From patchwork Fri Nov 11 23:16:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Evan Green X-Patchwork-Id: 19058 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1021443wru; Fri, 11 Nov 2022 15:39:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf7vEwdkryZzhZQlKB25hZhOCR2KP9eaLuB/2NB3xqlsei7GKB8/O1rnzUbS35GOOEnvQpWs X-Received: by 2002:a17:907:2350:b0:78d:9c2f:bf78 with SMTP id we16-20020a170907235000b0078d9c2fbf78mr3624077ejb.594.1668209971637; Fri, 11 Nov 2022 15:39:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668209971; cv=none; d=google.com; s=arc-20160816; b=ScwE9gJlfX9xE+ZU0DwMVVDDFl6ZS8Jn3CG4OaD0UGvl4D0+3egvcnBYoth3xOqZzw OGW6p9uUZPfFeKT3W2VAYhs8S4JerrqkW3HL3kwQvY+i0jQjO1jJInIRmSwWz1zEw9j3 BprhD/Pp5TA6BlsGsBCjjIP2l3ppdMlGXwSG7z/i7xfSc80Nd4VcrxQMTabFHtRc2NlI Th+QUAziEdApFNSGemyef1+ePvp8T96CpoH1mpxiU3Dyr4ucrSGvC43sIhRkZO8DuwJG r3jD5VV5FjRIk4rq7ig4AXMm+jTWTpPyN1r16DaSfYoAHcO5xXy1mQ4pNyxgNTfPTc6/ qWfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=fYb7Pc7kk00iZIixiz1ShzY4z/wZpG44t4abSwKlK2k=; b=lovMWVeDxB6oiBnGpcPPOIXNUAgx2oS0vMGcnAI+FH0+ilTM99HEREALRhUMvnIpaf fkqK+WAPcoB6Eb5n4/iZlxeG5DVnOBzUCubUd27iGvTSmESAWtFiAbk1EhUFh9RRo9Qx ho1xe85wOli8S2NmTtAGQqS5t9xhl1gm4UmNeMGJraTu/RoKIAdzyGHXgxtIAYoB+D8R WJffgo2CFAQSRzSbb8umXl06/+stzucft+ahO6X3q0NiebqdFO1HGDQtyUpvt66AcrOv 9mDmZ6fRb0MBTbP0wKY3tYdhviMDlZ/GWfKfgTxF6RtqKaO/bDVhpY1aIPfTzCRhLvDM FDnA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=YsrTyClP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u1-20020a1709064ac100b007ae832c0b69si2484401ejt.512.2022.11.11.15.39.08; Fri, 11 Nov 2022 15:39:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=YsrTyClP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234761AbiKKXVM (ORCPT + 99 others); Fri, 11 Nov 2022 18:21:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234663AbiKKXU2 (ORCPT ); Fri, 11 Nov 2022 18:20:28 -0500 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A87B186D71 for ; Fri, 11 Nov 2022 15:19:59 -0800 (PST) Received: by mail-pj1-x1034.google.com with SMTP id h14so5617945pjv.4 for ; Fri, 11 Nov 2022 15:19:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=fYb7Pc7kk00iZIixiz1ShzY4z/wZpG44t4abSwKlK2k=; b=YsrTyClPvsWKOPUOmdMjFm3cMJd+VRq4mdvYTJHKJR8FbxBBdRBDvmV+VIuyla+V10 4VBd9zqYyPp4bHY3aYNLW86+5FWLUQW+brN4cYdvvrLpxgUQzt0En2KhqKPDgAo+FSS1 ITPaUkDCPa6LT+NLfRfX8fNR63T6F6OkGNraI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fYb7Pc7kk00iZIixiz1ShzY4z/wZpG44t4abSwKlK2k=; b=Qt8sDgeyfJPysuHG6VZ1XC91/Vby5ji3W1qEMh/GWL9FzAv3RIWVN/VcEAEH54pdOs cItuXJMwgmsN1mzun6xiguQELtXZu1A8t3q2gfCVk1KLbvbziLrjXyYAntNPd5cgi7YF FpMTdbc73D5WUOI+WZhvyr0G1kuMCh66qLuCgedyMLQTq768i5dANRBcR9NAXSoh+SfZ Bjex4jM80lNNaNiRsfYBYqk5xC5YRWYUeIxOYkLdbN4dQEYGyvze/0bGYiqXBUQXkUSA Woi7WN/KrT921bmOqNjT1zrkC2ADojRSn4e9w3pJkG8+oBJbg/am5vYMz4z+e3tPivDW toiA== X-Gm-Message-State: ANoB5plgvKS/YS2DM6314LkKQaptlNQj79QL2UCTYddrfdCRuFUaUM7i RRpGLFbro4HdIPOVdCtW8+O4eE2rhW9PR67X X-Received: by 2002:a17:902:c115:b0:180:87d7:9be8 with SMTP id 21-20020a170902c11500b0018087d79be8mr4327747pli.85.1668208799133; Fri, 11 Nov 2022 15:19:59 -0800 (PST) Received: from evgreen-glaptop.lan ([98.45.28.95]) by smtp.gmail.com with ESMTPSA id x128-20020a623186000000b0056da2ad6503sm2106900pfx.39.2022.11.11.15.19.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Nov 2022 15:19:58 -0800 (PST) From: Evan Green To: linux-kernel@vger.kernel.org Cc: corbet@lwn.net, linux-integrity@vger.kernel.org, Eric Biggers , gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek , Ben Boeckel , rjw@rjwysocki.net, jejb@linux.ibm.com, Kees Cook , dlunev@google.com, zohar@linux.ibm.com, Matthew Garrett , jarkko@kernel.org, linux-pm@vger.kernel.org, Evan Green , Matthew Garrett , Len Brown , "Rafael J. Wysocki" Subject: [PATCH v5 10/11] PM: hibernate: Verify the digest encryption key Date: Fri, 11 Nov 2022 15:16:35 -0800 Message-Id: <20221111151451.v5.10.I504d456c7a94ef1aaa7a2c63775ce9690c3ad7ab@changeid> X-Mailer: git-send-email 2.38.1.431.g37b22c650d-goog In-Reply-To: <20221111231636.3748636-1-evgreen@chromium.org> References: <20221111231636.3748636-1-evgreen@chromium.org> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1749244938862853987?