projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tpm: Add the rest of the session HMAC API
[linux-2.6-block.git] / drivers / char / tpm / tpm2-sessions.c
CommitLineData
d2add27c
JB		 1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Copyright (C) 2018 James.Bottomley@HansenPartnership.com
5 *
699e3efd
JB		 6 * Cryptographic helper routines for handling TPM2 sessions for
7 * authorization HMAC and request response encryption.
8 *
9 * The idea is to ensure that every TPM command is HMAC protected by a
10 * session, meaning in-flight tampering would be detected and in
11 * addition all sensitive inputs and responses should be encrypted.
12 *
13 * The basic way this works is to use a TPM feature called salted
14 * sessions where a random secret used in session construction is
15 * encrypted to the public part of a known TPM key. The problem is we
16 * have no known keys, so initially a primary Elliptic Curve key is
17 * derived from the NULL seed (we use EC because most TPMs generate
18 * these keys much faster than RSA ones). The curve used is NIST_P256
19 * because that's now mandated to be present in 'TCG TPM v2.0
20 * Provisioning Guidance'
21 *
22 * Threat problems: the initial TPM2_CreatePrimary is not (and cannot
23 * be) session protected, so a clever Man in the Middle could return a
24 * public key they control to this command and from there intercept
25 * and decode all subsequent session based transactions. The kernel
26 * cannot mitigate this threat but, after boot, userspace can get
27 * proof this has not happened by asking the TPM to certify the NULL
28 * key. This certification would chain back to the TPM Endorsement
29 * Certificate and prove the NULL seed primary had not been tampered
30 * with and thus all sessions must have been cryptographically secure.
31 * To assist with this, the initial NULL seed public key name is made
32 * available in a sysfs file.
33 *
34 * Use of these functions:
35 *
36 * The design is all the crypto, hash and hmac gunk is confined in this
37 * file and never needs to be seen even by the kernel internal user. To
38 * the user there's an init function tpm2_sessions_init() that needs to
39 * be called once per TPM which generates the NULL seed primary key.
40 *
41 * These are the usage functions:
42 *
43 * tpm2_start_auth_session() which allocates the opaque auth structure
44 * and gets a session from the TPM. This must be called before
45 * any of the following functions. The session is protected by a
46 * session_key which is derived from a random salt value
47 * encrypted to the NULL seed.
48 * tpm2_end_auth_session() kills the session and frees the resources.
49 * Under normal operation this function is done by
50 * tpm_buf_check_hmac_response(), so this is only to be used on
51 * error legs where the latter is not executed.
d0a25bb9
JB		 52 * tpm_buf_append_name() to add a handle to the buffer. This must be
53 * used in place of the usual tpm_buf_append_u32() for adding
54 * handles because handles have to be processed specially when
55 * calculating the HMAC. In particular, for NV, volatile and
56 * permanent objects you now need to provide the name.
1085b827
JB		 57 * tpm_buf_append_hmac_session() which appends the hmac session to the
58 * buf in the same way tpm_buf_append_auth does().
59 * tpm_buf_fill_hmac_session() This calculates the correct hash and
60 * places it in the buffer. It must be called after the complete
61 * command buffer is finalized so it can fill in the correct HMAC
62 * based on the parameters.
63 * tpm_buf_check_hmac_response() which checks the session response in
64 * the buffer and calculates what it should be. If there's a
65 * mismatch it will log a warning and return an error. If
66 * tpm_buf_append_hmac_session() did not specify
67 * TPM_SA_CONTINUE_SESSION then the session will be closed (if it
68 * hasn't been consumed) and the auth structure freed.
d2add27c
JB		 69 */
70
71#include "tpm.h"
699e3efd
JB		 72#include <linux/random.h>
73#include <linux/scatterlist.h>
d2add27c 74#include <asm/unaligned.h>
699e3efd
JB		 75#include <crypto/kpp.h>
76#include <crypto/ecdh.h>
033ee84e
JB		 77#include <crypto/hash.h>
78#include <crypto/hmac.h>
79
d0a25bb9
JB		 80/* maximum number of names the TPM must remember for authorization */
81#define AUTH_MAX_NAMES 3
82
699e3efd
JB		 83/*
84 * This is the structure that carries all the auth information (like
85 * session handle, nonces, session key and auth) from use to use it is
86 * designed to be opaque to anything outside.
87 */
88struct tpm2_auth {
89 u32 handle;
90 /*
91 * This has two meanings: before tpm_buf_fill_hmac_session()
92 * it marks the offset in the buffer of the start of the
93 * sessions (i.e. after all the handles). Once the buffer has
94 * been filled it markes the session number of our auth
95 * session so we can find it again in the response buffer.
96 *
97 * The two cases are distinguished because the first offset
98 * must always be greater than TPM_HEADER_SIZE and the second
99 * must be less than or equal to 5.
100 */
101 u32 session;
102 /*
103 * the size here is variable and set by the size of our_nonce
104 * which must be between 16 and the name hash length. we set
105 * the maximum sha256 size for the greatest protection
106 */
107 u8 our_nonce[SHA256_DIGEST_SIZE];
108 u8 tpm_nonce[SHA256_DIGEST_SIZE];
109 /*
110 * the salt is only used across the session command/response
111 * after that it can be used as a scratch area
112 */
113 union {
114 u8 salt[EC_PT_SZ];
115 /* scratch for key + IV */
116 u8 scratch[AES_KEY_BYTES + AES_BLOCK_SIZE];
117 };
1085b827
JB		 118 /*
119 * the session key and passphrase are the same size as the
120 * name digest (sha256 again). The session key is constant
121 * for the use of the session and the passphrase can change
122 * with every invocation.
123 *
124 * Note: these fields must be adjacent and in this order
125 * because several HMAC/KDF schemes use the combination of the
126 * session_key and passphrase.
