[PATCH 2/3] lib/security: New lib for security functions.
Nayna Jain
nayna at linux.vnet.ibm.com
Thu Jun 2 19:56:57 AEST 2016
Adds new lib to support security specific functions.
Functions are separated into different files based on
functionality they provide. Details as below:
lib/security/crypto: Set of files to support crypto functions
like hash, encryption etc. Currently, it provides support
only for hash function and can be extended as needed. Hash
function is implemented using kernel crypto API.
lib/security/tpmOperations: Set of files to support tpm
specific operations. Currently, it provides function to extend TPM.
The implmentation of this function is currently experimental and
is bound to change.
Signed-off-by: Nayna Jain <nayna at linux.vnet.ibm.com>
---
lib/Makefile.am | 6 +++-
lib/security/crypto.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
lib/security/crypto.h | 22 +++++++++++++
lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++
lib/security/tpmOperations.h | 18 +++++++++++
5 files changed, 190 insertions(+), 1 deletion(-)
create mode 100644 lib/security/crypto.c
create mode 100644 lib/security/crypto.h
create mode 100644 lib/security/tpmOperations.c
create mode 100644 lib/security/tpmOperations.h
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 09bc1aa..d5559f0 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -50,7 +50,11 @@ lib_libpbcore_la_SOURCES = \
lib/util/util.c \
lib/util/util.h \
lib/flash/config.h \
- lib/flash/flash.h
+ lib/flash/flash.h \
+ lib/security/tpmOperations.c \
+ lib/security/tpmOperations.h \
+ lib/security/crypto.c \
+ lib/security/crypto.h
if ENABLE_MTD
lib_libpbcore_la_SOURCES += \
diff --git a/lib/security/crypto.c b/lib/security/crypto.c
new file mode 100644
index 0000000..e5344a8
--- /dev/null
+++ b/lib/security/crypto.c
@@ -0,0 +1,73 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+
+#define DIGEST_SIZE(digestname) !strcmp(digestname, "sha1")? \
+ SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \
+ SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \
+ SHA512_DIGEST_SIZE : 0
+
+
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+ uint8_t *obuf)
+{
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "hash",
+ };
+
+ int fd = -1;
+ int sockfd = -1;
+ int rc = 0;
+ unsigned char digest[DIGEST_SIZE(digestname)];
+ char *input = NULL;
+ input = ibuf ;
+ memset(sa.salg_name, 0, sizeof(sa.salg_name));
+ memcpy(sa.salg_name, digestname, sizeof(sa.salg_name));
+
+ sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (sockfd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+ if (rc == -1)
+ goto out;
+
+ fd = accept(sockfd, NULL, 0);
+ if (fd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = write(fd, input, sizeof(input));
+ if (rc == -1)
+ goto out;
+
+ read(fd, digest, sizeof(digest));
+
+ memset(obuf, 0, sizeof(digest));
+ memcpy(obuf, digest, sizeof(digest));
+
+
+out:
+ if (fd > 0)
+ close(fd);
+ if (sockfd > 0)
+ close(sockfd);
+
+ return 0;
+
+}
diff --git a/lib/security/crypto.h b/lib/security/crypto.h
new file mode 100644
index 0000000..111c1ea
--- /dev/null
+++ b/lib/security/crypto.h
@@ -0,0 +1,22 @@
+#ifndef CRYPTO_H
+#define CRYPTO_H
+
+#include <stdint.h>
+
+#define SHA1_DIGEST_SIZE 20
+#define SHA256_DIGEST_SIZE 32
+#define SHA512_DIGEST_SIZE 64
+
+/**
+ * Calculates and returns the digest of the input buffer.
+ * @digestname: Type of digest to be calculated.
+ * @ibuf: Input buffer whose digest is to be calculated.
+ * @obuf: Output buffer in which calculated digest is returned.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+ **/
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+ uint8_t *obuf);
+
+#endif /* CRYPTO_H */
+
diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c
new file mode 100644
index 0000000..bfb2c21
--- /dev/null
+++ b/lib/security/tpmOperations.c
@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+#include "tpmOperations.h"
+
+/**
+Note: The implementation of this function is experimental.
+It only servers the purpose of showing tpm_extend API and its interface.
+Final implementation will be changed.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf,
+ uint8_t buflen)
+{
+
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "tpm-extend",
+ };
+ int i=0;
+ int sockfd = -1;
+ int fd = -1;
+ int rc = 0;
+ char res[256]; //This is temporary size and will be defined correctly once
+ //response status code is finalized for extend operation.
+ memset(sa.salg_name, 0, sizeof(sa.salg_name));
+ memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg));
+
+ sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (sockfd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+ if (rc == -1)
+ goto out;
+
+ fd = accept(sockfd, NULL, 0);
+ if (fd == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ rc = write(fd, buf, buflen);
+ if (rc == -1)
+ {
+ rc = -1;
+ goto out;
+ }
+
+ //response will contain status code for extend operation.
+ //handling of error status code is yet to be finalized.
+ read(fd, res, sizeof(res));
+
+out:
+ if (fd > 0)
+ close(fd);
+ if (sockfd > 0)
+ close(sockfd);
+ return rc;
+}
diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h
new file mode 100644
index 0000000..2231152
--- /dev/null
+++ b/lib/security/tpmOperations.h
@@ -0,0 +1,18 @@
+#ifndef _TPM_OPERATIONS_H
+#define _TPM_OPERATIONS_H
+
+/**
+ * Prepares the request and send to TPM for extend.
+ * @pcr : PCR Index to which to be extended.
+ * @pcr_bank : PCR Bank to which to be extended.
+ * @buf : Input data to be extended.
+ * @buflen : Length of the input data.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf,
+ uint8_t buflen);
+
+#endif /* _TPM_OPERATIONS_H */
+
--
2.5.0
More information about the Petitboot
mailing list