1
// SPDX-License-Identifier: GPL-2.0
2

3
/*
4
 * Copyright (C) 2018 [email protected]
5
 *
6
 * Cryptographic helper routines for handling TPM2 sessions for
7
 * authorization HMAC and request response encryption.
8
 *
9
 * The idea is to ensure that every TPM command is HMAC protected by a
10
 * session, meaning in-flight tampering would be detected and in
11
 * addition all sensitive inputs and responses should be encrypted.
12
 *
13
 * The basic way this works is to use a TPM feature called salted
14
 * sessions where a random secret used in session construction is
15
 * encrypted to the public part of a known TPM key.  The problem is we
16
 * have no known keys, so initially a primary Elliptic Curve key is
17
 * derived from the NULL seed (we use EC because most TPMs generate
18
 * these keys much faster than RSA ones).  The curve used is NIST_P256
19
 * because that's now mandated to be present in 'TCG TPM v2.0
20
 * Provisioning Guidance'
21
 *
22
 * Threat problems: the initial TPM2_CreatePrimary is not (and cannot
23
 * be) session protected, so a clever Man in the Middle could return a
24
 * public key they control to this command and from there intercept
25
 * and decode all subsequent session based transactions.  The kernel
26
 * cannot mitigate this threat but, after boot, userspace can get
27
 * proof this has not happened by asking the TPM to certify the NULL
28
 * key.  This certification would chain back to the TPM Endorsement
29
 * Certificate and prove the NULL seed primary had not been tampered
30
 * with and thus all sessions must have been cryptographically secure.
31
 * To assist with this, the initial NULL seed public key name is made
32
 * available in a sysfs file.
33
 *
34
 * Use of these functions:
35
 *
36
 * The design is all the crypto, hash and hmac gunk is confined in this
37
 * file and never needs to be seen even by the kernel internal user.  To
38
 * the user there's an init function tpm2_sessions_init() that needs to
39
 * be called once per TPM which generates the NULL seed primary key.
40
 *
41
 * These are the usage functions:
42
 *
43
 * tpm2_end_auth_session() kills the session and frees the resources.
44
 *	Under normal operation this function is done by
45
 *	tpm_buf_check_hmac_response(), so this is only to be used on
46
 *	error legs where the latter is not executed.
47
 * tpm_buf_append_name() to add a handle to the buffer.  This must be
48
 *	used in place of the usual tpm_buf_append_u32() for adding
49
 *	handles because handles have to be processed specially when
50
 *	calculating the HMAC.  In particular, for NV, volatile and
51
 *	permanent objects you now need to provide the name.
52
 * tpm_buf_append_hmac_session() which appends the hmac session to the
53
 *	buf in the same way tpm_buf_append_auth does().
54
 * tpm_buf_fill_hmac_session() This calculates the correct hash and
55
 *	places it in the buffer.  It must be called after the complete
56
 *	command buffer is finalized so it can fill in the correct HMAC
57
 *	based on the parameters.
58
 * tpm_buf_check_hmac_response() which checks the session response in
59
 *	the buffer and calculates what it should be.  If there's a
60
 *	mismatch it will log a warning and return an error.  If
61
 *	tpm_buf_append_hmac_session() did not specify
62
 *	TPM_SA_CONTINUE_SESSION then the session will be closed (if it
63
 *	hasn't been consumed) and the auth structure freed.
64
 */
65

66
#include "tpm.h"
67
#include <linux/random.h>
68
#include <linux/scatterlist.h>
69
#include <linux/unaligned.h>
70
#include <crypto/kpp.h>
71
#include <crypto/ecdh.h>
72
#include <crypto/hash.h>
73
#include <crypto/hmac.h>
74

75
/* maximum number of names the TPM must remember for authorization */
76
#define AUTH_MAX_NAMES	3
77

78
#define AES_KEY_BYTES	AES_KEYSIZE_128
79
#define AES_KEY_BITS	(AES_KEY_BYTES*8)
80

81
/*
82
 * This is the structure that carries all the auth information (like
83
 * session handle, nonces, session key and auth) from use to use it is
84
 * designed to be opaque to anything outside.
85
 */
86
struct tpm2_auth {
87
	u32 handle;
88
	/*
89
	 * This has two meanings: before tpm_buf_fill_hmac_session()
90
	 * it marks the offset in the buffer of the start of the
91
	 * sessions (i.e. after all the handles).  Once the buffer has
92
	 * been filled it markes the session number of our auth
93
	 * session so we can find it again in the response buffer.
94
	 *
95
	 * The two cases are distinguished because the first offset
96
	 * must always be greater than TPM_HEADER_SIZE and the second
97
	 * must be less than or equal to 5.
98
	 */
99
	u32 session;
100
	/*
101
	 * the size here is variable and set by the size of our_nonce
102
	 * which must be between 16 and the name hash length. we set
103
	 * the maximum sha256 size for the greatest protection
104
	 */
105
	u8 our_nonce[SHA256_DIGEST_SIZE];
106
	u8 tpm_nonce[SHA256_DIGEST_SIZE];
107
	/*
108
	 * the salt is only used across the session command/response
109
	 * after that it can be used as a scratch area
110
	 */
111
	union {
112
		u8 salt[EC_PT_SZ];
113
		/* scratch for key + IV */
114
		u8 scratch[AES_KEY_BYTES + AES_BLOCK_SIZE];
115
	};
116
	/*
117
	 * the session key and passphrase are the same size as the
118
	 * name digest (sha256 again).  The session key is constant
119
	 * for the use of the session and the passphrase can change
120
	 * with every invocation.
121
	 *
122
	 * Note: these fields must be adjacent and in this order
123
	 * because several HMAC/KDF schemes use the combination of the
124
	 * session_key and passphrase.
125
	 */
126
	u8 session_key[SHA256_DIGEST_SIZE];
127
	u8 passphrase[SHA256_DIGEST_SIZE];
128
	int passphrase_len;
129
	struct crypto_aes_ctx aes_ctx;
130
	/* saved session attributes: */
131
	u8 attrs;
132
	__be32 ordinal;
133

134
	/*
135
	 * memory for three authorization handles.  We know them by
136
	 * handle, but they are part of the session by name, which
137
	 * we must compute and remember
138
	 */
139
	u32 name_h[AUTH_MAX_NAMES];
140
	u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
141
};
142

143
#ifdef CONFIG_TCG_TPM2_HMAC
144
/*
145
 * Name Size based on TPM algorithm (assumes no hash bigger than 255)
146
 */
147
static u8 name_size(const u8 *name)
148
{
149
	static u8 size_map[] = {
150
		[TPM_ALG_SHA1] = SHA1_DIGEST_SIZE,
151
		[TPM_ALG_SHA256] = SHA256_DIGEST_SIZE,
152
		[TPM_ALG_SHA384] = SHA384_DIGEST_SIZE,
153
		[TPM_ALG_SHA512] = SHA512_DIGEST_SIZE,
154
	};
155
	u16 alg = get_unaligned_be16(name);
156
	return size_map[alg] + 2;
157
}
158

