1// SPDX-License-Identifier: GPL-2.0
  2#define pr_fmt(fmt) "ASYM-TPM: "fmt
  3#include <linux/slab.h>
  4#include <linux/module.h>
  5#include <linux/export.h>
  6#include <linux/kernel.h>
  7#include <linux/seq_file.h>
  8#include <linux/scatterlist.h>
  9#include <linux/tpm.h>
 10#include <linux/tpm_command.h>
 11#include <crypto/akcipher.h>
 12#include <crypto/hash.h>
 13#include <crypto/sha.h>
 14#include <asm/unaligned.h>
 15#include <keys/asymmetric-subtype.h>
 16#include <keys/trusted_tpm.h>
 17#include <crypto/asym_tpm_subtype.h>
 18#include <crypto/public_key.h>
 19
 20#define TPM_ORD_FLUSHSPECIFIC	186
 21#define TPM_ORD_LOADKEY2	65
 22#define TPM_ORD_UNBIND		30
 23#define TPM_ORD_SIGN		60
 24
 25#define TPM_RT_KEY                      0x00000001
 26
 27/*
 28 * Load a TPM key from the blob provided by userspace
 29 */
 30static int tpm_loadkey2(struct tpm_buf *tb,
 31			uint32_t keyhandle, unsigned char *keyauth,
 32			const unsigned char *keyblob, int keybloblen,
 33			uint32_t *newhandle)
 34{
 35	unsigned char nonceodd[TPM_NONCE_SIZE];
 36	unsigned char enonce[TPM_NONCE_SIZE];
 37	unsigned char authdata[SHA1_DIGEST_SIZE];
 38	uint32_t authhandle = 0;
 39	unsigned char cont = 0;
 40	uint32_t ordinal;
 41	int ret;
 42
 43	ordinal = htonl(TPM_ORD_LOADKEY2);
 44
 45	/* session for loading the key */
 46	ret = oiap(tb, &authhandle, enonce);
 47	if (ret < 0) {
 48		pr_info("oiap failed (%d)\n", ret);
 49		return ret;
 50	}
 51
 52	/* generate odd nonce */
 53	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
 54	if (ret < 0) {
 55		pr_info("tpm_get_random failed (%d)\n", ret);
 56		return ret;
 57	}
 58
 59	/* calculate authorization HMAC value */
 60	ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
 61			   nonceodd, cont, sizeof(uint32_t), &ordinal,
 62			   keybloblen, keyblob, 0, 0);
 63	if (ret < 0)
 64		return ret;
 65
 66	/* build the request buffer */
 67	tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_LOADKEY2);
 68	tpm_buf_append_u32(tb, keyhandle);
 69	tpm_buf_append(tb, keyblob, keybloblen);
 70	tpm_buf_append_u32(tb, authhandle);
 71	tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
 72	tpm_buf_append_u8(tb, cont);
 73	tpm_buf_append(tb, authdata, SHA1_DIGEST_SIZE);
 74
 75	ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
 76	if (ret < 0) {
 77		pr_info("authhmac failed (%d)\n", ret);
 78		return ret;
 79	}
 80
 81	ret = TSS_checkhmac1(tb->data, ordinal, nonceodd, keyauth,
 82			     SHA1_DIGEST_SIZE, 0, 0);
 83	if (ret < 0) {
 84		pr_info("TSS_checkhmac1 failed (%d)\n", ret);
 85		return ret;
 86	}
 87
 88	*newhandle = LOAD32(tb->data, TPM_DATA_OFFSET);
 89	return 0;
 90}
 91
 92/*
 93 * Execute the FlushSpecific TPM command
 94 */
 95static int tpm_flushspecific(struct tpm_buf *tb, uint32_t handle)
 96{
 97	tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_FLUSHSPECIFIC);
 98	tpm_buf_append_u32(tb, handle);
 99	tpm_buf_append_u32(tb, TPM_RT_KEY);
100
101	return trusted_tpm_send(tb->data, MAX_BUF_SIZE);
102}
103
104/*
105 * Decrypt a blob provided by userspace using a specific key handle.
