diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-11 08:27:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-11 08:27:49 +0000 |
commit | ace9429bb58fd418f0c81d4c2835699bddf6bde6 (patch) | |
tree | b2d64bc10158fdd5497876388cd68142ca374ed3 /include/keys | |
parent | Initial commit. (diff) | |
download | linux-ace9429bb58fd418f0c81d4c2835699bddf6bde6.tar.xz linux-ace9429bb58fd418f0c81d4c2835699bddf6bde6.zip |
Adding upstream version 6.6.15.upstream/6.6.15
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'include/keys')
-rw-r--r-- | include/keys/asymmetric-parser.h | 35 | ||||
-rw-r--r-- | include/keys/asymmetric-subtype.h | 60 | ||||
-rw-r--r-- | include/keys/asymmetric-type.h | 94 | ||||
-rw-r--r-- | include/keys/big_key-type.h | 23 | ||||
-rw-r--r-- | include/keys/ceph-type.h | 9 | ||||
-rw-r--r-- | include/keys/dns_resolver-type.h | 19 | ||||
-rw-r--r-- | include/keys/encrypted-type.h | 35 | ||||
-rw-r--r-- | include/keys/keyring-type.h | 14 | ||||
-rw-r--r-- | include/keys/request_key_auth-type.h | 33 | ||||
-rw-r--r-- | include/keys/rxrpc-type.h | 95 | ||||
-rw-r--r-- | include/keys/system_keyring.h | 133 | ||||
-rw-r--r-- | include/keys/trusted-type.h | 100 | ||||
-rw-r--r-- | include/keys/trusted_caam.h | 11 | ||||
-rw-r--r-- | include/keys/trusted_tee.h | 16 | ||||
-rw-r--r-- | include/keys/trusted_tpm.h | 98 | ||||
-rw-r--r-- | include/keys/user-type.h | 58 |
16 files changed, 833 insertions, 0 deletions
diff --git a/include/keys/asymmetric-parser.h b/include/keys/asymmetric-parser.h new file mode 100644 index 0000000000..516a3f5117 --- /dev/null +++ b/include/keys/asymmetric-parser.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* Asymmetric public-key cryptography data parser + * + * See Documentation/crypto/asymmetric-keys.rst + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_ASYMMETRIC_PARSER_H +#define _KEYS_ASYMMETRIC_PARSER_H + +struct key_preparsed_payload; + +/* + * Key data parser. Called during key instantiation. + */ +struct asymmetric_key_parser { + struct list_head link; + struct module *owner; + const char *name; + + /* Attempt to parse a key from the data blob passed to add_key() or + * keyctl_instantiate(). Should also generate a proposed description + * that the caller can optionally use for the key. + * + * Return EBADMSG if not recognised. + */ + int (*parse)(struct key_preparsed_payload *prep); +}; + +extern int register_asymmetric_key_parser(struct asymmetric_key_parser *); +extern void unregister_asymmetric_key_parser(struct asymmetric_key_parser *); + +#endif /* _KEYS_ASYMMETRIC_PARSER_H */ diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h new file mode 100644 index 0000000000..d55171f640 --- /dev/null +++ b/include/keys/asymmetric-subtype.h @@ -0,0 +1,60 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* Asymmetric public-key cryptography key subtype + * + * See Documentation/crypto/asymmetric-keys.rst + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_ASYMMETRIC_SUBTYPE_H +#define _KEYS_ASYMMETRIC_SUBTYPE_H + +#include <linux/seq_file.h> +#include <keys/asymmetric-type.h> + +struct kernel_pkey_query; +struct kernel_pkey_params; +struct public_key_signature; + +/* + * Keys of this type declare a subtype that indicates the handlers and + * capabilities. + */ +struct asymmetric_key_subtype { + struct module *owner; + const char *name; + unsigned short name_len; /* length of name */ + + /* Describe a key of this subtype for /proc/keys */ + void (*describe)(const struct key *key, struct seq_file *m); + + /* Destroy a key of this subtype */ + void (*destroy)(void *payload_crypto, void *payload_auth); + + int (*query)(const struct kernel_pkey_params *params, + struct kernel_pkey_query *info); + + /* Encrypt/decrypt/sign data */ + int (*eds_op)(struct kernel_pkey_params *params, + const void *in, void *out); + + /* Verify the signature on a key of this subtype (optional) */ + int (*verify_signature)(const struct key *key, + const struct public_key_signature *sig); +}; + +/** + * asymmetric_key_subtype - Get the subtype from an asymmetric key + * @key: The key of interest. + * + * Retrieves and returns the subtype pointer of the asymmetric key from the + * type-specific data attached to the key. + */ +static inline +struct asymmetric_key_subtype *asymmetric_key_subtype(const struct key *key) +{ + return key->payload.data[asym_subtype]; +} + +#endif /* _KEYS_ASYMMETRIC_SUBTYPE_H */ diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h new file mode 100644 index 0000000000..69a13e1e5b --- /dev/null +++ b/include/keys/asymmetric-type.h @@ -0,0 +1,94 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* Asymmetric Public-key cryptography key type interface + * + * See Documentation/crypto/asymmetric-keys.rst + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_ASYMMETRIC_TYPE_H +#define _KEYS_ASYMMETRIC_TYPE_H + +#include <linux/key-type.h> +#include <linux/verification.h> + +extern struct key_type key_type_asymmetric; + +/* + * The key payload is four words. The asymmetric-type key uses them as + * follows: + */ +enum asymmetric_payload_bits { + asym_crypto, /* The data representing the key */ + asym_subtype, /* Pointer to an asymmetric_key_subtype struct */ + asym_key_ids, /* Pointer to an asymmetric_key_ids struct */ + asym_auth /* The key's authorisation (signature, parent key ID) */ +}; + +/* + * Identifiers for an asymmetric key ID. We have three ways of looking up a + * key derived from an X.509 certificate: + * + * (1) Serial Number & Issuer. Non-optional. This is the only valid way to + * map a PKCS#7 signature to an X.509 certificate. + * + * (2) Issuer & Subject Unique IDs. Optional. These were the original way to + * match X.509 certificates, but have fallen into disuse in favour of (3). + * + * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on + * CA keys that are intended to sign other keys, so don't appear in end + * user certificates unless forced. + * + * We could also support an PGP key identifier, which is just a SHA1 sum of the + * public key and certain parameters, but since we don't support PGP keys at + * the moment, we shall ignore those. + * + * What we actually do is provide a place where binary identifiers can be + * stashed and then compare against them when checking for an id match. + */ +struct asymmetric_key_id { + unsigned short len; + unsigned char data[]; +}; + +struct asymmetric_key_ids { + void *id[3]; +}; + +extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1, + const struct asymmetric_key_id *kid2); + +extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1, + const struct asymmetric_key_id *kid2); + +extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, + size_t len_1, + const void *val_2, + size_t len_2); +static inline +const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) +{ + return key->payload.data[asym_key_ids]; +} + +static inline +const struct public_key *asymmetric_key_public_key(const struct key *key) +{ + return key->payload.data[asym_crypto]; +} + +extern struct key *find_asymmetric_key(struct key *keyring, + const struct asymmetric_key_id *id_0, + const struct asymmetric_key_id *id_1, + const struct asymmetric_key_id *id_2, + bool partial); + +int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +/* + * The payload is at the discretion of the subtype. + */ + +#endif /* _KEYS_ASYMMETRIC_TYPE_H */ diff --git a/include/keys/big_key-type.h b/include/keys/big_key-type.h new file mode 100644 index 0000000000..988d90d77f --- /dev/null +++ b/include/keys/big_key-type.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* Big capacity key type. + * + * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_BIG_KEY_TYPE_H +#define _KEYS_BIG_KEY_TYPE_H + +#include <linux/key-type.h> + +extern struct key_type key_type_big_key; + +extern int big_key_preparse(struct key_preparsed_payload *prep); +extern void big_key_free_preparse(struct key_preparsed_payload *prep); +extern void big_key_revoke(struct key *key); +extern void big_key_destroy(struct key *key); +extern void big_key_describe(const struct key *big_key, struct seq_file *m); +extern long big_key_read(const struct key *key, char *buffer, size_t buflen); +extern int big_key_update(struct key *key, struct key_preparsed_payload *prep); + +#endif /* _KEYS_BIG_KEY_TYPE_H */ diff --git a/include/keys/ceph-type.h b/include/keys/ceph-type.h new file mode 100644 index 0000000000..aa6d3e050c --- /dev/null +++ b/include/keys/ceph-type.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _KEYS_CEPH_TYPE_H +#define _KEYS_CEPH_TYPE_H + +#include <linux/key.h> + +extern struct key_type key_type_ceph; + +#endif diff --git a/include/keys/dns_resolver-type.h b/include/keys/dns_resolver-type.h new file mode 100644 index 0000000000..218ca22fb0 --- /dev/null +++ b/include/keys/dns_resolver-type.