projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tpm: Add HMAC session start and end functions
[linux-2.6-block.git] / drivers / char / tpm / tpm2-sessions.c
CommitLineData
d2add27c
JB		 1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Copyright (C) 2018 James.Bottomley@HansenPartnership.com
5 *
699e3efd
JB		 6 * Cryptographic helper routines for handling TPM2 sessions for
7 * authorization HMAC and request response encryption.
8 *
9 * The idea is to ensure that every TPM command is HMAC protected by a
10 * session, meaning in-flight tampering would be detected and in
11 * addition all sensitive inputs and responses should be encrypted.
12 *
13 * The basic way this works is to use a TPM feature called salted
14 * sessions where a random secret used in session construction is
15 * encrypted to the public part of a known TPM key. The problem is we
16 * have no known keys, so initially a primary Elliptic Curve key is
17 * derived from the NULL seed (we use EC because most TPMs generate
18 * these keys much faster than RSA ones). The curve used is NIST_P256
19 * because that's now mandated to be present in 'TCG TPM v2.0
20 * Provisioning Guidance'
21 *
22 * Threat problems: the initial TPM2_CreatePrimary is not (and cannot
23 * be) session protected, so a clever Man in the Middle could return a
24 * public key they control to this command and from there intercept
25 * and decode all subsequent session based transactions. The kernel
26 * cannot mitigate this threat but, after boot, userspace can get
27 * proof this has not happened by asking the TPM to certify the NULL
28 * key. This certification would chain back to the TPM Endorsement
29 * Certificate and prove the NULL seed primary had not been tampered
30 * with and thus all sessions must have been cryptographically secure.
31 * To assist with this, the initial NULL seed public key name is made
32 * available in a sysfs file.
33 *
34 * Use of these functions:
35 *
36 * The design is all the crypto, hash and hmac gunk is confined in this
37 * file and never needs to be seen even by the kernel internal user. To
38 * the user there's an init function tpm2_sessions_init() that needs to
39 * be called once per TPM which generates the NULL seed primary key.
40 *
41 * These are the usage functions:
42 *
43 * tpm2_start_auth_session() which allocates the opaque auth structure
44 * and gets a session from the TPM. This must be called before
45 * any of the following functions. The session is protected by a
46 * session_key which is derived from a random salt value
47 * encrypted to the NULL seed.
48 * tpm2_end_auth_session() kills the session and frees the resources.
49 * Under normal operation this function is done by
50 * tpm_buf_check_hmac_response(), so this is only to be used on
51 * error legs where the latter is not executed.
d2add27c
JB		 52 */
53
54#include "tpm.h"
699e3efd
JB		 55#include <linux/random.h>
56#include <linux/scatterlist.h>
d2add27c 57#include <asm/unaligned.h>
699e3efd
JB		 58#include <crypto/kpp.h>
59#include <crypto/ecdh.h>
033ee84e
JB		 60#include <crypto/hash.h>
61#include <crypto/hmac.h>
62
699e3efd
JB		 63/*
64 * This is the structure that carries all the auth information (like
65 * session handle, nonces, session key and auth) from use to use it is
66 * designed to be opaque to anything outside.
67 */
68struct tpm2_auth {
69 u32 handle;
70 /*
71 * This has two meanings: before tpm_buf_fill_hmac_session()
72 * it marks the offset in the buffer of the start of the
73 * sessions (i.e. after all the handles). Once the buffer has
74 * been filled it markes the session number of our auth
75 * session so we can find it again in the response buffer.
76 *
77 * The two cases are distinguished because the first offset
78 * must always be greater than TPM_HEADER_SIZE and the second
79 * must be less than or equal to 5.