106 * The handle is a well known handle or previously loaded by e.g. LoadKey2
107 */
108static int tpm_unbind(struct tpm_buf *tb,
109			uint32_t keyhandle, unsigned char *keyauth,
110			const unsigned char *blob, uint32_t bloblen,
111			void *out, uint32_t outlen)
112{
113	unsigned char nonceodd[TPM_NONCE_SIZE];
114	unsigned char enonce[TPM_NONCE_SIZE];
115	unsigned char authdata[SHA1_DIGEST_SIZE];
116	uint32_t authhandle = 0;
117	unsigned char cont = 0;
118	uint32_t ordinal;
119	uint32_t datalen;
120	int ret;
121
122	ordinal = htonl(TPM_ORD_UNBIND);
123	datalen = htonl(bloblen);
124
125	/* session for loading the key */
126	ret = oiap(tb, &authhandle, enonce);
127	if (ret < 0) {
128		pr_info("oiap failed (%d)\n", ret);
129		return ret;
130	}
131
132	/* generate odd nonce */
133	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
134	if (ret < 0) {
135		pr_info("tpm_get_random failed (%d)\n", ret);
136		return ret;
137	}
138
139	/* calculate authorization HMAC value */
140	ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
141			   nonceodd, cont, sizeof(uint32_t), &ordinal,
142			   sizeof(uint32_t), &datalen,
143			   bloblen, blob, 0, 0);
144	if (ret < 0)
145		return ret;
146
147	/* build the request buffer */
148	tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_UNBIND);
149	tpm_buf_append_u32(tb, keyhandle);
150	tpm_buf_append_u32(tb, bloblen);
151	tpm_buf_append(tb, blob, bloblen);
152	tpm_buf_append_u32(tb, authhandle);
153	tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
154	tpm_buf_append_u8(tb, cont);
155	tpm_buf_append(tb, authdata, SHA1_DIGEST_SIZE);
156
157	ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
158	if (ret < 0) {
159		pr_info("authhmac failed (%d)\n", ret);
160		return ret;
161	}
162
163	datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
164
165	ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
166			     keyauth, SHA1_DIGEST_SIZE,
167			     sizeof(uint32_t), TPM_DATA_OFFSET,
168			     datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
169			     0, 0);
170	if (ret < 0) {
171		pr_info("TSS_checkhmac1 failed (%d)\n", ret);
172		return ret;
173	}
174
175	memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
176	       min(outlen, datalen));
177
178	return datalen;
179}
180
181/*
182 * Sign a blob provided by userspace (that has had the hash function applied)
183 * using a specific key handle.  The handle is assumed to have been previously
184 * loaded by e.g. LoadKey2.
185 *
186 * Note that the key signature scheme of the used key should be set to
187 * TPM_SS_RSASSAPKCS1v15_DER.  This allows the hashed input to be of any size
188 * up to key_length_in_bytes - 11 and not be limited to size 20 like the
189 * TPM_SS_RSASSAPKCS1v15_SHA1 signature scheme.
