Instead of flushing and reloading the auth session for every single
transaction, keep the session open unless /dev/tpm0 is used. In practice
this means applying TPM2_SA_CONTINUE_SESSION to the session attributes.
Flush the session always when /dev/tpm0 is written.
Reported-by: Pengyu Ma <mapengyu@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229
Cc: stable@vger.kernel.org # v6.10+
Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()")
Tested-by: Pengyu Ma <mapengyu@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
v5:
- No changes.
v4:
- Changed as bug.
v3:
- Refined the commit message.
- Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when
/dev/tpm0 is open. It is not required as the auth session is flushed,
not saved.
v2:
- A new patch.
---
drivers/char/tpm/tpm-chip.c | 1 +
drivers/char/tpm/tpm-dev-common.c | 1 +
drivers/char/tpm/tpm-interface.c | 1 +
drivers/char/tpm/tpm2-sessions.c | 3 +++
4 files changed, 6 insertions(+)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 0ea00e32f575..7a6bb30d1f32 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip)
rc = tpm_try_get_ops(chip);
if (!rc) {
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+ tpm2_end_auth_session(chip);
tpm2_flush_context(chip, chip->null_key);
chip->null_key = 0;
}
diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
index 4eaa8e05c291..a3ed7a99a394 100644
--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
#ifdef CONFIG_TCG_TPM2_HMAC
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+ tpm2_end_auth_session(chip);
tpm2_flush_context(chip, chip->null_key);
chip->null_key = 0;
}
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index bfa47d48b0f2..2363018fa8fb 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev)
if (!rc) {
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
#ifdef CONFIG_TCG_TPM2_HMAC
+ tpm2_end_auth_session(chip);
tpm2_flush_context(chip, chip->null_key);
chip->null_key = 0;
#endif
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index 6e52785de9fd..a7079c7ec6d1 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf,
}
#ifdef CONFIG_TCG_TPM2_HMAC
+ /* The first write to /dev/tpm{rm0} will flush the session. */
+ attributes |= TPM2_SA_CONTINUE_SESSION;
+
/*
* The Architecture Guide requires us to strip trailing zeros
* before computing the HMAC
--
2.47.0
On 10/21/24 1:39 AM, Jarkko Sakkinen wrote: > Instead of flushing and reloading the auth session for every single > transaction, keep the session open unless /dev/tpm0 is used. In practice > this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. > Flush the session always when /dev/tpm0 is written. > > Reported-by: Pengyu Ma <mapengyu@gmail.com> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 > Cc: stable@vger.kernel.org # v6.10+ > Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") > Tested-by: Pengyu Ma <mapengyu@gmail.com> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > --- > v5: > - No changes. > v4: > - Changed as bug. > v3: > - Refined the commit message. > - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when > /dev/tpm0 is open. It is not required as the auth session is flushed, > not saved. > v2: > - A new patch. > --- > drivers/char/tpm/tpm-chip.c | 1 + > drivers/char/tpm/tpm-dev-common.c | 1 + > drivers/char/tpm/tpm-interface.c | 1 + > drivers/char/tpm/tpm2-sessions.c | 3 +++ > 4 files changed, 6 insertions(+) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index 0ea00e32f575..7a6bb30d1f32 100644 > --- a/drivers/char/tpm/tpm-chip.c > +++ b/drivers/char/tpm/tpm-chip.c > @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) > rc = tpm_try_get_ops(chip); > if (!rc) { > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > + tpm2_end_auth_session(chip); That could also go into the inline. Looks good otherwise. > tpm2_flush_context(chip, chip->null_key); > chip->null_key = 0; > } > diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c > index 4eaa8e05c291..a3ed7a99a394 100644 > --- a/drivers/char/tpm/tpm-dev-common.c > +++ b/drivers/char/tpm/tpm-dev-common.c > @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, > > #ifdef CONFIG_TCG_TPM2_HMAC > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > + tpm2_end_auth_session(chip); > tpm2_flush_context(chip, chip->null_key); > chip->null_key = 0; > } > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > index bfa47d48b0f2..2363018fa8fb 100644 > --- a/drivers/char/tpm/tpm-interface.c > +++ b/drivers/char/tpm/tpm-interface.c > @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) > if (!rc) { > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > #ifdef CONFIG_TCG_TPM2_HMAC > + tpm2_end_auth_session(chip); > tpm2_flush_context(chip, chip->null_key); > chip->null_key = 0; > #endif > diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c > index 6e52785de9fd..a7079c7ec6d1 100644 > --- a/drivers/char/tpm/tpm2-sessions.c > +++ b/drivers/char/tpm/tpm2-sessions.c > @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, > } > > #ifdef CONFIG_TCG_TPM2_HMAC > + /* The first write to /dev/tpm{rm0} will flush the session. */ > + attributes |= TPM2_SA_CONTINUE_SESSION; > + > /* > * The Architecture Guide requires us to strip trailing zeros > * before computing the HMAC
© 2016 - 2024 Red Hat, Inc.