From nobody Fri Nov 29 19:44:12 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E33717C91; Sun, 15 Sep 2024 18:04:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423498; cv=none; b=DurcEvKJmeo3ibW4qosmwUWy51nTcQiQuUEkJWjtNIcdBzRmgLWY6mgta1dd8rZQ3nVxSwF/N6/ejcd1F3Czki0htuMWxDSfRv6BNVylkxHkbnmxBnXCmzTFv4PAySvofNAVjH3vaJ7UsVWwVDZV1834JOQYcQkEeAO59yB4rGQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423498; c=relaxed/simple; bh=PSWKFNVV/x7KpttZabN/IKNBqvoJsZn3/j63V1Q+yhw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Cp1VWLN4yRhfzsCSTVE7m2hTce42AwDOOI+vVuzgJFREP3friIr2DNr+UHATwc7wv7/+3uNRmzd5sspVMe1ZrbyYlDz7ygJ7l2j/sm1GFPHpwn5vHYqMp1L912ce/zWahnL2s37Azto0m06GOSsFA1NzQT08TKb1qcEHtsNm8gA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=a9XWtdKv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="a9XWtdKv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6381CC4CEC3; Sun, 15 Sep 2024 18:04:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726423497; bh=PSWKFNVV/x7KpttZabN/IKNBqvoJsZn3/j63V1Q+yhw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=a9XWtdKvVF96aEWW9cmZziMlCeDNDs/oSorS4PuMVXTQ3ASUrBvM8TPAJVXRU5R5G qua/ZXfhIq4XWVvYZicPSEgNGejh1eXk19fjDGTqrOl2qQ1Dgat/bvIJ/iXc3fjZHa DTsXA006pFieyCX+kkPHz8JSPuDnNV5ZF4zU2EDw92Dqx+akuLAJaNyPkd1Z41WDJP Tx8b4KUki9bTOmMifnihQqI9oFY/032toHiiiAKEMgvdzLk8ZTbi3poWN23rrtWT/v oXXLmaCACaVGKJnYF2Z9jfNolb/yDu5zSmTAyIIZb2o7X5lFLCAwoP6f5NLCb+g1eU OPl7t74cyTKpg== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , Peter Huewe , Jason Gunthorpe , linux-kernel@vger.kernel.org (open list) Subject: [PATCH 1/4] tpm: remove file header documentation from tpm2-sessions.c Date: Sun, 15 Sep 2024 21:04:43 +0300 Message-ID: <20240915180448.2030115-2-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240915180448.2030115-1-jarkko@kernel.org> References: <20240915180448.2030115-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The documentation in the file header is duplicate documentation, which is already addressed elsewhere (tpm-security.rs and function associated documentations). In addition remove the invalid newline character after the SPDX tag. Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-sessions.c | 65 -------------------------------- 1 file changed, 65 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index 44f60730cff4..6cc1ea81c57c 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1,71 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 - /* * Copyright (C) 2018 James.Bottomley@HansenPartnership.com - * - * Cryptographic helper routines for handling TPM2 sessions for - * authorization HMAC and request response encryption. - * - * The idea is to ensure that every TPM command is HMAC protected by a - * session, meaning in-flight tampering would be detected and in - * addition all sensitive inputs and responses should be encrypted. - * - * The basic way this works is to use a TPM feature called salted - * sessions where a random secret used in session construction is - * encrypted to the public part of a known TPM key. The problem is we - * have no known keys, so initially a primary Elliptic Curve key is - * derived from the NULL seed (we use EC because most TPMs generate - * these keys much faster than RSA ones). The curve used is NIST_P256 - * because that's now mandated to be present in 'TCG TPM v2.0 - * Provisioning Guidance' - * - * Threat problems: the initial TPM2_CreatePrimary is not (and cannot - * be) session protected, so a clever Man in the Middle could return a - * public key they control to this command and from there intercept - * and decode all subsequent session based transactions. The kernel - * cannot mitigate this threat but, after boot, userspace can get - * proof this has not happened by asking the TPM to certify the NULL - * key. This certification would