159
static int tpm2_parse_read_public(char *name, struct tpm_buf *buf)
160
{
161
	struct tpm_header *head = (struct tpm_header *)buf->data;
162
	off_t offset = TPM_HEADER_SIZE;
163
	u32 tot_len = be32_to_cpu(head->length);
164
	u32 val;
165

166
	/* we're starting after the header so adjust the length */
167
	tot_len -= TPM_HEADER_SIZE;
168

169
	/* skip public */
170
	val = tpm_buf_read_u16(buf, &offset);
171
	if (val > tot_len)
172
		return -EINVAL;
173
	offset += val;
174
	/* name */
175
	val = tpm_buf_read_u16(buf, &offset);
176
	if (val != name_size(&buf->data[offset]))
177
		return -EINVAL;
178
	memcpy(name, &buf->data[offset], val);
179
	/* forget the rest */
180
	return 0;
181
}
182

183
static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name)
184
{
185
	struct tpm_buf buf;
186
	int rc;
187

188
	rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
189
	if (rc)
190
		return rc;
191

192
	tpm_buf_append_u32(&buf, handle);
193
	rc = tpm_transmit_cmd(chip, &buf, 0, "read public");
194
	if (rc == TPM2_RC_SUCCESS)
195
		rc = tpm2_parse_read_public(name, &buf);
196

197
	tpm_buf_destroy(&buf);
198

199
	return rc;
200
}
201
#endif /* CONFIG_TCG_TPM2_HMAC */
202

203
/**
204
 * tpm_buf_append_name() - add a handle area to the buffer
205
 * @chip: the TPM chip structure
206
 * @buf: The buffer to be appended
207
 * @handle: The handle to be appended
208
 * @name: The name of the handle (may be NULL)
209
 *
210
 * In order to compute session HMACs, we need to know the names of the
211
 * objects pointed to by the handles.  For most objects, this is simply
212
 * the actual 4 byte handle or an empty buf (in these cases @name
213
 * should be NULL) but for volatile objects, permanent objects and NV
214
 * areas, the name is defined as the hash (according to the name
215
 * algorithm which should be set to sha256) of the public area to
216
 * which the two byte algorithm id has been appended.  For these
217
 * objects, the @name pointer should point to this.  If a name is
218
 * required but @name is NULL, then TPM2_ReadPublic() will be called
219
 * on the handle to obtain the name.
220
 *
221
 * As with most tpm_buf operations, success is assumed because failure
222
 * will be caused by an incorrect programming model and indicated by a
223
 * kernel message.
224
 */
225
void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf,
226
			 u32 handle, u8 *name)
227
{
228
#ifdef CONFIG_TCG_TPM2_HMAC
229
	enum tpm2_mso_type mso = tpm2_handle_mso(handle);
230
	struct tpm2_auth *auth;
231
	int slot;
232
#endif
233

234
	if (!tpm2_chip_auth(chip)) {
235
		tpm_buf_append_handle(chip, buf, handle);
236
		return;
237
	}
238

239
#ifdef CONFIG_TCG_TPM2_HMAC
240
	slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4;
241
	if (slot >= AUTH_MAX_NAMES) {
242
		dev_err(&chip->dev, "TPM: too many handles\n");
243
		return;
244
	}
245
	auth = chip->auth;
246
	WARN(auth->session != tpm_buf_length(buf),
247
	     "name added in wrong place\n");
248
	tpm_buf_append_u32(buf, handle);
249
	auth->session += 4;
250

251
	if (mso == TPM2_MSO_PERSISTENT ||
252
	    mso == TPM2_MSO_VOLATILE ||
253
	    mso == TPM2_MSO_NVRAM) {
254
		if (!name)
255
			tpm2_read_public(chip, handle, auth->name[slot]);
256
	} else {
257
		if (name)
258
			dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n");
259
	}
260

261
	auth->name_h[slot] = handle;
262
	if (name)
263
		memcpy(auth->name[slot], name, name_size(name));
264
#endif
265
}
266
EXPORT_SYMBOL_GPL(tpm_buf_append_name);
267

268
void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf *buf,
269
			 u8 attributes, u8 *passphrase, int passphrase_len)
270
{
271
	/* offset tells us where the sessions area begins */
272
	int offset = buf->handles * 4 + TPM_HEADER_SIZE;
273
	u32 len = 9 + passphrase_len;
274

275
	if (tpm_buf_length(buf) != offset) {
276
		/* not the first session so update the existing length */
277
		len += get_unaligned_be32(&buf->data[offset]);
278
		put_unaligned_be32(len, &buf->data[offset]);
279
	} else {
280
		tpm_buf_append_u32(buf, len);
281
	}
282
	/* auth handle */
283
	tpm_buf_append_u32(buf, TPM2_RS_PW);
284
	/* nonce */
285
	tpm_buf_append_u16(buf, 0);
286
	/* attributes */
287
	tpm_buf_append_u8(buf, 0);
288
	/* passphrase */
289
	tpm_buf_append_u16(buf, passphrase_len);
290
	tpm_buf_append(buf, passphrase, passphrase_len);
291
}
292

293
/**
294
 * tpm_buf_append_hmac_session() - Append a TPM session element
295
 * @chip: the TPM chip structure
296
 * @buf: The buffer to be appended
297
 * @attributes: The session attributes
298
 * @passphrase: The session authority (NULL if none)
299
 * @passphrase_len: The length of the session authority (0 if none)
300
 *
301
 * This fills in a session structure in the TPM command buffer, except
302
 * for the HMAC which cannot be computed until the command buffer is
303
 * complete.  The type of session is controlled by the @attributes,
304
 * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the
305
 * session won't terminate after tpm_buf_check_hmac_response(),
306
 * TPM2_SA_DECRYPT which means this buffers first parameter should be
307
 * encrypted with a session key and TPM2_SA_ENCRYPT, which means the
308
 * response buffer's first parameter needs to be decrypted (confusing,
309
 * but the defines are written from the point of view of the TPM).
310
 *
311
 * Any session appended by this command must be finalized by calling
312
 * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect
313
 * and the TPM will reject the command.
314
 *
315
 * As with most tpm_buf operations, success is assumed because failure
316
 * will be caused by an incorrect programming model and indicated by a
317
 * kernel message.
318
 */
319
void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
320
				 u8 attributes, u8 *passphrase,
321
				 int passphrase_len)
322
{
323
#ifdef CONFIG_TCG_TPM2_HMAC
324
	u8 nonce[SHA256_DIGEST_SIZE];
325
	struct tpm2_auth *auth;
326
	u32 len;
327
#endif
328

329
	if (!tpm2_chip_auth(chip)) {
330
		tpm_buf_append_auth(chip, buf, attributes, passphrase,
331
				    passphrase_len);
332
		return;
333
	}
334

