Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.

Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
---
 drivers/char/tpm/tpm2-cmd.c | 2 +-
 include/linux/tpm_command.h | 1 -
 security/keys/trusted.c | 18 ++++++++++++++----
 security/keys/trusted.h | 7 +++++++
 4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 0986c96..0fba698 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -422,7 +422,7 @@ static int tpm2_load(struct tpm_chip *chip,
 options->keyauth /* hmac */,
 TPM_DIGEST_SIZE);
- tpm_buf_append(&buf, payload->blob, payload->blob_len);
+ tpm_buf_append(&buf, payload->blob, blob_len);
 rc = tpm_transmit_cmd(chip, buf.data, TPM_BUF_SIZE, "loading blob");
 if (!rc)
diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
index 727512e..d7b0f82 100644
--- a/include/linux/tpm_command.h
+++ b/include/linux/tpm_command.h
@@ -22,7 +22,6 @@
 #define TPM_ORD_UNSEAL 24
 /* Other constants */
-#define SRKHANDLE 0x40000000
 #define TPM_NONCE_SIZE 20
 #endif
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb..f6557b1 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -601,7 +601,7 @@ static int tpm_unseal(struct tpm_buf *tb,
 }
 ordinal = htonl(TPM_ORD_UNSEAL);
- keyhndl = htonl(SRKHANDLE);
+ keyhndl = htonl(TPM1_SRKHANDLE);
 ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
 if (ret != TPM_NONCE_SIZE) {
 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
@@ -867,7 +867,11 @@ static struct trusted_key_options *trusted_options_alloc(void)
 if (options) {
 /* set any non-zero defaults */
 options->keytype = SRK_keytype;
- options->keyhandle = SRKHANDLE;
+
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ options->keyhandle = TPM2_SRKHANDLE;
+ else
+ options->keyhandle = TPM1_SRKHANDLE;
 }
 return options;
 }
@@ -937,7 +941,10 @@ static int trusted_instantiate(struct key *key,
 switch (key_cmd) {
 case Opt_load:
- ret = key_unseal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_unseal(payload, options);
 dump_payload(payload);
 dump_options(options);
 if (ret < 0)
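Review bot: The change from `payload->blob_len` to `blob_len` in the tpm_buf_append() call in tpm2_load is not described by the commit message, which only mentions wiring up tpm_seal_trusted()/tpm_unseal_trusted(), so a reader of the log cannot tell why the appended length changed. Where `blob_len` is computed lies outside the hunk and I cannot confirm it here, but since the call presumably copies that many bytes out of `payload->blob`, whatever derives `blob_len` must have bounded it by `payload->blob_len` before this line. Either split this into its own patch or add a sentence such as `tpm2_load(): append only blob_len bytes of the blob rather than payload->blob_len, because <reason>.` to the description. tpm2_load begins and continues outside the hunk.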
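Review bot: The new `if (tpm_is_tpm2(TPM_ANY_NUM))` in trusted_options_alloc treats any non-zero return as "TPM 2.0 present"; if tpm_is_tpm2() reports a missing chip with a negative errno, as the in-tree implementation does with -ENODEV, a system without a TPM gets `TPM2_SRKHANDLE` as its default and, in the Opt_load and Opt_new hunks of trusted_instantiate (@@ -937 and @@ -950), is routed to tpm_unseal_trusted()/tpm_seal_trusted() instead of the existing TPM 1.2 path. All three tests should take the TPM 2.0 branch only on a positive result, e.g. `if (tpm_is_tpm2(TPM_ANY_NUM) > 0)`, or, in trusted_instantiate, store the result in `ret` once and `goto out` on a negative value before dispatching. Noting this once here; the same change applies to the two trusted_instantiate hunks.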
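Review bot: The TPM-version dispatch added to the Opt_load case is duplicated verbatim in the Opt_new case (@@ -950), and each copy calls tpm_is_tpm2(TPM_ANY_NUM), which has to look the chip up again. Since both cases live in trusted_instantiate, the result could be computed once before `switch (key_cmd)` and each case reduced to `if (tpm2) ... else ...`; the start of trusted_instantiate is outside the hunk, so the exact spot is not visible here. A one-line comment above the switch such as `/* TPM 2.0 chips seal/unseal through the tpm driver; TPM 1.2 keeps the in-module key_seal()/key_unseal() path */` would also make the split easier to follow.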
@@ -950,7 +957,10 @@ static int trusted_instantiate(struct key *key,
 pr_info("trusted_key: key_create failed (%d)\n", ret);
 goto out;
 }
- ret = key_seal(payload, options);
+ if (tpm_is_tpm2(TPM_ANY_NUM))
+ ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options);
+ else
+ ret = key_seal(payload, options);
 if (ret < 0)
 pr_info("trusted_key: key_seal failed (%d)\n", ret);
 break;
diff --git a/security/keys/trusted.h b/security/keys/trusted.h
index ff001a5..fc32c47 100644
--- a/security/keys/trusted.h
+++ b/security/keys/trusted.h
@@ -12,6 +12,13 @@
 #define TPM_RETURN_OFFSET 6
 #define TPM_DATA_OFFSET 10
+/* Transient object handles start from 0x80000000 in TPM 2.0, which makes it
+ * a sane default.
+ */
+
+#define TPM1_SRKHANDLE 0x40000000
+#define TPM2_SRKHANDLE 0x80000000
+
 #define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset]))
 #define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset])
 #define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset]))
-- 
2.5.0

-- 
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
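Review bot: After this hunk the message `pr_info("trusted_key: key_seal failed (%d)\n", ret);` directly below the new dispatch is printed for both branches, so a tpm_seal_trusted() failure on a TPM 2.0 chip is reported as a key_seal() failure, which will mislead whoever debugs it. A branch-neutral wording such as `pr_info("trusted_key: sealing failed (%d)\n", ret);`, or logging inside the TPM 2.0 helper itself, avoids that. The Opt_load case (@@ -937) ends at its `if (ret < 0)` inside that hunk, so whether it has the same problem is not visible here. The rest of trusted_instantiate lies outside the hunk.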
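Review bot: The new comment above `TPM2_SRKHANDLE` says why 0x80000000 is the first transient handle but not what a caller must do for it to be usable: an object only exists at a transient handle after something has been loaded or created there and, if the TPM 2.0 naming holds for this driver, it does not survive a TPM reset, unlike the permanent `TPM1_SRKHANDLE` of TPM 1.2. A key created with the default keyhandle may therefore stop being loadable after a reboot unless userspace recreates the primary object at 0x80000000 or passes `keyhandle=` explicitly. Suggest extending the comment with `Unlike the TPM 1.2 SRK handle this is a transient handle: the SRK must be loaded at 0x80000000 (or an explicit keyhandle= given) before sealing or unsealing.`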