summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-02-13Merge tag 'tpmdd-next-20190213' of ↵James Morris
git://git.infradead.org/users/jjs/linux-tpmdd into next-tpm tpmdd updates for Linux v5.1 From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Clean up the transmission flow ============================== Cleaned up the whole transmission flow. Locking of the chip is now done in the level of tpm_try_get_ops() and tpm_put_ops() instead taking the chip lock inside tpm_transmit(). The nested calls inside tpm_transmit(), used with the resource manager, have been refactored out. Should make easier to perform more complex transactions with the TPM without making the subsystem a bigger mess (e.g. encrypted channel patches by James Bottomley). PPI 1.3 support =============== TPM PPI 1.3 introduces an additional optional command parameter that may be needed for some commands. Display the parameter if the command requires such a parameter. Only command 23 (SetPCRBanks) needs one. The PPI request file will show output like this then: # echo "23 16" > request # cat request 23 16 # echo "5" > request # cat request 5 Extend all PCR banks in IMA =========================== Instead of static PCR banks array, the array of available PCR banks is now allocated dynamically. The digests sizes are determined dynamically using a probe PCR read without relying crypto's static list of hash algorithms. This should finally make sealing of measurements in IMA safe and secure. TPM 2.0 selftests ================= Added a test suite to tools/testing/selftests/tpm2 previously outside of the kernel tree: https://github.com/jsakkine-intel/tpm2-scripts.
2019-02-13tpm/ppi: Enable submission of optional command parameter for PPI 1.3Stefan Berger
This patch enables a user to specify the additional optional command parameter by writing it into the request file: # echo "23 16" > request # cat request 23 16 For backwards compatibility: If only 1 parameter is given then we assume this is the operation request number. # echo "5" > request # cat request 5 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: David Safford <david.safford@ge.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm/ppi: Possibly show command parameter if TPM PPI 1.3 is usedStefan Berger
TPM PPI 1.3 introduces an additional optional command parameter that may be needed for some commands. Display the parameter if the command requires such a parameter. Only command 23 needs one. The PPI request file will show output like this then: # echo "23 16" > request # cat request 23 16 # echo "5" > request # cat request 5 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: David Safford <david.safford@ge.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm/ppi: Display up to 101 operations as define for version 1.3Stefan Berger
TPM PPI 1.3 defines operations up to number 101. We need to query up to this number to show the user what the firmware implements. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: David Safford <david.safford@ge.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm/ppi: rename TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1Stefan Berger
TPM PPI 1.3 introduces a function revision 2 for some functions. So, rename the existing TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: David Safford <david.safford@ge.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm/ppi: pass function revision ID to tpm_eval_dsm()Stefan Berger
Since we will need to pass different function revision numbers to tpm_eval_dsm, convert this function now to take the function revision as an additional parameter. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: David Safford <david.safford@ge.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()Roberto Sassu
Currently, tpm_pcr_extend() accepts as an input only a SHA1 digest. This patch replaces the hash parameter of tpm_pcr_extend() with an array of tpm_digest structures, so that the caller can provide a digest for each PCR bank currently allocated in the TPM. tpm_pcr_extend() will not extend banks for which no digest was provided, as it happened before this patch, but instead it requires that callers provide the full set of digests. Since the number of digests will always be chip->nr_allocated_banks, the count parameter has been removed. Due to the API change, ima_pcr_extend() and pcrlock() have been modified. Since the number of allocated banks is not known in advance, the memory for the digests must be dynamically allocated. To avoid performance degradation and to avoid that a PCR extend is not done due to lack of memory, the array of tpm_digest structures is allocated by the users of the TPM driver at initialization time. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Mimi Zohar <zohar@linux.ibm.com> (on x86 for TPM 1.2 & PTT TPM 2.0) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()Roberto Sassu