335
#ifdef CONFIG_TCG_TPM2_HMAC
336
	/* The first write to /dev/tpm{rm0} will flush the session. */
337
	attributes |= TPM2_SA_CONTINUE_SESSION;
338

339
	/*
340
	 * The Architecture Guide requires us to strip trailing zeros
341
	 * before computing the HMAC
342
	 */
343
	while (passphrase && passphrase_len > 0 && passphrase[passphrase_len - 1] == '\0')
344
		passphrase_len--;
345

346
	auth = chip->auth;
347
	auth->attrs = attributes;
348
	auth->passphrase_len = passphrase_len;
349
	if (passphrase_len)
350
		memcpy(auth->passphrase, passphrase, passphrase_len);
351

352
	if (auth->session != tpm_buf_length(buf)) {
353
		/* we're not the first session */
354
		len = get_unaligned_be32(&buf->data[auth->session]);
355
		if (4 + len + auth->session != tpm_buf_length(buf)) {
356
			WARN(1, "session length mismatch, cannot append");
357
			return;
358
		}
359

360
		/* add our new session */
361
		len += 9 + 2 * SHA256_DIGEST_SIZE;
362
		put_unaligned_be32(len, &buf->data[auth->session]);
363
	} else {
364
		tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE);
365
	}
366

367
	/* random number for our nonce */
368
	get_random_bytes(nonce, sizeof(nonce));
369
	memcpy(auth->our_nonce, nonce, sizeof(nonce));
370
	tpm_buf_append_u32(buf, auth->handle);
371
	/* our new nonce */
372
	tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
373
	tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
374
	tpm_buf_append_u8(buf, auth->attrs);
375
	/* and put a placeholder for the hmac */
376
	tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE);
377
	tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE);
378
#endif
379
}
380
EXPORT_SYMBOL_GPL(tpm_buf_append_hmac_session);
381

382
#ifdef CONFIG_TCG_TPM2_HMAC
383

384
static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
385
			       u32 *handle, u8 *name);
386

387
/*
388
 * It turns out the crypto hmac(sha256) is hard for us to consume
389
 * because it assumes a fixed key and the TPM seems to change the key
390
 * on every operation, so we weld the hmac init and final functions in
391
 * here to give it the same usage characteristics as a regular hash
392
 */
393
static void tpm2_hmac_init(struct sha256_ctx *sctx, u8 *key, u32 key_len)
394
{
395
	u8 pad[SHA256_BLOCK_SIZE];
396
	int i;
397

398
	sha256_init(sctx);
399
	for (i = 0; i < sizeof(pad); i++) {
400
		if (i < key_len)
401
			pad[i] = key[i];
402
		else
403
			pad[i] = 0;
404
		pad[i] ^= HMAC_IPAD_VALUE;
405
	}
406
	sha256_update(sctx, pad, sizeof(pad));
407
}
408

409
static void tpm2_hmac_final(struct sha256_ctx *sctx, u8 *key, u32 key_len,
410
			    u8 *out)
411
{
412
	u8 pad[SHA256_BLOCK_SIZE];
413
	int i;
414

415
	for (i = 0; i < sizeof(pad); i++) {
416
		if (i < key_len)
417
			pad[i] = key[i];
418
		else
419
			pad[i] = 0;
420
		pad[i] ^= HMAC_OPAD_VALUE;
421
	}
422

423
	/* collect the final hash;  use out as temporary storage */
424
	sha256_final(sctx, out);
425

426
	sha256_init(sctx);
427
	sha256_update(sctx, pad, sizeof(pad));
428
	sha256_update(sctx, out, SHA256_DIGEST_SIZE);
429
	sha256_final(sctx, out);
430
}
431

432
/*
433
 * assume hash sha256 and nonces u, v of size SHA256_DIGEST_SIZE but
434
 * otherwise standard tpm2_KDFa.  Note output is in bytes not bits.
435
 */
436
static void tpm2_KDFa(u8 *key, u32 key_len, const char *label, u8 *u,
437
		      u8 *v, u32 bytes, u8 *out)
438
{
439
	u32 counter = 1;
440
	const __be32 bits = cpu_to_be32(bytes * 8);
441

442
	while (bytes > 0) {
443
		struct sha256_ctx sctx;
444
		__be32 c = cpu_to_be32(counter);
445

446
		tpm2_hmac_init(&sctx, key, key_len);
447
		sha256_update(&sctx, (u8 *)&c, sizeof(c));
448
		sha256_update(&sctx, label, strlen(label)+1);
449
		sha256_update(&sctx, u, SHA256_DIGEST_SIZE);
450
		sha256_update(&sctx, v, SHA256_DIGEST_SIZE);
451
		sha256_update(&sctx, (u8 *)&bits, sizeof(bits));
452
		tpm2_hmac_final(&sctx, key, key_len, out);
453

454
		bytes -= SHA256_DIGEST_SIZE;
455
		counter++;
456
		out += SHA256_DIGEST_SIZE;
457
	}
458
}
459

460
/*
461
 * Somewhat of a bastardization of the real KDFe.  We're assuming
462
 * we're working with known point sizes for the input parameters and
463
 * the hash algorithm is fixed at sha256.  Because we know that the
464
 * point size is 32 bytes like the hash size, there's no need to loop
465
 * in this KDF.
466
 */
467
static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v,
468
		      u8 *out)
469
{
470
	struct sha256_ctx sctx;
471
	/*
472
	 * this should be an iterative counter, but because we know
473
	 *  we're only taking 32 bytes for the point using a sha256
474
	 *  hash which is also 32 bytes, there's only one loop
475
	 */
476
	__be32 c = cpu_to_be32(1);
477

478
	sha256_init(&sctx);
479
	/* counter (BE) */
480
	sha256_update(&sctx, (u8 *)&c, sizeof(c));
481
	/* secret value */
482
	sha256_update(&sctx, z, EC_PT_SZ);
483
	/* string including trailing zero */
484
	sha256_update(&sctx, str, strlen(str)+1);
485
	sha256_update(&sctx, pt_u, EC_PT_SZ);
486
	sha256_update(&sctx, pt_v, EC_PT_SZ);
487
	sha256_final(&sctx, out);
488
}
489

490
static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip,
491
				struct tpm2_auth *auth)
492
{
493
	struct crypto_kpp *kpp;
494
	struct kpp_request *req;
495
	struct scatterlist s[2], d[1];
496
	struct ecdh p = {0};
497
	u8 encoded_key[EC_PT_SZ], *x, *y;
498
	unsigned int buf_len;
499