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* DNS resolver key type + * + * Copyright (C) 2010 Wang Lei. All Rights Reserved. + * Written by Wang Lei (wang840925@gmail.com) + */ + +#ifndef _KEYS_DNS_RESOLVER_TYPE_H +#define _KEYS_DNS_RESOLVER_TYPE_H + +#include <linux/key-type.h> + +extern struct key_type key_type_dns_resolver; + +extern int request_dns_resolver_key(const char *description, + const char *callout_info, + char **data); + +#endif /* _KEYS_DNS_RESOLVER_TYPE_H */ diff --git a/include/keys/encrypted-type.h b/include/keys/encrypted-type.h new file mode 100644 index 0000000000..abfcbe0200 --- /dev/null +++ b/include/keys/encrypted-type.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2010 IBM Corporation + * Copyright (C) 2010 Politecnico di Torino, Italy + * TORSEC group -- https://security.polito.it + * + * Authors: + * Mimi Zohar <zohar@us.ibm.com> + * Roberto Sassu <roberto.sassu@polito.it> + */ + +#ifndef _KEYS_ENCRYPTED_TYPE_H +#define _KEYS_ENCRYPTED_TYPE_H + +#include <linux/key.h> +#include <linux/rcupdate.h> + +struct encrypted_key_payload { + struct rcu_head rcu; + char *format; /* datablob: format */ + char *master_desc; /* datablob: master key name */ + char *datalen; /* datablob: decrypted key length */ + u8 *iv; /* datablob: iv */ + u8 *encrypted_data; /* datablob: encrypted data */ + unsigned short datablob_len; /* length of datablob */ + unsigned short decrypted_datalen; /* decrypted data length */ + unsigned short payload_datalen; /* payload data length */ + unsigned short encrypted_key_format; /* encrypted key format */ + u8 *decrypted_data; /* decrypted data */ + u8 payload_data[]; /* payload data + datablob + hmac */ +}; + +extern struct key_type key_type_encrypted; + +#endif /* _KEYS_ENCRYPTED_TYPE_H */ diff --git a/include/keys/keyring-type.h b/include/keys/keyring-type.h new file mode 100644 index 0000000000..1dc83862f5 --- /dev/null +++ b/include/keys/keyring-type.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* Keyring key type + * + * Copyright (C) 2008, 2013 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_KEYRING_TYPE_H +#define _KEYS_KEYRING_TYPE_H + +#include <linux/key.h> +#include <linux/assoc_array.h> + +#endif /* _KEYS_KEYRING_TYPE_H */ diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h new file mode 100644 index 0000000000..36b89a9333 --- /dev/null +++ b/include/keys/request_key_auth-type.h @@ -0,0 +1,33 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* request_key authorisation token key type + * + * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_REQUEST_KEY_AUTH_TYPE_H +#define _KEYS_REQUEST_KEY_AUTH_TYPE_H + +#include <linux/key.h> + +/* + * Authorisation record for request_key(). + */ +struct request_key_auth { + struct rcu_head rcu; + struct key *target_key; + struct key *dest_keyring; + const struct cred *cred; + void *callout_info; + size_t callout_len; + pid_t pid; + char op[8]; +} __randomize_layout; + +static inline struct request_key_auth *get_request_key_auth(const struct key *key) +{ + return key->payload.data[0]; +} + + +#endif /* _KEYS_REQUEST_KEY_AUTH_TYPE_H */ diff --git a/include/keys/rxrpc-type.h b/include/keys/rxrpc-type.h new file mode 100644 index 0000000000..333c0f49a9 --- /dev/null +++ b/include/keys/rxrpc-type.h @@ -0,0 +1,95 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* RxRPC key type + * + * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_RXRPC_TYPE_H +#define _KEYS_RXRPC_TYPE_H + +#include <linux/key.h> + +/* + * key type for AF_RXRPC keys + */ +extern struct key_type key_type_rxrpc; + +extern struct key *rxrpc_get_null_key(const char *); + +/* + * RxRPC key for Kerberos IV (type-2 security) + */ +struct rxkad_key { + u32 vice_id; + u32 start; /* time at which ticket starts */ + u32 expiry; /* time at which ticket expires */ + u32 kvno; /* key version number */ + u8 primary_flag; /* T if key for primary cell for this user */ + u16 ticket_len; /* length of ticket[] */ + u8 session_key[8]; /* DES session key */ + u8 ticket[]; /* the encrypted ticket */ +}; + +/* + * list of tokens attached to an rxrpc key + */ +struct rxrpc_key_token { + u16 security_index; /* RxRPC header security