127 */
699e3efd 128 u8 session_key[SHA256_DIGEST_SIZE];
1085b827
JB		 129 u8 passphrase[SHA256_DIGEST_SIZE];
130 int passphrase_len;
131 struct crypto_aes_ctx aes_ctx;
132 /* saved session attributes: */
133 u8 attrs;
134 __be32 ordinal;
d0a25bb9
JB		 135
136 /*
137 * memory for three authorization handles. We know them by
138 * handle, but they are part of the session by name, which
139 * we must compute and remember
140 */
141 u32 name_h[AUTH_MAX_NAMES];
142 u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
699e3efd
JB		 143};
144
d0a25bb9
JB		 145/*
146 * Name Size based on TPM algorithm (assumes no hash bigger than 255)
147 */
148static u8 name_size(const u8 *name)
149{
150 static u8 size_map[] = {
151 [TPM_ALG_SHA1] = SHA1_DIGEST_SIZE,
152 [TPM_ALG_SHA256] = SHA256_DIGEST_SIZE,
153 [TPM_ALG_SHA384] = SHA384_DIGEST_SIZE,
154 [TPM_ALG_SHA512] = SHA512_DIGEST_SIZE,
155 };
156 u16 alg = get_unaligned_be16(name);
157 return size_map[alg] + 2;
158}
159
033ee84e
JB		 160/*
161 * It turns out the crypto hmac(sha256) is hard for us to consume
162 * because it assumes a fixed key and the TPM seems to change the key
163 * on every operation, so we weld the hmac init and final functions in
164 * here to give it the same usage characteristics as a regular hash
165 */
166static void tpm2_hmac_init(struct sha256_state *sctx, u8 *key, u32 key_len)
167{
168 u8 pad[SHA256_BLOCK_SIZE];
169 int i;
170
171 sha256_init(sctx);
172 for (i = 0; i < sizeof(pad); i++) {
173 if (i < key_len)
174 pad[i] = key[i];
175 else
176 pad[i] = 0;
177 pad[i] ^= HMAC_IPAD_VALUE;
178 }
179 sha256_update(sctx, pad, sizeof(pad));
180}
181
182static void tpm2_hmac_final(struct sha256_state *sctx, u8 *key, u32 key_len,
183 u8 *out)
184{
185 u8 pad[SHA256_BLOCK_SIZE];
186 int i;
187
188 for (i = 0; i < sizeof(pad); i++) {
189 if (i < key_len)
190 pad[i] = key[i];
191 else
192 pad[i] = 0;
193 pad[i] ^= HMAC_OPAD_VALUE;
194 }
195
196 /* collect the final hash; use out as temporary storage */
197 sha256_final(sctx, out);
198
199 sha256_init(sctx);
200 sha256_update(sctx, pad, sizeof(pad));
201 sha256_update(sctx, out, SHA256_DIGEST_SIZE);
202 sha256_final(sctx, out);
203}
204
205/*
206 * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
207 * otherwise standard tpm2_KDFa. Note output is in bytes not bits.
208 */
209static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
210 u8 *v, u32 bytes, u8 *out)
211{
212 u32 counter = 1;
213 const __be32 bits = cpu_to_be32(bytes * 8);
214
215 while (bytes > 0) {
216 struct sha256_state sctx;
217 __be32 c = cpu_to_be32(counter);
218
219 tpm2_hmac_init(&sctx, key, key_len);
220 sha256_update(&sctx, (u8 *)&c, sizeof(c));
221 sha256_update(&sctx, label, strlen(label)+1);
222 sha256_update(&sctx, u, SHA256_DIGEST_SIZE);
223 sha256_update(&sctx, v, SHA256_DIGEST_SIZE);
224 sha256_update(&sctx, (u8 *)&bits, sizeof(bits));
225 tpm2_hmac_final(&sctx, key, key_len, out);
226
227 bytes -= SHA256_DIGEST_SIZE;
228 counter++;
229 out += SHA256_DIGEST_SIZE;
230 }
231}
232
233/*
234 * Somewhat of a bastardization of the real KDFe. We're assuming
235 * we're working with known point sizes for the input parameters and
236 * the hash algorithm is fixed at sha256. Because we know that the
237 * point size is 32 bytes like the hash size, there's no need to loop
238 * in this KDF.