500
	/* secret is two sized points */
501
	tpm_buf_append_u16(buf, (EC_PT_SZ + 2)*2);
502
	/*
503
	 * we cheat here and append uninitialized data to form
504
	 * the points.  All we care about is getting the two
505
	 * co-ordinate pointers, which will be used to overwrite
506
	 * the uninitialized data
507
	 */
508
	tpm_buf_append_u16(buf, EC_PT_SZ);
509
	x = &buf->data[tpm_buf_length(buf)];
510
	tpm_buf_append(buf, encoded_key, EC_PT_SZ);
511
	tpm_buf_append_u16(buf, EC_PT_SZ);
512
	y = &buf->data[tpm_buf_length(buf)];
513
	tpm_buf_append(buf, encoded_key, EC_PT_SZ);
514
	sg_init_table(s, 2);
515
	sg_set_buf(&s[0], x, EC_PT_SZ);
516
	sg_set_buf(&s[1], y, EC_PT_SZ);
517

518
	kpp = crypto_alloc_kpp("ecdh-nist-p256", CRYPTO_ALG_INTERNAL, 0);
519
	if (IS_ERR(kpp)) {
520
		dev_err(&chip->dev, "crypto ecdh allocation failed\n");
521
		return;
522
	}
523

524
	buf_len = crypto_ecdh_key_len(&p);
525
	if (sizeof(encoded_key) < buf_len) {
526
		dev_err(&chip->dev, "salt buffer too small needs %d\n",
527
			buf_len);
528
		goto out;
529
	}
530
	crypto_ecdh_encode_key(encoded_key, buf_len, &p);
531
	/* this generates a random private key */
532
	crypto_kpp_set_secret(kpp, encoded_key, buf_len);
533

534
	/* salt is now the public point of this private key */
535
	req = kpp_request_alloc(kpp, GFP_KERNEL);
536
	if (!req)
537
		goto out;
538
	kpp_request_set_input(req, NULL, 0);
539
	kpp_request_set_output(req, s, EC_PT_SZ*2);
540
	crypto_kpp_generate_public_key(req);
541
	/*
542
	 * we're not done: now we have to compute the shared secret
543
	 * which is our private key multiplied by the tpm_key public
544
	 * point, we actually only take the x point and discard the y
545
	 * point and feed it through KDFe to get the final secret salt
546
	 */
547
	sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ);
548
	sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ);
549
	kpp_request_set_input(req, s, EC_PT_SZ*2);
550
	sg_init_one(d, auth->salt, EC_PT_SZ);
551
	kpp_request_set_output(req, d, EC_PT_SZ);
552
	crypto_kpp_compute_shared_secret(req);
553
	kpp_request_free(req);
554

555
	/*
556
	 * pass the shared secret through KDFe for salt. Note salt
557
	 * area is used both for input shared secret and output salt.
558
	 * This works because KDFe fully consumes the secret before it
559
	 * writes the salt
560
	 */
561
	tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt);
562

563
 out:
564
	crypto_free_kpp(kpp);
565
}
566

567
/**
568
 * tpm_buf_fill_hmac_session() - finalize the session HMAC
569
 * @chip: the TPM chip structure
570
 * @buf: The buffer to be appended
571
 *
572
 * This command must not be called until all of the parameters have
573
 * been appended to @buf otherwise the computed HMAC will be
574
 * incorrect.
575
 *
576
 * This function computes and fills in the session HMAC using the
577
 * session key and, if TPM2_SA_DECRYPT was specified, computes the
578
 * encryption key and encrypts the first parameter of the command
579
 * buffer with it.
580
 *
581
 * As with most tpm_buf operations, success is assumed because failure
582
 * will be caused by an incorrect programming model and indicated by a
583
 * kernel message.
584
 */
585
void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf)
586
{
587
	u32 cc, handles, val;
588
	struct tpm2_auth *auth = chip->auth;
589
	int i;
590
	struct tpm_header *head = (struct tpm_header *)buf->data;
591
	off_t offset_s = TPM_HEADER_SIZE, offset_p;
592
	u8 *hmac = NULL;
593
	u32 attrs;
594
	u8 cphash[SHA256_DIGEST_SIZE];
595
	struct sha256_ctx sctx;
596

597
	if (!auth)
598
		return;
599

600
	/* save the command code in BE format */
601
	auth->ordinal = head->ordinal;
602

603
	cc = be32_to_cpu(head->ordinal);
604

605
	i = tpm2_find_cc(chip, cc);
606
	if (i < 0) {
607
		dev_err(&chip->dev, "Command 0x%x not found in TPM\n", cc);
608
		return;
609
	}
610
	attrs = chip->cc_attrs_tbl[i];
611

612
	handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
613

614
	/*
615
	 * just check the names, it's easy to make mistakes.  This
616
	 * would happen if someone added a handle via
617
	 * tpm_buf_append_u32() instead of tpm_buf_append_name()
618
	 */
619
	for (i = 0; i < handles; i++) {
620
		u32 handle = tpm_buf_read_u32(buf, &offset_s);
621

622
		if (auth->name_h[i] != handle) {
623
			dev_err(&chip->dev, "TPM: handle %d wrong for name\n",
624
				  i);
625
			return;
626
		}
627
	}
628
	/* point offset_s to the start of the sessions */
629
	val = tpm_buf_read_u32(buf, &offset_s);
630
	/* point offset_p to the start of the parameters */
631
	offset_p = offset_s + val;
632
	for (i = 1; offset_s < offset_p; i++) {
633
		u32 handle = tpm_buf_read_u32(buf, &offset_s);
634
		u16 len;
635
		u8 a;
636

637
		/* nonce (already in auth) */
638
		len = tpm_buf_read_u16(buf, &offset_s);
639
		offset_s += len;
640

641
		a = tpm_buf_read_u8(buf, &offset_s);
642

643
		len = tpm_buf_read_u16(buf, &offset_s);
644
		if (handle == auth->handle && auth->attrs == a) {
645
			hmac = &buf->data[offset_s];
646
			/*
647
			 * save our session number so we know which
648
			 * session in the response belongs to us
649
			 */
650
			auth->session = i;
651
		}
652

653
		offset_s += len;
654
	}
655
	if (offset_s != offset_p) {
656
		dev_err(&chip->dev, "TPM session length is incorrect\n");
657
		return;
658
	}
659
	if (!hmac) {
660
		dev_err(&chip->dev, "TPM could not find HMAC session\n");
661
		return;
662
	}
663

664
	/* encrypt before HMAC */
665
	if (auth->attrs & TPM2_SA_DECRYPT) {
666
		u16 len;
667

668
		/* need key and IV */
669
		tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
670
			  + auth->passphrase_len, "CFB", auth->our_nonce,
671
			  auth->tpm_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
672
			  auth->scratch);
673

674
		len = tpm_buf_read_u16(buf, &offset_p);
675
		aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
676
		aescfb_encrypt(&auth->aes_ctx, &buf->data[offset_p],
677
			       &buf->data[offset_p], len,
678
			       auth->scratch + AES_KEY_BYTES);
679
		/* reset p to beginning of parameters for HMAC */
680
		offset_p -= 2;
681
	}
682