index */ + bool no_leak_key; /* Don't copy the key to userspace */ + struct rxrpc_key_token *next; /* the next token in the list */ + union { + struct rxkad_key *kad; + }; +}; + +/* + * structure of raw payloads passed to add_key() or instantiate key + */ +struct rxrpc_key_data_v1 { + u16 security_index; + u16 ticket_length; + u32 expiry; /* time_t */ + u32 kvno; + u8 session_key[8]; + u8 ticket[]; +}; + +/* + * AF_RXRPC key payload derived from XDR format + * - based on openafs-1.4.10/src/auth/afs_token.xg + */ +#define AFSTOKEN_LENGTH_MAX 16384 /* max payload size */ +#define AFSTOKEN_STRING_MAX 256 /* max small string length */ +#define AFSTOKEN_DATA_MAX 64 /* max small data length */ +#define AFSTOKEN_CELL_MAX 64 /* max cellname length */ +#define AFSTOKEN_MAX 8 /* max tokens per payload */ +#define AFSTOKEN_BDATALN_MAX 16384 /* max big data length */ +#define AFSTOKEN_RK_TIX_MAX 12000 /* max RxKAD ticket size */ +#define AFSTOKEN_GK_KEY_MAX 64 /* max GSSAPI key size */ +#define AFSTOKEN_GK_TOKEN_MAX 16384 /* max GSSAPI token size */ + +/* + * Truncate a time64_t to the range from 1970 to 2106 as in the network + * protocol. + */ +static inline u32 rxrpc_time64_to_u32(time64_t time) +{ + if (time < 0) + return 0; + + if (time > UINT_MAX) + return UINT_MAX; + + return (u32)time; +} + +/* + * Extend u32 back to time64_t using the same 1970-2106 range. + */ +static inline time64_t rxrpc_u32_to_time64(u32 time) +{ + return (time64_t)time; +} + +#endif /* _KEYS_RXRPC_TYPE_H */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h new file mode 100644 index 0000000000..8365adf842 --- /dev/null +++ b/include/keys/system_keyring.h @@ -0,0 +1,133 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* System keyring containing trusted public keys. + * + * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_SYSTEM_KEYRING_H +#define _KEYS_SYSTEM_KEYRING_H + +#include <linux/key.h> + +enum blacklist_hash_type { + /* TBSCertificate hash */ + BLACKLIST_HASH_X509_TBS = 1, + /* Raw data hash */ + BLACKLIST_HASH_BINARY = 2, +}; + +#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING + +extern int restrict_link_by_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); +extern __init int load_module_cert(struct key *keyring); + +#else +#define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_digsig_builtin restrict_link_reject + +static inline __init int load_module_cert(struct key *keyring) +{ + return 0; +} + +#endif + +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +extern int restrict_link_by_builtin_and_secondary_trusted( + struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); +int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len); +#else +#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin +static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) +{ +} +#endif + +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern int restrict_link_by_builtin_secondary_and_machine( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); +extern void __init set_machine_trusted_keys(struct key *keyring); +#else +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted +static inline void __init set_machine_trusted_keys(struct key *keyring) +{ +} +#endif + +extern struct pkcs7_message *pkcs7; +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING +extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type); +extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type); +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); +#else +static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + return 0; +} + +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + return 0; +} +#endif + +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern int add_key_to_revocation_list(const char *data, size_t size); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +#else +static inline int add_key_to_revocation_list(const char *data, size_t size) +{ + return 0; +} +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + return -ENOKEY; +} +#endif + +#ifdef CONFIG_IMA_BLACKLIST_KEYRING +extern struct key *ima_blacklist_keyring; + +static inline struct key *get_ima_blacklist_keyring(void) +{ + return ima_blacklist_keyring; +} +#else +static inline struct key *get_ima_blacklist_keyring(void) +{ + return NULL; +} +#endif /* CONFIG_IMA_BLACKLIST_KEYRING */ + +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ + defined(CONFIG_SYSTEM_TRUSTED_KEYRING) +extern void __init set_platform_trusted_keys(struct key *keyring); +#else +static inline void set_platform_trusted_keys(struct key *keyring) +{ +} +#endif + +#endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h new file mode 100644 index 0000000000..4eb64548a7 --- /dev/null +++ b/include/keys/trusted-type.h @@ -0,0 +1,100 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2010 IBM Corporation + * Author: David Safford <safford@us.ibm.com> + */ + +#ifndef _KEYS_TRUSTED_TYPE_H +#define _KEYS_TRUSTED_TYPE_H + +#include <linux/key.h> +#include <linux/rcupdate.h> +#include <linux/tpm.h> + +#ifdef pr_fmt +#undef pr_fmt +#endif + +#define pr_fmt(fmt) "trusted_key: " fmt + +#define MIN_KEY_SIZE 32 +#define MAX_KEY_SIZE 128 +#define MAX_BLOB_SIZE 512 +#define MAX_PCRINFO_SIZE 64 +#define MAX_DIGEST_SIZE 64 + +struct trusted_key_payload { + struct rcu_head rcu; + unsigned int key_len; + unsigned int blob_len; + unsigned char migratable; + unsigned char old_format; + unsigned char key[MAX_KEY_SIZE + 1]; + unsigned char blob[MAX_BLOB_SIZE]; +}; + +struct trusted_key_options { + uint16_t keytype; + uint32_t keyhandle; + unsigned char keyauth[TPM_DIGEST_SIZE]; + uint32_t blobauth_len; + unsigned char blobauth[TPM_DIGEST_SIZE]; + uint32_t pcrinfo_len; + unsigned char pcrinfo[MAX_PCRINFO_SIZE]; + int pcrlock; + uint32_t hash; + uint32_t policydigest_len; + unsigned char policydigest[MAX_DIGEST_SIZE]; + uint32_t policyhandle; +}; + +struct trusted_key_ops { + /* + * flag to indicate if trusted key implementation supports migration + * or not. + */ + unsigned char migratable; + + /* Initialize key interface. */ + int (*init)(void); + + /* Seal a key. */ + int (*seal)(struct trusted_key_payload *p, char *datablob); + + /* Unseal a key. */ + int (*unseal)(struct trusted_key_payload *p, char *datablob); + + /* Optional: Get a randomized key. */ + int (*get_random)(unsigned char *key, size_t key_len); + + /* Exit key interface. */ + void (*exit)(void); +}; + +struct trusted_key_source { + char *name; + struct trusted_key_ops *ops; +}; + +extern struct key_type key_type_trusted; + +#define TRUSTED_DEBUG 0 + +#if TRUSTED_DEBUG +static inline void dump_payload(struct trusted_key_payload *p) +{ + pr_info("key_len %d\n", p->key_len); + print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE, + 16, 1, p->key, p->key_len, 0); + pr_info("bloblen %d\n", p->blob_len); + print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE, + 16, 1, p->blob, p->blob_len, 0); + pr_info("migratable %d\n", p->migratable); +} +#else +static inline void dump_payload(struct trusted_key_payload *p) +{ +} +#endif + +#endif /* _KEYS_TRUSTED_TYPE_H */ diff --git a/include/keys/trusted_caam.h b/include/keys/trusted_caam.h new file mode 100644 index 0000000000..73fe2f32f6 --- /dev/null +++ b/include/keys/trusted_caam.h @@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum <kernel@pengutronix.de> + */ + +#ifndef __CAAM_TRUSTED_KEY_H +#define __CAAM_TRUSTED_KEY_H + +extern struct trusted_key_ops trusted_key_caam_ops; + +#endif diff --git a/include/keys/trusted_tee.h b/include/keys/trusted_tee.h new file mode 100644 index 0000000000..151be25a97 --- /dev/null +++ b/include/keys/trusted_tee.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) 2019-2021 Linaro Ltd. + * + * Author: + * Sumit Garg <sumit.garg@linaro.org> + */ + +#ifndef __TEE_TRUSTED_KEY_H +#define __TEE_TRUSTED_KEY_H + +#include <keys/trusted-type.h> + +extern struct trusted_key_ops trusted_key_tee_ops; + +#endif diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h new file mode 100644 index 0000000000..7769b72686 --- /dev/null +++ b/include/keys/trusted_tpm.h @@ -0,0 +1,98 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __TRUSTED_TPM_H +#define __TRUSTED_TPM_H + +#include <keys/trusted-type.h> +#include <linux/tpm_command.h> + +/* implementation specific TPM constants */ +#define MAX_BUF_SIZE 1024 +#define TPM_GETRANDOM_SIZE 14 +#define TPM_SIZE_OFFSET 2 +#define TPM_RETURN_OFFSET 6 +#define TPM_DATA_OFFSET 10 + +#define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset])) +#define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset]) +#define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset])) + +extern