chain back to the TPM Endorsement - * Certificate and prove the NULL seed primary had not been tampered - * with and thus all sessions must have been cryptographically secure. - * To assist with this, the initial NULL seed public key name is made - * available in a sysfs file. - * - * Use of these functions: - * - * The design is all the crypto, hash and hmac gunk is confined in this - * file and never needs to be seen even by the kernel internal user. To - * the user there's an init function tpm2_sessions_init() that needs to - * be called once per TPM which generates the NULL seed primary key. - * - * These are the usage functions: - * - * tpm2_start_auth_session() which allocates the opaque auth structure - * and gets a session from the TPM. This must be called before - * any of the following functions. The session is protected by a - * session_key which is derived from a random salt value - * encrypted to the NULL seed. - * tpm2_end_auth_session() kills the session and frees the resources. - * Under normal operation this function is done by - * tpm_buf_check_hmac_response(), so this is only to be used on - * error legs where the latter is not executed. - * tpm_buf_append_name() to add a handle to the buffer. This must be - * used in place of the usual tpm_buf_append_u32() for adding - * handles because handles have to be processed specially when - * calculating the HMAC. In particular, for NV, volatile and - * permanent objects you now need to provide the name. - * tpm_buf_append_hmac_session() which appends the hmac session to the - * buf in the same way tpm_buf_append_auth does(). - * tpm_buf_fill_hmac_session() This calculates the correct hash and - * places it in the buffer. It must be called after the complete - * command buffer is finalized so it can fill in the correct HMAC - * based on the parameters. - * tpm_buf_check_hmac_response() which checks the session response in - * the buffer and calculates what it should be. If there's a - * mismatch it will log a warning and return an error. If - * tpm_buf_append_hmac_session() did not specify - * TPM_SA_CONTINUE_SESSION then the session will be closed (if it - * hasn't been consumed) and the auth structure freed. */ =20 #include "tpm.h" --=20 2.46.0 From nobody Fri Nov 29 19:44:12 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B3CC617C91; Sun, 15 Sep 2024 18:05:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423502; cv=none; b=pBt5rEB3nL9OofHSkTMiERi/g3xBOqXnqiPV5kIY3OqzQMGOvkrtnkg8j9fa6MyAa5nZRwp7CURBLy5roVCDBEevx+8pZ0q2RmjgX1LEbiy39BmlmeSCzmDK9H/aiBxdsN4en0+DXwMxvUkgY1lu2z4azZ47r7hX242RVgt88Nw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423502; c=relaxed/simple; bh=OMNS3XiyQZk7/mSoZqBVQ3dWvXlMWzK4cHdqClsviZc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=b0lqKaq/xPlv7wXiYSdkA0M0wlcQJcocwxkOnDgBqAj+vIxz42tUuyzD3UwJobH7LhutYdcmCnrTM8RXT6uhpMkAvpFR+RFSeRkWOEPdSijLkyAorhsw6HTev2yw4CQhi7gPRij1CFfqVt2slr8R6w08w64C4qicbImRPThS27M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lA3v3jEU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lA3v3jEU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7CBCC4CEC3; Sun, 15 Sep 2024 18:05:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726423502; bh=OMNS3XiyQZk7/mSoZqBVQ3dWvXlMWzK4cHdqClsviZc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lA3v3jEUXWjxg5ccmhka127pM+QjBbuYRcywZFOrneuYZnQi9dqs6HbjaK+kRZ/fK pYiAi08AP2jXOyE12opn7f2izKqMSVWry99KvBNGCc3sd9YRLrp2CQJ+X7H64/tTWZ 7I+25VrcAEEGdm8qc8IRr3ZoQWaZiOW1KCoMGAVUoQ0CfJnKGiUWvq4klpZDx50k0e AmUMcmlN5SecWrrQh9u7whbG/aUuT6IvWqajpVkj9aRcFQ1ekIAoSwg3JfNhGeKQGF N88M2MpMVcczI86QUa/kaO9Uy20EuRnq34VWJPSssc2LlLATaBiQebdgdmy4Hp1t8v PiBaqWfOBoBUw== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , Peter Huewe , Jason Gunthorpe , linux-kernel@vger.kernel.org (open list) Subject: [PATCH 2/4] tpm: address tpm2_create_null_primary() return value Date: Sun, 15 Sep 2024 21:04:44 +0300 Message-ID: <20240915180448.2030115-3-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240915180448.2030115-1-jarkko@kernel.org> References: <20240915180448.2030115-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" tpm2_sessions_init() does not check the return value of tpm2_create_null_primary(). Return on failure. Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-sessions.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index 6cc1ea81c57c..d63510ad44ab 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1288,8 +1288,10 @@ int tpm2_sessions_init(struct tpm_chip *chip) int rc; =20 rc =3D tpm2_create_null_primary(chip); - if (rc) + if (rc) { dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n",= rc); + return rc; + } =20 chip->auth =3D kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) --=20 2.46.0 From nobody Fri Nov 29 19:44:12 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BCE7917C91; Sun, 15 Sep 2024 18:05:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423506; cv=none; b=Y2g+TWPj0lWu7oPw9VY9g7K/AIyx6YIRKslQaMy4gOtpKTgfgNhSHyN0I7ZSLn2XHvyr684WX0Qvf48Mtx68vJCe4LO0xQHvn3XNudXgmrWWgmPrn8wszq3aHTRdchCdeENAdpEtkZG1pqAKYD8tPsh2IHzbSH3R/PUOlvWL6ts= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423506; c=relaxed/simple; bh=cDWRjXQdn9KpsOVLFzVh/g6BNIDKx0+yYAU65TAkxQQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rNFIuX6CZ6SQ6TJRdAgNetKbH4/xfiQEQOUlu8kY+j8Xao3D2MP4L+lSyhW70dOdiD6e9HEZSf7HigiLUwiE8HXt4jDDokKCnDKs32odAMK+C6DbrhVvj/4wrvPHtstDVdT5qAfQeGsl5W8lC6deFAvKeeRs7IWghE7JcIiCrhQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gh23gf/I; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gh23gf/I" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 01F50C4CEC3; Sun, 15 Sep 2024 18:05:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726423506; bh=cDWRjXQdn9KpsOVLFzVh/g6BNIDKx0+yYAU65TAkxQQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gh23gf/IkEMu2/XaDYLRW5lfTA3UzZYwqVwOZ9cwxZbmYjevtS3sytwP8zRKVTqXe VVum5obZXAIHWtVy1TcpRx3jjwb2w7MOXlITaQC0+D/55zcdf512SJ2HDaXSOEgcav iylpDARmHpORFMchRrChfcqH8jgN9lyKvPojs43Y4gWoK+o51WTdKturvbeZWdvh+c ZO/OmdYhoE+tgJB54+24P8jeiT4nmYYAL4X20uIkpyB3OkpFCn/Is3XyD4uIDPu742 21dw4K7a5ZyqMMp0F7X99NgLdaXh45tHKxaKdGtwFwNuQ2ufwQS5kAX5JRsSxNAkgB tyYZxbAcJHApQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , Peter Huewe , Jason Gunthorpe , linux-kernel@vger.kernel.org (open list) Subject: [PATCH 3/4] tpm: address tpm2_create_primary() failure Date: Sun, 15 Sep 2024 21:04:45 +0300 Message-ID: <20240915180448.2030115-4-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240915180448.2030115-1-jarkko@kernel.org> References: <20240915180448.2030115-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" tpm2_load_null() ignores the return value of tpm2_create_primary(). Return instead on failure. On success when the null key name has not been changed heal appropriately, and return the created key handle instead of flushing it. Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-sessions.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index d63510ad44ab..34ce0d9d4577 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -850,9 +850,10 @@ static int tpm2_parse_start_auth_session(struct tpm2_a= uth *auth, =20 static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset =3D 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; =20 rc =3D tpm2_load_context(chip, chip->null_key_context, &offset, null_key); @@ -861,11 +862,17 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 = *null_key) =20 /* an integrity failure may mean the TPM has been reset */ dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) =3D=3D 0) - /* name unchanged, assume transient integrity