683
	sha256_init(&sctx);
684
	/* ordinal is already BE */
685
	sha256_update(&sctx, (u8 *)&head->ordinal, sizeof(head->ordinal));
686
	/* add the handle names */
687
	for (i = 0; i < handles; i++) {
688
		enum tpm2_mso_type mso = tpm2_handle_mso(auth->name_h[i]);
689

690
		if (mso == TPM2_MSO_PERSISTENT ||
691
		    mso == TPM2_MSO_VOLATILE ||
692
		    mso == TPM2_MSO_NVRAM) {
693
			sha256_update(&sctx, auth->name[i],
694
				      name_size(auth->name[i]));
695
		} else {
696
			__be32 h = cpu_to_be32(auth->name_h[i]);
697

698
			sha256_update(&sctx, (u8 *)&h, 4);
699
		}
700
	}
701
	if (offset_s != tpm_buf_length(buf))
702
		sha256_update(&sctx, &buf->data[offset_s],
703
			      tpm_buf_length(buf) - offset_s);
704
	sha256_final(&sctx, cphash);
705

706
	/* now calculate the hmac */
707
	tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
708
		       + auth->passphrase_len);
709
	sha256_update(&sctx, cphash, sizeof(cphash));
710
	sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
711
	sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
712
	sha256_update(&sctx, &auth->attrs, 1);
713
	tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
714
			+ auth->passphrase_len, hmac);
715
}
716
EXPORT_SYMBOL(tpm_buf_fill_hmac_session);
717

718
/**
719
 * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness
720
 * @chip: the TPM chip structure
721
 * @buf: the original command buffer (which now contains the response)
722
 * @rc: the return code from tpm_transmit_cmd
723
 *
724
 * If @rc is non zero, @buf may not contain an actual return, so @rc
725
 * is passed through as the return and the session cleaned up and
726
 * de-allocated if required (this is required if
727
 * TPM2_SA_CONTINUE_SESSION was not specified as a session flag).
728
 *
729
 * If @rc is zero, the response HMAC is computed against the returned
730
 * @buf and matched to the TPM one in the session area.  If there is a
731
 * mismatch, an error is logged and -EINVAL returned.
732
 *
733
 * The reason for this is that the command issue and HMAC check
734
 * sequence should look like:
735
 *
736
 *	rc = tpm_transmit_cmd(...);
737
 *	rc = tpm_buf_check_hmac_response(&buf, auth, rc);
738
 *	if (rc)
739
 *		...
740
 *
741
 * Which is easily layered into the current contrl flow.
742
 *
743
 * Returns: 0 on success or an error.
744
 */
745
int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
746
				int rc)
747
{
748
	struct tpm_header *head = (struct tpm_header *)buf->data;
749
	struct tpm2_auth *auth = chip->auth;
750
	off_t offset_s, offset_p;
751
	u8 rphash[SHA256_DIGEST_SIZE];
752
	u32 attrs, cc;
753
	struct sha256_ctx sctx;
754
	u16 tag = be16_to_cpu(head->tag);
755
	int parm_len, len, i, handles;
756

757
	if (!auth)
758
		return rc;
759

760
	cc = be32_to_cpu(auth->ordinal);
761

762
	if (auth->session >= TPM_HEADER_SIZE) {
763
		WARN(1, "tpm session not filled correctly\n");
764
		goto out;
765
	}
766

767
	if (rc != 0)
768
		/* pass non success rc through and close the session */
769
		goto out;
770

771
	rc = -EINVAL;
772
	if (tag != TPM2_ST_SESSIONS) {
773
		dev_err(&chip->dev, "TPM: HMAC response check has no sessions tag\n");
774
		goto out;
775
	}
776

777
	i = tpm2_find_cc(chip, cc);
778
	if (i < 0)
779
		goto out;
780
	attrs = chip->cc_attrs_tbl[i];
781
	handles = (attrs >> TPM2_CC_ATTR_RHANDLE) & 1;
782

783
	/* point to area beyond handles */
784
	offset_s = TPM_HEADER_SIZE + handles * 4;
785
	parm_len = tpm_buf_read_u32(buf, &offset_s);
786
	offset_p = offset_s;
787
	offset_s += parm_len;
788
	/* skip over any sessions before ours */
789
	for (i = 0; i < auth->session - 1; i++) {
790
		len = tpm_buf_read_u16(buf, &offset_s);
791
		offset_s += len + 1;
792
		len = tpm_buf_read_u16(buf, &offset_s);
793
		offset_s += len;
794
	}
795
	/* TPM nonce */
796
	len = tpm_buf_read_u16(buf, &offset_s);
797
	if (offset_s + len > tpm_buf_length(buf))
798
		goto out;
799
	if (len != SHA256_DIGEST_SIZE)
800
		goto out;
801
	memcpy(auth->tpm_nonce, &buf->data[offset_s], len);
802
	offset_s += len;
803
	attrs = tpm_buf_read_u8(buf, &offset_s);
804
	len = tpm_buf_read_u16(buf, &offset_s);
805
	if (offset_s + len != tpm_buf_length(buf))
806
		goto out;
807
	if (len != SHA256_DIGEST_SIZE)
808
		goto out;
809
	/*
810
	 * offset_s points to the HMAC. now calculate comparison, beginning
811
	 * with rphash
812
	 */
813
	sha256_init(&sctx);
814
	/* yes, I know this is now zero, but it's what the standard says */
815
	sha256_update(&sctx, (u8 *)&head->return_code,
816
		      sizeof(head->return_code));
817
	/* ordinal is already BE */
818
	sha256_update(&sctx, (u8 *)&auth->ordinal, sizeof(auth->ordinal));
819
	sha256_update(&sctx, &buf->data[offset_p], parm_len);
820
	sha256_final(&sctx, rphash);
821

822
	/* now calculate the hmac */
823
	tpm2_hmac_init(&sctx, auth->session_key, sizeof(auth->session_key)
824
		       + auth->passphrase_len);
825
	sha256_update(&sctx, rphash, sizeof(rphash));
826
	sha256_update(&sctx, auth->tpm_nonce, sizeof(auth->tpm_nonce));
827
	sha256_update(&sctx, auth->our_nonce, sizeof(auth->our_nonce));
828
	sha256_update(&sctx, &auth->attrs, 1);
829
	/* we're done with the rphash, so put our idea of the hmac there */
830
	tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
831
			+ auth->passphrase_len, rphash);
832
	if (memcmp(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE) == 0) {
833
		rc = 0;
834
	} else {
835
		dev_err(&chip->dev, "TPM: HMAC check failed\n");
836
		goto out;
837
	}
838

839
	/* now do response decryption */
840
	if (auth->attrs & TPM2_SA_ENCRYPT) {
841
		/* need key and IV */
842
		tpm2_KDFa(auth->session_key, SHA256_DIGEST_SIZE
843
			  + auth->passphrase_len, "CFB", auth->tpm_nonce,
844
			  auth->our_nonce, AES_KEY_BYTES + AES_BLOCK_SIZE,
845
			  auth->scratch);
846

