2022-09-06 05:51:23

by Pankaj Gupta

[permalink] [raw]
Subject: [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added

Two changes are done:
- new cmd line option "hw" needs to be suffix, to generate the
hw bound key.
for ex:
$:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
$:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s

- For "new", generating the hw bounded trusted key, updating the input key
length as part of seal operation as well.

Signed-off-by: Pankaj Gupta <[email protected]>
---
include/keys/trusted-type.h | 2 ++
security/keys/trusted-keys/trusted_caam.c | 6 ++++++
security/keys/trusted-keys/trusted_core.c | 14 ++++++++++++++
3 files changed, 22 insertions(+)

diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..064266b936c7 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -22,6 +22,7 @@
#define MAX_BLOB_SIZE 512
#define MAX_PCRINFO_SIZE 64
#define MAX_DIGEST_SIZE 64
+#define HW_BOUND_KEY 1

struct trusted_key_payload {
struct rcu_head rcu;
@@ -29,6 +30,7 @@ struct trusted_key_payload {
unsigned int blob_len;
unsigned char migratable;
unsigned char old_format;
+ unsigned char is_hw_bound;
unsigned char key[MAX_KEY_SIZE + 1];
unsigned char blob[MAX_BLOB_SIZE];
};
diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
index e3415c520c0a..fceb9a271c4d 100644
--- a/security/keys/trusted-keys/trusted_caam.c
+++ b/security/keys/trusted-keys/trusted_caam.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2021 Pengutronix, Ahmad Fatoum <[email protected]>
+ * Copyright 2022 NXP, Pankaj Gupta <[email protected]>
*/

#include <keys/trusted_caam.h>
@@ -23,6 +24,7 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
.input = p->key, .input_len = p->key_len,
.output = p->blob, .output_len = MAX_BLOB_SIZE,
.key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
+ .is_hw_bound = p->is_hw_bound,
};

ret = caam_encap_blob(blobifier, &info);
@@ -30,6 +32,9 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
return ret;

p->blob_len = info.output_len;
+ if (p->is_hw_bound)
+ p->key_len = info.input_len;
+
return 0;
}

@@ -40,6 +45,7 @@ static int trusted_caam_unseal(struct trusted_key_payload *p, char *datablob)
.input = p->blob, .input_len = p->blob_len,
.output = p->key, .output_len = MAX_KEY_SIZE,
.key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
+ .is_hw_bound = p->is_hw_bound,
};

ret = caam_decap_blob(blobifier, &info);
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..7f7cc2551b92 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
int key_cmd;
char *c;

+ p->is_hw_bound = !HW_BOUND_KEY;
+
/* main command */
c = strsep(datablob, " \t");
if (!c)
@@ -94,6 +96,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
return -EINVAL;
p->key_len = keylen;
+ /* second argument is to determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if (c) {
+ if (strcmp(c, "hw") == 0)
+ p->is_hw_bound = HW_BOUND_KEY;
+ }
ret = Opt_new;
break;
case Opt_load:
@@ -107,6 +115,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
ret = hex2bin(p->blob, c, p->blob_len);
if (ret < 0)
return -EINVAL;
+ /* second argument is to determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if (c) {
+ if (strcmp(c, "hw") == 0)
+ p->is_hw_bound = HW_BOUND_KEY;
+ }
ret = Opt_load;
break;
case Opt_update:
--
2.17.1


2022-09-06 13:07:37

by Ben Boeckel

[permalink] [raw]
Subject: Re: [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added