= X-GMAIL-MSGID: =?utf-8?q?1749244938862853987?= We want to ensure that the key used to encrypt the digest was created by the kernel during hibernation. To do this we request that the TPM include information about the value of PCR 23 at the time of key creation in the sealed blob. On resume, we can make sure that the PCR information in the creation data blob (already certified by the TPM to be accurate) corresponds to the expected value. Since only the kernel can touch PCR 23, if an attacker generates a key themselves the value of PCR 23 will have been different, allowing us to reject the key and boot normally instead of resuming. Co-developed-by: Matthew Garrett Signed-off-by: Matthew Garrett Signed-off-by: Evan Green --- Matthew's original version of this patch is here: https://patchwork.kernel.org/project/linux-pm/patch/20210220013255.1083202-9-matthewgarrett@google.com/ I moved the TPM2_CC_CERTIFYCREATION code into a separate change in the trusted key code because the blob_handle was being flushed and was no longer valid for use in CC_CERTIFYCREATION after the key was loaded. As an added benefit of moving the certification into the trusted keys code, we can drop the other patch from the original series that squirrelled the blob_handle away. Changes in v5: - Use a struct to access creation data (Kees) - Build PCR bitmask programmatically in creation data (Kees) Changes in v4: - Local variable reordering (Jarkko) Changes in v3: - Changed funky tag to Co-developed-by (Kees). Matthew, holler if you want something different. Changes in v2: - Fixed some sparse warnings - Use CRYPTO_LIB_SHA256 to get rid of sha256_data() (Eric) - Adjusted offsets due to new ASN.1 format, and added a creation data length check. kernel/power/snapenc.c | 122 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 120 insertions(+), 2 deletions(-) diff --git a/kernel/power/snapenc.c b/kernel/power/snapenc.c index 0b38642628f7ce..f32c7347a330a4 100644 --- a/kernel/power/snapenc.c +++ b/kernel/power/snapenc.c @@ -22,6 +22,12 @@ static struct tpm_digest known_digest = { .alg_id = TPM_ALG_SHA256, 0xf1, 0x22, 0x38, 0x6c, 0x33, 0xb1, 0x14, 0xb7, 0xec, 0x05, 0x5f, 0x49}}; +/* sha256(sha256(empty_pcr | known_digest)) */ +static const char expected_digest[] = {0x2f, 0x96, 0xf2, 0x1b, 0x70, 0xa9, 0xe8, + 0x42, 0x25, 0x8e, 0x66, 0x07, 0xbe, 0xbc, 0xe3, 0x1f, 0x2c, 0x84, 0x4a, + 0x3f, 0x85, 0x17, 0x31, 0x47, 0x9a, 0xa5, 0x53, 0xbb, 0x23, 0x0c, 0x32, + 0xf3}; + /* Derive a key from the kernel and user keys for data encryption. */ static int snapshot_use_user_key(struct snapshot_data *data) { @@ -491,7 +497,7 @@ static int snapshot_setup_encryption_common(struct snapshot_data *data) static int snapshot_create_kernel_key(struct snapshot_data *data) { /* Create a key sealed by the SRK. */ - char *keyinfo = "new\t32\tkeyhandle=0x81000000"; + char *keyinfo = "new\t32\tkeyhandle=0x81000000\tcreationpcrs=0x00800000"; const struct cred *cred = current_cred(); struct tpm_digest *digests = NULL; struct key *key = NULL; @@ -612,17 +618,57 @@ int snapshot_get_encryption_key(struct snapshot_data *data, return rc; } +/* Currently only PCR23 is included in the creation data. */ +#define SNAPSHOT_KEY_PCR_COUNT 1 + +/* The standard set of 24 PCRs