[PATCH v0 2/8] keys-trusted: new cmd line option added
Pankaj Gupta
pankaj.gupta at nxp.com
Thu Oct 6 13:08:31 UTC 2022
Changes done:
- new cmd line option "hw" needs to be suffix, to generate the
hw bound key.
for ex:
$:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
$:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s
- Key-payload, is added with two more information element specific to HBK
-- flag 'is_hw_bound'
-- structure 'struct hw_bound_key_info hbk_info'
Signed-off-by: Pankaj Gupta <pankaj.gupta at nxp.com>
---
include/keys/trusted-type.h | 4 ++++
security/keys/trusted-keys/trusted_core.c | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..bf58a204a974 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -7,6 +7,7 @@
#ifndef _KEYS_TRUSTED_TYPE_H
#define _KEYS_TRUSTED_TYPE_H
+#include <linux/hw_bound_key.h>
#include <linux/key.h>
#include <linux/rcupdate.h>
#include <linux/tpm.h>
@@ -22,6 +23,7 @@
#define MAX_BLOB_SIZE 512
#define MAX_PCRINFO_SIZE 64
#define MAX_DIGEST_SIZE 64
+#define HW_BOUND_KEY 1
struct trusted_key_payload {
struct rcu_head rcu;
@@ -29,6 +31,8 @@ struct trusted_key_payload {
unsigned int blob_len;
unsigned char migratable;
unsigned char old_format;
+ unsigned char is_hw_bound;
+ struct hw_bound_key_info hbk_info;
unsigned char key[MAX_KEY_SIZE + 1];
unsigned char blob[MAX_BLOB_SIZE];
};
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..cb1d56397ed0 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
int key_cmd;
char *c;
+ p->is_hw_bound = !HW_BOUND_KEY;
+
/* main command */
c = strsep(datablob, " \t");
if (!c)
@@ -94,6 +96,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
return -EINVAL;
p->key_len = keylen;
+ do {
+ /* Second argument onwards,
+ * determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if ((c != NULL) && (strcmp(c, "hw") == 0))
+ p->is_hw_bound = HW_BOUND_KEY;
+ } while (c != NULL);
ret = Opt_new;
break;
case Opt_load:
@@ -107,6 +116,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
ret = hex2bin(p->blob, c, p->blob_len);
if (ret < 0)
return -EINVAL;
+ do {
+ /* Second argument onwards,
+ * determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if ((c != NULL) && (strcmp(c, "hw") == 0))
+ p->is_hw_bound = HW_BOUND_KEY;
+ } while (c != NULL);
ret = Opt_load;
break;
case Opt_update:
--
2.17.1
More information about the Linux-security-module-archive
mailing list