80 */
81 u32 session;
82 /*
83 * the size here is variable and set by the size of our_nonce
84 * which must be between 16 and the name hash length. we set
85 * the maximum sha256 size for the greatest protection
86 */
87 u8 our_nonce[SHA256_DIGEST_SIZE];
88 u8 tpm_nonce[SHA256_DIGEST_SIZE];
89 /*
90 * the salt is only used across the session command/response
91 * after that it can be used as a scratch area
92 */
93 union {
94 u8 salt[EC_PT_SZ];
95 /* scratch for key + IV */
96 u8 scratch[AES_KEY_BYTES + AES_BLOCK_SIZE];
97 };
98 u8 session_key[SHA256_DIGEST_SIZE];
99};
100
033ee84e
JB		 101/*
102 * It turns out the crypto hmac(sha256) is hard for us to consume
103 * because it assumes a fixed key and the TPM seems to change the key
104 * on every operation, so we weld the hmac init and final functions in
105 * here to give it the same usage characteristics as a regular hash
106 */
107static void tpm2_hmac_init(struct sha256_state *sctx, u8 *key, u32 key_len)
108{
109 u8 pad[SHA256_BLOCK_SIZE];
110 int i;
111
112 sha256_init(sctx);
113 for (i = 0; i < sizeof(pad); i++) {
114 if (i < key_len)
115 pad[i] = key[i];
116 else
117 pad[i] = 0;
118 pad[i] ^= HMAC_IPAD_VALUE;
119 }
120 sha256_update(sctx, pad, sizeof(pad));
121}
122
123static void tpm2_hmac_final(struct sha256_state *sctx, u8 *key, u32 key_len,
124 u8 *out)
125{
126 u8 pad[SHA256_BLOCK_SIZE];
127 int i;
128
129 for (i = 0; i < sizeof(pad); i++) {
130 if (i < key_len)
131 pad[i] = key[i];
132 else
133 pad[i] = 0;
134 pad[i] ^= HMAC_OPAD_VALUE;
135 }
136
137 /* collect the final hash; use out as temporary storage */
138 sha256_final(sctx, out);
139
140 sha256_init(sctx);
141 sha256_update(sctx, pad, sizeof(pad));
142 sha256_update(sctx, out, SHA256_DIGEST_SIZE);
143 sha256_final(sctx, out);
144}
145
146/*
147 * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
148 * otherwise standard tpm2_KDFa. Note output is in bytes not bits.
149 */
150static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
151 u8 *v, u32 bytes, u8 *out)
152{
153 u32 counter = 1;
154 const __be32 bits = cpu_to_be32(bytes * 8);
155
156 while (bytes > 0) {
157 struct sha256_state sctx;
158 __be32 c = cpu_to_be32(counter);
159
160 tpm2_hmac_init(&sctx, key, key_len);
161 sha256_update(&sctx, (u8 *)&c, sizeof(c));
162 sha256_update(&sctx, label, strlen(label)+1);
163 sha256_update(&sctx, u, SHA256_DIGEST_SIZE);
164 sha256_update(&sctx, v, SHA256_DIGEST_SIZE);
165 sha256_update(&sctx, (u8 *)&bits, sizeof(bits));
166 tpm2_hmac_final(&sctx, key, key_len, out);
167
168 bytes -= SHA256_DIGEST_SIZE;
169 counter++;
170 out += SHA256_DIGEST_SIZE;
171 }
172}
173
174/*
175 * Somewhat of a bastardization of the real KDFe. We're assuming
176 * we're working with known point sizes for the input parameters and
177 * the hash algorithm is fixed at sha256. Because we know that the
178 * point size is 32 bytes like the hash size, there's no need to loop
179 * in this KDF.
180 */
181static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
182 u8 *out)
183{
184 struct sha256_state sctx;
185 /*
186 * this should be an iterative counter, but because we know
187 * we're only taking 32 bytes for the point using a sha256
188 * hash which is also 32 bytes, there's only one loop
189 */
190 __be32 c = cpu_to_be32(1);
191
192 sha256_init(&sctx);
193 /* counter (BE) */
194 sha256_update(&sctx, (u8 *)&c, sizeof(c));
195 /* secret value */
196 sha256_update(&sctx, z, EC_PT_SZ);
197 /* string including trailing zero */
198 sha256_update(&sctx, str, strlen(str)+1);
199 sha256_update(&sctx, pt_u, EC_PT_SZ);
200 sha256_update(&sctx, pt_v, EC_PT_SZ);
201 sha256_final(&sctx, out);
202}
d2add27c 203
699e3efd
JB		 204static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip)
205{
206 struct crypto_kpp *kpp;
207 struct kpp_request *req;
208 struct scatterlist s[2], d[1];
209 struct ecdh p = {0};
210 u8 encoded_key[EC_PT_SZ], *x, *y;
211 unsigned int buf_len;
212
213 /* secret is two sized points */
214 tpm_buf_append_u16(buf, (EC_PT_SZ + 2)*2);
215 /*
216 * we cheat here and append uninitialized data to form
217 * the points. All we care about is getting the two
218 * co-ordinate pointers, which will be used to overwrite