190 */
191static int tpm_sign(struct tpm_buf *tb,
192		    uint32_t keyhandle, unsigned char *keyauth,
193		    const unsigned char *blob, uint32_t bloblen,
194		    void *out, uint32_t outlen)
195{
196	unsigned char nonceodd[TPM_NONCE_SIZE];
197	unsigned char enonce[TPM_NONCE_SIZE];
198	unsigned char authdata[SHA1_DIGEST_SIZE];
199	uint32_t authhandle = 0;
200	unsigned char cont = 0;
201	uint32_t ordinal;
202	uint32_t datalen;
203	int ret;
204
205	ordinal = htonl(TPM_ORD_SIGN);
206	datalen = htonl(bloblen);
207
208	/* session for loading the key */
209	ret = oiap(tb, &authhandle, enonce);
210	if (ret < 0) {
211		pr_info("oiap failed (%d)\n", ret);
212		return ret;
213	}
214
215	/* generate odd nonce */
216	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
217	if (ret < 0) {
218		pr_info("tpm_get_random failed (%d)\n", ret);
219		return ret;
220	}
221
222	/* calculate authorization HMAC value */
223	ret = TSS_authhmac(authdata, keyauth, SHA1_DIGEST_SIZE, enonce,
224			   nonceodd, cont, sizeof(uint32_t), &ordinal,
225			   sizeof(uint32_t), &datalen,
226			   bloblen, blob, 0, 0);
227	if (ret < 0)
228		return ret;
229
230	/* build the request buffer */
231	tpm_buf_reset(tb, TPM_TAG_RQU_AUTH1_COMMAND, TPM_ORD_SIGN);
232	tpm_buf_append_u32(tb, keyhandle);
233	tpm_buf_append_u32(tb, bloblen);
234	tpm_buf_append(tb, blob, bloblen);
235	tpm_buf_append_u32(tb, authhandle);
236	tpm_buf_append(tb, nonceodd, TPM_NONCE_SIZE);
237	tpm_buf_append_u8(tb, cont);
238	tpm_buf_append(tb, authdata, SHA1_DIGEST_SIZE);
239
240	ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
241	if (ret < 0) {
242		pr_info("authhmac failed (%d)\n", ret);
243		return ret;
244	}
245
246	datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
247
248	ret = TSS_checkhmac1(tb->data, ordinal, nonceodd,
249			     keyauth, SHA1_DIGEST_SIZE,
250			     sizeof(uint32_t), TPM_DATA_OFFSET,
251			     datalen, TPM_DATA_OFFSET + sizeof(uint32_t),
252			     0, 0);
253	if (ret < 0) {
254		pr_info("TSS_checkhmac1 failed (%d)\n", ret);
255		return ret;
256	}
257
258	memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
259	       min(datalen, outlen));
260
261	return datalen;
262}
263
264/* Room to fit two u32 zeros for algo id and parameters length. */
265#define SETKEY_PARAMS_SIZE (sizeof(u32) * 2)
266
267/*
268 * Maximum buffer size for the BER/DER encoded public key.  The public key
269 * is of the form SEQUENCE { INTEGER n, INTEGER e } where n is a maximum 2048
270 * bit key and e is usually 65537
271 * The encoding overhead is:
272 * - max 4 bytes for SEQUENCE
273 *   - max 4 bytes for INTEGER n type/length
274 *     - 257 bytes of n
275 *   - max 2 bytes for INTEGER e type/length
276 *     - 3 bytes of e
277 * - 4+4 of zeros for set_pub_key parameters (SETKEY_PARAMS_SIZE)
278 */
279#define PUB_KEY_BUF_SIZE (4 + 4 + 257 + 2 + 3 + SETKEY_PARAMS_SIZE)
280
281/*
282 * Provide a part of a description of the key for /proc/keys.
283 */
284static void asym_tpm_describe(const struct key *asymmetric_key,
285			      struct seq_file *m)
286{
287	struct tpm_key *tk = asymmetric_key->payload.data[asym_crypto];
288
289	if (!tk)
290		return;
291
292	seq_printf(m, "TPM1.2/Blob");
293}
294
295static void asym_tpm_destroy(void *payload0, void *payload3)
296{
297	struct tpm_key *tk = payload0;
298
299	if (!tk)
300		return;
301
302	kfree(tk->blob);
303	tk->blob_len = 0;
304
305	kfree(tk);
306}
307
308/* How many bytes will it take to encode the length */
309static inline uint32_t definite_length(uint32_t len)
310{
311	if (len <= 127)
312		return 1;
313	if (len <= 255)
314		return 2;
315	return 3;
316}
317
318static inline uint8_t *encode_tag_length(uint8_t *buf, uint8_t tag,
319					 uint32_t len)
320{
321	*buf++ = tag;
322
323	if (len <= 127) {
324		buf[0] = len;
325		return buf + 1;
326	}
327
328	if (len <= 255) {
329		buf[0] = 0x81;
330		buf[1] = len;
331		return buf + 2;
332	}
333
334	buf[0] = 0x82;
335	put_unaligned_be16(len, buf + 1);
336	return buf + 3;
337}
338
339static uint32_t derive_pub_key(const void *pub_key, uint32_t len, uint8_t *buf)
340{
341	uint8_t *cur = buf;
342	uint32_t n_len = definite_length(len) + 1 + len + 1;
343	uint32_t e_len = definite_length(3) + 1 + 3;
344	uint8_t e[3] = { 0x01, 0x00, 0x01 };
345
346	/* SEQUENCE */
347	cur = encode_tag_length(cur, 0x30, n_len + e_len);
348	/* INTEGER n */
349	cur = encode_tag_length(cur, 0x02, len + 1);
350	cur[0] = 0x00;
351	memcpy(cur + 1, pub_key, len);
352	cur += len + 1;
353	cur = encode_tag_length(cur, 0x02, sizeof(e));
354	memcpy(cur, e, sizeof(e));
355	cur += sizeof(e);
356	/* Zero parameters to satisfy set_pub_key ABI. */
357	memset(cur, 0, SETKEY_PARAMS_SIZE);
358
359	return cur - buf;
360}
361
362/*
363 * Determine the crypto algorithm name.