struct trusted_key_ops trusted_key_tpm_ops; + +struct osapsess { + uint32_t handle; + unsigned char secret[SHA1_DIGEST_SIZE]; + unsigned char enonce[TPM_NONCE_SIZE]; +}; + +/* discrete values, but have to store in uint16_t for TPM use */ +enum { + SEAL_keytype = 1, + SRK_keytype = 4 +}; + +int TSS_authhmac(unsigned char *digest, const unsigned char *key, + unsigned int keylen, unsigned char *h1, + unsigned char *h2, unsigned int h3, ...); +int TSS_checkhmac1(unsigned char *buffer, + const uint32_t command, + const unsigned char *ononce, + const unsigned char *key, + unsigned int keylen, ...); + +int trusted_tpm_send(unsigned char *cmd, size_t buflen); +int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce); + +int tpm2_seal_trusted(struct tpm_chip *chip, + struct trusted_key_payload *payload, + struct trusted_key_options *options); +int tpm2_unseal_trusted(struct tpm_chip *chip, + struct trusted_key_payload *payload, + struct trusted_key_options *options); + +#define TPM_DEBUG 0 + +#if TPM_DEBUG +static inline void dump_options(struct trusted_key_options *o) +{ + pr_info("sealing key type %d\n", o->keytype); + pr_info("sealing key handle %0X\n", o->keyhandle); + pr_info("pcrlock %d\n", o->pcrlock); + pr_info("pcrinfo %d\n", o->pcrinfo_len); + print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE, + 16, 1, o->pcrinfo, o->pcrinfo_len, 0); +} + +static inline void dump_sess(struct osapsess *s) +{ + print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE, + 16, 1, &s->handle, 4, 0); + pr_info("secret:\n"); + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, + 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0); + pr_info("trusted-key: enonce:\n"); + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, + 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0); +} + +static inline void dump_tpm_buf(unsigned char *buf) +{ + int len; + + pr_info("\ntpm buffer\n"); + len = LOAD32(buf, TPM_SIZE_OFFSET); + print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0); +} +#else +static inline void dump_options(struct trusted_key_options *o) +{ +} + +static inline void dump_sess(struct osapsess *s) +{ +} + +static inline void dump_tpm_buf(unsigned char *buf) +{ +} +#endif +#endif diff --git a/include/keys/user-type.h b/include/keys/user-type.h new file mode 100644 index 0000000000..386c314327 --- /dev/null +++ b/include/keys/user-type.h @@ -0,0 +1,58 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* user-type.h: User-defined key type + * + * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_USER_TYPE_H +#define _KEYS_USER_TYPE_H + +#include <linux/key.h> +#include <linux/rcupdate.h> + +#ifdef CONFIG_KEYS + +/*****************************************************************************/ +/* + * the payload for a key of type "user" or "logon" + * - once filled in and attached to a key: + * - the payload struct is invariant may not be changed, only replaced + * - the payload must be read with RCU procedures or with the key semaphore + * held + * - the payload may only be replaced with the key semaphore write-locked + * - the key's data length is the size of the actual data, not including the + * payload wrapper + */ +struct user_key_payload { + struct rcu_head rcu; /* RCU destructor */ + unsigned short datalen; /* length of this data */ + char data[] __aligned(__alignof__(u64)); /* actual data */ +}; + +extern struct key_type key_type_user; +extern struct key_type key_type_logon; + +struct key_preparsed_payload; + +extern int user_preparse(struct key_preparsed_payload *prep); +extern void user_free_preparse(struct key_preparsed_payload *prep); +extern int user_update(struct key *key, struct key_preparsed_payload *prep); +extern void user_revoke(struct key *key); +extern void user_destroy(struct key *key); +extern void user_describe(const struct key *user, struct seq_file *m); +extern long user_read(const struct key *key, char *buffer, size_t buflen); + +static inline const struct user_key_payload *user_key_payload_rcu(const struct key *key) +{ + return (struct user_key_payload *)dereference_key_rcu(key); +} + +static inline struct user_key_payload *user_key_payload_locked(const struct key *key) +{ + return (struct user_key_payload *)dereference_key_locked((struct key *)key); +} + +#endif /* CONFIG_KEYS */ + +#endif /* _KEYS_USER_TYPE_H */ |