On Tue, Sep 06, 2022 at 12:21:50 +0530, Pankaj Gupta wrote:
> Two changes are done:
> - new cmd line option "hw" needs to be suffix, to generate the
> hw bound key.
> for ex:
> $:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
> $:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s
>
> - For "new", generating the hw bounded trusted key, updating the input key
> length as part of seal operation as well.
>
> Signed-off-by: Pankaj Gupta <[email protected]>
> ---
> include/keys/trusted-type.h | 2 ++
> security/keys/trusted-keys/trusted_caam.c | 6 ++++++
> security/keys/trusted-keys/trusted_core.c | 14 ++++++++++++++
> 3 files changed, 22 insertions(+)
>
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index 4eb64548a74f..064266b936c7 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -22,6 +22,7 @@
> #define MAX_BLOB_SIZE 512
> #define MAX_PCRINFO_SIZE 64
> #define MAX_DIGEST_SIZE 64
> +#define HW_BOUND_KEY 1
>
> struct trusted_key_payload {
> struct rcu_head rcu;
> @@ -29,6 +30,7 @@ struct trusted_key_payload {
> unsigned int blob_len;
> unsigned char migratable;
> unsigned char old_format;
> + unsigned char is_hw_bound;
> unsigned char key[MAX_KEY_SIZE + 1];
> unsigned char blob[MAX_BLOB_SIZE];
> };
> diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
> index e3415c520c0a..fceb9a271c4d 100644
> --- a/security/keys/trusted-keys/trusted_caam.c
> +++ b/security/keys/trusted-keys/trusted_caam.c
> @@ -1,6 +1,7 @@
> // SPDX-License-Identifier: GPL-2.0-only
> /*
> * Copyright (C) 2021 Pengutronix, Ahmad Fatoum <[email protected]>
> + * Copyright 2022 NXP, Pankaj Gupta <[email protected]>
> */
>
> #include <keys/trusted_caam.h>
> @@ -23,6 +24,7 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
> .input = p->key, .input_len = p->key_len,
> .output = p->blob, .output_len = MAX_BLOB_SIZE,
> .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
> + .is_hw_bound = p->is_hw_bound,
> };
>
> ret = caam_encap_blob(blobifier, &info);
> @@ -30,6 +32,9 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
> return ret;
>
> p->blob_len = info.output_len;
> + if (p->is_hw_bound)
> + p->key_len = info.input_len;
> +
> return 0;
> }
>
> @@ -40,6 +45,7 @@ static int trusted_caam_unseal(struct trusted_key_payload *p, char *datablob)
> .input = p->blob, .input_len = p->blob_len,
> .output = p->key, .output_len = MAX_KEY_SIZE,
> .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
> + .is_hw_bound = p->is_hw_bound,
> };
>
> ret = caam_decap_blob(blobifier, &info);
> diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
> index c6fc50d67214..7f7cc2551b92 100644
> --- a/security/keys/trusted-keys/trusted_core.c
> +++ b/security/keys/trusted-keys/trusted_core.c
> @@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
> int key_cmd;
> char *c;
>
> + p->is_hw_bound = !HW_BOUND_KEY;

This seems…backwards to me.

> @@ -94,6 +96,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
> if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
> return -EINVAL;
> p->key_len = keylen;
> + /* second argument is to determine if tied to HW */
> + c = strsep(datablob, " \t");
> + if (c) {
> + if (strcmp(c, "hw") == 0)
> + p->is_hw_bound = HW_BOUND_KEY;
> + }

Userspace documentation is missing for this new field. Must it always be
second or is it "any following argument"? For example, let's say we have
another flag like this for "FIPS" (or whatever). It'd be nice if these
all worked:

'new 32 fips hw'
'new 32 fips'
'new 32 hw fips'
'new 32 hw'

> @@ -107,6 +115,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
> ret = hex2bin(p->blob, c, p->blob_len);
> if (ret < 0)
> return -EINVAL;
> + /* second argument is to determine if tied to HW */
> + c = strsep(datablob, " \t");
> + if (c) {
> + if (strcmp(c, "hw") == 0)
> + p->is_hw_bound = HW_BOUND_KEY;
> + }

Same here.

--Ben

2022-09-07 07:30:48

by Pankaj Gupta

[permalink] [raw]
Subject: RE: [EXT] Re: [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added