847
		len = tpm_buf_read_u16(buf, &offset_p);
848
		aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES);
849
		aescfb_decrypt(&auth->aes_ctx, &buf->data[offset_p],
850
			       &buf->data[offset_p], len,
851
			       auth->scratch + AES_KEY_BYTES);
852
	}
853

854
 out:
855
	if ((auth->attrs & TPM2_SA_CONTINUE_SESSION) == 0) {
856
		if (rc)
857
			/* manually close the session if it wasn't consumed */
858
			tpm2_flush_context(chip, auth->handle);
859

860
		kfree_sensitive(auth);
861
		chip->auth = NULL;
862
	} else {
863
		/* reset for next use  */
864
		auth->session = TPM_HEADER_SIZE;
865
	}
866

867
	return rc;
868
}
869
EXPORT_SYMBOL(tpm_buf_check_hmac_response);
870

871
/**
872
 * tpm2_end_auth_session() - kill the allocated auth session
873
 * @chip: the TPM chip structure
874
 *
875
 * ends the session started by tpm2_start_auth_session and frees all
876
 * the resources.  Under normal conditions,
877
 * tpm_buf_check_hmac_response() will correctly end the session if
878
 * required, so this function is only for use in error legs that will
879
 * bypass the normal invocation of tpm_buf_check_hmac_response().
880
 */
881
void tpm2_end_auth_session(struct tpm_chip *chip)
882
{
883
	struct tpm2_auth *auth = chip->auth;
884

885
	if (!auth)
886
		return;
887

888
	tpm2_flush_context(chip, auth->handle);
889
	kfree_sensitive(auth);
890
	chip->auth = NULL;
891
}
892
EXPORT_SYMBOL(tpm2_end_auth_session);
893

894
static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
895
					 struct tpm_buf *buf)
896
{
897
	struct tpm_header *head = (struct tpm_header *)buf->data;
898
	u32 tot_len = be32_to_cpu(head->length);
899
	off_t offset = TPM_HEADER_SIZE;
900
	u32 val;
901

902
	/* we're starting after the header so adjust the length */
903
	tot_len -= TPM_HEADER_SIZE;
904

905
	/* should have handle plus nonce */
906
	if (tot_len != 4 + 2 + sizeof(auth->tpm_nonce))
907
		return -EINVAL;
908

909
	auth->handle = tpm_buf_read_u32(buf, &offset);
910
	val = tpm_buf_read_u16(buf, &offset);
911
	if (val != sizeof(auth->tpm_nonce))
912
		return -EINVAL;
913
	memcpy(auth->tpm_nonce, &buf->data[offset], sizeof(auth->tpm_nonce));
914
	/* now compute the session key from the nonces */
915
	tpm2_KDFa(auth->salt, sizeof(auth->salt), "ATH", auth->tpm_nonce,
916
		  auth->our_nonce, sizeof(auth->session_key),
917
		  auth->session_key);
918

919
	return 0;
920
}
921

922
static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
923
{
924
	unsigned int offset = 0; /* dummy offset for null seed context */
925
	u8 name[SHA256_DIGEST_SIZE + 2];
926
	u32 tmp_null_key;
927
	int rc;
928

929
	rc = tpm2_load_context(chip, chip->null_key_context, &offset,
930
			       &tmp_null_key);
931
	if (rc != -EINVAL) {
932
		if (!rc)
933
			*null_key = tmp_null_key;
934
		goto err;
935
	}
936

937
	/* Try to re-create null key, given the integrity failure: */
938
	rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name);
939
	if (rc)
940
		goto err;
941

942
	/* Return null key if the name has not been changed: */
943
	if (!memcmp(name, chip->null_key_name, sizeof(name))) {
944
		*null_key = tmp_null_key;
945
		return 0;
946
	}
947

948
	/* Deduce from the name change TPM interference: */
949
	dev_err(&chip->dev, "null key integrity check failed\n");
950
	tpm2_flush_context(chip, tmp_null_key);
951

952
err:
953
	if (rc) {
954
		chip->flags |= TPM_CHIP_FLAG_DISABLE;
955
		rc = -ENODEV;
956
	}
957
	return rc;
958
}
959

960
/**
961
 * tpm2_start_auth_session() - Create an a HMAC authentication session
962
 * @chip:	A TPM chip
963
 *
964
 * Loads the ephemeral key (null seed), and starts an HMAC authenticated
965
 * session. The null seed is flushed before the return.
966
 *
967
 * Returns zero on success, or a POSIX error code.
968
 */
969
int tpm2_start_auth_session(struct tpm_chip *chip)
970
{
971
	struct tpm2_auth *auth;
972
	struct tpm_buf buf;
973
	u32 null_key;
974
	int rc;
975

976
	if (chip->auth) {
977
		dev_dbg_once(&chip->dev, "auth session is active\n");
978
		return 0;
979
	}
980

981
	auth = kzalloc(sizeof(*auth), GFP_KERNEL);
982
	if (!auth)
983
		return -ENOMEM;
984

985
	rc = tpm2_load_null(chip, &null_key);
986
	if (rc)
987
		goto out;
988

989
	auth->session = TPM_HEADER_SIZE;
990

991
	rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
992
	if (rc)
993
		goto out;
994

995
	/* salt key handle */
996
	tpm_buf_append_u32(&buf, null_key);
997
	/* bind key handle */
998
	tpm_buf_append_u32(&buf, TPM2_RH_NULL);
999
	/* nonce caller */
1000
	get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
1001
	tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
1002
	tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
1003

1004
	/* append encrypted salt and squirrel away unencrypted in auth */
1005
	tpm_buf_append_salt(&buf, chip, auth);
1006
	/* session type (HMAC, audit or policy) */
1007
	tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
1008

1009
	/* symmetric encryption parameters */
1010
	/* symmetric algorithm */
1011
	tpm_buf_append_u16(&buf, TPM_ALG_AES);
1012
	/* bits for symmetric algorithm */
1013
	tpm_buf_append_u16(&buf, AES_KEY_BITS);
1014
	/* symmetric algorithm mode (must be CFB) */
1015
	tpm_buf_append_u16(&buf, TPM_ALG_CFB);
1016
	/* hash algorithm for session */
1017
	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
1018

1019
	rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
1020
	tpm2_flush_context(chip, null_key);
1021

1022
	if (rc == TPM2_RC_SUCCESS)
1023
		rc = tpm2_parse_start_auth_session(auth, &buf);
1024

1025
	tpm_buf_destroy(&buf);
1026

1027
	if (rc == TPM2_RC_SUCCESS) {
1028
		chip->auth = auth;
1029
		return 0;
1030
	}
1031

1032
out:
1033
	kfree_sensitive(auth);
1034
	return rc;
1035
}
1036
EXPORT_SYMBOL(tpm2_start_auth_session);
1037

