Re: [PATCH v6 19/20] tpm: add the null key name as a sysfs export

"Jarkko Sakkinen" <jarkko@xxxxxxxxxx> · Wed, 03 Jan 2024 17:22:24 +0200



On Tue Jan 2, 2024 at 7:04 PM EET, James Bottomley wrote:
> This is the last component of encrypted tpm2 session handling that
> allows us to verify from userspace that the key derived from the NULL
> seed genuinely belongs to the TPM and has not been spoofed.
>
> The procedure for doing this involves creating an attestation identity
> key (which requires verification of the TPM EK certificate) and then
> using that AIK to sign a certification of the Elliptic Curve key over
> the NULL seed.  Userspace must create this EC Key using the parameters
> prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if
> this is done correctly the names will match and the TPM can then run a
> TPM2_Certify operation on this derived primary key using the newly
> created AIK.
>
> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> ---
> v6: change config name
> ---
>  drivers/char/tpm/tpm-sysfs.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
> index 54c71473aa29..874c2c5fe79f 100644
> --- a/drivers/char/tpm/tpm-sysfs.c
> +++ b/drivers/char/tpm/tpm-sysfs.c
> @@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev,
>  }
>  static DEVICE_ATTR_RO(tpm_version_major);
>  
> +#ifdef CONFIG_TCG_TPM2_HMAC
> +static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
> +			      char *buf)
> +{
> +	struct tpm_chip *chip = to_tpm_chip(dev);
> +	int size = TPM2_NAME_SIZE;
> +
> +	bin2hex(buf, chip->tpmkeyname, size);
> +	size *= 2;
> +	buf[size++] = '\n';
> +	return size;
> +}
> +static DEVICE_ATTR_RO(null_name);
> +#endif
> +
>  static struct attribute *tpm1_dev_attrs[] = {
>  	&dev_attr_pubek.attr,
>  	&dev_attr_pcrs.attr,
> @@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = {
>  
>  static struct attribute *tpm2_dev_attrs[] = {
>  	&dev_attr_tpm_version_major.attr,
> +#ifdef CONFIG_TCG_TPM2_HMAC
> +	&dev_attr_null_name.attr,
> +#endif
>  	NULL
>  };
>  

Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

BR, Jarkko