From patchwork Thu Jun 2 09:56:57 2016
X-Patchwork-Submitter: Nayna
X-Patchwork-Id: 629158
From: Nayna Jain
To: petitboot@lists.ozlabs.org
Cc: hellerda@us.ibm.com, gcwilson@us.ibm.com
Subject: [PATCH 2/3] lib/security: New lib for security functions.
Date: Thu, 2 Jun 2016 05:56:57 -0400
Message-Id: <1464861418-19709-3-git-send-email-nayna@linux.vnet.ibm.com>
In-Reply-To: <1464861418-19709-1-git-send-email-nayna@linux.vnet.ibm.com>
References: <1464861418-19709-1-git-send-email-nayna@linux.vnet.ibm.com>

Adds new lib to support security specific functions. Functions are separated into different files based on functionality they provide. Details as below:

lib/security/crypto: Set of files to support crypto functions like hash, encryption etc. Currently, it provides support only for hash function and can be extended as needed. Hash function is implemented using kernel crypto API.

lib/security/tpmOperations: Set of files to support tpm specific operations. Currently, it provides function to extend TPM. The implementation of this function is currently experimental and is bound to change.

Signed-off-by: Nayna Jain --- lib/Makefile.am | 6 +++- lib/security/crypto.c | 73 ++++++++++++++++++++++++++++++++++++++++++++ lib/security/crypto.h | 22 +++++++++++++ lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++ lib/security/tpmOperations.h | 18 +++++++++++ 5 files changed, 190 insertions(+), 1 deletion(-) create mode 100644 lib/security/crypto.c create mode 100644 lib/security/crypto.h create mode 100644 lib/security/tpmOperations.c create mode 100644 lib/security/tpmOperations.h diff --git a/lib/Makefile.am b/lib/Makefile.am index 09bc1aa..d5559f0 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -50,7 +50,11 @@ lib_libpbcore_la_SOURCES = \ lib/util/util.c \ lib/util/util.h \ lib/flash/config.h \ - lib/flash/flash.h + lib/flash/flash.h \ + lib/security/tpmOperations.c \ + lib/security/tpmOperations.h \ + lib/security/crypto.c \ + lib/security/crypto.h if ENABLE_MTD lib_libpbcore_la_SOURCES += \ diff --git a/lib/security/crypto.c b/lib/security/crypto.c new file mode 100644 index 0000000..e5344a8 --- /dev/null +++ b/lib/security/crypto.c 
@@ -0,0 +1,73 @@ +#include +#include +#include +#include + +#include +#include +#include + +#include + +#include "crypto.h" + +#define DIGEST_SIZE(digestname) !strcmp(digestname, "sha1")? \ + SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \ + SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \ + SHA512_DIGEST_SIZE : 0 + + +int calc_digest(const char *digestname, const unsigned char *ibuf, + uint8_t *obuf) +{ + struct sockaddr_alg sa = { + .salg_family = AF_ALG, + .salg_type = "hash", + }; + + int fd = -1; + int sockfd = -1; + int rc = 0; + unsigned char digest[DIGEST_SIZE(digestname)]; + char *input = NULL; + input = ibuf ; + memset(sa.salg_name, 0, sizeof(sa.salg_name)); + memcpy(sa.salg_name, digestname, sizeof(sa.salg_name)); + + sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0); + if (sockfd == -1) + { + rc = -1; + goto out; + } + + rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa)); + if (rc == -1) + goto out; + + fd = accept(sockfd, NULL, 0); + if (fd == -1) + { + rc = -1; + goto out; + } + + rc = write(fd, input, sizeof(input)); + if (rc == -1) + goto out; + + read(fd, digest, sizeof(digest)); + + memset(obuf, 0, sizeof(digest)); + memcpy(obuf, digest, sizeof(digest)); + + +out: + if (fd > 0) + close(fd); + if (sockfd > 0) + close(sockfd); + + return 0; + +} diff --git a/lib/security/crypto.h b/lib/security/crypto.h new file mode 100644 index 0000000..111c1ea --- /dev/null +++ b/lib/security/crypto.h 
@@ -0,0 +1,22 @@ +#ifndef CRYPTO_H +#define CRYPTO_H + +#include + +#define SHA1_DIGEST_SIZE 20 +#define SHA256_DIGEST_SIZE 32 +#define SHA512_DIGEST_SIZE 64 + +/** + * Calculates and returns the digest of the input buffer. + * @digestname: Type of digest to be calculated. + * @ibuf: Input buffer whose digest is to be calculated. + * @obuf: Output buffer in which calculated digest is returned. + * + * On success, 0 is returned. On error, -1 is returned. + **/ +int calc_digest(const char *digestname, const unsigned char *ibuf, + uint8_t *obuf); + +#endif /* CRYPTO_H */ + diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c new file mode 100644 index 0000000..bfb2c21 --- /dev/null +++ b/lib/security/tpmOperations.c 
@@ -0,0 +1,72 @@ +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "crypto.h" +#include "tpmOperations.h" + +/** +Note: The implementation of this function is experimental. +It only servers the purpose of showing tpm_extend API and its interface. +Final implementation will be changed. +**/ + +int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf, + uint8_t buflen) +{ + + struct sockaddr_alg sa = { + .salg_family = AF_ALG, + .salg_type = "tpm-extend", + }; + int i=0; + int sockfd = -1; + int fd = -1; + int rc = 0; + char res[256]; //This is temporary size and will be defined correctly once + //response status code is finalized for extend operation. + memset(sa.salg_name, 0, sizeof(sa.salg_name)); + memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg)); + + sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0); + if (sockfd == -1) + { + rc = -1; + goto out; + } + + rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa)); + if (rc == -1) + goto out; + + fd = accept(sockfd, NULL, 0); + if (fd == -1) + { + rc = -1; + goto out; + } + + rc = write(fd, buf, buflen); + if (rc == -1) + { + rc = -1; + goto out; + } + + //response will contain status code for extend operation. + //handling of error status code is yet to be finalized. + read(fd, res, sizeof(res)); + +out: + if (fd > 0) + close(fd); + if (sockfd > 0) + close(sockfd); + return rc; +} diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h new file mode 100644 index 0000000..2231152 --- /dev/null +++ b/lib/security/tpmOperations.h 
@@ -0,0 +1,18 @@ +#ifndef _TPM_OPERATIONS_H +#define _TPM_OPERATIONS_H + +/** + * Prepares the request and send to TPM for extend. + * @pcr : PCR Index to which to be extended. + * @pcr_bank : PCR Bank to which to be extended. + * @buf : Input data to be extended. + * @buflen : Length of the input data. + * + * On success, 0 is returned. On error, -1 is returned. +**/ + +int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf, + uint8_t buflen); + +#endif /* _TPM_OPERATIONS_H */ +
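
Review bot: In the lib/Makefile.am hunk, the new entry lib/security/tpmOperations.c uses a camelCase file name while the neighbouring sources (lib/util/util.c, lib/flash/flash.h) are all lowercase; consider a lowercase name to match. The four files are also added to lib_libpbcore_la_SOURCES unconditionally, unlike the ENABLE_MTD block that follows, so if the security code is meant to be optional on some builds it needs its own conditional.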
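
Review bot: In calc_digest() in lib/security/crypto.c, `write(fd, input, sizeof(input))` passes the size of a `char *` rather than the length of the data, so only the first pointer-sized run of bytes from ibuf is ever hashed and callers receive a digest of a truncated input. The function needs an explicit input length parameter (for example `size_t ilen`) and should pass that to write(). Further points in the same function: `memcpy(sa.salg_name, digestname, sizeof(sa.salg_name))` reads the full size of salg_name from digestname, which runs past the end of a short string such as "sha1", so a bounded string copy is needed; the `out:` path ends in `return 0`, so socket(), bind(), accept() and write() failures are all reported as success, and the read() result is not checked before digest is copied to obuf; an unrecognised digestname makes DIGEST_SIZE evaluate to 0 and the digest array zero-length, so unknown names should be rejected up front; and `if (fd > 0)` should be `>= 0`, since 0 is a valid descriptor.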
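
Review bot: The calc_digest() prototype in lib/security/crypto.h takes neither the length of ibuf nor the capacity of obuf, so the callee cannot know how much to hash or how much it is allowed to write. Add both lengths to the signature, or at minimum document that obuf must hold at least the digest size of the requested algorithm (up to SHA512_DIGEST_SIZE), and list the digestname strings that are accepted.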
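
Review bot: In tpm_extend() in lib/security/tpmOperations.c, the pcr argument is never used: only buf is written to the socket, so nothing in the request says which PCR to extend, and a caller cannot rely on the measurement landing in the index it asked for. Either carry pcr in the request or drop the parameter until the interface is settled. In the same function, `memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg))` copies the size of a pointer rather than the length of the name; use a bounded string copy against sizeof(sa.salg_name). On success rc holds the byte count returned by write() rather than the 0 the header documents, a short write is not detected, the read() result is ignored, `if (fd > 0)` should be `>= 0`, and `int i` is unused.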
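
Review bot: lib/security/tpmOperations.h uses uint8_t in the tpm_extend() prototype but includes no header that defines it, so it compiles only when the including file has already pulled in <stdint.h>; add the include here. The second parameter is named pcr_bank in this header and pcr_bank_hash_alg in the .c file; pick one name and state in the comment that it is a hash algorithm name. `uint8_t buflen` caps the input at 255 bytes, where size_t would be conventional. The guard _TPM_OPERATIONS_H starts with an underscore followed by a capital letter, which is a reserved identifier form in C; the CRYPTO_H style used in crypto.h avoids that.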