> -----Original Message-----
> From: Ben Boeckel <[email protected]>
> Sent: Tuesday, September 6, 2022 6:32 PM
> To: Pankaj Gupta <[email protected]>
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; linux-
> [email protected]; [email protected]; linux-security-
> [email protected]; Sahil Malhotra <[email protected]>; Kshitiz
> Varshney <[email protected]>; Horia Geanta
> <[email protected]>; Varun Sethi <[email protected]>
> Subject: [EXT] Re: [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option
> added
>
> Caution: EXT Email
>
> On Tue, Sep 06, 2022 at 12:21:50 +0530, Pankaj Gupta wrote:
> > Two changes are done:
> > - new cmd line option "hw" needs to be suffix, to generate the
> > hw bound key.
> > for ex:
> > $:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
> > $:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>)
> > hw' @s
> >
> > - For "new", generating the hw bounded trusted key, updating the input
> key
> > length as part of seal operation as well.
> >
> > Signed-off-by: Pankaj Gupta <[email protected]>
> > ---
> > include/keys/trusted-type.h | 2 ++
> > security/keys/trusted-keys/trusted_caam.c | 6 ++++++
> > security/keys/trusted-keys/trusted_core.c | 14 ++++++++++++++
> > 3 files changed, 22 insertions(+)
> >
> > diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> > index 4eb64548a74f..064266b936c7 100644
> > --- a/include/keys/trusted-type.h
> > +++ b/include/keys/trusted-type.h
> > @@ -22,6 +22,7 @@
> > #define MAX_BLOB_SIZE 512
> > #define MAX_PCRINFO_SIZE 64
> > #define MAX_DIGEST_SIZE 64
> > +#define HW_BOUND_KEY 1
> >
> > struct trusted_key_payload {
> > struct rcu_head rcu;
> > @@ -29,6 +30,7 @@ struct trusted_key_payload {
> > unsigned int blob_len;
> > unsigned char migratable;
> > unsigned char old_format;
> > + unsigned char is_hw_bound;
> > unsigned char key[MAX_KEY_SIZE + 1];
> > unsigned char blob[MAX_BLOB_SIZE]; }; diff --git
> > a/security/keys/trusted-keys/trusted_caam.c
> > b/security/keys/trusted-keys/trusted_caam.c
> > index e3415c520c0a..fceb9a271c4d 100644
> > --- a/security/keys/trusted-keys/trusted_caam.c
> > +++ b/security/keys/trusted-keys/trusted_caam.c
> > @@ -1,6 +1,7 @@
> > // SPDX-License-Identifier: GPL-2.0-only
> > /*
> > * Copyright (C) 2021 Pengutronix, Ahmad Fatoum
> > <[email protected]>
> > + * Copyright 2022 NXP, Pankaj Gupta <[email protected]>
> > */
> >
> > #include <keys/trusted_caam.h>
> > @@ -23,6 +24,7 @@ static int trusted_caam_seal(struct
> trusted_key_payload *p, char *datablob)
> > .input = p->key, .input_len = p->key_len,
> > .output = p->blob, .output_len = MAX_BLOB_SIZE,
> > .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
> > + .is_hw_bound = p->is_hw_bound,
> > };
> >
> > ret = caam_encap_blob(blobifier, &info); @@ -30,6 +32,9 @@
> > static int trusted_caam_seal(struct trusted_key_payload *p, char
> *datablob)
> > return ret;
> >
> > p->blob_len = info.output_len;
> > + if (p->is_hw_bound)
> > + p->key_len = info.input_len;
> > +
> > return 0;
> > }
> >
> > @@ -40,6 +45,7 @@ static int trusted_caam_unseal(struct
> trusted_key_payload *p, char *datablob)
> > .input = p->blob, .input_len = p->blob_len,
> > .output = p->key, .output_len = MAX_KEY_SIZE,
> > .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
> > + .is_hw_bound = p->is_hw_bound,
> > };
> >
> > ret = caam_decap_blob(blobifier, &info); diff --git
> > a/security/keys/trusted-keys/trusted_core.c
> > b/security/keys/trusted-keys/trusted_core.c
> > index c6fc50d67214..7f7cc2551b92 100644
> > --- a/security/keys/trusted-keys/trusted_core.c
> > +++ b/security/keys/trusted-keys/trusted_core.c
> > @@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct
> trusted_key_payload *p)
> > int key_cmd;
> > char *c;
> >
> > + p->is_hw_bound = !HW_BOUND_KEY;
>
> This seems…backwards to me.
>
Initialized it to be a plain key & not a HW bounded key.

> > @@ -94,6 +96,12 @@ static int datablob_parse(char **datablob, struct
> trusted_key_payload *p)
> > if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
> > return -EINVAL;
> > p->key_len = keylen;
> > + /* second argument is to determine if tied to HW */
> > + c = strsep(datablob, " \t");
> > + if (c) {
> > + if (strcmp(c, "hw") == 0)
> > + p->is_hw_bound = HW_BOUND_KEY;
> > + }
>
> Userspace documentation is missing for this new field. Must it always be
> second or is it "any following argument"? For example, let's say we have
> another flag like this for "FIPS" (or whatever). It'd be nice if these all worked:
>
> 'new 32 fips hw'
> 'new 32 fips'
> 'new 32 hw fips'
> 'new 32 hw'
>
Will consider this, in the next version of this patch set.

> > @@ -107,6 +115,12 @@ static int datablob_parse(char **datablob, struct
> trusted_key_payload *p)
> > ret = hex2bin(p->blob, c, p->blob_len);
> > if (ret < 0)
> > return -EINVAL;
> > + /* second argument is to determine if tied to HW */
> > + c = strsep(datablob, " \t");
> > + if (c) {
> > + if (strcmp(c, "hw") == 0)
> > + p->is_hw_bound = HW_BOUND_KEY;
> > + }
>
> Same here.
>
> --Ben