239 */
240static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
241 u8 *out)
242{
243 struct sha256_state sctx;
244 /*
245 * this should be an iterative counter, but because we know
246 * we're only taking 32 bytes for the point using a sha256
247 * hash which is also 32 bytes, there's only one loop
248 */
249 __be32 c = cpu_to_be32(1);
250
251 sha256_init(&sctx);
252 /* counter (BE) */
253 sha256_update(&sctx, (u8 *)&c, sizeof(c));
254 /* secret value */
255 sha256_update(&sctx, z, EC_PT_SZ);
256 /* string including trailing zero */
257 sha256_update(&sctx, str, strlen(str)+1);
258 sha256_update(&sctx, pt_u, EC_PT_SZ);
259 sha256_update(&sctx, pt_v, EC_PT_SZ);
260 sha256_final(&sctx, out);
261}
d2add27c 262
699e3efd
JB		 263static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip)
264{
265 struct crypto_kpp *kpp;
266 struct kpp_request *req;
267 struct scatterlist s[2], d[1];
268 struct ecdh p = {0};
269 u8 encoded_key[EC_PT_SZ], *x, *y;
270 unsigned int buf_len;
271
272 /* secret is two sized points */
273 tpm_buf_append_u16(buf, (EC_PT_SZ + 2)*2);
274 /*
275 * we cheat here and append uninitialized data to form
276 * the points. All we care about is getting the two
277 * co-ordinate pointers, which will be used to overwrite
278 * the uninitialized data
279 */
280 tpm_buf_append_u16(buf, EC_PT_SZ);
281 x = &buf->data[tpm_buf_length(buf)];
282 tpm_buf_append(buf, encoded_key, EC_PT_SZ);
283 tpm_buf_append_u16(buf, EC_PT_SZ);
284 y = &buf->data[tpm_buf_length(buf)];
285 tpm_buf_append(buf, encoded_key, EC_PT_SZ);
286 sg_init_table(s, 2);
287 sg_set_buf(&s[0], x, EC_PT_SZ);
288 sg_set_buf(&s[1], y, EC_PT_SZ);
289
290 kpp = crypto_alloc_kpp("ecdh-nist-p256", CRYPTO_ALG_INTERNAL, 0);
291 if (IS_ERR(kpp)) {
292 dev_err(&chip->dev, "crypto ecdh allocation failed\n");
293 return;
294 }
295
296 buf_len = crypto_ecdh_key_len(&p);
297 if (sizeof(encoded_key) < buf_len) {
298 dev_err(&chip->dev, "salt buffer too small needs %d\n",
299 buf_len);
300 goto out;
301 }
302 crypto_ecdh_encode_key(encoded_key, buf_len, &p);
303 /* this generates a random private key */
304 crypto_kpp_set_secret(kpp, encoded_key, buf_len);
305
306 /* salt is now the public point of this private key */
307 req = kpp_request_alloc(kpp, GFP_KERNEL);
308 if (!req)
309 goto out;
310 kpp_request_set_input(req, NULL, 0);
311 kpp_request_set_output(req, s, EC_PT_SZ*2);
312 crypto_kpp_generate_public_key(req);
313 /*
314 * we're not done: now we have to compute the shared secret
315 * which is our private key multiplied by the tpm_key public
316 * point, we actually only take the x point and discard the y
317 * point and feed it through KDFe to get the final secret salt
318 */
319 sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ);
320 sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ);
321 kpp_request_set_input(req, s, EC_PT_SZ*2);
322 sg_init_one(d, chip->auth->salt, EC_PT_SZ);
323 kpp_request_set_output(req, d, EC_PT_SZ);
324 crypto_kpp_compute_shared_secret(req);
325 kpp_request_free(req);
326
327 /*
328 * pass the shared secret through KDFe for salt. Note salt
329 * area is used both for input shared secret and output salt.
330 * This works because KDFe fully consumes the secret before it
331 * writes the salt
332 */
333 tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x,
334 chip->auth->salt);
335
336 out:
337 crypto_free_kpp(kpp);
338}
d0a25bb9 339
1085b827
JB		 340/**
341 * tpm_buf_append_hmac_session() - Append a TPM session element
342 * @chip: the TPM chip structure
343 * @buf: The buffer to be appended
344 * @attributes: The session attributes
345 * @passphrase: The session authority (NULL if none)
346 * @passphrase_len: The length of the session authority (0 if none)
347 *
348 * This fills in a session structure in the TPM command buffer, except
349 * for the HMAC which cannot be computed until the command buffer is
350 * complete. The type of session is controlled by the @attributes,
351 * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the
352 * session won't terminate after tpm_buf_check_hmac_response(),
353 * TPM2_SA_DECRYPT which means this buffers first parameter should be
354 * encrypted with a session key and TPM2_SA_ENCRYPT, which means the
355 * response buffer's first parameter needs to be decrypted (confusing,
356 * but the defines are written from the point of view of the TPM).
357 *
358 * Any session appended by this command must be finalized by calling
359 * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect
360 * and the TPM will reject the command.
361 *
362 * As with most tpm_buf operations, success is assumed because failure
363 * will be caused by an incorrect programming model and indicated by a
364 * kernel message.
365 */
366void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
367 u8 attributes, u8 *passphrase,
368 int passphrase_len)
369{
370 u8 nonce[SHA256_DIGEST_SIZE];
371 u32 len;
372 struct tpm2_auth *auth = chip->auth;
373
374 /*
375 * The Architecture Guide requires us to strip trailing zeros
376 * before computing the HMAC
377 */
378 while (passphrase && passphrase_len > 0
379 && passphrase[passphrase_len - 1] == '\0')
380 passphrase_len--;
381
382 auth->attrs = attributes;
383 auth->passphrase_len = passphrase_len;
384 if (passphrase_len)
385 memcpy(auth->passphrase, passphrase, passphrase_len);
386
387 if (auth->session != tpm_buf_length(buf)) {
388 /* we're not the first session */
389 len = get_unaligned_be32(&buf->data[auth->session]);
390 if (4 + len + auth->session != tpm_buf_length(buf)) {
391 WARN(1, "session length mismatch, cannot append");
392 return;
393 }
394
395 /* add our new session */
396 len += 9 + 2 * SHA256_DIGEST_SIZE;
397 put_unaligned_be32(len, &buf->data[auth->session]);
398 } else {
399 tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE);
400 }
401
402 /* random number for our nonce */
403 get_random_bytes(nonce, sizeof(nonce));
404 memcpy(auth->our_nonce, nonce, sizeof(nonce));
405 tpm_buf_append_u32(buf, auth->handle);
406 /* our new nonce */
407 tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
408 tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
409 tpm_buf_append_u8(buf, auth->attrs);
410 /* and put a placeholder for the hmac */
411 tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
412 tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
413}
414EXPORT_SYMBOL(tpm_buf_append_hmac_session);
415
416/**
417 * tpm_buf_fill_hmac_session() - finalize the session HMAC
418 * @chip: the TPM chip structure
419 * @buf: The buffer to be appended
420 *
421 * This command must not be called until all of the parameters have
422 * been appended to @buf otherwise the computed HMAC will be
423 * incorrect.
424 *
425 * This function computes and fills in the session HMAC using the
426 * session key and, if TPM2_SA_DECRYPT was specified, computes the
427 * encryption key and encrypts the first parameter of the command
428 * buffer with it.
429 *
430 * As with most tpm_buf operations, success is assumed because failure
431 * will be caused by an incorrect programming model and indicated by a
432 * kernel message.