364 */
365static int determine_akcipher(const char *encoding, const char *hash_algo,
366			      char alg_name[CRYPTO_MAX_ALG_NAME])
367{
368	if (strcmp(encoding, "pkcs1") == 0) {
369		if (!hash_algo) {
370			strcpy(alg_name, "pkcs1pad(rsa)");
371			return 0;
372		}
373
374		if (snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "pkcs1pad(rsa,%s)",
375			     hash_algo) >= CRYPTO_MAX_ALG_NAME)
376			return -EINVAL;
377
378		return 0;
379	}
380
381	if (strcmp(encoding, "raw") == 0) {
382		strcpy(alg_name, "rsa");
383		return 0;
384	}
385
386	return -ENOPKG;
387}
388
389/*
390 * Query information about a key.
391 */
392static int tpm_key_query(const struct kernel_pkey_params *params,
393			 struct kernel_pkey_query *info)
394{
395	struct tpm_key *tk = params->key->payload.data[asym_crypto];
396	int ret;
397	char alg_name[CRYPTO_MAX_ALG_NAME];
398	struct crypto_akcipher *tfm;
399	uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
400	uint32_t der_pub_key_len;
401	int len;
402
403	/* TPM only works on private keys, public keys still done in software */
404	ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
405	if (ret < 0)
406		return ret;
407
408	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
409	if (IS_ERR(tfm))
410		return PTR_ERR(tfm);
411
412	der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
413					 der_pub_key);
414
415	ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
416	if (ret < 0)
417		goto error_free_tfm;
418
419	len = crypto_akcipher_maxsize(tfm);
420
421	info->key_size = tk->key_len;
422	info->max_data_size = tk->key_len / 8;
423	info->max_sig_size = len;
424	info->max_enc_size = len;
425	info->max_dec_size = tk->key_len / 8;
426
427	info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT |
428			      KEYCTL_SUPPORTS_DECRYPT |
429			      KEYCTL_SUPPORTS_VERIFY |
430			      KEYCTL_SUPPORTS_SIGN;
431
432	ret = 0;
433error_free_tfm:
434	crypto_free_akcipher(tfm);
435	pr_devel("<==%s() = %d\n", __func__, ret);
436	return ret;
437}
438
439/*
440 * Encryption operation is performed with the public key.  Hence it is done
441 * in software
442 */
443static int tpm_key_encrypt(struct tpm_key *tk,
444			   struct kernel_pkey_params *params,
445			   const void *in, void *out)
446{
447	char alg_name[CRYPTO_MAX_ALG_NAME];
448	struct crypto_akcipher *tfm;
449	struct akcipher_request *req;
450	struct crypto_wait cwait;
451	struct scatterlist in_sg, out_sg;
452	uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
453	uint32_t der_pub_key_len;
454	int ret;
455
456	pr_devel("==>%s()\n", __func__);
457
458	ret = determine_akcipher(params->encoding, params->hash_algo, alg_name);
459	if (ret < 0)
460		return ret;
461
462	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
463	if (IS_ERR(tfm))
464		return PTR_ERR(tfm);
465
466	der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
467					 der_pub_key);
468
469	ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
470	if (ret < 0)
471		goto error_free_tfm;
472
473	ret = -ENOMEM;
474	req = akcipher_request_alloc(tfm, GFP_KERNEL);
475	if (!req)
476		goto error_free_tfm;
477
478	sg_init_one(&in_sg, in, params->in_len);
479	sg_init_one(&out_sg, out, params->out_len);
480	akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
481				   params->out_len);
482	crypto_init_wait(&cwait);
483	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
484				      CRYPTO_TFM_REQ_MAY_SLEEP,
485				      crypto_req_done, &cwait);
486
487	ret = crypto_akcipher_encrypt(req);
488	ret = crypto_wait_req(ret, &cwait);
489
490	if (ret == 0)