219 * the uninitialized data
220 */
221 tpm_buf_append_u16(buf, EC_PT_SZ);
222 x = &buf->data[tpm_buf_length(buf)];
223 tpm_buf_append(buf, encoded_key, EC_PT_SZ);
224 tpm_buf_append_u16(buf, EC_PT_SZ);
225 y = &buf->data[tpm_buf_length(buf)];
226 tpm_buf_append(buf, encoded_key, EC_PT_SZ);
227 sg_init_table(s, 2);
228 sg_set_buf(&s[0], x, EC_PT_SZ);
229 sg_set_buf(&s[1], y, EC_PT_SZ);
230
231 kpp = crypto_alloc_kpp("ecdh-nist-p256", CRYPTO_ALG_INTERNAL, 0);
232 if (IS_ERR(kpp)) {
233 dev_err(&chip->dev, "crypto ecdh allocation failed\n");
234 return;
235 }
236
237 buf_len = crypto_ecdh_key_len(&p);
238 if (sizeof(encoded_key) < buf_len) {
239 dev_err(&chip->dev, "salt buffer too small needs %d\n",
240 buf_len);
241 goto out;
242 }
243 crypto_ecdh_encode_key(encoded_key, buf_len, &p);
244 /* this generates a random private key */
245 crypto_kpp_set_secret(kpp, encoded_key, buf_len);
246
247 /* salt is now the public point of this private key */
248 req = kpp_request_alloc(kpp, GFP_KERNEL);
249 if (!req)
250 goto out;
251 kpp_request_set_input(req, NULL, 0);
252 kpp_request_set_output(req, s, EC_PT_SZ*2);
253 crypto_kpp_generate_public_key(req);
254 /*
255 * we're not done: now we have to compute the shared secret
256 * which is our private key multiplied by the tpm_key public
257 * point, we actually only take the x point and discard the y
258 * point and feed it through KDFe to get the final secret salt
259 */
260 sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ);
261 sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ);
262 kpp_request_set_input(req, s, EC_PT_SZ*2);
263 sg_init_one(d, chip->auth->salt, EC_PT_SZ);
264 kpp_request_set_output(req, d, EC_PT_SZ);
265 crypto_kpp_compute_shared_secret(req);
266 kpp_request_free(req);
267
268 /*
269 * pass the shared secret through KDFe for salt. Note salt
270 * area is used both for input shared secret and output salt.
271 * This works because KDFe fully consumes the secret before it
272 * writes the salt
273 */
274 tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x,
275 chip->auth->salt);
276
277 out:
278 crypto_free_kpp(kpp);
279}
280/**
281 * tpm2_end_auth_session() - kill the allocated auth session
282 * @chip: the TPM chip structure
283 *
284 * ends the session started by tpm2_start_auth_session and frees all
285 * the resources. Under normal conditions,
286 * tpm_buf_check_hmac_response() will correctly end the session if
287 * required, so this function is only for use in error legs that will
288 * bypass the normal invocation of tpm_buf_check_hmac_response().
289 */
290void tpm2_end_auth_session(struct tpm_chip *chip)
291{
292 tpm2_flush_context(chip, chip->auth->handle);
293 memzero_explicit(chip->auth, sizeof(*chip->auth));
294}
295EXPORT_SYMBOL(tpm2_end_auth_session);
296
297static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
298 struct tpm_buf *buf)
299{
300 struct tpm_header *head = (struct tpm_header *)buf->data;
301 u32 tot_len = be32_to_cpu(head->length);
302 off_t offset = TPM_HEADER_SIZE;
303 u32 val;
304
305 /* we're starting after the header so adjust the length */
306 tot_len -= TPM_HEADER_SIZE;
307
308 /* should have handle plus nonce */
309 if (tot_len != 4 + 2 + sizeof(auth->tpm_nonce))
310 return -EINVAL;
311
312 auth->handle = tpm_buf_read_u32(buf, &offset);
313 val = tpm_buf_read_u16(buf, &offset);
314 if (val != sizeof(auth->tpm_nonce))
315 return -EINVAL;
316 memcpy(auth->tpm_nonce, &buf->data[offset], sizeof(auth->tpm_nonce));
317 /* now compute the session key from the nonces */
318 tpm2_KDFa(auth->salt, sizeof(auth->salt), "ATH", auth->tpm_nonce,
319 auth->our_nonce, sizeof(auth->session_key),
320 auth->session_key);
321
322 return 0;
323}
324
325/**
326 * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
327 * @chip: the TPM chip structure to create the session with
328 *
329 * This function loads the NULL seed from its saved context and starts
330 * an authentication session on the null seed, fills in the
331 * @chip->auth structure to contain all the session details necessary
332 * for performing the HMAC, encrypt and decrypt operations and
333 * returns. The NULL seed is flushed before this function returns.