When crypto agility support will be added to the TPM driver, users of the driver have to retrieve the allocated banks from chip->allocated_banks and use this information to prepare the array of tpm_digest structures to be passed to tpm_pcr_extend(). This patch retrieves a tpm_chip pointer from tpm_default_chip() so that the pointer can be used to prepare the array of tpm_digest structures. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: move tpm_chip definition to include/linux/tpm.hRoberto Sassu
The tpm_chip structure contains the list of PCR banks currently allocated in the TPM. When support for crypto agility will be added to the TPM driver, users of the driver have to provide a digest for each allocated bank to tpm_pcr_extend(). With this patch, they can obtain the PCR bank algorithms directly from chip->allocated_banks. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: retrieve digest size of unknown algorithms with PCR readRoberto Sassu
Currently, the TPM driver retrieves the digest size from a table mapping TPM algorithms identifiers to identifiers defined by the crypto subsystem. If the algorithm is not defined by the latter, the digest size can be retrieved from the output of the PCR read command. The patch modifies the definition of tpm_pcr_read() and tpm2_pcr_read() to pass the desired hash algorithm and obtain the digest size at TPM startup. Algorithms and corresponding digest sizes are stored in the new structure tpm_bank_info, member of tpm_chip, so that the information can be used by other kernel subsystems. tpm_bank_info contains: the TPM algorithm identifier, necessary to generate the event log as defined by Trusted Computing Group (TCG); the digest size, to pad/truncate a digest calculated with a different algorithm; the crypto subsystem identifier, to calculate the digest of event data. This patch also protects against data corruption that could happen in the bus, by checking that the digest size returned by the TPM during a PCR read matches the size of the algorithm passed to tpm2_pcr_read(). For the initial PCR read, when digest sizes are not yet available, this patch ensures that the amount of data copied from the output returned by the TPM does not exceed the size of the array data are copied to. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: rename and export tpm2_digest and tpm2_algorithmsRoberto Sassu
Rename tpm2_* to tpm_* and move the definitions to include/linux/tpm.h so that these can be used by other kernel subsystems (e.g. IMA). Also, set the length of the digest array in tpm_digest to a new constant named TPM_MAX_DIGEST_SIZE, equal to SHA512_DIGEST_SIZE. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: dynamically allocate the allocated_banks arrayRoberto Sassu
This patch renames active_banks (member of tpm_chip) to allocated_banks, stores the number of allocated PCR banks in nr_allocated_banks (new member of tpm_chip), and replaces the static array with a pointer to a dynamically allocated array. tpm2_get_pcr_allocation() determines if a PCR bank is allocated by checking the mask in the TPML_PCR_SELECTION structure returned by the TPM for TPM2_Get_Capability(). If a bank is not allocated, the TPM returns that bank in TPML_PCR_SELECTION, with all bits in the mask set to zero. In this case, the bank is not included in chip->allocated_banks, to avoid that TPM driver users unnecessarily calculate a digest for that bank. One PCR bank with algorithm set to SHA1 is always allocated for TPM 1.x. As a consequence of the introduction of nr_allocated_banks, tpm_pcr_extend() does not check anymore if the algorithm stored in tpm_chip is equal to zero. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: remove @flags from tpm_transmit()Jarkko Sakkinen
Remove @flags from tpm_transmit() API. It is no longer used for anything. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: take TPM chip power gating out of tpm_transmit()Jarkko Sakkinen
Call tpm_chip_start() and tpm_chip_stop() in * tpm_chip_register() * tpm_class_shutdown() * tpm_del_char_device() * tpm_pm_suspend() * tpm_try_get_ops() and tpm_put_ops() * tpm2_del_space() And remove these calls from tpm_transmit(). The core reason for this change is that in tpm_vtpm_proxy a locality change requires a virtual TPM command (a command made up just for that driver). The consequence of this is that this commit removes the remaining nested calls. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: introduce tpm_chip_start() and tpm_chip_stop()Jarkko Sakkinen
Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: remove TPM_TRANSMIT_UNLOCKED flagJarkko Sakkinen