491		ret = req->dst_len;
492
493	akcipher_request_free(req);
494error_free_tfm:
495	crypto_free_akcipher(tfm);
496	pr_devel("<==%s() = %d\n", __func__, ret);
497	return ret;
498}
499
500/*
501 * Decryption operation is performed with the private key in the TPM.
502 */
503static int tpm_key_decrypt(struct tpm_key *tk,
504			   struct kernel_pkey_params *params,
505			   const void *in, void *out)
506{
507	struct tpm_buf tb;
508	uint32_t keyhandle;
509	uint8_t srkauth[SHA1_DIGEST_SIZE];
510	uint8_t keyauth[SHA1_DIGEST_SIZE];
511	int r;
512
513	pr_devel("==>%s()\n", __func__);
514
515	if (params->hash_algo)
516		return -ENOPKG;
517
518	if (strcmp(params->encoding, "pkcs1"))
519		return -ENOPKG;
520
521	r = tpm_buf_init(&tb, 0, 0);
522	if (r)
523		return r;
524
525	/* TODO: Handle a non-all zero SRK authorization */
526	memset(srkauth, 0, sizeof(srkauth));
527
528	r = tpm_loadkey2(&tb, SRKHANDLE, srkauth,
529				tk->blob, tk->blob_len, &keyhandle);
530	if (r < 0) {
531		pr_devel("loadkey2 failed (%d)\n", r);
532		goto error;
533	}
534
535	/* TODO: Handle a non-all zero key authorization */
536	memset(keyauth, 0, sizeof(keyauth));
537
538	r = tpm_unbind(&tb, keyhandle, keyauth,
539		       in, params->in_len, out, params->out_len);
540	if (r < 0)
541		pr_devel("tpm_unbind failed (%d)\n", r);
542
543	if (tpm_flushspecific(&tb, keyhandle) < 0)
544		pr_devel("flushspecific failed (%d)\n", r);
545
546error:
547	tpm_buf_destroy(&tb);
548	pr_devel("<==%s() = %d\n", __func__, r);
549	return r;
550}
551
552/*
553 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
554 */
555static const u8 digest_info_md5[] = {
556	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
557	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
558	0x05, 0x00, 0x04, 0x10
559};
560
561static const u8 digest_info_sha1[] = {
562	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
563	0x2b, 0x0e, 0x03, 0x02, 0x1a,
564	0x05, 0x00, 0x04, 0x14
565};
566
567static const u8 digest_info_rmd160[] = {
568	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
569	0x2b, 0x24, 0x03, 0x02, 0x01,
570	0x05, 0x00, 0x04, 0x14
571};
572
573static const u8 digest_info_sha224[] = {
574	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
575	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
576	0x05, 0x00, 0x04, 0x1c
577};
578
579static const u8 digest_info_sha256[] = {
580	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
581	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
582	0x05, 0x00, 0x04, 0x20
583};
584
585static const u8 digest_info_sha384[] = {
586	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
587	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
588	0x05, 0x00, 0x04, 0x30
589};
590
591static const u8 digest_info_sha512[] = {
592	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
593	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
594	0x05, 0x00, 0x04, 0x40
595};
596
597static const struct asn1_template {
598	const char	*name;
599	const u8	*data;
600	size_t		size;
601} asn1_templates[] = {
602#define _(X) { #X, digest_info_##X, sizeof(digest_info_##X) }
603	_(md5),
604	_(sha1),
605	_(rmd160),
606	_(sha256),
607	_(sha384),
608	_(sha512),
609	_(sha224),
610	{ NULL }
611#undef _
612};
613
614static const struct asn1_template *lookup_asn1(const char *name)
615{
616	const struct asn1_template *p;
617
618	for (p = asn1_templates; p->name; p++)
619		if (strcmp(name, p->name) == 0)
620			return p;
621	return NULL;
622}
623
624/*
625 * Sign operation is performed with the private key in the TPM.