433 */
434void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
435{
436 u32 cc, handles, val;
437 struct tpm2_auth *auth = chip->auth;
438 int i;
439 struct tpm_header *head = (struct tpm_header *)buf->data;
440 off_t offset_s = TPM_HEADER_SIZE, offset_p;
441 u8 *hmac = NULL;
442 u32 attrs;
443 u8 cphash[SHA256_DIGEST_SIZE];
444 struct sha256_state sctx;
445
446 /* save the command code in BE format */
447 auth->ordinal = head->ordinal;
448
449 cc = be32_to_cpu(head->ordinal);
450
451 i = tpm2_find_cc(chip, cc);
452 if (i < 0) {
453 dev_err(&chip->dev, "Command 0x%x not found in TPM\n", cc);
454 return;
455 }
456 attrs = chip->cc_attrs_tbl[i];
457
458 handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
459
460 /*
461 * just check the names, it's easy to make mistakes. This
462 * would happen if someone added a handle via
463 * tpm_buf_append_u32() instead of tpm_buf_append_name()
464 */
465 for (i = 0; i < handles; i++) {
466 u32 handle = tpm_buf_read_u32(buf, &offset_s);
467
468 if (auth->name_h[i] != handle) {
469 dev_err(&chip->dev, "TPM: handle %d wrong for name\n",
470 i);
471 return;
472 }
473 }
474 /* point offset_s to the start of the sessions */
475 val = tpm_buf_read_u32(buf, &offset_s);
476 /* point offset_p to the start of the parameters */
477 offset_p = offset_s + val;
478 for (i = 1; offset_s < offset_p; i++) {
479 u32 handle = tpm_buf_read_u32(buf, &offset_s);
480 u16 len;
481 u8 a;
482
483 /* nonce (already in auth) */
484 len = tpm_buf_read_u16(buf, &offset_s);
485 offset_s += len;
486
487 a = tpm_buf_read_u8(buf, &offset_s);
488
489 len = tpm_buf_read_u16(buf, &offset_s);
490 if (handle == auth->handle && auth->attrs == a) {
491 hmac = &buf->data[offset_s];
492 /*
493 * save our session number so we know which
494 * session in the response belongs to us
495 */
496 auth->session = i;
497 }
498
499 offset_s += len;
500 }
501 if (offset_s != offset_p) {
502 dev_err(&chip->dev, "TPM session length is incorrect\n");
503 return;
504 }
505 if (!hmac) {
506 dev_err(&chip->dev, "TPM could not find HMAC session\n");
507 return;
508 }
509
510 /* encrypt before HMAC */
511 if (auth->attrs & TPM2_SA_DECRYPT) {
512 u16 len;
513
514 /* need key and IV */
515 tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
516 + auth->passphrase_len, "CFB", auth->our_nonce,
517 auth->tpm_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
518 auth->scratch);
519
520 len = tpm_buf_read_u16(buf, &offset_p);
521 aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
522 aescfb_encrypt(&auth->aes_ctx, &buf->data[offset_p],
523 &buf->data[offset_p], len,
524 auth->scratch + AES_KEY_BYTES);
525 /* reset p to beginning of parameters for HMAC */
526 offset_p -= 2;
527 }
528
529 sha256_init(&sctx);
530 /* ordinal is already BE */
531 sha256_update(&sctx, (u8 *)&head->ordinal, sizeof(head->ordinal));
532 /* add the handle names */
533 for (i = 0; i < handles; i++) {
534 enum tpm2_mso_type mso = tpm2_handle_mso(auth->name_h[i]);
535
536 if (mso == TPM2_MSO_PERSISTENT ||
537 mso == TPM2_MSO_VOLATILE ||
538 mso == TPM2_MSO_NVRAM) {
539 sha256_update(&sctx, auth->name[i],
540 name_size(auth->name[i]));
541 } else {
542 __be32 h = cpu_to_be32(auth->name_h[i]);
543
544 sha256_update(&sctx, (u8 *)&h, 4);
545 }
546 }
547 if (offset_s != tpm_buf_length(buf))
548 sha256_update(&sctx, &buf->data[offset_s],
549 tpm_buf_length(buf) - offset_s);
550 sha256_final(&sctx, cphash);
551
552 /* now calculate the hmac */
553 tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
554 + auth->passphrase_len);
555 sha256_update(&sctx, cphash, sizeof(cphash));
556 sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
557 sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
558 sha256_update(&sctx, &auth->attrs, 1);
559 tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
560 + auth->passphrase_len, hmac);
561}
562EXPORT_SYMBOL(tpm_buf_fill_hmac_session);
563
d0a25bb9
JB		 564static int tpm2_parse_read_public(char *name, struct tpm_buf *buf)
565{
566 struct tpm_header *head = (struct tpm_header *)buf->data;
567 off_t offset = TPM_HEADER_SIZE;
568 u32 tot_len = be32_to_cpu(head->length);
569 u32 val;
570
571 /* we're starting after the header so adjust the length */
572 tot_len -= TPM_HEADER_SIZE;
573
574 /* skip public */
575 val = tpm_buf_read_u16(buf, &offset);
576 if (val > tot_len)
577 return -EINVAL;
578 offset += val;
579 /* name */
580 val = tpm_buf_read_u16(buf, &offset);
581 if (val != name_size(&buf->data[offset]))
582 return -EINVAL;
583 memcpy(name, &buf->data[offset], val);
584 /* forget the rest */
585 return 0;
586}
587
588static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name)
589{
590 struct tpm_buf buf;
591 int rc;
592
593 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
594 if (rc)
595 return rc;
596
597 tpm_buf_append_u32(&buf, handle);
598 rc = tpm_transmit_cmd(chip, &buf, 0, "read public");
599 if (rc == TPM2_RC_SUCCESS)
600 rc = tpm2_parse_read_public(name, &buf);
601
602 tpm_buf_destroy(&buf);
603
604 return rc;
605}
606
607/**
608 * tpm_buf_append_name() - add a handle area to the buffer
609 * @chip: the TPM chip structure
610 * @buf: The buffer to be appended
611 * @handle: The handle to be appended
612 * @name: The name of the handle (may be NULL)
613 *
614 * In order to compute session HMACs, we need to know the names of the
615 * objects pointed to by the handles. For most objects, this is simply
616 * the actual 4 byte handle or an empty buf (in these cases @name
617 * should be NULL) but for volatile objects, permanent objects and NV
618 * areas, the name is defined as the hash (according to the name
619 * algorithm which should be set to sha256) of the public area to
620 * which the two byte algorithm id has been appended. For these
621 * objects, the @name pointer should point to this. If a name is
622 * required but @name is NULL, then TPM2_ReadPublic() will be called
623 * on the handle to obtain the name.