Added locking as part of tpm_try_get_ops() and tpm_put_ops() as they are anyway used in most of the call sites except in tpmrm_release() where we take the locks manually. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: use tpm_try_get_ops() in tpm-sysfs.c.Jarkko Sakkinen
Use tpm_try_get_ops() in tpm-sysfs.c so that we can consider moving other decorations (locking, localities, power management for example) inside it. This direction can be of course taken only after other call sites for tpm_transmit() have been treated in the same way. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: remove @space from tpm_transmit()Jarkko Sakkinen
Remove @space from tpm_transmit() API` in order to completely remove the bound between low-level transmission functionality and TPM spaces. The only real dependency existing is the amount of data saved before trying to send a command to the TPM. It doesn't really matter if we save always a bit more than needed so this commit changes the amount saved always to be the size of the TPM header and three handles. Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: move TPM space code out of tpm_transmit()Jarkko Sakkinen
Prepare and commit TPM space before and after calling tpm_transmit() instead of doing that inside tpm_transmit(). After this change we can remove TPM_TRANSMIT_NESTED flag from tpm2_prepare_space() and tpm2_commit_space() and replace it with TPM_TRANSMIT_UNLOCKED. Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: move tpm_validate_commmand() to tpm2-space.cJarkko Sakkinen
Move tpm_validate_command() to tpm2-space.c and make it part of the tpm2_prepare_space() flow. Make cc resolution as part of the TPM space functionality in order to detach it from rest of the tpm_transmit() flow. Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: clean up tpm_try_transmit() error handling flowJarkko Sakkinen
Move locking, locality handling and power management to tpm_transmit() in order to simplify the flow. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: encapsulate tpm_dev_transmit()Jarkko Sakkinen
Encapsulate tpm_transmit() call pattern to tpm_dev_transmit() because it is identically used from two places. Use unlocked version of tpm_transmit() so that we are able to move the calls to tpm2_prepare_space() and tpm2_commit_space() later on to this new function. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: access command header through struct in tpm_try_transmit()Jarkko Sakkinen
Instead of accessing fields of the command header through offsets to the raw buffer, it is a better idea to use the header struct pointer that is already used elsewhere in the function. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: declare struct tpm_headerJarkko Sakkinen
Declare struct tpm_header that replaces struct tpm_input_header and struct tpm_output_header. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: print tpm2_commit_space() error inside tpm2_commit_space()Jarkko Sakkinen
The error logging for tpm2_commit_space() is in a wrong place. This commit moves it inside that function. Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: return 0 from pcrs_show() when tpm1_pcr_read() failsJarkko Sakkinen
Do not print partial list of PCRs when tpm1_pcr_read() fails but instead return 0 from pcrs_show(). This is consistent behavior with other sysfs functions. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: fix invalid return value in pubek_show()Jarkko Sakkinen
Return zero when tpm_buf_init() fails as we do for other functions in tpm-sysfs.c. Fixes: da379f3c1db0c ("tpm: migrate pubek_show to struct tpm_buf") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: use tpm_buf in tpm_transmit_cmd() as the IO parameterJarkko Sakkinen
Since we pass an initialized struct tpm_buf instance in every call site now, it is cleaner to pass that directly to the tpm_transmit_cmd() as the TPM command/response buffer. Fine-tune a little bit tpm_transmit() and tpm_transmit_cmd() comments while doing this. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-13tpm: don't return bool from update_timeoutsJerry Snitselaar
Set tpm_chip->timeouts_adjusted directly in the update_timeouts code instead of returning bool. In case of tpm read failing print warning that the read failed and continue on. Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: don't print error message in tpm_transmit_cmd when tpm still testingJerry Snitselaar
Currently tpm_transmit_cmd will print an error message if the tpm returns something other than TPM2_RC_SUCCESS. This means that if the tpm returns that it is testing an error message will be printed, and this can cause confusion for the end user. So avoid printing the error message if TPM2_RC_TESTING is the return code. Cc: Peter Huewe <peterhuewe@gmx.de> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: add _head suffix to tcg_efi_specid_event and tcg_pcr_event2Roberto Sassu