failure */ + + rc =3D tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; + + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) =3D=3D 0) { + *null_key =3D tmp_null_key; + return 0; + } + /* * Fatal TPM failure: the NULL seed has actually changed, so * the TPM must have been illegally reset. All in-kernel TPM @@ -874,6 +881,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *n= ull_key) * userspace programmes can't be compromised by it. */ dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interfer= ence\n"); + tpm2_flush_context(chip, tmp_null_key); chip->flags |=3D TPM_CHIP_FLAG_DISABLE; =20 return rc; @@ -991,10 +999,6 @@ static int tpm2_parse_create_primary(struct tpm_chip *= chip, struct tpm_buf *buf, u32 val, param_len, keyhandle; =20 keyhandle =3D tpm_buf_read_u32(buf, &offset_r); - if (handle) - *handle =3D keyhandle; - else - tpm2_flush_context(chip, keyhandle); =20 param_len =3D tpm_buf_read_u32(buf, &offset_r); /* @@ -1135,6 +1139,7 @@ static int tpm2_parse_create_primary(struct tpm_chip = *chip, struct tpm_buf *buf, return -EINVAL; } =20 + *handle =3D keyhandle; return 0; } =20 --=20 2.46.0 From nobody Fri Nov 29 19:44:12 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 350B81CB318; Sun, 15 Sep 2024 18:05:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423512; cv=none; b=mpB1Opd7O+1JvbLDbjvRHJihni8e6mRqhDbCpphvNyvn/fLGPqrv9i9N0/yWgBJskYTYyMV3agneXbfym8vPVqfHG9lXhoIkBfeHTixj2lcmMD0kdK9ASMC6gB72xyJK/2eUuTNYYtoRqYSx/TuW55MtiMguKAGqTvZswXLAgsw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726423512; c=relaxed/simple; bh=pJB+gvoxB2IwXeXptgWGI8FB54z9gpIY0FmdSPIoBaA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HpgaURt2JoOB+Nbtd/LtSAJuKE3d5SZP1kxE1aoW3SbvTHEnl3+jjhr2trdEIMqk0/g5C0wCLAcP3qzne0NyYYNOpwMlEKBHJBVTGVwIq03Mwl2chKGuQIp62hqZUGuUjS+AdQV6+if4+S02np3SIzsD9PSPrL3i+ZTow1wZO3g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FKX9Uuk1; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FKX9Uuk1" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 63E10C4CEC3; Sun, 15 Sep 2024 18:05:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726423511; bh=pJB+gvoxB2IwXeXptgWGI8FB54z9gpIY0FmdSPIoBaA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FKX9Uuk1spKCi+Hw0guxSwKslWX0t9gJGaHTEwK7+8Ihf/mh+yw2vOme/lnos4xHe h7KlbX+hohx5Cz4HPYVoS09o5fNJ4BagOgaeE1y/HoqGPMl4Uh48bkICkuaqljsS4E k92Y0G1Chlx171QumRuE/TJwftB2Xc6cytenkAndIgW7mfWElsu9XHbkZRyqKX1Q0W JHOYTmM6wgjotukZaAwRyxy/aI7Bx7slJ6ucsErsfwUfTA0vjQIuLLRD0UBGNUzwYj bA1XS8H+OuxVoQmPnsgj2+/rzHbmzrOkilEPvyvSVpGYXG4gFHgUhHgk5Zs2l/aOgv SiTejSKVcTtDQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , Peter Huewe , Jason Gunthorpe , Stefan Berger , Ard Biesheuvel , linux-kernel@vger.kernel.org (open list) Subject: [PATCH 4/4] tpm: flush the session null key only when required Date: Sun, 15 Sep 2024 21:04:46 +0300 Message-ID: <20240915180448.2030115-5-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240915180448.2030115-1-jarkko@kernel.org> References: <20240915180448.2030115-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of flushing and reloading the null key for every single auth session, flush it only when: 1. User space needs to access /dev/tpm{rm}0. 2. When going to sleep. 3. When unregistering the chip. Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 13 +++++++++++++ drivers/char/tpm/tpm-dev-common.c | 7 +++++++ drivers/char/tpm/tpm-interface.c | 9 +++++++-- drivers/char/tpm/tpm2-cmd.c | 3 +++ drivers/char/tpm/tpm2-sessions.c | 23 +++++++++++++++++++---- include/linux/tpm.h | 2 ++ 6 files changed, 51 insertions(+), 6 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 854546000c92..0ea00e32f575 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -674,6 +674,19 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { +#ifdef CONFIG_TCG_TPM2_HMAC + int rc; + + rc =3D tpm_try_get_ops(chip); + if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key =3D 0; + } + tpm_put_ops(chip); + } +#endif + tpm_del_legacy_sysfs(chip); if (tpm_is_hwrng_enabled(chip)) hwrng_unregister(&chip->hwrng); diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-c= ommon.c index c3fbbf4d3db7..4bc07963e260 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -27,6 +27,13 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, s= truct tpm_space *space, struct tpm_header *header =3D (void *)buf; ssize_t ret, len; =20 +#ifdef CONFIG_TCG_TPM2_HMAC + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key =3D 0; + } +#endif + ret =3D tpm2_prepare_space(chip, space, buf, bufsiz); /* If the command is not implemented by the TPM, synthesize a * response with a TPM2_RC_COMMAND_CODE return for user-space. diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interf= ace.c index 5da134f12c9a..bfa47d48b0f2 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -379,10 +379,15 @@ int tpm_pm_suspend(struct device *dev) =20 rc =3D tpm_try_get_ops(chip); if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) + if (chip->flags & TPM_CHIP_FLAG_TPM2) { +#ifdef CONFIG_TCG_TPM2_HMAC + tpm2_flush_context(chip, chip->null_key); + chip->null_key =3D 0; +#endif tpm2_shutdown(chip, TPM2_SU_STATE); - else + } else { rc =3D tpm1_pm_suspend(chip, tpm_suspend_pcr); + } =20 tpm_put_ops(chip); } diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e856259219e..aba024cbe7c5 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -364,6 +364,9 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 hand= le) struct tpm_buf buf; int rc; =20 + if (!handle) + return; + rc =3D tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); if (rc) { dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index 34ce0d9d4577..8d7b708ce566 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -855,10 +855,21 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 = *null_key) u32 tmp_null_key; int rc; =20 + /* fast path */ + if (chip->null_key) { + *null_key =3D chip->null_key; + return 0; + } + rc =3D tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc !=3D -EINVAL) + &tmp_null_key); + if (rc !=3D -EINVAL) { + if (!rc) { + chip->null_key =3D tmp_null_key; + *null_key =3D tmp_null_key; + } return rc; + } =20 /* an integrity failure may mean the TPM has been reset */ dev_err(&chip->dev, "NULL key integrity failure!\n"); @@ -869,6 +880,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *n= ull_key) =20 /* Return the null key if the name has not been changed: */ if (memcmp(name, chip->null_key_name, sizeof(name)) =3D=3D 0) { + chip->null_key =3D tmp_null_key; *null_key =3D tmp_null_key; return 0; } @@ -946,7 +958,6 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append_u16(&buf, TPM_ALG_SHA256); =20 rc =3D tpm_transmit_cmd(chip, &buf, 0, "start auth session"); - tpm2_flush_context(chip, null_key); =20 if (rc =3D=3D TPM2_RC_SUCCESS) rc =3D tpm2_parse_start_auth_session(auth, &buf); @@ -1275,7 +1286,11 @@ static int tpm2_create_null_primary(struct tpm_chip = *chip) =20 rc =3D tpm2_save_context(chip, null_key, chip->null_key_context, sizeof(chip->null_key_context), &offset); - tpm2_flush_context(chip, null_key); + pr_info("%s: rc=3D0x%08x\n", __func__, rc); + if (rc) + tpm2_flush_context(chip, null_key); + else + chip->null_key =3D null_key; } =20 return rc; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e93ee8d936a9..4eb39db80e05 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -205,6 +205,8 @@ struct tpm_chip { #ifdef CONFIG_TCG_TPM2_HMAC /* details for communication security via sessions */ =20 + /* loaded null key */ + u32 null_key; /* saved context for NULL seed */ u8 null_key_context[TPM2_MAX_CONTEXT_SIZE]; /* name of NULL seed */ --=20 2.46.0