334 *
335 * Return: zero on success or actual error encountered.
336 */
337int tpm2_start_auth_session(struct tpm_chip *chip)
338{
339 struct tpm_buf buf;
340 struct tpm2_auth *auth = chip->auth;
341 int rc;
342 /* null seed context has no offset, but we must provide one */
343 unsigned int offset = 0;
344 u32 nullkey;
345
346 rc = tpm2_load_context(chip, chip->null_key_context, &offset,
347 &nullkey);
348 if (rc)
349 goto out;
350
351 auth->session = TPM_HEADER_SIZE;
352
353 rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
354 if (rc)
355 goto out;
356
357 /* salt key handle */
358 tpm_buf_append_u32(&buf, nullkey);
359 /* bind key handle */
360 tpm_buf_append_u32(&buf, TPM2_RH_NULL);
361 /* nonce caller */
362 get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
363 tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
364 tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
365
366 /* append encrypted salt and squirrel away unencrypted in auth */
367 tpm_buf_append_salt(&buf, chip);
368 /* session type (HMAC, audit or policy) */
369 tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
370
371 /* symmetric encryption parameters */
372 /* symmetric algorithm */
373 tpm_buf_append_u16(&buf, TPM_ALG_AES);
374 /* bits for symmetric algorithm */
375 tpm_buf_append_u16(&buf, AES_KEY_BITS);
376 /* symmetric algorithm mode (must be CFB) */
377 tpm_buf_append_u16(&buf, TPM_ALG_CFB);
378 /* hash algorithm for session */
379 tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
380
381 rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
382 tpm2_flush_context(chip, nullkey);
383
384 if (rc == TPM2_RC_SUCCESS)
385 rc = tpm2_parse_start_auth_session(auth, &buf);
386
387 tpm_buf_destroy(&buf);
388
389 if (rc)
390 goto out;
391
392 out:
393 return rc;
394}
395EXPORT_SYMBOL(tpm2_start_auth_session);
396
d2add27c
JB		 397/**
398 * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
399 *
400 * @chip: The TPM the primary was created under
401 * @buf: The response buffer from the chip
402 * @handle: pointer to be filled in with the return handle of the primary
403 * @hierarchy: The hierarchy the primary was created for
404 *
405 * Return:
406 * * 0 - OK
407 * * -errno - A system error
408 * * TPM_RC - A TPM error
409 */
410static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
411 u32 *handle, u32 hierarchy)
412{
413 struct tpm_header *head = (struct tpm_header *)buf->data;
414 off_t offset_r = TPM_HEADER_SIZE, offset_t;
415 u16 len = TPM_HEADER_SIZE;
416 u32 total_len = be32_to_cpu(head->length);
417 u32 val, param_len;
418
419 *handle = tpm_buf_read_u32(buf, &offset_r);
420 param_len = tpm_buf_read_u32(buf, &offset_r);
421 /*
422 * param_len doesn't include the header, but all the other
423 * lengths and offsets do, so add it to parm len to make
424 * the comparisons easier
425 */
426 param_len += TPM_HEADER_SIZE;
427
428 if (param_len + 8 > total_len)
429 return -EINVAL;
430 len = tpm_buf_read_u16(buf, &offset_r);
431 offset_t = offset_r;
432 /* now we have the public area, compute the name of the object */
433 put_unaligned_be16(TPM_ALG_SHA256, chip->null_key_name);
434 sha256(&buf->data[offset_r], len, chip->null_key_name + 2);
435
436 /* validate the public key */
437 val = tpm_buf_read_u16(buf, &offset_t);
438
439 /* key type (must be what we asked for) */
440 if (val != TPM_ALG_ECC)
441 return -EINVAL;
442 val = tpm_buf_read_u16(buf, &offset_t);
443
444 /* name algorithm */
445 if (val != TPM_ALG_SHA256)
446 return -EINVAL;
447 val = tpm_buf_read_u32(buf, &offset_t);
448
449 /* object properties */