624 *
625 * As with most tpm_buf operations, success is assumed because failure
626 * will be caused by an incorrect programming model and indicated by a
627 * kernel message.
628 */
629void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf,
630 u32 handle, u8 *name)
631{
632 enum tpm2_mso_type mso = tpm2_handle_mso(handle);
633 struct tpm2_auth *auth = chip->auth;
634 int slot;
635
636 slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE)/4;
637 if (slot >= AUTH_MAX_NAMES) {
638 dev_err(&chip->dev, "TPM: too many handles\n");
639 return;
640 }
641 WARN(auth->session != tpm_buf_length(buf),
642 "name added in wrong place\n");
643 tpm_buf_append_u32(buf, handle);
644 auth->session += 4;
645
646 if (mso == TPM2_MSO_PERSISTENT ||
647 mso == TPM2_MSO_VOLATILE ||
648 mso == TPM2_MSO_NVRAM) {
649 if (!name)
650 tpm2_read_public(chip, handle, auth->name[slot]);
651 } else {
652 if (name)
653 dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n");
654 }
655
656 auth->name_h[slot] = handle;
657 if (name)
658 memcpy(auth->name[slot], name, name_size(name));
659}
660EXPORT_SYMBOL(tpm_buf_append_name);
1085b827
JB		 661
662/**
663 * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness
664 * @chip: the TPM chip structure
665 * @buf: the original command buffer (which now contains the response)
666 * @rc: the return code from tpm_transmit_cmd
667 *
668 * If @rc is non zero, @buf may not contain an actual return, so @rc
669 * is passed through as the return and the session cleaned up and
670 * de-allocated if required (this is required if
671 * TPM2_SA_CONTINUE_SESSION was not specified as a session flag).
672 *
673 * If @rc is zero, the response HMAC is computed against the returned
674 * @buf and matched to the TPM one in the session area. If there is a
675 * mismatch, an error is logged and -EINVAL returned.
676 *
677 * The reason for this is that the command issue and HMAC check
678 * sequence should look like:
679 *
680 * rc = tpm_transmit_cmd(...);
681 * rc = tpm_buf_check_hmac_response(&buf, auth, rc);
682 * if (rc)
683 * ...
684 *
685 * Which is easily layered into the current contrl flow.
686 *
687 * Returns: 0 on success or an error.
688 */
689int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
690 int rc)
691{
692 struct tpm_header *head = (struct tpm_header *)buf->data;
693 struct tpm2_auth *auth = chip->auth;
694 off_t offset_s, offset_p;
695 u8 rphash[SHA256_DIGEST_SIZE];
696 u32 attrs;
697 struct sha256_state sctx;
698 u16 tag = be16_to_cpu(head->tag);
699 u32 cc = be32_to_cpu(auth->ordinal);
700 int parm_len, len, i, handles;
701
702 if (auth->session >= TPM_HEADER_SIZE) {
703 WARN(1, "tpm session not filled correctly\n");
704 goto out;
705 }
706
707 if (rc != 0)
708 /* pass non success rc through and close the session */
709 goto out;
710
711 rc = -EINVAL;
712 if (tag != TPM2_ST_SESSIONS) {
713 dev_err(&chip->dev, "TPM: HMAC response check has no sessions tag\n");
714 goto out;
715 }
716
717 i = tpm2_find_cc(chip, cc);
718 if (i < 0)
719 goto out;
720 attrs = chip->cc_attrs_tbl[i];
721 handles = (attrs >> TPM2_CC_ATTR_RHANDLE) & 1;
722
723 /* point to area beyond handles */
724 offset_s = TPM_HEADER_SIZE + handles * 4;
725 parm_len = tpm_buf_read_u32(buf, &offset_s);
726 offset_p = offset_s;
727 offset_s += parm_len;
728 /* skip over any sessions before ours */
729 for (i = 0; i < auth->session - 1; i++) {
730 len = tpm_buf_read_u16(buf, &offset_s);
731 offset_s += len + 1;
732 len = tpm_buf_read_u16(buf, &offset_s);
733 offset_s += len;
734 }
735 /* TPM nonce */
736 len = tpm_buf_read_u16(buf, &offset_s);
737 if (offset_s + len > tpm_buf_length(buf))
738 goto out;
739 if (len != SHA256_DIGEST_SIZE)
740 goto out;
741 memcpy(auth->tpm_nonce, &buf->data[offset_s], len);
742 offset_s += len;
743 attrs = tpm_buf_read_u8(buf, &offset_s);
744 len = tpm_buf_read_u16(buf, &offset_s);
745 if (offset_s + len != tpm_buf_length(buf))
746 goto out;
747 if (len != SHA256_DIGEST_SIZE)
748 goto out;
749 /*
750 * offset_s points to the HMAC. now calculate comparison, beginning
751 * with rphash
752 */
753 sha256_init(&sctx);
754 /* yes, I know this is now zero, but it's what the standard says */
755 sha256_update(&sctx, (u8 *)&head->return_code,
756 sizeof(head->return_code));
757 /* ordinal is already BE */
758 sha256_update(&sctx, (u8 *)&auth->ordinal, sizeof(auth->ordinal));
759 sha256_update(&sctx, &buf->data[offset_p], parm_len);
760 sha256_final(&sctx, rphash);
761
762 /* now calculate the hmac */
763 tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
764 + auth->passphrase_len);
765 sha256_update(&sctx, rphash, sizeof(rphash));
766 sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
767 sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
768 sha256_update(&sctx, &auth->attrs, 1);
769 /* we're done with the rphash, so put our idea of the hmac there */
770 tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
771 + auth->passphrase_len, rphash);
772 if (memcmp(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE) == 0) {
773 rc = 0;
774 } else {
775 dev_err(&chip->dev, "TPM: HMAC check failed\n");
776 goto out;