1038
/*
1039
 * A mask containing the object attributes for the kernel held null primary key
1040
 * used in HMAC encryption. For more information on specific attributes look up
1041
 * to "8.3 TPMA_OBJECT (Object Attributes)".
1042
 */
1043
#define TPM2_OA_NULL_KEY ( \
1044
	TPM2_OA_NO_DA | \
1045
	TPM2_OA_FIXED_TPM | \
1046
	TPM2_OA_FIXED_PARENT | \
1047
	TPM2_OA_SENSITIVE_DATA_ORIGIN |	\
1048
	TPM2_OA_USER_WITH_AUTH | \
1049
	TPM2_OA_DECRYPT | \
1050
	TPM2_OA_RESTRICTED)
1051

1052
/**
1053
 * tpm2_parse_create_primary() - parse the data returned from TPM_CC_CREATE_PRIMARY
1054
 *
1055
 * @chip:	The TPM the primary was created under
1056
 * @buf:	The response buffer from the chip
1057
 * @handle:	pointer to be filled in with the return handle of the primary
1058
 * @hierarchy:	The hierarchy the primary was created for
1059
 * @name:	pointer to be filled in with the primary key name
1060
 *
1061
 * Return:
1062
 * * 0		- OK
1063
 * * -errno	- A system error
1064
 * * TPM_RC	- A TPM error
1065
 */
1066
static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
1067
				     u32 *handle, u32 hierarchy, u8 *name)
1068
{
1069
	struct tpm_header *head = (struct tpm_header *)buf->data;
1070
	off_t offset_r = TPM_HEADER_SIZE, offset_t;
1071
	u16 len = TPM_HEADER_SIZE;
1072
	u32 total_len = be32_to_cpu(head->length);
1073
	u32 val, param_len, keyhandle;
1074

1075
	keyhandle = tpm_buf_read_u32(buf, &offset_r);
1076
	if (handle)
1077
		*handle = keyhandle;
1078
	else
1079
		tpm2_flush_context(chip, keyhandle);
1080

1081
	param_len = tpm_buf_read_u32(buf, &offset_r);
1082
	/*
1083
	 * param_len doesn't include the header, but all the other
1084
	 * lengths and offsets do, so add it to parm len to make
1085
	 * the comparisons easier
1086
	 */
1087
	param_len += TPM_HEADER_SIZE;
1088

1089
	if (param_len + 8 > total_len)
1090
		return -EINVAL;
1091
	len = tpm_buf_read_u16(buf, &offset_r);
1092
	offset_t = offset_r;
1093
	if (name) {
1094
		/*
1095
		 * now we have the public area, compute the name of
1096
		 * the object
1097
		 */
1098
		put_unaligned_be16(TPM_ALG_SHA256, name);
1099
		sha256(&buf->data[offset_r], len, name + 2);
1100
	}
1101

1102
	/* validate the public key */
1103
	val = tpm_buf_read_u16(buf, &offset_t);
1104

1105
	/* key type (must be what we asked for) */
1106
	if (val != TPM_ALG_ECC)
1107
		return -EINVAL;
1108
	val = tpm_buf_read_u16(buf, &offset_t);
1109

1110
	/* name algorithm */
1111
	if (val != TPM_ALG_SHA256)
1112
		return -EINVAL;
1113
	val = tpm_buf_read_u32(buf, &offset_t);
1114

1115
	/* object properties */
1116
	if (val != TPM2_OA_NULL_KEY)
1117
		return -EINVAL;
1118

1119
	/* auth policy (empty) */
1120
	val = tpm_buf_read_u16(buf, &offset_t);
1121
	if (val != 0)
1122
		return -EINVAL;
1123

1124
	/* symmetric key parameters */
1125
	val = tpm_buf_read_u16(buf, &offset_t);
1126
	if (val != TPM_ALG_AES)
1127
		return -EINVAL;
1128

1129
	/* symmetric key length */
1130
	val = tpm_buf_read_u16(buf, &offset_t);
1131
	if (val != AES_KEY_BITS)
1132
		return -EINVAL;
1133

1134
	/* symmetric encryption scheme */
1135
	val = tpm_buf_read_u16(buf, &offset_t);
1136
	if (val != TPM_ALG_CFB)
1137
		return -EINVAL;
1138

1139
	/* signing scheme */
1140
	val = tpm_buf_read_u16(buf, &offset_t);
1141
	if (val != TPM_ALG_NULL)
1142
		return -EINVAL;
1143

1144
	/* ECC Curve */
1145
	val = tpm_buf_read_u16(buf, &offset_t);
1146
	if (val != TPM2_ECC_NIST_P256)
1147
		return -EINVAL;
1148

1149
	/* KDF Scheme */
1150
	val = tpm_buf_read_u16(buf, &offset_t);
1151
	if (val != TPM_ALG_NULL)
1152
		return -EINVAL;
1153

1154
	/* extract public key (x and y points) */
1155
	val = tpm_buf_read_u16(buf, &offset_t);
1156
	if (val != EC_PT_SZ)
1157
		return -EINVAL;
1158
	memcpy(chip->null_ec_key_x, &buf->data[offset_t], val);
1159
	offset_t += val;
1160
	val = tpm_buf_read_u16(buf, &offset_t);
1161
	if (val != EC_PT_SZ)
1162
		return -EINVAL;
1163
	memcpy(chip->null_ec_key_y, &buf->data[offset_t], val);
1164
	offset_t += val;
1165

1166
	/* original length of the whole TPM2B */
1167
	offset_r += len;
1168

1169
	/* should have exactly consumed the TPM2B public structure */
1170
	if (offset_t != offset_r)
1171
		return -EINVAL;
1172
	if (offset_r > param_len)
1173
		return -EINVAL;
1174

1175
	/* creation data (skip) */
1176
	len = tpm_buf_read_u16(buf, &offset_r);
1177
	offset_r += len;
1178
	if (offset_r > param_len)
1179
		return -EINVAL;
1180

1181
	/* creation digest (must be sha256) */
1182
	len = tpm_buf_read_u16(buf, &offset_r);
1183
	offset_r += len;
1184
	if (len != SHA256_DIGEST_SIZE || offset_r > param_len)
1185
		return -EINVAL;
1186

1187
	/* TPMT_TK_CREATION follows */
1188
	/* tag, must be TPM_ST_CREATION (0x8021) */
1189
	val = tpm_buf_read_u16(buf, &offset_r);
1190
	if (val != TPM2_ST_CREATION || offset_r > param_len)
1191
		return -EINVAL;
1192

1193
	/* hierarchy */
1194
	val = tpm_buf_read_u32(buf, &offset_r);
1195
	if (val != hierarchy || offset_r > param_len)
1196
		return -EINVAL;
1197

1198
	/* the ticket digest HMAC (might not be sha256) */
1199
	len = tpm_buf_read_u16(buf, &offset_r);
1200
	offset_r += len;
1201
	if (offset_r > param_len)
1202
		return -EINVAL;
1203