takes 3 bytes to represent as a bitmask. */ +#define SNAPSHOT_KEY_PCR_SELECTION_BYTES 3 + +/* + * The TPM loves to return variable length structures. This is the form of + * TPM2B_CREATION_DATA expected and verified for the snapshot key. + */ +struct snapshot_key_creation_data { + __be16 size; + /* TPMS_CREATION_DATA, the hashed portion */ + struct { + /* TPML_PCR_SELECTION */ + struct { + __be32 count; + /* TPMS_PCR_SELECTION */ + struct { + __be16 hash_algo; + u8 size; + u8 select[SNAPSHOT_KEY_PCR_SELECTION_BYTES]; + } __packed pcr_selections; + } __packed pcr_select; + + /* TPM2B_DIGEST */ + struct { + __be16 size; + u8 digest[SHA256_DIGEST_SIZE]; + } __packed pcr_digest[SNAPSHOT_KEY_PCR_COUNT]; + + /* ... additional fields not verified ... */ + } creation; +} __packed; + static int snapshot_load_kernel_key(struct snapshot_data *data, struct uswsusp_key_blob *blob) { char *keytemplate = "load\t%s\tkeyhandle=0x81000000"; + struct snapshot_key_creation_data *creation; const struct cred *cred = current_cred(); + struct trusted_key_payload *payload; + char certhash[SHA256_DIGEST_SIZE]; struct tpm_digest *digests = NULL; + unsigned int creation_hash_length; char *blobstring = NULL; struct key *key = NULL; struct tpm_chip *chip; char *keyinfo = NULL; + u32 pcr_selection = 0; int i, ret; chip = tpm_default_chip(); @@ -640,8 +686,10 @@ static int snapshot_load_kernel_key(struct snapshot_data *data, digests = kcalloc(chip->nr_allocated_banks, sizeof(struct tpm_digest), GFP_KERNEL); - if (!digests) + if (!digests) { + ret = -ENOMEM; goto out; + } for (i = 0; i < chip->nr_allocated_banks; i++) { digests[i].alg_id = chip->allocated_banks[i].alg_id; @@ -681,6 +729,76 @@ static int snapshot_load_kernel_key(struct snapshot_data *data, if (ret != 0) goto out; + /* Verify the creation hash matches the creation data. */ + payload = key->payload.data[0]; + creation = (struct snapshot_key_creation_data *)payload->creation; + if (!creation || !payload->creation_hash || + (payload->creation_len < sizeof(*creation)) || + (payload->creation_hash_len - 2 != SHA256_DIGEST_SIZE)) { + ret = -EINVAL; + goto out; + } + + creation_hash_length = + payload->creation_len - + offsetof(struct snapshot_key_creation_data, creation); + + sha256((const u8 *)&creation->creation, creation_hash_length, certhash); + if (memcmp(payload->creation_hash + sizeof(__be16), certhash, SHA256_DIGEST_SIZE) != 0) { + ret = -EINVAL; + goto out; + } + + /* We now know that the creation data is authentic - parse it */ + + /* Verify TPML_PCR_SELECTION.count */ + if (be32_to_cpu(creation->creation.pcr_select.count) != + SNAPSHOT_KEY_PCR_COUNT) { + ret = -EINVAL; + goto out; + } + + /* Verify the PCRs are SHA256. */ + if (be16_to_cpu(creation->creation.pcr_select.pcr_selections.hash_algo) != + TPM_ALG_SHA256) { + ret = -EINVAL; + goto out; + } + + /* Gather the PCR selection bitmask. */ + if (creation->creation.pcr_select.pcr_selections.size != + SNAPSHOT_KEY_PCR_SELECTION_BYTES) { + ret = -EINVAL; + goto out; + } + + for (i = SNAPSHOT_KEY_PCR_SELECTION_BYTES - 1; i >= 0; i--) { + pcr_selection <<= 8; + pcr_selection |= + creation->creation.pcr_select.pcr_selections.select[i]; + } + + /* Verify PCR 23 is selected. */ + if (pcr_selection != (1 << 23)) { + ret = -EINVAL; + goto out; + } + + /* Verify the first and only PCR hash is the expected size. */ + if (be16_to_cpu(creation->creation.pcr_digest[0].size) != + SHA256_DIGEST_SIZE) { + ret = -EINVAL; + goto out; + } + + /* Verify PCR 23 contained the expected value when the key was created. */ + if (memcmp(&creation->creation.pcr_digest[0].digest, expected_digest, + SHA256_DIGEST_SIZE) != 0) { + + ret = -EINVAL; + goto out; + } + data->key = key; key = NULL;