diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/digsig.c | 2 | ||||
| -rw-r--r-- | security/keys/trusted.c | 36 | ||||
| -rw-r--r-- | security/keys/trusted.h | 11 |
3 files changed, 34 insertions, 15 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 36fb6b527829..5be9ffbe90ba 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -105,7 +105,7 @@ int __init integrity_load_x509(const unsigned int id, const char *path) rc, ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED); + KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); pr_err("Problem loading X.509 certificate (%d): %s\n", diff --git a/security/keys/trusted.c b/security/keys/trusted.c index c0594cb07ada..d3633cf17c7d 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -862,12 +862,19 @@ static int datablob_parse(char *datablob, struct trusted_key_payload *p, static struct trusted_key_options *trusted_options_alloc(void) { struct trusted_key_options *options; + int tpm2; + + tpm2 = tpm_is_tpm2(TPM_ANY_NUM); + if (tpm2 < 0) + return NULL; options = kzalloc(sizeof *options, GFP_KERNEL); if (options) { /* set any non-zero defaults */ options->keytype = SRK_keytype; - options->keyhandle = SRKHANDLE; + + if (!tpm2) + options->keyhandle = SRKHANDLE; } return options; } @@ -905,6 +912,11 @@ static int trusted_instantiate(struct key *key, int ret = 0; int key_cmd; size_t key_len; + int tpm2; + + tpm2 = tpm_is_tpm2(TPM_ANY_NUM); + if (tpm2 < 0) + return tpm2; if (datalen <= 0 || datalen > 32767 || !prep->data) return -EINVAL; @@ -932,12 +944,20 @@ static int trusted_instantiate(struct key *key, goto out; } + if (!options->keyhandle) { + ret = -EINVAL; + goto out; + } + dump_payload(payload); dump_options(options); switch (key_cmd) { case Opt_load: - ret = key_unseal(payload, options); + if (tpm2) + ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options); + else + ret = key_unseal(payload, options); dump_payload(payload); dump_options(options); if (ret < 0) @@ -950,7 +970,10 @@ static int trusted_instantiate(struct key *key, pr_info("trusted_key: key_create failed (%d)\n", ret); goto out; } - ret = key_seal(payload, options); + if (tpm2) + ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options); + else + ret = key_seal(payload, options); if (ret < 0) pr_info("trusted_key: key_seal failed (%d)\n", ret); break; @@ -1018,6 +1041,13 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep) kfree(new_p); goto out; } + + if (!new_o->keyhandle) { + ret = -EINVAL; + kfree(new_p); + goto out; + } + /* copy old key values, and reseal with new pcrs */ new_p->migratable = p->migratable; new_p->key_len = p->key_len; diff --git a/security/keys/trusted.h b/security/keys/trusted.h index 3249fbd2b653..ff001a5dcb24 100644 --- a/security/keys/trusted.h +++ b/security/keys/trusted.h @@ -2,7 +2,6 @@ #define __TRUSTED_KEY_H /* implementation specific TPM constants */ -#define MAX_PCRINFO_SIZE 64 #define MAX_BUF_SIZE 512 #define TPM_GETRANDOM_SIZE 14 #define TPM_OSAP_SIZE 36 @@ -36,16 +35,6 @@ enum { SRK_keytype = 4 }; -struct trusted_key_options { - uint16_t keytype; - uint32_t keyhandle; - unsigned char keyauth[SHA1_DIGEST_SIZE]; - unsigned char blobauth[SHA1_DIGEST_SIZE]; - uint32_t pcrinfo_len; - unsigned char pcrinfo[MAX_PCRINFO_SIZE]; - int pcrlock; -}; - #define TPM_DEBUG 0 #if TPM_DEBUG |