626 */
627static int tpm_key_sign(struct tpm_key *tk,
628			struct kernel_pkey_params *params,
629			const void *in, void *out)
630{
631	struct tpm_buf tb;
632	uint32_t keyhandle;
633	uint8_t srkauth[SHA1_DIGEST_SIZE];
634	uint8_t keyauth[SHA1_DIGEST_SIZE];
635	void *asn1_wrapped = NULL;
636	uint32_t in_len = params->in_len;
637	int r;
638
639	pr_devel("==>%s()\n", __func__);
640
641	if (strcmp(params->encoding, "pkcs1"))
642		return -ENOPKG;
643
644	if (params->hash_algo) {
645		const struct asn1_template *asn1 =
646						lookup_asn1(params->hash_algo);
647
648		if (!asn1)
649			return -ENOPKG;
650
651		/* request enough space for the ASN.1 template + input hash */
652		asn1_wrapped = kzalloc(in_len + asn1->size, GFP_KERNEL);
653		if (!asn1_wrapped)
654			return -ENOMEM;
655
656		/* Copy ASN.1 template, then the input */
657		memcpy(asn1_wrapped, asn1->data, asn1->size);
658		memcpy(asn1_wrapped + asn1->size, in, in_len);
659
660		in = asn1_wrapped;
661		in_len += asn1->size;
662	}
663
664	if (in_len > tk->key_len / 8 - 11) {
665		r = -EOVERFLOW;
666		goto error_free_asn1_wrapped;
667	}
668
669	r = tpm_buf_init(&tb, 0, 0);
670	if (r)
671		goto error_free_asn1_wrapped;
672
673	/* TODO: Handle a non-all zero SRK authorization */
674	memset(srkauth, 0, sizeof(srkauth));
675
676	r = tpm_loadkey2(&tb, SRKHANDLE, srkauth,
677			 tk->blob, tk->blob_len, &keyhandle);
678	if (r < 0) {
679		pr_devel("loadkey2 failed (%d)\n", r);
680		goto error_free_tb;
681	}
682
683	/* TODO: Handle a non-all zero key authorization */
684	memset(keyauth, 0, sizeof(keyauth));
685
686	r = tpm_sign(&tb, keyhandle, keyauth, in, in_len, out, params->out_len);
687	if (r < 0)
688		pr_devel("tpm_sign failed (%d)\n", r);
689
690	if (tpm_flushspecific(&tb, keyhandle) < 0)
691		pr_devel("flushspecific failed (%d)\n", r);
692
693error_free_tb:
694	tpm_buf_destroy(&tb);
695error_free_asn1_wrapped:
696	kfree(asn1_wrapped);
697	pr_devel("<==%s() = %d\n", __func__, r);
698	return r;
699}
700
701/*
702 * Do encryption, decryption and signing ops.