450 if (val != TPM2_OA_TMPL)
451 return -EINVAL;
452
453 /* auth policy (empty) */
454 val = tpm_buf_read_u16(buf, &offset_t);
455 if (val != 0)
456 return -EINVAL;
457
458 /* symmetric key parameters */
459 val = tpm_buf_read_u16(buf, &offset_t);
460 if (val != TPM_ALG_AES)
461 return -EINVAL;
462
463 /* symmetric key length */
464 val = tpm_buf_read_u16(buf, &offset_t);
465 if (val != AES_KEY_BITS)
466 return -EINVAL;
467
468 /* symmetric encryption scheme */
469 val = tpm_buf_read_u16(buf, &offset_t);
470 if (val != TPM_ALG_CFB)
471 return -EINVAL;
472
473 /* signing scheme */
474 val = tpm_buf_read_u16(buf, &offset_t);
475 if (val != TPM_ALG_NULL)
476 return -EINVAL;
477
478 /* ECC Curve */
479 val = tpm_buf_read_u16(buf, &offset_t);
480 if (val != TPM2_ECC_NIST_P256)
481 return -EINVAL;
482
483 /* KDF Scheme */
484 val = tpm_buf_read_u16(buf, &offset_t);
485 if (val != TPM_ALG_NULL)
486 return -EINVAL;
487
488 /* extract public key (x and y points) */
489 val = tpm_buf_read_u16(buf, &offset_t);
490 if (val != EC_PT_SZ)
491 return -EINVAL;
492 memcpy(chip->null_ec_key_x, &buf->data[offset_t], val);
493 offset_t += val;
494 val = tpm_buf_read_u16(buf, &offset_t);
495 if (val != EC_PT_SZ)
496 return -EINVAL;
497 memcpy(chip->null_ec_key_y, &buf->data[offset_t], val);
498 offset_t += val;
499
500 /* original length of the whole TPM2B */
501 offset_r += len;
502
503 /* should have exactly consumed the TPM2B public structure */
504 if (offset_t != offset_r)
505 return -EINVAL;
506 if (offset_r > param_len)
507 return -EINVAL;
508
509 /* creation data (skip) */
510 len = tpm_buf_read_u16(buf, &offset_r);
511 offset_r += len;
512 if (offset_r > param_len)
513 return -EINVAL;
514
515 /* creation digest (must be sha256) */
516 len = tpm_buf_read_u16(buf, &offset_r);
517 offset_r += len;
518 if (len != SHA256_DIGEST_SIZE || offset_r > param_len)
519 return -EINVAL;
520
521 /* TPMT_TK_CREATION follows */
522 /* tag, must be TPM_ST_CREATION (0x8021) */
523 val = tpm_buf_read_u16(buf, &offset_r);
524 if (val != TPM2_ST_CREATION || offset_r > param_len)
525 return -EINVAL;
526
527 /* hierarchy */
528 val = tpm_buf_read_u32(buf, &offset_r);
529 if (val != hierarchy || offset_r > param_len)
530 return -EINVAL;
531
532 /* the ticket digest HMAC (might not be sha256) */
533 len = tpm_buf_read_u16(buf, &offset_r);
534 offset_r += len;
535 if (offset_r > param_len)
536 return -EINVAL;
537
538 /*
539 * finally we have the name, which is a sha256 digest plus a 2
540 * byte algorithm type
541 */
542 len = tpm_buf_read_u16(buf, &offset_r);
543 if (offset_r + len != param_len + 8)
544 return -EINVAL;
545 if (len != SHA256_DIGEST_SIZE + 2)
546 return -EINVAL;
547
548 if (memcmp(chip->null_key_name, &buf->data[offset_r],
549 SHA256_DIGEST_SIZE + 2) != 0) {
550 dev_err(&chip->dev, "NULL Seed name comparison failed\n");
551 return -EINVAL;
552 }
553
554 return 0;
555}
556
557/**
558 * tpm2_create_primary() - create a primary key using a fixed P-256 template
559 *
560 * @chip: the TPM chip to create under
561 * @hierarchy: The hierarchy handle to create under
562 * @handle: The returned volatile handle on success
563 *
564 * For platforms that might not have a persistent primary, this can be
565 * used to create one quickly on the fly (it uses Elliptic Curve not
566 * RSA, so even slow TPMs can create one fast). The template uses the
567 * TCG mandated H one for non-endorsement ECC primaries, i.e. P-256
568 * elliptic curve (the only current one all TPM2s are required to
569 * have) a sha256 name hash and no policy.
