tpm: add the null key name as a sysfs export
This is the last component of encrypted tpm2 session handling that allows us to verify from userspace that the key derived from the NULL seed genuinely belongs to the TPM and has not been spoofed. The procedure for doing this involves creating an attestation identity key (which requires verification of the TPM EK certificate) and then using that AIK to sign a certification of the Elliptic Curve key over the NULL seed. Userspace must create this EC Key using the parameters prescribed in TCG TPM v2.0 Provisioning Guidance for the SRK ECC; if this is done correctly the names will match and the TPM can then run a TPM2_Certify operation on this derived primary key using the newly created AIK. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
parent
52ce7d9731
commit
089e0fb3f7
@ -309,6 +309,21 @@ static ssize_t tpm_version_major_show(struct device *dev,
|
||||
}
|
||||
static DEVICE_ATTR_RO(tpm_version_major);
|
||||
|
||||
#ifdef CONFIG_TCG_TPM2_HMAC
|
||||
static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
|
||||
char *buf)
|
||||
{
|
||||
struct tpm_chip *chip = to_tpm_chip(dev);
|
||||
int size = TPM2_NAME_SIZE;
|
||||
|
||||
bin2hex(buf, chip->null_key_name, size);
|
||||
size *= 2;
|
||||
buf[size++] = '\n';
|
||||
return size;
|
||||
}
|
||||
static DEVICE_ATTR_RO(null_name);
|
||||
#endif
|
||||
|
||||
static struct attribute *tpm1_dev_attrs[] = {
|
||||
&dev_attr_pubek.attr,
|
||||
&dev_attr_pcrs.attr,
|
||||
@ -326,6 +341,9 @@ static struct attribute *tpm1_dev_attrs[] = {
|
||||
|
||||
static struct attribute *tpm2_dev_attrs[] = {
|
||||
&dev_attr_tpm_version_major.attr,
|
||||
#ifdef CONFIG_TCG_TPM2_HMAC
|
||||
&dev_attr_null_name.attr,
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user