777 }
778
779 /* now do response decryption */
780 if (auth->attrs & TPM2_SA_ENCRYPT) {
781 /* need key and IV */
782 tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
783 + auth->passphrase_len, "CFB", auth->tpm_nonce,
784 auth->our_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
785 auth->scratch);
786
787 len = tpm_buf_read_u16(buf, &offset_p);
788 aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
789 aescfb_decrypt(&auth->aes_ctx, &buf->data[offset_p],
790 &buf->data[offset_p], len,
791 auth->scratch + AES_KEY_BYTES);
792 }
793
794 out:
795 if ((auth->attrs & TPM2_SA_CONTINUE_SESSION) == 0) {
796 if (rc)
797 /* manually close the session if it wasn't consumed */
798 tpm2_flush_context(chip, auth->handle);
799 memzero_explicit(auth, sizeof(*auth));
800 } else {
801 /* reset for next use */
802 auth->session = TPM_HEADER_SIZE;
803 }
804
805 return rc;
806}
807EXPORT_SYMBOL(tpm_buf_check_hmac_response);
808
699e3efd
JB		 809/**
810 * tpm2_end_auth_session() - kill the allocated auth session
811 * @chip: the TPM chip structure
812 *
813 * ends the session started by tpm2_start_auth_session and frees all
814 * the resources. Under normal conditions,
815 * tpm_buf_check_hmac_response() will correctly end the session if
816 * required, so this function is only for use in error legs that will
817 * bypass the normal invocation of tpm_buf_check_hmac_response().
818 */
819void tpm2_end_auth_session(struct tpm_chip *chip)
820{
821 tpm2_flush_context(chip, chip->auth->handle);
822 memzero_explicit(chip->auth, sizeof(*chip->auth));
823}
824EXPORT_SYMBOL(tpm2_end_auth_session);
825
826static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
827 struct tpm_buf *buf)
828{
829 struct tpm_header *head = (struct tpm_header *)buf->data;
830 u32 tot_len = be32_to_cpu(head->length);
831 off_t offset = TPM_HEADER_SIZE;
832 u32 val;
833
834 /* we're starting after the header so adjust the length */
835 tot_len -= TPM_HEADER_SIZE;
836
837 /* should have handle plus nonce */
838 if (tot_len != 4 + 2 + sizeof(auth->tpm_nonce))
839 return -EINVAL;
840
841 auth->handle = tpm_buf_read_u32(buf, &offset);
842 val = tpm_buf_read_u16(buf, &offset);
843 if (val != sizeof(auth->tpm_nonce))
844 return -EINVAL;
845 memcpy(auth->tpm_nonce, &buf->data[offset], sizeof(auth->tpm_nonce));
846 /* now compute the session key from the nonces */
847 tpm2_KDFa(auth->salt, sizeof(auth->salt), "ATH", auth->tpm_nonce,
848 auth->our_nonce, sizeof(auth->session_key),
849 auth->session_key);
850
851 return 0;
852}
853
854/**
855 * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
856 * @chip: the TPM chip structure to create the session with
857 *
858 * This function loads the NULL seed from its saved context and starts
859 * an authentication session on the null seed, fills in the
860 * @chip->auth structure to contain all the session details necessary
861 * for performing the HMAC, encrypt and decrypt operations and
862 * returns. The NULL seed is flushed before this function returns.
863 *
864 * Return: zero on success or actual error encountered.
865 */
866int tpm2_start_auth_session(struct tpm_chip *chip)
867{
868 struct tpm_buf buf;
869 struct tpm2_auth *auth = chip->auth;
870 int rc;
871 /* null seed context has no offset, but we must provide one */
872 unsigned int offset = 0;
873 u32 nullkey;
874
875 rc = tpm2_load_context(chip, chip->null_key_context, &offset,
876 &nullkey);
877 if (rc)
878 goto out;
879
880 auth->session = TPM_HEADER_SIZE;
881
882 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
883 if (rc)
884 goto out;
885
886 /* salt key handle */
887 tpm_buf_append_u32(&buf, nullkey);
888 /* bind key handle */
889 tpm_buf_append_u32(&buf, TPM2_RH_NULL);
890 /* nonce caller */
891 get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
892 tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
893 tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
894
895 /* append encrypted salt and squirrel away unencrypted in auth */
896 tpm_buf_append_salt(&buf, chip);
897 /* session type (HMAC, audit or policy) */
898 tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
899
900 /* symmetric encryption parameters */
901 /* symmetric algorithm */
902 tpm_buf_append_u16(&buf, TPM_ALG_AES);
903 /* bits for symmetric algorithm */
904 tpm_buf_append_u16(&buf, AES_KEY_BITS);
905 /* symmetric algorithm mode (must be CFB) */
906 tpm_buf_append_u16(&buf, TPM_ALG_CFB);
907 /* hash algorithm for session */
908 tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
909
910 rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
911 tpm2_flush_context(chip, nullkey);
912
913 if (rc == TPM2_RC_SUCCESS)
914 rc = tpm2_parse_start_auth_session(auth, &buf);
915
916 tpm_buf_destroy(&buf);
917
918 if (rc)
919 goto out;
920
921 out:
922 return rc;
923}
924EXPORT_SYMBOL(tpm2_start_auth_session);
925
d2add27c
JB		 926/**
927 * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
928 *
929 * @chip: The TPM the primary was created under
930 * @buf: The response buffer from the chip
931 * @handle: pointer to be filled in with the return handle of the primary