570 *
571 * Return:
572 * * 0 - OK
573 * * -errno - A system error
574 * * TPM_RC - A TPM error
575 */
576static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
577 u32 *handle)
578{
579 int rc;
580 struct tpm_buf buf;
581 struct tpm_buf template;
582
583 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
584 if (rc)
585 return rc;
586
587 rc = tpm_buf_init_sized(&template);
588 if (rc) {
589 tpm_buf_destroy(&buf);
590 return rc;
591 }
592
593 /*
594 * create the template. Note: in order for userspace to
595 * verify the security of the system, it will have to create
596 * and certify this NULL primary, meaning all the template
597 * parameters will have to be identical, so conform exactly to
598 * the TCG TPM v2.0 Provisioning Guidance for the SRK ECC
599 * key H template (H has zero size unique points)
600 */
601
602 /* key type */
603 tpm_buf_append_u16(&template, TPM_ALG_ECC);
604
605 /* name algorithm */
606 tpm_buf_append_u16(&template, TPM_ALG_SHA256);
607
608 /* object properties */
609 tpm_buf_append_u32(&template, TPM2_OA_TMPL);
610
611 /* sauth policy (empty) */
612 tpm_buf_append_u16(&template, 0);
613
614 /* BEGIN parameters: key specific; for ECC*/
615
616 /* symmetric algorithm */
617 tpm_buf_append_u16(&template, TPM_ALG_AES);
618
619 /* bits for symmetric algorithm */
620 tpm_buf_append_u16(&template, AES_KEY_BITS);
621
622 /* algorithm mode (must be CFB) */
623 tpm_buf_append_u16(&template, TPM_ALG_CFB);
624
625 /* scheme (NULL means any scheme) */
626 tpm_buf_append_u16(&template, TPM_ALG_NULL);
627
628 /* ECC Curve ID */
629 tpm_buf_append_u16(&template, TPM2_ECC_NIST_P256);
630
631 /* KDF Scheme */
632 tpm_buf_append_u16(&template, TPM_ALG_NULL);
633
634 /* unique: key specific; for ECC it is two zero size points */
635 tpm_buf_append_u16(&template, 0);
636 tpm_buf_append_u16(&template, 0);
637
638 /* END parameters */
639
640 /* primary handle */
641 tpm_buf_append_u32(&buf, hierarchy);
642 tpm_buf_append_empty_auth(&buf, TPM2_RS_PW);
643
644 /* sensitive create size is 4 for two empty buffers */
645 tpm_buf_append_u16(&buf, 4);
646
647 /* sensitive create auth data (empty) */
648 tpm_buf_append_u16(&buf, 0);
649
650 /* sensitive create sensitive data (empty) */
651 tpm_buf_append_u16(&buf, 0);
652
653 /* the public template */
654 tpm_buf_append(&buf, template.data, template.length);
655 tpm_buf_destroy(&template);
656
657 /* outside info (empty) */
658 tpm_buf_append_u16(&buf, 0);
659
660 /* creation PCR (none) */
661 tpm_buf_append_u32(&buf, 0);
662
663 rc = tpm_transmit_cmd(chip, &buf, 0,
664 "attempting to create NULL primary");
665
666 if (rc == TPM2_RC_SUCCESS)
667 rc = tpm2_parse_create_primary(chip, &buf, handle, hierarchy);
668
669 tpm_buf_destroy(&buf);
670
671 return rc;
672}
673
674static int tpm2_create_null_primary(struct tpm_chip *chip)
675{
676 u32 null_key;
677 int rc;
678
679 rc = tpm2_create_primary(chip, TPM2_RH_NULL, &null_key);
680
681 if (rc == TPM2_RC_SUCCESS) {
682 unsigned int offset = 0; /* dummy offset for null key context */
683
684 rc = tpm2_save_context(chip, null_key, chip->null_key_context,
685 sizeof(chip->null_key_context), &offset);
686 tpm2_flush_context(chip, null_key);
687 }
688
689 return rc;
690}
691
692/**
693 * tpm2_sessions_init() - start of day initialization for the sessions code
694 * @chip: TPM chip
695 *
696 * Derive and context save the null primary and allocate memory in the
697 * struct tpm_chip for the authorizations.
698 */
699int tpm2_sessions_init(struct tpm_chip *chip)
700{
701 int rc;
702
703 rc = tpm2_create_null_primary(chip);
704 if (rc)
705 dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc);
706
699e3efd
JB		 707 chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL);
708 if (!chip->auth)
709 return -ENOMEM;
710
d2add27c
JB		 711 return rc;
712}
Linux 6.x block layer and io_uring tree(s)