
> 
>  extern struct key_type key_type_trusted;
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 7a87bcd..ea043ff 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -713,6 +713,8 @@ enum {
>   Opt_keyhandle, Opt_keyauth, Opt_blobauth,
>   Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
>   Opt_hash,
> + Opt_policydigest,
> + Opt_policyhandle,
>  };
> 
>  static const match_table_t key_tokens = {
> @@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
>   {Opt_pcrlock, "pcrlock=%s"},
>   {Opt_migratable, "migratable=%s"},
>   {Opt_hash, "hash=%s"},
> + {Opt_policydigest, "policydigest=%s"},
> + {Opt_policyhandle, "policyhandle=%s"},
>   {Opt_err, NULL}
>  };
> 
> @@ -804,6 +808,17 @@ static int getoptions(char *c, struct 
> trusted_key_payload *pay,
>   if (i == HASH_ALGO__LAST ||
>   (!res && i != HASH_ALGO_SHA1))
>   return -EINVAL;
> + case Opt_policydigest:
> + opt->policydigest_len = strlen(args[0].from);
> + opt->policydigest = kstrdup(args[0].from, GFP_KERNEL);
> + if (!opt->policydigest)
> + return -ENOMEM;
> + break;
> + case Opt_policyhandle:
> + res = kstrtoul(args[0].from, 16, );
> + if (res < 0)
> + return -EINVAL;
> + opt->policyhandle =

[PATCH RFC] tpm: seal with a policy

2015-10-31 Thread Jarkko Sakkinen 
Support for sealing with a policy.

Two new options for trusted keys:

* 'policydigest=': provide a policydigest for the seal operation.
* 'policyhandle=': provide handle for a policy session for unsealing.

Signed-off-by: Jarkko Sakkinen 
---
 drivers/char/tpm/Kconfig|  1 +
 drivers/char/tpm/tpm2-cmd.c | 20 +---
 include/keys/trusted-type.h |  3 +++
 security/keys/trusted.c | 26 --
 4 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
index 3b84a8b..bd86261 100644
--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -6,6 +6,7 @@ menuconfig TCG_TPM
tristate "TPM Hardware Support"
depends on HAS_IOMEM
select SECURITYFS
+   select CRYPTO_HASH_INFO
---help---
  If you have a TPM security chip in your system, which
  implements the Trusted Computing Group's specification,
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index b08a0b4..6f567c3 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -463,6 +463,9 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
return -EINVAL;
}
 
+   if (options->policydigest_len > hash_digest_size[options->hash])
+   return -EINVAL;
+
rc = tpm_buf_init(, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
if (rc)
return rc;
@@ -488,8 +491,17 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 
tpm_buf_append_u16(, TPM2_ALG_KEYEDHASH);
tpm_buf_append_u16(, hash);
-   tpm_buf_append_u32(, TPM2_ATTR_USER_WITH_AUTH);
-   tpm_buf_append_u16(, 0); /* policy digest size */
+
+   if (options->policydigest_len) {
+   tpm_buf_append_u32(, 0);
+   tpm_buf_append_u16(, options->policydigest_len);
+   tpm_buf_append(, options->policydigest,
+  options->policydigest_len);
+   } else {
+   tpm_buf_append_u32(, TPM2_ATTR_USER_WITH_AUTH);
+   tpm_buf_append_u16(, 0);
+   }
+
tpm_buf_append_u16(, TPM2_ALG_NULL);
tpm_buf_append_u16(, 0);
 
@@ -617,7 +629,9 @@ static int tpm2_unseal(struct tpm_chip *chip,
return rc;
 
tpm_buf_append_u32(, blob_handle);
-   tpm2_buf_append_auth(, TPM2_RS_PW,
+   tpm2_buf_append_auth(,
+options->policyhandle ?
+options->policyhandle : TPM2_RS_PW,
 NULL /* nonce */, 0,
 0 /* session_attributes */,
 options->blobauth /* hmac */,
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index a6a1008..e4beeca 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -37,6 +37,9 @@ struct trusted_key_options {
unsigned char pcrinfo[MAX_PCRINFO_SIZE];
int pcrlock;
uint32_t hash;
+   uint32_t policydigest_len;
+   unsigned char *policydigest;
+   uint32_t policyhandle;
 };
 
 extern struct key_type key_type_trusted;
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 7a87bcd..ea043ff 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -713,6 +713,8 @@ enum {
Opt_keyhandle, Opt_keyauth, Opt_blobauth,
Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
Opt_hash,
+   Opt_policydigest,
+   Opt_policyhandle,
 };
 
 static const match_table_t key_tokens = {
@@ -726,6 +728,8 @@ static const match_table_t key_tokens = {
{Opt_pcrlock, "pcrlock=%s"},
{Opt_migratable, "migratable=%s"},
{Opt_hash, "hash=%s"},
+   {Opt_policydigest, "policydigest=%s"},
+   {Opt_policyhandle, "policyhandle=%s"},
{Opt_err, NULL}
 };
 
@@ -804,6 +808,17 @@ static int getoptions(char *c, struct trusted_key_payload 
*pay,
if (i == HASH_ALGO__LAST ||
(!res && i != HASH_ALGO_SHA1))
return -EINVAL;
+   case Opt_policydigest:
+   opt->policydigest_len = strlen(args[0].from);
+   opt->policydigest = kstrdup(args[0].from, GFP_KERNEL);
+   if (!opt->policydigest)
+   return -ENOMEM;
+   break;
+   case Opt_policyhandle:
+   res = kstrtoul(args[0].from, 16, );
+   if (res < 0)
+   return -EINVAL;
+   opt->policyhandle = handle;
break;
default:
return -EINVAL;
@@ -897,6 +912,13 @@ static struct trusted_key_options 
*trusted_options_alloc(void)
return options;
 }
 
+static void trusted_options_free(struct trusted_key_options *options)
+{
+   if (options->policydigest)