932 * @hierarchy: The hierarchy the primary was created for
933 *
934 * Return:
935 * * 0 - OK
936 * * -errno - A system error
937 * * TPM_RC - A TPM error
938 */
939static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
940 u32 *handle, u32 hierarchy)
941{
942 struct tpm_header *head = (struct tpm_header *)buf->data;
943 off_t offset_r = TPM_HEADER_SIZE, offset_t;
944 u16 len = TPM_HEADER_SIZE;
945 u32 total_len = be32_to_cpu(head->length);
946 u32 val, param_len;
947
948 *handle = tpm_buf_read_u32(buf, &offset_r);
949 param_len = tpm_buf_read_u32(buf, &offset_r);
950 /*
951 * param_len doesn't include the header, but all the other
952 * lengths and offsets do, so add it to parm len to make
953 * the comparisons easier
954 */
955 param_len += TPM_HEADER_SIZE;
956
957 if (param_len + 8 > total_len)
958 return -EINVAL;
959 len = tpm_buf_read_u16(buf, &offset_r);
960 offset_t = offset_r;
961 /* now we have the public area, compute the name of the object */
962 put_unaligned_be16(TPM_ALG_SHA256, chip->null_key_name);
963 sha256(&buf->data[offset_r], len, chip->null_key_name + 2);
964
965 /* validate the public key */
966 val = tpm_buf_read_u16(buf, &offset_t);
967
968 /* key type (must be what we asked for) */
969 if (val != TPM_ALG_ECC)
970 return -EINVAL;
971 val = tpm_buf_read_u16(buf, &offset_t);
972
973 /* name algorithm */
974 if (val != TPM_ALG_SHA256)
975 return -EINVAL;
976 val = tpm_buf_read_u32(buf, &offset_t);
977
978 /* object properties */
979 if (val != TPM2_OA_TMPL)
980 return -EINVAL;
981
982 /* auth policy (empty) */
983 val = tpm_buf_read_u16(buf, &offset_t);
984 if (val != 0)
985 return -EINVAL;
986
987 /* symmetric key parameters */
988 val = tpm_buf_read_u16(buf, &offset_t);
989 if (val != TPM_ALG_AES)
990 return -EINVAL;
991
992 /* symmetric key length */
993 val = tpm_buf_read_u16(buf, &offset_t);
994 if (val != AES_KEY_BITS)
995 return -EINVAL;
996
997 /* symmetric encryption scheme */
998 val = tpm_buf_read_u16(buf, &offset_t);
999 if (val != TPM_ALG_CFB)
1000 return -EINVAL;
1001
1002 /* signing scheme */
1003 val = tpm_buf_read_u16(buf, &offset_t);
1004 if (val != TPM_ALG_NULL)
1005 return -EINVAL;
1006
1007 /* ECC Curve */
1008 val = tpm_buf_read_u16(buf, &offset_t);
1009 if (val != TPM2_ECC_NIST_P256)
1010 return -EINVAL;
1011
1012 /* KDF Scheme */
1013 val = tpm_buf_read_u16(buf, &offset_t);
1014 if (val != TPM_ALG_NULL)
1015 return -EINVAL;
1016
1017 /* extract public key (x and y points) */
1018 val = tpm_buf_read_u16(buf, &offset_t);
1019 if (val != EC_PT_SZ)
1020 return -EINVAL;
1021 memcpy(chip->null_ec_key_x, &buf->data[offset_t], val);
1022 offset_t += val;
1023 val = tpm_buf_read_u16(buf, &offset_t);
1024 if (val != EC_PT_SZ)
1025 return -EINVAL;
1026 memcpy(chip->null_ec_key_y, &buf->data[offset_t], val);
1027 offset_t += val;
1028
1029 /* original length of the whole TPM2B */
1030 offset_r += len;
1031
1032 /* should have exactly consumed the TPM2B public structure */
1033 if (offset_t != offset_r)
1034 return -EINVAL;
1035 if (offset_r > param_len)
1036 return -EINVAL;
1037
1038 /* creation data (skip) */
1039 len = tpm_buf_read_u16(buf, &offset_r);
1040 offset_r += len;
1041 if (offset_r > param_len)
1042 return -EINVAL;
1043
1044 /* creation digest (must be sha256) */
1045 len = tpm_buf_read_u16(buf, &offset_r);
1046 offset_r += len;
1047 if (len != SHA256_DIGEST_SIZE || offset_r > param_len)
1048 return -EINVAL;
1049
1050 /* TPMT_TK_CREATION follows */
1051 /* tag, must be TPM_ST_CREATION (0x8021) */
1052 val = tpm_buf_read_u16(buf, &offset_r);
1053 if (val != TPM2_ST_CREATION || offset_r > param_len)
1054 return -EINVAL;
1055
1056 /* hierarchy */
1057 val = tpm_buf_read_u32(buf, &offset_r);
1058 if (val != hierarchy || offset_r > param_len)
1059 return -EINVAL;
1060
1061 /* the ticket digest HMAC (might not be sha256) */
1062 len = tpm_buf_read_u16(buf, &offset_r);
1063 offset_r += len;
1064 if (offset_r > param_len)
1065 return -EINVAL;
1066
1067 /*
1068 * finally we have the name, which is a sha256 digest plus a 2
1069 * byte algorithm type
1070 */
1071 len = tpm_buf_read_u16(buf, &offset_r);
1072 if (offset_r + len != param_len + 8)
1073 return -EINVAL;
1074 if (len != SHA256_DIGEST_SIZE + 2)
1075 return -EINVAL;
1076
1077 if (memcmp(chip->null_key_name, &buf->data[offset_r],
1078 SHA256_DIGEST_SIZE + 2) != 0) {
1079 dev_err(&chip->dev, "NULL Seed name comparison failed\n");
1080 return -EINVAL;
1081 }
1082
1083 return 0;
1084}
1085
1086/**
1087 * tpm2_create_primary() - create a primary key using a fixed P-256 template
1088 *
1089 * @chip: the TPM chip to create under
1090 * @hierarchy: The hierarchy handle to create under
1091 * @handle: The returned volatile handle on success
1092 *
1093 * For platforms that might not have a persistent primary, this can be
1094 * used to create one quickly on the fly (it uses Elliptic Curve not
1095 * RSA, so even slow TPMs can create one fast). The template uses the
1096 * TCG mandated H one for non-endorsement ECC primaries, i.e. P-256
1097 * elliptic curve (the only current one all TPM2s are required to
1098 * have) a sha256 name hash and no policy.