TCG defines two structures, TCG_EfiSpecIDEventStruct and TCG_PCR_EVENT2, which contain variable-sized arrays in the middle of the definition. Since these structures are not suitable for type casting, this patch removes structure members after the variable-sized arrays and adds the _head suffix to the structure name, to indicate that the renamed structures do not contain all fields defined by TCG. Lastly, given that variable-sized arrays are now in the last position, and given that the size of the arrays cannot be determined in advance, this patch also sets the size of those arrays to zero and removes the definition of TPM2_ACTIVE_PCR_BANKS. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: Fix off-by-one when reading binary_bios_measurementsJia Zhang
It is unable to read the entry when it is the only one in binary_bios_measurements: 00000000 00 00 00 00 08 00 00 00 c4 2f ed ad 26 82 00 cb 00000010 1d 15 f9 78 41 c3 44 e7 9d ae 33 20 00 00 00 00 00000020 This is obviously a firmware problem on my linux machine: Manufacturer: Inspur Product Name: SA5212M4 Version: 01 However, binary_bios_measurements should return it any way, rather than nothing, after all its content is completely valid. Fixes: 55a82ab3181b ("tpm: add bios measurement log") Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> Reviewd-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm: Simplify the measurements loopJia Zhang
The responsibility of tpm1_bios_measurements_start() is to walk over the first *pos measurements, ensuring the skipped and to-be-read measurements are not out-of-boundary. This commit simplifies the loop by employing a do-while loop with the necessary sanity check. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> Reviewd-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incompleteJarkko Sakkinen
Return -E2BIG when the transfer is incomplete. The upper layer does not retry, so not doing that is incorrect behaviour. Cc: stable@vger.kernel.org Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
2019-02-13tpm: Unify the send callback behaviourJarkko Sakkinen
The send() callback should never return length as it does not in every driver except tpm_crb in the success case. The reason is that the main transmit functionality only cares about whether the transmit was successful or not and ignores the count completely. Suggested-by: Stefan Berger <stefanb@linux.ibm.com> Cc: stable@vger.kernel.org Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
2019-02-12LSM: fix return value check in safesetid_init_securityfs()Wei Yongjun
In case of error, the function securityfs_create_dir() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: aeca4e2ca65c ("LSM: add SafeSetID module that gates setid calls") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-02-12LSM: SafeSetID: add selftestMicah Morton
This patch adds a selftest for the SafeSetID LSM. The test requires mounting securityfs if it isn't mounted, creating test users in /etc/passwd, and configuring policies for the SafeSetID LSM through writes to securityfs. Signed-off-by: Micah Morton <mortonm@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-02-08selftests: add TPM 2.0 testsJarkko Sakkinen
Added the tests that I've been using for testing TPM 2.0 functionality for a long time but have been out-of-tree so far, residing in https://github.com/jsakkine-intel/tpm2-scripts Cc: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Acked-by: Joey Pabalinas <joeypabalinas@gmail.com> Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
2019-02-08tpm: Fix some name collisions with drivers/char/tpm.hJarkko Sakkinen
* Rename TPM_BUFSIZE defined in drivers/char/tpm/st33zp24/st33zp24.h to ST33ZP24_BUFSIZE. * Rename TPM_BUFSIZE defined in drivers/char/tpm/tpm_i2c_infineon.c to TPM_I2C_INFINEON_BUFSIZE. * Rename TPM_RETRY in tpm_i2c_nuvoton to TPM_I2C_RETRIES. * Remove TPM_HEADER_SIZE from tpm_i2c_nuvoton. Cc: stable@vger.kernel.org Fixes: bf38b8710892 ("tpm/tpm_i2c_stm_st33: Split tpm_i2c_tpm_st33 in 2 layers (core + phy)") Fixes: aad628c1d91a ("char/tpm: Add new driver for Infineon I2C TIS TPM") Fixes: 32d33b29ba07 ("TPM: Retry SaveState command in suspend path") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-08tpm/tpm_crb: Avoid unaligned reads in crb_recv()Jarkko Sakkinen
