Changes done: - new cmd line option "hw" needs to be suffix, to generate the hw bound key. for ex: $:> keyctl add trusted <KEYNAME> 'new 32 hw' @s $:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s - Key-payload, is added with two more information element specific to HBK -- flag 'is_hw_bound' -- structure 'struct hw_bound_key_info hbk_info'
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
include/keys/trusted-type.h | 4 ++++
security/keys/trusted-keys/trusted_core.c | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..bf58a204a974 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -7,6 +7,7 @@
 #ifndef _KEYS_TRUSTED_TYPE_H
 #define _KEYS_TRUSTED_TYPE_H
+#include <linux/hw_bound_key.h>
 #include <linux/key.h>
 #include <linux/rcupdate.h>
 #include <linux/tpm.h>
@@ -22,6 +23,7 @@
 #define MAX_BLOB_SIZE 512
 #define MAX_PCRINFO_SIZE 64
 #define MAX_DIGEST_SIZE 64
+#define HW_BOUND_KEY 1
 struct trusted_key_payload {
 	struct rcu_head rcu;
@@ -29,6 +31,8 @@ struct trusted_key_payload {
 	unsigned int blob_len;
 	unsigned char migratable;
 	unsigned char old_format;
+	unsigned char is_hw_bound;
+	struct hw_bound_key_info hbk_info;
 	unsigned char key[MAX_KEY_SIZE + 1];
 	unsigned char blob[MAX_BLOB_SIZE];
 };
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..cb1d56397ed0 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 	int key_cmd;
 	char *c;
+	p->is_hw_bound = !HW_BOUND_KEY;
+
 	/* main command */
 	c = strsep(datablob, " \t");
 	if (!c)
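Review bot: `#define HW_BOUND_KEY 1` is a boolean in disguise: the only uses are storing it into the one-byte `is_hw_bound` field and, in the first trusted_core.c hunk, writing `p->is_hw_bound = !HW_BOUND_KEY;` to mean "not bound", which reads as a double negative and would silently change meaning if the value were ever changed from 1. Declaring the field as `bool is_hw_bound` and assigning `false`/`true` says the same thing without the macro. If the macro is kept, it needs a comment stating its role, e.g. `/* value of trusted_key_payload.is_hw_bound when "hw" was given */`, and the reset in datablob_parse() is clearer as `p->is_hw_bound = 0;`.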
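Review bot: The two new `struct trusted_key_payload` members are undocumented, and nothing in this patch writes `hbk_info`, so a reader cannot tell who fills it or whether its contents are meaningful when `is_hw_bound` is clear. A comment on each would settle that, e.g. `/* HW_BOUND_KEY when "hw" was passed in the key options */` on `is_hw_bound`, and on `hbk_info` a line naming the component that populates it (presumably the sealing backend, to be confirmed) and stating that it is only valid when `is_hw_bound` is set. Every payload allocation now also grows by `sizeof(struct hw_bound_key_info)`, whose size is not visible here; if that struct is large, a pointer or a size note in the commit message would help. If the update path copies payload fields individually from the old payload (as `migratable` suggests it might), the new fields would need the same treatment, which this patch does not show.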
@@ -94,6 +96,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 		if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
 			return -EINVAL;
 		p->key_len = keylen;
+		do {
+			/* Second argument onwards,
+			 * determine if tied to HW */
+			c = strsep(datablob, " \t");
+			if ((c != NULL) && (strcmp(c, "hw") == 0))
+				p->is_hw_bound = HW_BOUND_KEY;
+		} while (c != NULL);
 		ret = Opt_new;
 		break;
 	case Opt_load:
@@ -107,6 +116,13 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 		ret = hex2bin(p->blob, c, p->blob_len);
 		if (ret < 0)
 			return -EINVAL;
+		do {
+			/* Second argument onwards,
+			 * determine if tied to HW */
+			c = strsep(datablob, " \t");
+			if ((c != NULL) && (strcmp(c, "hw") == 0))
+				p->is_hw_bound = HW_BOUND_KEY;
+		} while (c != NULL);
 		ret = Opt_load;
 		break;
 	case Opt_update:
-- 
2.17.1
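Review bot: The added `do { ... } while (c != NULL)` loop calls `strsep()` until `*datablob` is exhausted, so after Opt_new (and identically after Opt_load in the next hunk) nothing remains in `*datablob`; since `datablob_parse()` takes `char **` and advances the caller's pointer, any options the caller parses from the remainder after this function returns would now be lost, which is worth checking against the caller, as it lies outside the hunk. Whatever the caller does, the trailing tokens get no validation here: anything other than `hw` is neither applied nor rejected, so a mistyped option passes unnoticed, and the same seven lines are duplicated across the two cases. A small helper that only inspects the next token and consumes it only when it is `hw`, called from both cases as `datablob_parse_hw_bound(datablob, p);` in place of the loop, keeps the rest of `*datablob` available for the caller and removes the duplication; datablob_parse() begins and ends outside this hunk.
```c
/*
 * Optional trailing "hw" marks the key as hardware-bound.  Only the next
 * token is inspected and it is consumed only when it is "hw", so anything
 * else in @datablob is left for the caller.
 */
static void datablob_parse_hw_bound(char **datablob,
				    struct trusted_key_payload *p)
{
	char *s = *datablob;

	if (!s)
		return;
	while (*s == ' ' || *s == '\t')
		s++;
	if (strncmp(s, "hw", 2) == 0 &&
	    (s[2] == '\0' || s[2] == ' ' || s[2] == '\t')) {
		p->is_hw_bound = HW_BOUND_KEY;
		*datablob = s + 2;
	}
}

/* … unchanged: datablob_parse() up to the Opt_new case … */
		p->key_len = keylen;
		datablob_parse_hw_bound(datablob, p);
		ret = Opt_new;
/* … unchanged: remainder of datablob_parse(); Opt_load gets the same one-line call … */
```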