1099 *
1100 * Return:
1101 * * 0 - OK
1102 * * -errno - A system error
1103 * * TPM_RC - A TPM error
1104 */
1105static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
1106 u32 *handle)
1107{
1108 int rc;
1109 struct tpm_buf buf;
1110 struct tpm_buf template;
1111
1112 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
1113 if (rc)
1114 return rc;
1115
1116 rc = tpm_buf_init_sized(&template);
1117 if (rc) {
1118 tpm_buf_destroy(&buf);
1119 return rc;
1120 }
1121
1122 /*
1123 * create the template. Note: in order for userspace to
1124 * verify the security of the system, it will have to create
1125 * and certify this NULL primary, meaning all the template
1126 * parameters will have to be identical, so conform exactly to
1127 * the TCG TPM v2.0 Provisioning Guidance for the SRK ECC
1128 * key H template (H has zero size unique points)
1129 */
1130
1131 /* key type */
1132 tpm_buf_append_u16(&template, TPM_ALG_ECC);
1133
1134 /* name algorithm */
1135 tpm_buf_append_u16(&template, TPM_ALG_SHA256);
1136
1137 /* object properties */
1138 tpm_buf_append_u32(&template, TPM2_OA_TMPL);
1139
1140 /* sauth policy (empty) */
1141 tpm_buf_append_u16(&template, 0);
1142
1143 /* BEGIN parameters: key specific; for ECC*/
1144
1145 /* symmetric algorithm */
1146 tpm_buf_append_u16(&template, TPM_ALG_AES);
1147
1148 /* bits for symmetric algorithm */
1149 tpm_buf_append_u16(&template, AES_KEY_BITS);
1150
1151 /* algorithm mode (must be CFB) */
1152 tpm_buf_append_u16(&template, TPM_ALG_CFB);
1153
1154 /* scheme (NULL means any scheme) */
1155 tpm_buf_append_u16(&template, TPM_ALG_NULL);
1156
1157 /* ECC Curve ID */
1158 tpm_buf_append_u16(&template, TPM2_ECC_NIST_P256);
1159
1160 /* KDF Scheme */
1161 tpm_buf_append_u16(&template, TPM_ALG_NULL);
1162
1163 /* unique: key specific; for ECC it is two zero size points */
1164 tpm_buf_append_u16(&template, 0);
1165 tpm_buf_append_u16(&template, 0);
1166
1167 /* END parameters */
1168
1169 /* primary handle */
1170 tpm_buf_append_u32(&buf, hierarchy);
1171 tpm_buf_append_empty_auth(&buf, TPM2_RS_PW);
1172
1173 /* sensitive create size is 4 for two empty buffers */
1174 tpm_buf_append_u16(&buf, 4);
1175
1176 /* sensitive create auth data (empty) */
1177 tpm_buf_append_u16(&buf, 0);
1178
1179 /* sensitive create sensitive data (empty) */
1180 tpm_buf_append_u16(&buf, 0);
1181
1182 /* the public template */
1183 tpm_buf_append(&buf, template.data, template.length);
1184 tpm_buf_destroy(&template);
1185
1186 /* outside info (empty) */
1187 tpm_buf_append_u16(&buf, 0);
1188
1189 /* creation PCR (none) */
1190 tpm_buf_append_u32(&buf, 0);
1191
1192 rc = tpm_transmit_cmd(chip, &buf, 0,
1193 "attempting to create NULL primary");
1194
1195 if (rc == TPM2_RC_SUCCESS)
1196 rc = tpm2_parse_create_primary(chip, &buf, handle, hierarchy);
1197
1198 tpm_buf_destroy(&buf);
1199
1200 return rc;
1201}
1202
1203static int tpm2_create_null_primary(struct tpm_chip *chip)
1204{
1205 u32 null_key;
1206 int rc;
1207
1208 rc = tpm2_create_primary(chip, TPM2_RH_NULL, &null_key);
1209
1210 if (rc == TPM2_RC_SUCCESS) {
1211 unsigned int offset = 0; /* dummy offset for null key context */
1212
1213 rc = tpm2_save_context(chip, null_key, chip->null_key_context,
1214 sizeof(chip->null_key_context), &offset);
1215 tpm2_flush_context(chip, null_key);
1216 }
1217
1218 return rc;
1219}
1220
1221/**
1222 * tpm2_sessions_init() - start of day initialization for the sessions code
1223 * @chip: TPM chip
1224 *
1225 * Derive and context save the null primary and allocate memory in the
1226 * struct tpm_chip for the authorizations.
1227 */
1228int tpm2_sessions_init(struct tpm_chip *chip)
1229{
1230 int rc;
1231
1232 rc = tpm2_create_null_primary(chip);
1233 if (rc)
1234 dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc);
1235
699e3efd
JB		 1236 chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL);
1237 if (!chip->auth)
1238 return -ENOMEM;
1239
d2add27c
JB		 1240 return rc;
1241}
Linux 6.x block layer and io_uring tree(s)