The current approach to read first 6 bytes from the response and then tail of the response, can cause the 2nd memcpy_fromio() to do an unaligned read (e.g. read 32-bit word from address aligned to a 16-bits), depending on how memcpy_fromio() is implemented. If this happens, the read will fail and the memory controller will fill the read with 1's. This was triggered by 170d13ca3a2f, which should be probably refined to check and react to the address alignment. Before that commit, on x86 memcpy_fromio() turned out to be memcpy(). By a luck GCC has done the right thing (from tpm_crb's perspective) for us so far, but we should not rely on that. Thus, it makes sense to fix this also in tpm_crb, not least because the fix can be then backported to stable kernels and make them more robust when compiled in differing environments. Cc: stable@vger.kernel.org Cc: James Morris <jmorris@namei.org> Cc: Tomas Winkler <tomas.winkler@intel.com> Cc: Jerry Snitselaar <jsnitsel@redhat.com> Fixes: 30fc8d138e91 ("tpm: TPM 2.0 CRB Interface") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Acked-by: Tomas Winkler <tomas.winkler@intel.com>
2019-01-30LSM: SafeSetID: remove unused includeMicah Morton
The include for asm/syscall.h was needed in a prior version of lsm.c that checked return values of syscall_get_nr, but since we did away with that part of the code this include is no longer necessary. Take out this include since it breaks builds for certain architectures. We no longer have any arch-specific code in SafeSetID. Signed-off-by: Micah Morton <mortonm@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-29LSM: SafeSetID: 'depend' on CONFIG_SECURITYMicah Morton
This patch changes the Kconfig file for the SafeSetID LSM to depend on CONFIG_SECURITY as well as select CONFIG_SECURITYFS, since the policies for the LSM are configured through writing to securityfs. Signed-off-by: Micah Morton <mortonm@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-28LSM: Add 'name' field for SafeSetID in DEFINE_LSMMicah Morton
Without this, system boot was crashing with: [0.174285] LSM: Security Framework initializing [0.175277] BUG: unable to handle kernel NULL pointer dereference ... [0.176272] Call Trace: [0.176272] ordered_lsm_parse+0x112/0x20b [0.176272] security_init+0x9b/0x3ab [0.176272] start_kernel+0x413/0x479 [0.176272] secondary_startup_64+0xa4/0xb0 Signed-off-by: Micah Morton <mortonm@chromium.org> Fixed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-25LSM: add SafeSetID module that gates setid callsMicah Morton
SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. For now, only gating the set*uid family of syscalls is supported, with support for set*gid coming in a future patch set. Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-25LSM: add SafeSetID module that gates setid callsMicah Morton
This change ensures that the set*uid family of syscalls in kernel/sys.c (setreuid, setuid, setresuid, setfsuid) all call ns_capable_common with the CAP_OPT_INSETID flag, so capability checks in the security_capable hook can know whether they are being called from within a set*uid syscall. This change is a no-op by itself, but is needed for the proposed SafeSetID LSM. Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-24tomoyo: Allow multiple use_group lines.Tetsuo Handa
Being able to specify multiple "use_group" lines makes it easier to write whitelisted policies. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-24tomoyo: Coding style fix.Tetsuo Handa
Follow many of recommendations by scripts/checkpatch.pl, and follow "lift switch variables out of switches" by Kees Cook. This patch makes no functional change. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-23tomoyo: Swicth from cred->security to task_struct->security.Tetsuo Handa
TOMOYO security module is designed to use "struct task_struct"->security in order to allow per "struct task_struct" tracking without being disturbed by unable to update "struct cred"->security due to override mechanism. Now that infrastructure-managed security blob is ready, this patch updates TOMOYO to use "struct task_struct"->security. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-22security: keys: annotate implicit fall throughsMathieu Malaterre
There is a plan to build the kernel with -Wimplicit-fallthrough and these places in the code produced warnings (W=1). Fix them up. This commit remove the following warnings: security/keys/request_key.c:293:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/keys/request_key.c:298:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/keys/request_key.c:307:7: warning: this statement may fall through [-Wimplicit-fallthrough=] Signed-off-by: Mathieu Malaterre <malat@debian.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-22security: keys: annotate implicit fall throughsMathieu Malaterre
There is a plan to build the kernel with -Wimplicit-fallthrough and these places in the code produced warnings (W=1). Fix them up. This commit remove the following warning: security/keys/process_keys.c:380:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/keys/process_keys.c:404:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/keys/process_keys.c:424:7: warning: this statement may fall through [-Wimplicit-fallthrough=] Signed-off-by: Mathieu Malaterre <malat@debian.org> Signed-off-by: James Morris <james.morris@microsoft.com>