703 */
704static int tpm_key_eds_op(struct kernel_pkey_params *params,
705			  const void *in, void *out)
706{
707	struct tpm_key *tk = params->key->payload.data[asym_crypto];
708	int ret = -EOPNOTSUPP;
709
710	/* Perform the encryption calculation. */
711	switch (params->op) {
712	case kernel_pkey_encrypt:
713		ret = tpm_key_encrypt(tk, params, in, out);
714		break;
715	case kernel_pkey_decrypt:
716		ret = tpm_key_decrypt(tk, params, in, out);
717		break;
718	case kernel_pkey_sign:
719		ret = tpm_key_sign(tk, params, in, out);
720		break;
721	default:
722		BUG();
723	}
724
725	return ret;
726}
727
728/*
729 * Verify a signature using a public key.
730 */
731static int tpm_key_verify_signature(const struct key *key,
732				    const struct public_key_signature *sig)
733{
734	const struct tpm_key *tk = key->payload.data[asym_crypto];
735	struct crypto_wait cwait;
736	struct crypto_akcipher *tfm;
737	struct akcipher_request *req;
738	struct scatterlist src_sg[2];
739	char alg_name[CRYPTO_MAX_ALG_NAME];
740	uint8_t der_pub_key[PUB_KEY_BUF_SIZE];
741	uint32_t der_pub_key_len;
742	int ret;
743
744	pr_devel("==>%s()\n", __func__);
745
746	BUG_ON(!tk);
747	BUG_ON(!sig);
748	BUG_ON(!sig->s);
749
750	if (!sig->digest)
751		return -ENOPKG;
752
753	ret = determine_akcipher(sig->encoding, sig->hash_algo, alg_name);
754	if (ret < 0)
755		return ret;
756
757	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
758	if (IS_ERR(tfm))
759		return PTR_ERR(tfm);
760
761	der_pub_key_len = derive_pub_key(tk->pub_key, tk->pub_key_len,
762					 der_pub_key);
763
764	ret = crypto_akcipher_set_pub_key(tfm, der_pub_key, der_pub_key_len);
765	if (ret < 0)
766		goto error_free_tfm;
767
768	ret = -ENOMEM;
769	req = akcipher_request_alloc(tfm, GFP_KERNEL);
770	if (!req)
771		goto error_free_tfm;
772
773	sg_init_table(src_sg, 2);
774	sg_set_buf(&src_sg[0], sig->s, sig->s_size);
775	sg_set_buf(&src_sg[1], sig->digest, sig->digest_size);
776	akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size,
777				   sig->digest_size);
778	crypto_init_wait(&cwait);
779	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
780				      CRYPTO_TFM_REQ_MAY_SLEEP,
781				      crypto_req_done, &cwait);
782	ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
783
784	akcipher_request_free(req);
785error_free_tfm:
786	crypto_free_akcipher(tfm);
787	pr_devel("<==%s() = %d\n", __func__, ret);
788	if (WARN_ON_ONCE(ret > 0))
789		ret = -EINVAL;
790	return ret;
791}
792
793/*
794 * Parse enough information out of TPM_KEY structure:
795 * TPM_STRUCT_VER -> 4 bytes
796 * TPM_KEY_USAGE -> 2 bytes
797 * TPM_KEY_FLAGS -> 4 bytes
798 * TPM_AUTH_DATA_USAGE -> 1 byte
799 * TPM_KEY_PARMS -> variable
800 * UINT32 PCRInfoSize -> 4 bytes
801 * BYTE* -> PCRInfoSize bytes
802 * TPM_STORE_PUBKEY
803 * UINT32 encDataSize;
804 * BYTE* -> encDataSize;
805 *
806 * TPM_KEY_PARMS:
807 * TPM_ALGORITHM_ID -> 4 bytes
808 * TPM_ENC_SCHEME -> 2 bytes
809 * TPM_SIG_SCHEME -> 2 bytes
810 * UINT32 parmSize -> 4 bytes
811 * BYTE* -> variable
812 */
813static int extract_key_parameters(struct tpm_key *tk)
814{
815	const void *cur = tk->blob;
