Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...

[cascardo/linux.git] / security / keys / trusted.c

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 16dec53..0dcab20 100644 (file)
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -11,6 +11,7 @@
  * See Documentation/security/keys-trusted-encrypted.txt
  */
 
+#include <crypto/hash_info.h>
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/init.h>
@@ -710,7 +711,10 @@ enum {
        Opt_err = -1,
        Opt_new, Opt_load, Opt_update,
        Opt_keyhandle, Opt_keyauth, Opt_blobauth,
-       Opt_pcrinfo, Opt_pcrlock, Opt_migratable
+       Opt_pcrinfo, Opt_pcrlock, Opt_migratable,
+       Opt_hash,
+       Opt_policydigest,
+       Opt_policyhandle,
 };
 
 static const match_table_t key_tokens = {
@@ -723,6 +727,9 @@ static const match_table_t key_tokens = {
        {Opt_pcrinfo, "pcrinfo=%s"},
        {Opt_pcrlock, "pcrlock=%s"},
        {Opt_migratable, "migratable=%s"},
+       {Opt_hash, "hash=%s"},
+       {Opt_policydigest, "policydigest=%s"},
+       {Opt_policyhandle, "policyhandle=%s"},
        {Opt_err, NULL}
 };
 
@@ -736,11 +743,23 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
        int res;
        unsigned long handle;
        unsigned long lock;
+       unsigned long token_mask = 0;
+       int i;
+       int tpm2;
+
+       tpm2 = tpm_is_tpm2(TPM_ANY_NUM);
+       if (tpm2 < 0)
+               return tpm2;
+
+       opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
+       opt->digest_len = hash_digest_size[opt->hash];
 
        while ((p = strsep(&c, " \t"))) {
                if (*p == '\0' || *p == ' ' || *p == '\t')
                        continue;
                token = match_token(p, key_tokens, args);
+               if (test_and_set_bit(token, &token_mask))
+                       return -EINVAL;
 
                switch (token) {
                case Opt_pcrinfo:
@@ -787,6 +806,41 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
                                return -EINVAL;
                        opt->pcrlock = lock;
                        break;
+               case Opt_hash:
+                       if (test_bit(Opt_policydigest, &token_mask))
+                               return -EINVAL;
+                       for (i = 0; i < HASH_ALGO__LAST; i++) {
+                               if (!strcmp(args[0].from, hash_algo_name[i])) {
+                                       opt->hash = i;
+                                       opt->digest_len =
+                                               hash_digest_size[opt->hash];
+                                       break;
+                               }
+                       }
+                       if (i == HASH_ALGO__LAST)
+                               return -EINVAL;
+                       if  (!tpm2 && i != HASH_ALGO_SHA1) {
+                               pr_info("trusted_key: TPM 1.x only supports SHA-1.\n");
+                               return -EINVAL;
+                       }
+                       break;
+               case Opt_policydigest:
+                       if (!tpm2 ||
+                           strlen(args[0].from) != (2 * opt->digest_len))
+                               return -EINVAL;
+                       res = hex2bin(opt->policydigest, args[0].from,
+                                     opt->digest_len);
+                       if (res < 0)
+                               return -EINVAL;
+                       break;
+               case Opt_policyhandle:
+                       if (!tpm2)
+                               return -EINVAL;
+                       res = kstrtoul(args[0].from, 16, &handle);
+                       if (res < 0)
+                               return -EINVAL;
+                       opt->policyhandle = handle;
+                       break;
                default:
                        return -EINVAL;
                }