Message ID | 1464861418-19709-3-git-send-email-nayna@linux.vnet.ibm.com |
---|---|
State | RFC |
On Thu, Jun 02, 2016 at 05:56:57AM -0400, Nayna Jain wrote: > Adds new lib to support security specific functions. > Functions are separated into different files based on > functionality they provide. Details as below: > > lib/security/crypto: Set of files to support crypto functions > like hash, encryption etc. Currently, it provides support > only for hash function and can be extended as needed. Hash > function is implemented using kernel crypto API. > > lib/security/tpmOperations: Set of files to support tpm > specific operations. Currently, it provides function to extend TPM. > The implmentation of this function is currently experimental and > is bound to change. > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> Format sounds good - although please don't use camelcase in filenames (eg. tpm_operations instead of tmpOperations) > --- > lib/Makefile.am | 6 +++- > lib/security/crypto.c | 73 ++++++++++++++++++++++++++++++++++++++++++++ > lib/security/crypto.h | 22 +++++++++++++ > lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++ > lib/security/tpmOperations.h | 18 +++++++++++ > 5 files changed, 190 insertions(+), 1 deletion(-) > create mode 100644 lib/security/crypto.c > create mode 100644 lib/security/crypto.h > create mode 100644 lib/security/tpmOperations.c > create mode 100644 lib/security/tpmOperations.h > > diff --git a/lib/Makefile.am b/lib/Makefile.am > index 09bc1aa..d5559f0 100644 > --- a/lib/Makefile.am > +++ b/lib/Makefile.am > @@ -50,7 +50,11 @@ lib_libpbcore_la_SOURCES = \ > lib/util/util.c \ > lib/util/util.h \ > lib/flash/config.h \ > - lib/flash/flash.h > + lib/flash/flash.h \ > + lib/security/tpmOperations.c \ > + lib/security/tpmOperations.h \ > + lib/security/crypto.c \ > + lib/security/crypto.h > > if ENABLE_MTD > lib_libpbcore_la_SOURCES += \ > diff --git a/lib/security/crypto.c b/lib/security/crypto.c > new file mode 100644 > index 0000000..e5344a8 > --- /dev/null > +++ b/lib/security/crypto.c 
> @@ -0,0 +1,73 @@ > +#include <stdio.h> > +#include <stdlib.h> > +#include <string.h> > +#include <unistd.h> > + > +#include <sys/socket.h> > +#include <linux/if_alg.h> > +#include <linux/socket.h> > + > +#include <log/log.h> > + > +#include "crypto.h" > + > +#define DIGEST_SIZE(digestname) !strcmp(digestname, "sha1")? \ > + SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \ > + SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \ > + SHA512_DIGEST_SIZE : 0 Please use strncmp() instead of strcmp(). Also this would probably be better off as a small (inline?) function instead of a macro. > + > + > +int calc_digest(const char *digestname, const unsigned char *ibuf, > + uint8_t *obuf) > +{ > + struct sockaddr_alg sa = { > + .salg_family = AF_ALG, > + .salg_type = "hash", > + }; > + > + int fd = -1; > + int sockfd = -1; > + int rc = 0; > + unsigned char digest[DIGEST_SIZE(digestname)]; > + char *input = NULL; > + input = ibuf ; I've noticed this in a few places, please be consistent with indentation. > + memset(sa.salg_name, 0, sizeof(sa.salg_name)); > + memcpy(sa.salg_name, digestname, sizeof(sa.salg_name)); > + > + sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0); > + if (sockfd == -1) > + { > + rc = -1; > + goto out; > + } > + > + rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa)); > + if (rc == -1) > + goto out; > + > + fd = accept(sockfd, NULL, 0); > + if (fd == -1) > + { > + rc = -1; > + goto out; > + } > + > + rc = write(fd, input, sizeof(input)); > + if (rc == -1) > + goto out; > + > + read(fd, digest, sizeof(digest)); > + > + memset(obuf, 0, sizeof(digest)); > + memcpy(obuf, digest, sizeof(digest)); > + > + > +out: > + if (fd > 0) > + close(fd); > + if (sockfd > 0) > + close(sockfd); > + > + return 0; > + > +} > diff --git a/lib/security/crypto.h b/lib/security/crypto.h > new file mode 100644 > index 0000000..111c1ea > --- /dev/null > +++ b/lib/security/crypto.h 
> @@ -0,0 +1,22 @@ > +#ifndef CRYPTO_H > +#define CRYPTO_H > + > +#include <stdint.h> > + > +#define SHA1_DIGEST_SIZE 20 > +#define SHA256_DIGEST_SIZE 32 > +#define SHA512_DIGEST_SIZE 64 > + > +/** > + * Calculates and returns the digest of the input buffer. > + * @digestname: Type of digest to be calculated. > + * @ibuf: Input buffer whose digest is to be calculated. > + * @obuf: Output buffer in which calculated digest is returned. > + * > + * On success, 0 is returned. On error, -1 is returned. > + **/ > +int calc_digest(const char *digestname, const unsigned char *ibuf, > + uint8_t *obuf); > + > +#endif /* CRYPTO_H */ > + > diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c > new file mode 100644 > index 0000000..bfb2c21 > --- /dev/null > +++ b/lib/security/tpmOperations.c 
> @@ -0,0 +1,72 @@ > +#include <stdio.h> > +#include <string.h> > +#include <stdlib.h> > +#include <unistd.h> > +#include <sys/socket.h> > +#include <linux/if_alg.h> > +#include <linux/socket.h> > + > +#include <log/log.h> > + > +#include "crypto.h" > +#include "tpmOperations.h" > + > +/** > +Note: The implementation of this function is experimental. > +It only servers the purpose of showing tpm_extend API and its interface. > +Final implementation will be changed. > +**/ Right - I'd like to see a lot more detail about what is expected to happen here so I can fully understand the purpose. > + > +int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf, > + uint8_t buflen) > +{ > + > + struct sockaddr_alg sa = { > + .salg_family = AF_ALG, > + .salg_type = "tpm-extend", > + }; > + int i=0; > + int sockfd = -1; > + int fd = -1; > + int rc = 0; > + char res[256]; //This is temporary size and will be defined correctly once > + //response status code is finalized for extend operation. > + memset(sa.salg_name, 0, sizeof(sa.salg_name)); > + memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg)); > + > + sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0); > + if (sockfd == -1) > + { > + rc = -1; > + goto out; > + } > + > + rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa)); > + if (rc == -1) > + goto out; > + > + fd = accept(sockfd, NULL, 0); > + if (fd == -1) > + { > + rc = -1; > + goto out; > + } > + > + rc = write(fd, buf, buflen); > + if (rc == -1) > + { > + rc = -1; > + goto out; > + } > + > + //response will contain status code for extend operation. > + //handling of error status code is yet to be finalized. > + read(fd, res, sizeof(res)); > + > +out: > + if (fd > 0) > + close(fd); > + if (sockfd > 0) > + close(sockfd); > + return rc; > +} > diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h > new file mode 100644 > index 0000000..2231152 > --- /dev/null > +++ b/lib/security/tpmOperations.h 
> @@ -0,0 +1,18 @@ > +#ifndef _TPM_OPERATIONS_H > +#define _TPM_OPERATIONS_H > + > +/** > + * Prepares the request and send to TPM for extend. > + * @pcr : PCR Index to which to be extended. > + * @pcr_bank : PCR Bank to which to be extended. > + * @buf : Input data to be extended. > + * @buflen : Length of the input data. > + * > + * On success, 0 is returned. On error, -1 is returned. > +**/ > + > +int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf, > + uint8_t buflen); > + > +#endif /* _TPM_OPERATIONS_H */ > + > -- > 2.5.0 > > _______________________________________________ > Petitboot mailing list > Petitboot@lists.ozlabs.org > https://lists.ozlabs.org/listinfo/petitboot
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 09bc1aa..d5559f0 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -50,7 +50,11 @@ lib_libpbcore_la_SOURCES = \
 lib/util/util.c \
 lib/util/util.h \
 lib/flash/config.h \
- lib/flash/flash.h
+ lib/flash/flash.h \
+ lib/security/tpmOperations.c \
+ lib/security/tpmOperations.h \
+ lib/security/crypto.c \
+ lib/security/crypto.h
 if ENABLE_MTD
 lib_libpbcore_la_SOURCES += \
diff --git a/lib/security/crypto.c b/lib/security/crypto.c
new file mode 100644
index 0000000..e5344a8
--- /dev/null
+++ b/lib/security/crypto.c
@@ -0,0 +1,73 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+
+#define DIGEST_SIZE(digestname) !strcmp(digestname, "sha1")? \
+ SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \
+ SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \
+ SHA512_DIGEST_SIZE : 0
+
+
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+ uint8_t *obuf)
+{
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "hash",
+ };
+
+ int fd = -1;
+ int sockfd = -1;
+ int rc = 0;
+ unsigned char digest[DIGEST_SIZE(digestname)];
+ char *input = NULL;
+ input = ibuf ;
+ memset(sa.salg_name, 0, sizeof(sa.salg_name));
+ memcpy(sa.salg_name, digestname, sizeof(sa.salg_name));
+
+ sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (sockfd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+ if (rc == -1)
+ goto out;
+
+ fd = accept(sockfd, NULL, 0);
+ if (fd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = write(fd, input, sizeof(input));
+ if (rc == -1)
+ goto out;
+
+ read(fd, digest, sizeof(digest));
+
+ memset(obuf, 0, sizeof(digest));
+ memcpy(obuf, digest, sizeof(digest));
+
+
+out:
+ if (fd > 0)
+ close(fd);
+ if (sockfd > 0)
+ close(sockfd);
+
+ return 0;
+
+}
diff --git a/lib/security/crypto.h b/lib/security/crypto.h
new file mode 100644
index 0000000..111c1ea
--- /dev/null
+++ b/lib/security/crypto.h
@@ -0,0 +1,22 @@
+#ifndef CRYPTO_H
+#define CRYPTO_H
+
+#include <stdint.h>
+
+#define SHA1_DIGEST_SIZE 20
+#define SHA256_DIGEST_SIZE 32
+#define SHA512_DIGEST_SIZE 64
+
+/**
+ * Calculates and returns the digest of the input buffer.
+ * @digestname: Type of digest to be calculated.
+ * @ibuf: Input buffer whose digest is to be calculated.
+ * @obuf: Output buffer in which calculated digest is returned.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+ **/
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+ uint8_t *obuf);
+
+#endif /* CRYPTO_H */
+
diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c
new file mode 100644
index 0000000..bfb2c21
--- /dev/null
+++ b/lib/security/tpmOperations.c
@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+#include "tpmOperations.h"
+
+/**
+Note: The implementation of this function is experimental.
+It only servers the purpose of showing tpm_extend API and its interface.
+Final implementation will be changed.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf,
+ uint8_t buflen)
+{
+
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "tpm-extend",
+ };
+ int i=0;
+ int sockfd = -1;
+ int fd = -1;
+ int rc = 0;
+ char res[256]; //This is temporary size and will be defined correctly once
+ //response status code is finalized for extend operation.
+ memset(sa.salg_name, 0, sizeof(sa.salg_name));
+ memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg));
+
+ sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (sockfd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+ if (rc == -1)
+ goto out;
+
+ fd = accept(sockfd, NULL, 0);
+ if (fd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = write(fd, buf, buflen);
+ if (rc == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ //response will contain status code for extend operation.
+ //handling of error status code is yet to be finalized.
+ read(fd, res, sizeof(res));
+
+out:
+ if (fd > 0)
+ close(fd);
+ if (sockfd > 0)
+ close(sockfd);
+ return rc;
+}
diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h
new file mode 100644
index 0000000..2231152
--- /dev/null
+++ b/lib/security/tpmOperations.h
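Review bot: In tpm_extend, `memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg))` copies pointer-size bytes rather than the algorithm name, so on a 32-bit build "sha256" is cut to "sha2" and a short name may be over-read; `snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s", pcr_bank_hash_alg);` copies the string with a bound. The `pcr` argument is never used and the bytes read into `res` are never inspected, so the caller cannot tell which PCR was targeted or whether the extend succeeded; for a measurement API that outcome has to reach the return value. On the success path `rc` still holds the byte count from `write()`, not the 0 the header documents, so set `rc = 0;` after the write check. `int i` is unused.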
@@ -0,0 +1,18 @@
+#ifndef _TPM_OPERATIONS_H
+#define _TPM_OPERATIONS_H
+
+/**
+ * Prepares the request and send to TPM for extend.
+ * @pcr : PCR Index to which to be extended.
+ * @pcr_bank : PCR Bank to which to be extended.
+ * @buf : Input data to be extended.
+ * @buflen : Length of the input data.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf,
+ uint8_t buflen);
+
+#endif /* _TPM_OPERATIONS_H */
+
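Review bot: The prototype uses `uint8_t` but this header includes nothing, so it compiles only when the includer has already pulled in `<stdint.h>` (tpmOperations.c does so through crypto.h); add `#include <stdint.h>` here. `uint8_t buflen` also caps the data at 255 bytes, which `size_t` would avoid, and `buf` can be `const uint8_t *` since the implementation only writes it to the socket. The guard `_TPM_OPERATIONS_H` starts with an underscore and a capital letter, a form reserved for the implementation; `TPM_OPERATIONS_H` would match the style of crypto.h.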
Adds new lib to support security specific functions. Functions are separated into different files based on functionality they provide. Details as below: lib/security/crypto: Set of files to support crypto functions like hash, encryption etc. Currently, it provides support only for hash function and can be extended as needed. Hash function is implemented using kernel crypto API. lib/security/tpmOperations: Set of files to support tpm specific operations. Currently, it provides function to extend TPM. The implementation of this function is currently experimental and is bound to change. Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> --- lib/Makefile.am | 6 +++- lib/security/crypto.c | 73 ++++++++++++++++++++++++++++++++++++++++++++ lib/security/crypto.h | 22 +++++++++++++ lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++ lib/security/tpmOperations.h | 18 +++++++++++ 5 files changed, 190 insertions(+), 1 deletion(-) create mode 100644 lib/security/crypto.c create mode 100644 lib/security/crypto.h create mode 100644 lib/security/tpmOperations.c create mode 100644 lib/security/tpmOperations.h