816	uint32_t len = tk->blob_len;
817	const void *pub_key;
818	uint32_t sz;
819	uint32_t key_len;
820
821	if (len < 11)
822		return -EBADMSG;
823
824	/* Ensure this is a legacy key */
825	if (get_unaligned_be16(cur + 4) != 0x0015)
826		return -EBADMSG;
827
828	/* Skip to TPM_KEY_PARMS */
829	cur += 11;
830	len -= 11;
831
832	if (len < 12)
833		return -EBADMSG;
834
835	/* Make sure this is an RSA key */
836	if (get_unaligned_be32(cur) != 0x00000001)
837		return -EBADMSG;
838
839	/* Make sure this is TPM_ES_RSAESPKCSv15 encoding scheme */
840	if (get_unaligned_be16(cur + 4) != 0x0002)
841		return -EBADMSG;
842
843	/* Make sure this is TPM_SS_RSASSAPKCS1v15_DER signature scheme */
844	if (get_unaligned_be16(cur + 6) != 0x0003)
845		return -EBADMSG;
846
847	sz = get_unaligned_be32(cur + 8);
848	if (len < sz + 12)
849		return -EBADMSG;
850
851	/* Move to TPM_RSA_KEY_PARMS */
852	len -= 12;
853	cur += 12;
854
855	/* Grab the RSA key length */
856	key_len = get_unaligned_be32(cur);
857
858	switch (key_len) {
859	case 512:
860	case 1024:
861	case 1536:
862	case 2048:
863		break;
864	default:
865		return -EINVAL;
866	}
867
868	/* Move just past TPM_KEY_PARMS */
869	cur += sz;
870	len -= sz;
871
872	if (len < 4)
873		return -EBADMSG;
874
875	sz = get_unaligned_be32(cur);
876	if (len < 4 + sz)
877		return -EBADMSG;
878
879	/* Move to TPM_STORE_PUBKEY */
880	cur += 4 + sz;
881	len -= 4 + sz;
882
883	/* Grab the size of the public key, it should jive with the key size */
884	sz = get_unaligned_be32(cur);
885	if (sz > 256)
886		return -EINVAL;
887
888	pub_key = cur + 4;
889
890	tk->key_len = key_len;
891	tk->pub_key = pub_key;
892	tk->pub_key_len = sz;
893
894	return 0;
895}
896
897/* Given the blob, parse it and load it into the TPM */
898struct tpm_key *tpm_key_create(const void *blob, uint32_t blob_len)
899{
900	int r;
901	struct tpm_key *tk;
902
903	r = tpm_is_tpm2(NULL);
904	if (r < 0)
905		goto error;
906
907	/* We don't support TPM2 yet */
908	if (r > 0) {
909		r = -ENODEV;
910		goto error;
911	}
912
913	r = -ENOMEM;
914	tk = kzalloc(sizeof(struct tpm_key), GFP_KERNEL);
915	if (!tk)
916		goto error;
917
918	tk->blob = kmemdup(blob, blob_len, GFP_KERNEL);
919	if (!tk->blob)
920		goto error_memdup;
921
922	tk->blob_len = blob_len;
923
924	r = extract_key_parameters(tk);
925	if (r < 0)
926		goto error_extract;
927
928	return tk;
929
930error_extract:
931	kfree(tk->blob);
932	tk->blob_len = 0;
933error_memdup:
934	kfree(tk);
935error:
936	return ERR_PTR(r);
937}
938EXPORT_SYMBOL_GPL(tpm_key_create);
939
940/*
941 * TPM-based asymmetric key subtype
942 */
943struct asymmetric_key_subtype asym_tpm_subtype = {
944	.owner			= THIS_MODULE,
945	.name			= "asym_tpm",
946	.name_len		= sizeof("asym_tpm") - 1,
947	.describe		= asym_tpm_describe,
948	.destroy		= asym_tpm_destroy,
949	.query			= tpm_key_query,
950	.eds_op			= tpm_key_eds_op,
951	.verify_signature	= tpm_key_verify_signature,
952};
953EXPORT_SYMBOL_GPL(asym_tpm_subtype);
954
955MODULE_DESCRIPTION("TPM based asymmetric key subtype");
956MODULE_AUTHOR("Intel Corporation");
957MODULE_LICENSE("GPL v2");