1204
	/*
1205
	 * finally we have the name, which is a sha256 digest plus a 2
1206
	 * byte algorithm type
1207
	 */
1208
	len = tpm_buf_read_u16(buf, &offset_r);
1209
	if (offset_r + len != param_len + 8)
1210
		return -EINVAL;
1211
	if (len != SHA256_DIGEST_SIZE + 2)
1212
		return -EINVAL;
1213

1214
	if (memcmp(chip->null_key_name, &buf->data[offset_r],
1215
		   SHA256_DIGEST_SIZE + 2) != 0) {
1216
		dev_err(&chip->dev, "NULL Seed name comparison failed\n");
1217
		return -EINVAL;
1218
	}
1219

1220
	return 0;
1221
}
1222

1223
/**
1224
 * tpm2_create_primary() - create a primary key using a fixed P-256 template
1225
 *
1226
 * @chip:      the TPM chip to create under
1227
 * @hierarchy: The hierarchy handle to create under
1228
 * @handle:    The returned volatile handle on success
1229
 * @name:      The name of the returned key
1230
 *
1231
 * For platforms that might not have a persistent primary, this can be
1232
 * used to create one quickly on the fly (it uses Elliptic Curve not
1233
 * RSA, so even slow TPMs can create one fast).  The template uses the
1234
 * TCG mandated H one for non-endorsement ECC primaries, i.e. P-256
1235
 * elliptic curve (the only current one all TPM2s are required to
1236
 * have) a sha256 name hash and no policy.
1237
 *
1238
 * Return:
1239
 * * 0		- OK
1240
 * * -errno	- A system error
1241
 * * TPM_RC	- A TPM error
1242
 */
1243
static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
1244
			       u32 *handle, u8 *name)
1245
{
1246
	int rc;
1247
	struct tpm_buf buf;
1248
	struct tpm_buf template;
1249

1250
	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
1251
	if (rc)
1252
		return rc;
1253

1254
	rc = tpm_buf_init_sized(&template);
1255
	if (rc) {
1256
		tpm_buf_destroy(&buf);
1257
		return rc;
1258
	}
1259

1260
	/*
1261
	 * create the template.  Note: in order for userspace to
1262
	 * verify the security of the system, it will have to create
1263
	 * and certify this NULL primary, meaning all the template
1264
	 * parameters will have to be identical, so conform exactly to
1265
	 * the TCG TPM v2.0 Provisioning Guidance for the SRK ECC
1266
	 * key H template (H has zero size unique points)
1267
	 */
1268

1269
	/* key type */
1270
	tpm_buf_append_u16(&template, TPM_ALG_ECC);
1271

1272
	/* name algorithm */
1273
	tpm_buf_append_u16(&template, TPM_ALG_SHA256);
1274

1275
	/* object properties */
1276
	tpm_buf_append_u32(&template, TPM2_OA_NULL_KEY);
1277

1278
	/* sauth policy (empty) */
1279
	tpm_buf_append_u16(&template, 0);
1280

1281
	/* BEGIN parameters: key specific; for ECC*/
1282

1283
	/* symmetric algorithm */
1284
	tpm_buf_append_u16(&template, TPM_ALG_AES);
1285

1286
	/* bits for symmetric algorithm */
1287
	tpm_buf_append_u16(&template, AES_KEY_BITS);
1288

1289
	/* algorithm mode (must be CFB) */
1290
	tpm_buf_append_u16(&template, TPM_ALG_CFB);
1291

1292
	/* scheme (NULL means any scheme) */
1293
	tpm_buf_append_u16(&template, TPM_ALG_NULL);
1294

1295
	/* ECC Curve ID */
1296
	tpm_buf_append_u16(&template, TPM2_ECC_NIST_P256);
1297

1298
	/* KDF Scheme */
1299
	tpm_buf_append_u16(&template, TPM_ALG_NULL);
1300

1301
	/* unique: key specific; for ECC it is two zero size points */
1302
	tpm_buf_append_u16(&template, 0);
1303
	tpm_buf_append_u16(&template, 0);
1304

1305
	/* END parameters */
1306

1307
	/* primary handle */
1308
	tpm_buf_append_u32(&buf, hierarchy);
1309
	tpm_buf_append_empty_auth(&buf, TPM2_RS_PW);
1310

1311
	/* sensitive create size is 4 for two empty buffers */
1312
	tpm_buf_append_u16(&buf, 4);
1313

1314
	/* sensitive create auth data (empty) */
1315
	tpm_buf_append_u16(&buf, 0);
1316

1317
	/* sensitive create sensitive data (empty) */
1318
	tpm_buf_append_u16(&buf, 0);
1319

1320
	/* the public template */
1321
	tpm_buf_append(&buf, template.data, template.length);
1322
	tpm_buf_destroy(&template);
1323

1324
	/* outside info (empty) */
1325
	tpm_buf_append_u16(&buf, 0);
1326

1327
	/* creation PCR (none) */
1328
	tpm_buf_append_u32(&buf, 0);
1329

1330
	rc = tpm_transmit_cmd(chip, &buf, 0,
1331
			      "attempting to create NULL primary");
1332

1333
	if (rc == TPM2_RC_SUCCESS)
1334
		rc = tpm2_parse_create_primary(chip, &buf, handle, hierarchy,
1335
					       name);
1336

1337
	tpm_buf_destroy(&buf);
1338

1339
	return rc;
1340
}
1341

1342
static int tpm2_create_null_primary(struct tpm_chip *chip)
1343
{
1344
	u32 null_key;
1345
	int rc;
1346

1347
	rc = tpm2_create_primary(chip, TPM2_RH_NULL, &null_key,
1348
				 chip->null_key_name);
1349

1350
	if (rc == TPM2_RC_SUCCESS) {
1351
		unsigned int offset = 0; /* dummy offset for null key context */
1352

1353
		rc = tpm2_save_context(chip, null_key, chip->null_key_context,
1354
				       sizeof(chip->null_key_context), &offset);
1355
		tpm2_flush_context(chip, null_key);
1356
	}
1357

1358
	return rc;
1359
}
1360

1361
/**
1362
 * tpm2_sessions_init() - start of day initialization for the sessions code
1363
 * @chip: TPM chip
1364
 *
1365
 * Derive and context save the null primary and allocate memory in the
1366
 * struct tpm_chip for the authorizations.
1367
 *
1368
 * Return:
1369
 * * 0		- OK
1370
 * * -errno	- A system error
1371
 * * TPM_RC	- A TPM error
1372
 */
1373
int tpm2_sessions_init(struct tpm_chip *chip)
1374
{
1375
	int rc;
1376

1377
	rc = tpm2_create_null_primary(chip);
1378
	if (rc) {
1379
		dev_err(&chip->dev, "null key creation failed with %d\n", rc);
1380
		return rc;
1381
	}
1382

1383
	return rc;
1384
}
1385
#endif /* CONFIG_TCG_TPM2_HMAC */
1386

1387