summary refs log tree commit diff
path: root/include/keys
diff options
context:
space:
mode:
authorJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>2015-10-31 17:53:44 +0200
committerJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>2015-12-20 15:27:13 +0200
commit5beb0c435bdde35a09376566b0e28f7df87c9f68 (patch)
tree3f8c2bc84de7a77c3fed187f3bd15011e2b33e5b /include/keys
parent5ca4c20cfd37bac6486de040e9951b3b34755238 (diff)
downloadlinux-5beb0c435bdde35a09376566b0e28f7df87c9f68.tar.gz
keys, trusted: seal with a TPM2 authorization policy
TPM2 supports authorization policies, which are essentially
combinational logic statements repsenting the conditions where the data
can be unsealed based on the TPM state. This patch enables to use
authorization policies to seal trusted keys.

Two following new options have been added for trusted keys:

* 'policydigest=': provide an auth policy digest for sealing.
* 'policyhandle=': provide a policy session handle for unsealing.

If 'hash=' option is supplied after 'policydigest=' option, this
will result an error because the state of the option would become
mixed.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Peter Huewe <peterhuewe@gmx.de>
Diffstat (limited to 'include/keys')
-rw-r--r--include/keys/trusted-type.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index a6a100833ae9..42cf2d991bf4 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -18,6 +18,7 @@
 #define MAX_KEY_SIZE			128
 #define MAX_BLOB_SIZE			512
 #define MAX_PCRINFO_SIZE		64
+#define MAX_DIGEST_SIZE			64
 
 struct trusted_key_payload {
 	struct rcu_head rcu;
@@ -37,6 +38,9 @@ struct trusted_key_options {
 	unsigned char pcrinfo[MAX_PCRINFO_SIZE];
 	int pcrlock;
 	uint32_t hash;
+	uint32_t digest_len;
+	unsigned char policydigest[MAX_DIGEST_SIZE];
+	uint32_t policyhandle;
 };
 
 extern struct key_type key_type_trusted;