From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C871621B9C0; Mon, 29 Sep 2025 03:59:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118394; cv=none; b=B17bIaI/STf5X+9m5K45unnuORlJDicQJ4J0Ejnc2uffWMhqGjKjCX8nwSwskemL0KU38hi11+wN9l+CB21XlPmZiQt0FRXcqZMGSNd8tQg/ak4pr431pDtss4n4tJl2yKZZzb3f4OrreEgKQEj+048aITF7idr/fSc02sbej8w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118394; c=relaxed/simple; bh=q1gt730fnSd2Av052hqSCVRgXrypYYybsDg0l/9rpQE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=oX2GToslwSj4L+7WzgkUpXAR3GrH8gLzqNV6DuMsxY9PENXdBHCH6rnaVoOa5qYWsOuoE+NeYgFsN0YSL6Tx/VWrEEaNXKINtnBJznz08fxYUP7KEPTLGmEnQc4GX1FwFnntFMwIqvmiVP+a7xym8kflwD1c/P+KtnNtOrAeiRw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Yh96lChb; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Yh96lChb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C9DB4C116B1; Mon, 29 Sep 2025 03:59:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118394; bh=q1gt730fnSd2Av052hqSCVRgXrypYYybsDg0l/9rpQE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Yh96lChbM7jTHNlV+UNRzkrbovHmEroZXnrFTnWUwVPiQ1wYg4d0Y4CKx2rFqCkCm rXvO1Ka+2vIa29zccfBW1LkgXvtIsY8Iec5OALafd9NmouZZ2on8lANhx/LRD3tDgE TzPKSt2AjLw0RDHYeZmD0YIgI6U36j7rs99dvX+FSpQHYAr/V6v3ADXTph2E4PobqV ZCh5l3e6X36Rqewe9oANgCxWVrJzlo7D6T3J15HZlAxque7iOLdS6jzH0Rv25ktbOv 
J0Uu97Kcg6hcl+PODzw0FrfGrefYf2Zkppwou46aBdRJS6/vs0VVzJ682HlGlpW5Hk A13ukCe6s+6IA== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Roberto Sassu , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 1/9] tpm: cap PCR bank in tpm2_get_pcr_allocations() Date: Mon, 29 Sep 2025 06:59:30 +0300 Message-Id: <20250929035938.1773341-2-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks received from external hardware device. This could lead into resource over-consumption with a fauly TPM device. Cc: Roberto Sassu Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array") Signed-off-by: Jarkko Sakkinen --- v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 13 +++++++++---- drivers/char/tpm/tpm.h | 1 - drivers/char/tpm/tpm1-cmd.c | 25 ------------------------- drivers/char/tpm/tpm2-cmd.c | 8 +++----- include/linux/tpm.h | 18 ++++++++---------- 5 files changed, 20 insertions(+), 45 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 687f6d8cd601..9a6538f76f50 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c 
@@ -559,14 +559,19 @@ static int tpm_add_hwrng(struct tpm_chip *chip) =20 static int tpm_get_pcr_allocation(struct tpm_chip *chip) { - int rc; + int rc =3D 0; =20 if (tpm_is_firmware_upgrade(chip)) return 0; =20 - rc =3D (chip->flags & TPM_CHIP_FLAG_TPM2) ? - tpm2_get_pcr_allocation(chip) : - tpm1_get_pcr_allocation(chip); + if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) { + chip->allocated_banks[0].alg_id =3D TPM_ALG_SHA1; + chip->allocated_banks[0].digest_size =3D hash_digest_size[HASH_ALGO_SHA1= ]; + chip->allocated_banks[0].crypto_id =3D HASH_ALGO_SHA1; + chip->nr_allocated_banks =3D 1; + } else { + rc =3D tpm2_get_pcr_allocation(chip); + } =20 if (rc > 0) return -ENODEV; diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 57ef8589f5f5..769fa6b00c54 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -252,7 +252,6 @@ int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u= 8 *res_buf); ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, const char *desc, size_t min_cap_length); int tpm1_get_random(struct tpm_chip *chip, u8 *out, size_t max); -int tpm1_get_pcr_allocation(struct tpm_chip *chip); unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal= ); int tpm_pm_suspend(struct device *dev); int tpm_pm_resume(struct device *dev); diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c index cf64c7385105..5c49bdff33de 100644 --- a/drivers/char/tpm/tpm1-cmd.c +++ b/drivers/char/tpm/tpm1-cmd.c 
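Review bot: The TPM 1.2 branch now open-coded in tpm_get_pcr_allocation() has no comment, while the kernel-doc that explained it is deleted together with tpm1_get_pcr_allocation() later in this patch. A one-line comment above the four assignments would keep that intent, for example `/* TPM 1.2: initialize the single SHA-1 bank used to extend PCRs. */`. Testing the flag positively (`if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_get_pcr_allocation(chip); else { ... }`) would also read more directly than the negated condition. The end of the function lies outside the hunk.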
@@ -786,28 +786,3 @@ int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_sus= pend_pcr) =20 return rc; } - -/** - * tpm1_get_pcr_allocation() - initialize the allocated bank - * @chip: TPM chip to use. - * - * The function initializes the SHA1 allocated bank to extend PCR - * - * Return: - * * 0 on success, - * * < 0 on error. - */ -int tpm1_get_pcr_allocation(struct tpm_chip *chip) -{ - chip->allocated_banks =3D kcalloc(1, sizeof(*chip->allocated_banks), - GFP_KERNEL); - if (!chip->allocated_banks) - return -ENOMEM; - - chip->allocated_banks[0].alg_id =3D TPM_ALG_SHA1; - chip->allocated_banks[0].digest_size =3D hash_digest_size[HASH_ALGO_SHA1]; - chip->allocated_banks[0].crypto_id =3D HASH_ALGO_SHA1; - chip->nr_allocated_banks =3D 1; - - return 0; -} diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 7d77f6fbc152..e416cc8705e3 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -538,11 +538,9 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) =20 nr_possible_banks =3D be32_to_cpup( (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); - - chip->allocated_banks =3D kcalloc(nr_possible_banks, - sizeof(*chip->allocated_banks), - GFP_KERNEL); - if (!chip->allocated_banks) { + if (nr_possible_banks > TPM2_MAX_BANKS) { + pr_err("tpm:: unexpected large number of banks: %u > %u", + nr_possible_banks, TPM2_MAX_BANKS); rc =3D -ENOMEM; goto out; } diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 900c81a2bc41..fc7df87dfb9a 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -27,7 +27,12 @@ #include =20 #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */ -#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE +#define TPM_HEADER_SIZE 10 + +#define TPM2_PLATFORM_PCR 24 +#define TPM2_PCR_SELECT_MIN 3 +#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE +#define TPM2_MAX_BANKS 4 =20 struct tpm_chip; struct trusted_key_payload; 
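Review bot: The new bound check in tpm2_get_pcr_allocation() still returns `-ENOMEM` although nothing is allocated any more, and the `pr_err()` format has a doubled colon and no trailing newline. I would change these to `pr_err("tpm: unexpectedly large number of banks: %u > %u\n", nr_possible_banks, TPM2_MAX_BANKS);` and `rc = -E2BIG;`. The value being capped comes straight from the device response and, going by its name, counts the banks the TPM reports as possible rather than those with PCRs allocated, so a device that reports more than four selections would now be rejected outright; it is worth confirming that this is intended. The loop that fills `allocated_banks` is outside the hunk and has to stay bounded by the same constant now that the array has a fixed size.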
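Review bot: `TPM2_PCR_SELECT_MIN` in include/linux/tpm.h is now a bare `3`, which drops the derivation the removed enum carried; keeping it as `#define TPM2_PCR_SELECT_MIN ((TPM2_PLATFORM_PCR + 7) / 8)` keeps the two constants tied together. `TPM2_MAX_BANKS 4` bounds data read from the device and deserves a short comment saying where the 4 comes from. The rename of `TPM_MAX_DIGEST_SIZE` leaves no alias behind, so any user of the old name outside the five files in the diffstat would stop building; none is visible in this patch, so this is only something to grep for.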
@@ -69,7 +74,7 @@ enum tpm2_curves { =20 struct tpm_digest { u16 alg_id; - u8 digest[TPM_MAX_DIGEST_SIZE]; + u8 digest[TPM2_MAX_DIGEST_SIZE]; } __packed; =20 struct tpm_bank_info { @@ -190,7 +195,7 @@ struct tpm_chip { unsigned int groups_cnt; =20 u32 nr_allocated_banks; - struct tpm_bank_info *allocated_banks; + struct tpm_bank_info allocated_banks[TPM2_MAX_BANKS]; #ifdef CONFIG_ACPI acpi_handle acpi_dev_handle; char ppi_version[TPM_PPI_VERSION_LEN + 1]; 
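Review bot: With `allocated_banks` turned into an array embedded in struct tpm_chip, the field must no longer be passed to kfree(), and this patch does not show where the old kcalloc() result used to be released. The tpm-chip.c section only touches tpm_get_pcr_allocation(), so if the chip release path still frees `chip->allocated_banks` (not visible here) it would hand an interior pointer of the chip object to the allocator. Please check that path and remove the free as part of this change.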
@@ -217,13 +222,6 @@ struct tpm_chip { #endif }; =20 -#define TPM_HEADER_SIZE 10 - -enum tpm2_const { - TPM2_PLATFORM_PCR =3D 24, - TPM2_PCR_SELECT_MIN =3D ((TPM2_PLATFORM_PCR + 7) / 8), -}; - enum tpm2_timeouts { TPM2_TIMEOUT_A =3D 750, TPM2_TIMEOUT_B =3D 4000, --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2FF8321578F; Mon, 29 Sep 2025 03:59:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118400; cv=none; b=BtqPNY0HUQcP2z8w3Rb+eDweCJx5PGMxmEG4vC1YnqRsuFBlneaRPkFt7NUIvWytm0908EmRaQntFnFfujgE0HYhgrsg8n2WuQDdh+xN9vRsvzBITSOIbs9V9UYiFhK8FW6vQL3i+mtjsDvQu7a2cBSYJ2iflS7hONMv41mS2gk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118400; c=relaxed/simple; bh=32+Zkv7IC1rnLrmW1JNVh4wEzCsKly1ozoVFx6a8iEA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=nQRSpk/J3ZkiPCkZwtCwpw9bpb7Q3D2IiMfSyqA9Oj561aWS08qmcWhALlDJo8Sm5AVZ5Si1tw0hSMvk1sgXOfr4Ht/r28a3KgZb5tyS+AvmbP2ehFXjijl81T2PoATbiOt+zUT0zykUnYtcbi1ENUASa7gCPBmxnC9DvnF3i4o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aXJs7gRa; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aXJs7gRa" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3D9CFC4CEF4; Mon, 29 Sep 2025 03:59:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118399; bh=32+Zkv7IC1rnLrmW1JNVh4wEzCsKly1ozoVFx6a8iEA=; 
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aXJs7gRaWXupf261neT8cATN+gcXW6uGuXdpWgUrq17uNY6Yl41Q+Wm+30rPozOTr dT0blkTLj4uP7i59ZSJhY4MXoutYelo9UtDPKy3F+S+hH+JDadE8aZjJmH5Y75IEX3 VoPpdSKm/qwOFqJIb2mMBJILqRvLCAH+SocpgXuLo6orzncpUBDCkEdBzGA+DFfQmP E4Teg6/jH8CSiXjfPvW0yqyzdo6IjTsvXqYw26uEgfqBAMao6+tTeajVu21aUx2/7r IkuD2KnAvUmM47NvcoR2ossBUFG8HFeRGcIG7Lu49oQLZ4ZIolyGk/lW6cndPD+58Y sjT4ayhXtBIqw== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , Stefano Garzarella , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 2/9] tpm: Use -EPERM as fallback error code in tpm_ret_to_err Date: Mon, 29 Sep 2025 06:59:31 +0300 Message-Id: <20250929035938.1773341-3-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Using -EFAULT as the tpm_ret_to_err() fallback error code makes it incompatible with how trusted keys transmute TPM return codes. Change the fallback to -EPERM in order to gain compatibility with trusted keys. In addition, map TPM_RC_HASH to -EINVAL in order to be compatible with tpm2_seal_trusted() return values. Fixes: 539fbab37881 ("tpm: Mask TPM RC in tpm2_start_auth_session()") Signed-off-by: Jarkko Sakkinen --- v2: - Split trusted_tpm2 change to a separate patch. --- include/linux/tpm.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index fc7df87dfb9a..51846317d662 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -453,8 +453,10 @@ static inline ssize_t tpm_ret_to_err(ssize_t ret) return 0; case TPM2_RC_SESSION_MEMORY: return -ENOMEM; + case TPM2_RC_HASH: + return -EINVAL; default: - return -EFAULT; + return -EPERM; } } =20 --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3DA2F1F462C; Mon, 29 Sep 2025 04:00:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118405; cv=none; b=fDu5Y1BErrPUTlneu7V9KhIDu2t8l+XXNkADuclGiIcXnY423kaGjRYAFu6go6yds7G1AZ8JgSRBbvLCqnRYtPdGpKGAycC0DtajQgI2UH4fPQh+ngdw3JsOA0hkniF5lhJJXw+ZXdJPcoSY3qPAEVTZ17ppEK6jLAlIFZzDZAw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118405; c=relaxed/simple; bh=S7K6IaShWtXQ8ax6mFIu2V9kk51XsYQUCSQjLA/qhsw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=MRn6HcRi/i+wxuccnXBqXVpNT2ojO+Ua2jJwJuWSc0OSrm1I6W+qaufJrml2RcFyX0xSP32jjZVbXscYhi4egwaYFdjOdfB5LA5K/R9mtlg9xo9467/NwrWSC86udMS8N7i7Yl3EgvRPOZhbYW7dhM/cDpwfbnQljn/ryc9mqkk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SB0+uKmA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SB0+uKmA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 41C78C116B1; Mon, 29 Sep 2025 04:00:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118404; bh=S7K6IaShWtXQ8ax6mFIu2V9kk51XsYQUCSQjLA/qhsw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
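Review bot: The new `default: return -EPERM;` in tpm_ret_to_err() changes the errno for every unmapped TPM response code at every caller of this helper, not only in trusted keys, and nothing in the function records why that value was chosen. A comment on the default case would do, for example `/* Unmapped TPM response codes: -EPERM, to stay compatible with trusted keys. */`. Existing callers that log or branch on the old `-EFAULT` are not visible in this patch and should be checked. The start of the function, including how negative values are treated, is outside the hunk.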
b=SB0+uKmAsbedV/hgzCP6m4lvh/ZwjM67/QGOC3DU/6ar84UUdOUE+SGCNEL2yXgbo vqZpa13Tx6WMGIynf6zK81Zt6Bf5EtQQj01ydqdSK7AxQy77+lv8OVvJANTjim7a98 ZqW2vcYWLkxBVeS16WLufXjuIKFG/ZeW8cENEyGhcJeipYMrE8zmxIC4lshqWu0pnw 2m4DtDnJ9WMX5oYQZyw9Xrn1GTws9Rg5pVycUCeKtPN6aNHpIwfPq/h8wbK5xuakwH Au1524CJ2gM2Jc/Gyakkxrtrc1I20IyP172aZpxYKNbJKIVLyQityF0z756GGvyGEW G+nOS2kZhNFgQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , David Howells , Jarkko Sakkinen , Paul Moore , James Morris , "Serge E. Hallyn" , James Bottomley , Mimi Zohar , keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v2 3/9] KEYS: trusted: Use tpm_ret_to_err() in trusted_tpm2 Date: Mon, 29 Sep 2025 06:59:32 +0300 Message-Id: <20250929035938.1773341-4-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Use tpm_ret_to_err() to transmute TPM return codes in trusted_tpm2. Signed-off-by: Jarkko Sakkinen --- v2: - New patch split out from the fix. --- security/keys/trusted-keys/trusted_tpm2.c | 26 ++++++----------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trus= ted-keys/trusted_tpm2.c index 024be262702f..e165b117bbca 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c 
@@ -348,25 +348,19 @@ int tpm2_seal_trusted(struct tpm_chip *chip, } =20 blob_len =3D tpm2_key_encode(payload, options, &buf.data[offset], blob_le= n); + if (blob_len < 0) + rc =3D blob_len; =20 out: tpm_buf_destroy(&sized); tpm_buf_destroy(&buf); =20 - if (rc > 0) { - if (tpm2_rc_value(rc) =3D=3D TPM2_RC_HASH) - rc =3D -EINVAL; - else - rc =3D -EPERM; - } - if (blob_len < 0) - rc =3D blob_len; - else + if (!rc) payload->blob_len =3D blob_len; =20 out_put: tpm_put_ops(chip); - return rc; + return tpm_ret_to_err(rc); } =20 /** @@ -468,10 +462,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, kfree(blob); tpm_buf_destroy(&buf); =20 - if (rc > 0) - rc =3D -EPERM; - - return rc; + return tpm_ret_to_err(rc); } =20 /** @@ -534,8 +525,6 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, tpm_buf_fill_hmac_session(chip, &buf); rc =3D tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc =3D tpm_buf_check_hmac_response(chip, &buf, rc); - if (rc > 0) - rc =3D -EPERM; =20 if (!rc) { data_len =3D be16_to_cpup( @@ -568,7 +557,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, =20 out: tpm_buf_destroy(&buf); - return rc; + return tpm_ret_to_err(rc); } =20 /** 
@@ -600,6 +589,5 @@ int tpm2_unseal_trusted(struct tpm_chip *chip, =20 out: tpm_put_ops(chip); - - return rc; + return tpm_ret_to_err(rc); } --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0EEC714A91; Mon, 29 Sep 2025 04:00:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118411; cv=none; b=YyxuCakPTUYdtMs4y28a5qo1lZuVe/eWaZzPkgj8hWoSpCi6STeSNIUwlyltW7eP40bxaRAIM4YugeC/KjG9lEZcVcRZU3F0wU2QxQk2fmbNoNmFoRMmscY+iQdgXTnH3wgwOR2A8edLC7H4pI8Hu/HEj8uHspwfQN3n6SqDjLE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118411; c=relaxed/simple; bh=iKBAauh/IVDSTPGyRj3HzKGmRyZQIGXTk8XjN2QIDwM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=u8kzMUwMEAuJgpEVlQuqIUpBF5woa/iTaoeUpnof5vnOflfEJCwSi3IWuT6M8HaQ5OHQg8Q1FCy0WRq0nLEcbcFQPzeljyLolJRriVJO4Fj+FgHHmfE6ylscgeQy+KAJPSQdpMg3aWUz/oTmvHqwd3qRN0SWXjEEpQwbRseSaKQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=G0YR5dWI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="G0YR5dWI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3B575C4CEF4; Mon, 29 Sep 2025 04:00:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118409; bh=iKBAauh/IVDSTPGyRj3HzKGmRyZQIGXTk8XjN2QIDwM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=G0YR5dWI26l7E4nneRw7Ps6jlbTsCIFumk+3bzXiBZDi14dW8lQ4DAXsP0RQeG4LC 
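Review bot: The `return tpm_ret_to_err(rc);` added at the end of tpm2_unseal_trusted() looks redundant, because after this patch both tpm2_load_cmd() and tpm2_unseal_cmd() already return through tpm_ret_to_err(). The second conversion is only harmless if the helper passes negative values through unchanged, which is decided in the part of tpm_ret_to_err() not shown in this series. I would keep `return rc;` here so that a TPM response code is translated exactly once, at the point where it is produced. The body of tpm2_unseal_trusted() above the `out:` label is outside the hunk.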
0tUqFnAe4Nc8Mha/HpVGnlXdmTedFeebgxdjDlfbuRKJul5YZZeVHvpyrWR1OGKuMt AvxbMMe8W+BVUYKFAOHpJsJapZnr3tq0g87ACnFZVMtpwl18Q7R4M9nF1mSNGlF90o yIM6lFxoacP4YSqqOfJnph5zj6GkkaybCkZfOWeCCcX7dlbtpzjl8Nn2DfqAWSiEhd +opA4IU6NEmOWzurnc1ea1a1cXKoyFeVmNuFegz4Y0HV73aC6DlYTdmsWeem0IX7pg rfeRNWoZIQxjA== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , Roberto Sassu , Mimi Zohar , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 4/9] tpm2-sessions: Remove 'attributes' from tpm_buf_append_auth Date: Mon, 29 Sep 2025 06:59:33 +0300 Message-Id: <20250929035938.1773341-5-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen In a previous bug fix, 'attributes' was added by mistake to tpm_buf_append_auth(). Remove the parameter. Fixes: 27184f8905ba ("tpm: Opt-in in disable PCR integrity protection") Signed-off-by: Jarkko Sakkinen --- v2: - Uncorrupt the patch. --- drivers/char/tpm/tpm2-cmd.c | 2 +- drivers/char/tpm/tpm2-sessions.c | 5 ++--- include/linux/tpm.h | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index e416cc8705e3..c182a07b70de 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c 
@@ -191,7 +191,7 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); } else { tpm_buf_append_handle(chip, &buf, pcr_idx); - tpm_buf_append_auth(chip, &buf, 0, NULL, 0); + tpm_buf_append_auth(chip, &buf, NULL, 0); } =20 tpm_buf_append_u32(&buf, chip->nr_allocated_banks); diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index 6d03c224e6b2..13f019d1312a 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -266,7 +266,7 @@ void tpm_buf_append_name(struct tpm_chip *chip, struct = tpm_buf *buf, EXPORT_SYMBOL_GPL(tpm_buf_append_name); =20 void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf *buf, - u8 attributes, u8 *passphrase, int passphrase_len) + u8 *passphrase, int passphrase_len) { /* offset tells us where the sessions area begins */ int offset =3D buf->handles * 4 + TPM_HEADER_SIZE; @@ -327,8 +327,7 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip,= struct tpm_buf *buf, #endif =20 if (!tpm2_chip_auth(chip)) { - tpm_buf_append_auth(chip, buf, attributes, passphrase, - passphrase_len); + tpm_buf_append_auth(chip, buf, passphrase, passphrase_len); return; } =20 diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 51846317d662..1fa02e18e688 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h 
@@ -531,7 +531,7 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip,= struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf *buf, - u8 attributes, u8 *passphrase, int passphraselen); + u8 *passphrase, int passphraselen); static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75B1914A91; Mon, 29 Sep 2025 04:00:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118416; cv=none; b=GRIeb5z77nmiwHzQstoK7fnRAQjIgV2tFoLZZs5RDpGQtxa4Uh+t8hFhxh4oKm8TJd0W6rXXzVoBffITH13HlGi80OMOADt0HalClHW5M9JBsNeaawlXZe6QlOwWNcCP1Sa+qMOSbKxAETLdTwA4ra2EpgTSaCalS3Bdqp/aOLk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118416; c=relaxed/simple; bh=vp/EXe41X8sVnTgTmzJQ7JxUyo9s8SkCvGwzwhH8u3U=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=tcGNWMMDHsaSKAYeiwyLOh8+YB8TZfZm6ux02JPAEdN4mOJusu5fnv196kWvZrzyiz6i/1qMzc610mgb5X/VGDPhqyZFYdc1rA9UyHntHHJENwqMnWoPJqOzUPN6YSWHwtoZqSNum0Qf/MMmD5icWLKKAcHVzzgBD+kCJDCpb9I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=rLD+MAlb; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="rLD+MAlb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7C67FC113D0; Mon, 29 Sep 2025 04:00:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; 
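Review bot: The prototype in include/linux/tpm.h names the last parameter `passphraselen`, while the definition changed in tpm2-sessions.c by this same patch names it `passphrase_len`. Since both lines are being edited anyway, the declaration could be aligned as `u8 *passphrase, int passphrase_len);`. If the body only reads the buffer (it is outside the hunk), `const u8 *passphrase` would also document that the secret is not modified.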
c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118415; bh=vp/EXe41X8sVnTgTmzJQ7JxUyo9s8SkCvGwzwhH8u3U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rLD+MAlbYU9Fbu09zkbFlJZe7F4J5o7E8o3Re+gPohGB2S2MLOJD0M1JgvAj53qE6 1rrqUxJqtKbzVeH7Zy/7biVcqzYlC+1uGBkjGqLLtikD21NWgndSvrQAucHGYIDWue H1xUNv5mp+QAyXZqJoN7dALJloIAn1rDq3fQFYv7Mvm2gpEj+Z7MN9CCxGShWf5VhW ry88xz7mAy7hn5jlYGC9GVfW3EJPGqfJPZCMjd54rXpeBLoG1KFLdwVROfC9P+XsA7 8AJo8Aj5gE+1HBgBP8js9O5uxZoWypK4LACYHGAuXjsMrj65JUiOkvuESqtcNAFrjs b7/W6xVEBLmLg== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , James Bottomley , Mimi Zohar , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 5/9] tpm2-sessions: Umask tpm_buf_append_hmac_session() Date: Mon, 29 Sep 2025 06:59:34 +0300 Message-Id: <20250929035938.1773341-6-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Open code tpm_buf_append_hmac_session_opt() in order to unmask the code paths in the call sites of tpm_buf_append_hmac_session(). Signed-off-by: Jarkko Sakkinen --- v2: - Uncorrupt the patch. --- drivers/char/tpm/tpm2-cmd.c | 14 +++++++++++--- include/linux/tpm.h | 23 ----------------------- security/keys/trusted-keys/trusted_tpm2.c | 12 ++++++++++-- 3 files changed, 21 insertions(+), 28 deletions(-) 
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index c182a07b70de..eef324e61308 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -257,9 +257,17 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, s= ize_t max) =20 do { tpm_buf_reset(&buf, TPM2_ST_SESSIONS, TPM2_CC_GET_RANDOM); - tpm_buf_append_hmac_session_opt(chip, &buf, TPM2_SA_ENCRYPT - | TPM2_SA_CONTINUE_SESSION, - NULL, 0); + if (tpm2_chip_auth(chip)) { + tpm_buf_append_hmac_session(chip, &buf, + TPM2_SA_ENCRYPT | + TPM2_SA_CONTINUE_SESSION, + NULL, 0); + } else { + offset =3D buf.handles * 4 + TPM_HEADER_SIZE; + head =3D (struct tpm_header *)buf.data; + if (tpm_buf_length(&buf) =3D=3D offset) + head->tag =3D cpu_to_be16(TPM2_ST_NO_SESSIONS); + } tpm_buf_append_u16(&buf, num_bytes); tpm_buf_fill_hmac_session(chip, &buf); err =3D tpm_transmit_cmd(chip, &buf, diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 1fa02e18e688..e72e7657faa2 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -532,29 +532,6 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip= , struct tpm_buf *buf, int passphraselen); void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf *buf, u8 *passphrase, int passphraselen); -static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, - struct tpm_buf *buf, - u8 attributes, - u8 *passphrase, - int passphraselen) -{ - struct tpm_header *head; - int offset; - - if (tpm2_chip_auth(chip)) { - tpm_buf_append_hmac_session(chip, buf, attributes, passphrase, passphras= elen); - } else { - offset =3D buf->handles * 4 + TPM_HEADER_SIZE; - head =3D (struct tpm_header *)buf->data; - - /* - * If the only sessions are optional, the command tag must change to - * TPM2_ST_NO_SESSIONS. - */ - if (tpm_buf_length(buf) =3D=3D offset) - head->tag =3D cpu_to_be16(TPM2_ST_NO_SESSIONS); - } -} =20 #ifdef CONFIG_TCG_TPM2_HMAC =20 
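Review bot: The else branch open-coded into tpm2_get_random() lost the comment that explained it in the removed helper, so the rewrite of `head->tag` now reads as an unexplained side effect. I would carry it over above the test: `/* If the only sessions are optional, the command tag must change to TPM2_ST_NO_SESSIONS. */`. The branch assigns `offset` and `head` without declaring them in this hunk, so it presumably reuses locals declared earlier in the function; it is worth checking that no later code relies on their previous values. The same block is duplicated in tpm2_unseal_cmd() in trusted_tpm2.c.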
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trus= ted-keys/trusted_tpm2.c index e165b117bbca..c414a7006d78 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -482,8 +482,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, struct trusted_key_options *options, u32 blob_handle) { + struct tpm_header *head; struct tpm_buf buf; u16 data_len; + int offset; u8 *data; int rc; =20 
@@ -518,8 +520,14 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, tpm2_buf_append_auth(&buf, options->policyhandle, NULL /* nonce */, 0, 0, options->blobauth, options->blobauth_len); - tpm_buf_append_hmac_session_opt(chip, &buf, TPM2_SA_ENCRYPT, - NULL, 0); + if (tpm2_chip_auth(chip)) { + tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, NULL, 0); + } else { + offset =3D buf.handles * 4 + TPM_HEADER_SIZE; + head =3D (struct tpm_header *)buf.data; + if (tpm_buf_length(&buf) =3D=3D offset) + head->tag =3D cpu_to_be16(TPM2_ST_NO_SESSIONS); + } } =20 tpm_buf_fill_hmac_session(chip, &buf); --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9948D217F29; Mon, 29 Sep 2025 04:00:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118422; cv=none; b=nP8kr2hTdT7iaCXO4D4/TSZp634GIXi2wZgfu0EUqyolmy4OPZ1bGr+uU5uxY+OwxDLlVeaA/EaBlDxmpoSR/QN7NpeuqKmrU4A6diZprFJ/QfSU9cz/HpaZe7yQnL0eu+WdWhrkwaEJMYiLg0tlye0mWmBx1MGhg8Okj0FAqDQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118422; c=relaxed/simple; bh=GzR8CWkFmj4n7Shr66/XIXfc/gfCOIfMIxPRIPMtQko=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=IcKTwo37mvOjGNAV2fFAckhm8ssKYNcst9MptxiK54wNdH8/pAsgel+lQzBTupqoATCdpi26qm3hbezjIkCNnDL5xfsBsFbiGmXW/5cagwjKoqhgi9HBoZmXe7/cAl8zizRBFnCHGHQ52D0wapE5tczWlYQu/M836FBkz5hoE8M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bv9+SsBf; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org 
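Review bot: In tpm2_unseal_cmd() the open-coded else branch appears to have no effect, because it runs immediately after tpm2_buf_append_auth() has appended an authorization area to `buf`. If `buf.handles * 4 + TPM_HEADER_SIZE` marks the end of the handle area, as the expression suggests, `tpm_buf_length(&buf) == offset` cannot hold at this point and the tag is never rewritten. The site could then be reduced to `if (tpm2_chip_auth(chip)) tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, NULL, 0);`, and the `head` and `offset` locals added in the previous hunk dropped. The surrounding if/else on the policy session starts outside the hunk.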
header.i=@kernel.org header.b="bv9+SsBf" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB764C116C6; Mon, 29 Sep 2025 04:00:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118420; bh=GzR8CWkFmj4n7Shr66/XIXfc/gfCOIfMIxPRIPMtQko=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bv9+SsBf61DEUMMWiV/8/pgmxj33eH1/esxc6yCHd5oY2gnux8wxqX/bhknRN7wNP qZFy3L5DTG/lXRFhAMHqGZYUJ6zl6w46OR16NQNHo60i75c+PutHLvHl2hw/uOSBqD 2NL+4vp5ahsivekza9oqfv9r4dWL3WggmWkeA7c2y7T4OzRh7UkPSlTR/fCrXRSkxG B2uyViZexKMBf9uR3ToHGEvi+vKyWCFiqrXEC0ww5ofov8eYOcypRNb503Yw6U7YS0 0sM2AOubPR7DFhasOKSwHXCNtZhB+tX5jLCVVv6KYioHrxt0YejOzt5mjhl8LiidM+ tBj2pyEDqGTSg== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Jonathan McDowell , David Howells , Jarkko Sakkinen , Paul Moore , James Morris , "Serge E. Hallyn" , James Bottomley , Mimi Zohar , keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v2 6/9] KEYS: trusted: Open code tpm2_buf_append() Date: Mon, 29 Sep 2025 06:59:35 +0300 Message-Id: <20250929035938.1773341-7-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen tpm2_buf_append_auth() has only a single call site and most of its parameters are redundant. Open code it at the call site. Remove illegit FIXME comment as there is no categorized bug and replace it with a more sane comment about the implementation (i.e. "non-opinionated inline comment"). Reviewed-by: Jonathan McDowell 
Signed-off-by: Jarkko Sakkinen --- v2: - No changes. --- security/keys/trusted-keys/trusted_tpm2.c | 51 ++++------------------- 1 file changed, 9 insertions(+), 42 deletions(-) diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trus= ted-keys/trusted_tpm2.c index c414a7006d78..8e3b283a59b2 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -198,36 +198,6 @@ int tpm2_key_priv(void *context, size_t hdrlen, return 0; } =20 -/** - * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. - * - * @buf: an allocated tpm_buf instance - * @session_handle: session handle - * @nonce: the session nonce, may be NULL if not used - * @nonce_len: the session nonce length, may be 0 if not used - * @attributes: the session attributes - * @hmac: the session HMAC or password, may be NULL if not used - * @hmac_len: the session HMAC or password length, maybe 0 if not used - */ -static void tpm2_buf_append_auth(struct tpm_buf *buf, u32 session_handle, - const u8 *nonce, u16 nonce_len, - u8 attributes, - const u8 *hmac, u16 hmac_len) -{ - tpm_buf_append_u32(buf, 9 + nonce_len + hmac_len); - tpm_buf_append_u32(buf, session_handle); - tpm_buf_append_u16(buf, nonce_len); - - if (nonce && nonce_len) - tpm_buf_append(buf, nonce, nonce_len); - - tpm_buf_append_u8(buf, attributes); - tpm_buf_append_u16(buf, hmac_len); - - if (hmac && hmac_len) - tpm_buf_append(buf, hmac, hmac_len); -} - /** * tpm2_seal_trusted() - seal the payload of a trusted key * 
@@ -507,19 +477,16 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, options->blobauth_len); } else { /* - * FIXME: The policy session was generated outside the - * kernel so we don't known the nonce and thus can't - * calculate a HMAC on it. Therefore, the user can - * only really use TPM2_PolicyPassword and we must - * send down the plain text password, which could be - * intercepted. We can still encrypt the returned - * key, but that's small comfort since the interposer - * could repeat our actions with the exfiltrated - * password. + * The policy session is generated outside the kernel, and thus + * the password will end up being unencrypted on the bus, as + * HMAC nonce cannot be calculated for it. */ - tpm2_buf_append_auth(&buf, options->policyhandle, - NULL /* nonce */, 0, 0, - options->blobauth, options->blobauth_len); + tpm_buf_append_u32(&buf, 9 + options->blobauth_len); + tpm_buf_append_u32(&buf, options->policyhandle); + tpm_buf_append_u16(&buf, 0); + tpm_buf_append_u8(&buf, 0); + tpm_buf_append_u16(&buf, options->blobauth_len); + tpm_buf_append(&buf, options->blobauth, options->blobauth_len); if (tpm2_chip_auth(chip)) { tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, NULL, 0); } else { --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DE5DF217F31; Mon, 29 Sep 2025 04:00:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118426; cv=none; b=tvVmJMJ2T18rWUaWLpK3YzC1qmJqlB+SRj4pnKc3a/c6RqcV+ULBPN66P4o3031Fcqt6bwvX01qDiqF2Re61z672U2oMrdzuFG8eHQUG+DqMV1Sw5qTs+O3vHPDIcPeiCSIXFTUSoOg3D8h3y04Hs3by8WHEdNa+GC2x2Eq+vMk= ARC-Message-Signature: i=1; a=rsa-sha256; 
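Review bot: The replacement comment in the `else` branch of tpm2_unseal_cmd() drops the consequence the removed FIXME spelled out, namely that the plain-text password can be intercepted and reused by an interposer, and its wording "HMAC nonce cannot be calculated" inverts the original reasoning (the nonce is unknown, so the HMAC cannot be computed). I would keep the exposure in the comment, for example `/* The policy session was created outside the kernel, so its nonce is unknown and no HMAC can be computed; blobauth is sent in plain text and can be observed on the bus. */`. The literal `9` in `tpm_buf_append_u32(&buf, 9 + options->blobauth_len);` also lost the helper that explained it; going by the removed tpm2_buf_append_auth() parameters, a comment such as `/* handle (4) + nonce size (2) + attributes (1) + auth size (2) */` would keep the open-coded layout checkable. The function starts and ends outside this hunk.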
d=subspace.kernel.org; s=arc-20240116; t=1759118426; c=relaxed/simple; bh=94I9UMCMobtGGBP9Hdzd2RpPRLWl5wNSt5LPS8OBLh8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=oIASzzUn6z+aTpXnIz6SEwyB1JobqRqkNV3F9X6jxEHPwWFs3MSsNQWnqLE2f0FLnL6r8vkw1yOc8UrEiwn3Arg/+UASEbQ/JmDGro6+LAbgO5oE1j7zEuHxyPloKMVFnBOUTU8PORdOnlNlmQvONcV1rGsUH+XtAGuFH2L7/Mo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TzSWYtWD; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TzSWYtWD" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9921C116B1; Mon, 29 Sep 2025 04:00:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118425; bh=94I9UMCMobtGGBP9Hdzd2RpPRLWl5wNSt5LPS8OBLh8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TzSWYtWDNZZxZve67AbASK0O1L30lqoigxBx+NbmJoy9M7ienicCCrySwY5G8jSMI aEAmh4Z+BgWt66nVMW/0+CJT7Xzs750UjwI9QpOEGjW1pPkdsP2Ro49hRfD0UkwPU0 HpDkigUqoU21w8MjLwmrUbLvYyk2I/J0nzl14OpuqYDrtaH//lcyErfJZdRP+B/0wK XH9uujZFzblYmKFFMFt3dtAMvDw7pdlDzWEqZAbfPLC13okOuxX3Vkipv3pbJdCCL6 fBEjsQSL6r3aqGz04YP/BiXpoSKbdQzOx7CFEqW5iLEfCb1OWlTI7RFO5PeNB4rfqd 6ehQ4uE7s1zdQ== 
From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , James Bottomley , Mimi Zohar , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 7/9] tpm-buf: check for corruption in tpm_buf_append_handle() Date: Mon, 29 Sep 2025 06:59:36 +0300 Message-Id: <20250929035938.1773341-8-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Unify TPM_BUF_BOUNDARY_ERROR and TPM_BUF_OVERFLOW into TPM_BUF_INVALID flag because semantically they are identical. Test and set TPM_BUF_INVALID in tpm_buf_append_handle() following the pattern from other functions in tpm-buf.c. Signed-off-by: Jarkko Sakkinen --- v2: - A new patch. --- drivers/char/tpm/tpm-buf.c | 14 ++++++++------ include/linux/tpm.h | 8 +++----- security/keys/trusted-keys/trusted_tpm2.c | 6 +++--- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c index dc882fc9fa9e..5526f548b4de 100644 --- a/drivers/char/tpm/tpm-buf.c +++ b/drivers/char/tpm/tpm-buf.c 
@@ -104,13 +104,12 @@ EXPORT_SYMBOL_GPL(tpm_buf_length); */ void tpm_buf_append(struct tpm_buf *buf, const u8 *new_data, u16 new_lengt= h) { - /* Return silently if overflow has already happened. */ - if (buf->flags & TPM_BUF_OVERFLOW) + if (buf->flags & TPM_BUF_INVALID) return; =20 if ((buf->length + new_length) > PAGE_SIZE) { WARN(1, "tpm_buf: write overflow\n"); - buf->flags |=3D TPM_BUF_OVERFLOW; + buf->flags |=3D TPM_BUF_INVALID; return; } =20 @@ -157,7 +156,11 @@ EXPORT_SYMBOL_GPL(tpm_buf_append_u32); */ void tpm_buf_append_handle(struct tpm_chip *chip, struct tpm_buf *buf, u32= handle) { + if (buf->flags & TPM_BUF_INVALID) + return; + if (buf->flags & TPM_BUF_TPM2B) { + buf->flags |=3D TPM_BUF_INVALID; dev_err(&chip->dev, "Invalid buffer type (TPM2B)\n"); return; } @@ -177,14 +180,13 @@ static void tpm_buf_read(struct tpm_buf *buf, off_t *= offset, size_t count, void { off_t next_offset; =20 - /* Return silently if overflow has already happened. */ - if (buf->flags & TPM_BUF_BOUNDARY_ERROR) + if (buf->flags & TPM_BUF_INVALID) return; =20 next_offset =3D *offset + count; if (next_offset > buf->length) { WARN(1, "tpm_buf: read out of boundary\n"); - buf->flags |=3D TPM_BUF_BOUNDARY_ERROR; + buf->flags |=3D TPM_BUF_INVALID; return; } =20 diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e72e7657faa2..5283f32781c4 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -366,12 +366,10 @@ struct tpm_header { } __packed; =20 enum tpm_buf_flags { - /* the capacity exceeded: */ - TPM_BUF_OVERFLOW =3D BIT(0), /* TPM2B format: */ - TPM_BUF_TPM2B =3D BIT(1), - /* read out of boundary: */ - TPM_BUF_BOUNDARY_ERROR =3D BIT(2), + TPM_BUF_TPM2B =3D BIT(0), + /* The buffer is in invalid and unusable state: */ + TPM_BUF_INVALID =3D BIT(1), }; =20 /* diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trus= ted-keys/trusted_tpm2.c index 8e3b283a59b2..119d5152c0db 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c 
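Review bot: In the include/linux/tpm.h hunk, the comment on `TPM_BUF_INVALID` ("The buffer is in invalid and unusable state") does not tell a caller what sets the flag or what it has to do about it, and the two "Return silently if overflow has already happened" comments that used to carry part of that are removed in the tpm-buf.c hunks. From the visible code the flag is set on a write past PAGE_SIZE, on a read past `buf->length` and on a TPM2B buffer passed to tpm_buf_append_handle(), and once it is set tpm_buf_append(), tpm_buf_append_handle() and tpm_buf_read() return without doing anything. I would say so at the definition, for example `/* Set on write overflow, out-of-bounds read or wrong buffer type; later appends and reads are no-ops, so check it before using the buffer: */`.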
+++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -295,7 +295,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, /* creation PCR */ tpm_buf_append_u32(&buf, 0); =20 - if (buf.flags & TPM_BUF_OVERFLOW) { + if (buf.flags & TPM_BUF_INVALID) { rc =3D -E2BIG; tpm2_end_auth_session(chip); goto out; @@ -308,7 +308,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out; =20 blob_len =3D tpm_buf_read_u32(&buf, &offset); - if (blob_len > MAX_BLOB_SIZE || buf.flags & TPM_BUF_BOUNDARY_ERROR) { + if (blob_len > MAX_BLOB_SIZE || buf.flags & TPM_BUF_INVALID) { rc =3D -E2BIG; goto out; } 
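Review bot: `rc = -E2BIG` is kept behind the renamed check in tpm2_seal_trusted(), but with this patch TPM_BUF_INVALID is also set by tpm_buf_append_handle() for a TPM2B buffer and by tpm_buf_read() for a read past the end of a response, so the errno no longer describes every cause. The same applies to the `blob_len > MAX_BLOB_SIZE || buf.flags & TPM_BUF_INVALID` check in the next hunk and to tpm2_load_cmd() in the hunk after that, while tpm1_pcr_extend() and tpm2_pcr_extend() later in the series map the same flag to `-EINVAL`. If `-E2BIG` is kept for compatibility with existing callers, a comment such as `/* any failed append or read on buf is reported as -E2BIG */` would record that it is deliberate. Both functions continue outside these hunks.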
@@ -414,7 +414,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, =20 tpm_buf_append(&buf, blob, blob_len); =20 - if (buf.flags & TPM_BUF_OVERFLOW) { + if (buf.flags & TPM_BUF_INVALID) { rc =3D -E2BIG; tpm2_end_auth_session(chip); goto out; --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E9E43205E02; Mon, 29 Sep 2025 04:00:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118431; cv=none; b=Mh6yCRJe+x3pAj8f2WqPbp73zQf6mh7zFBZpDBLi5rMTD4IaY2tjMCiecgzneXgF/lNJ94b2VNoXE09StBpKf/ZGpTle9c5BAQbnhScorRtZ1tFELdWmW/gFwyv7uNnUB6QOno5tZ7DI/tfpAMExFTG7gYrJnjbUk9ovbBUUYsM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118431; c=relaxed/simple; bh=0Q40GpSZtB6pCsgumq9WfNCq3yyKDUNbkzB2Cq6M9MI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=F4BqnZJG2HKH2x5PTsXqrdDswQ+ilOKzd5SzWtgYT7pomtrVIHasGK9d7v6umkkYXvMA25Vi+FLyOhdX/T73xLpSczXt740it+q/A7FyaOPod1A2zrnuX/IEcRPqQJbOGRNgMe4QLaoGr7hGjULb2bktNHlX4YUWqrDs/daqm9Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PXaw6TH0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PXaw6TH0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2BD1CC4CEF4; Mon, 29 Sep 2025 04:00:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118430; bh=0Q40GpSZtB6pCsgumq9WfNCq3yyKDUNbkzB2Cq6M9MI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=PXaw6TH0mJHuF1jBCEo7duCk5HC6JCCKyFoFKMYCseg1t+G5BNIxPpa19ElHqHije TAs6Ix9ioJGU8Wtew/Y14f90a8rem03Vqf0UOvzgchzUPVH9jBA8y32l4kuLO+rYpx +JMzVLyFmCfxsEcIBZWYHucTwM3voepmX16C/H4CyL+l5RsUk9omZ45yDTcdq7Z2vT rICKjfPp9lpYEJsQk5q5ATJOe5roxAUnv1quL1SGYMN77QBymhhPGR0JuYkEwbUSDu WTdpucAF30i+Sf1GRxEm24TrcQgS0+wDJ64XwkOyA+oniFUCgwEmFXxWSsMxaPJ5k+ RIXdyCOYI53Mg== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 8/9] tpm-buf: Remove chip parameeter from tpm_buf_append_handle Date: Mon, 29 Sep 2025 06:59:37 +0300 Message-Id: <20250929035938.1773341-9-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Remove chip parameter from tpm_buf_append_handle() in order to maintain decoupled state with tpm-buf. This is mandatory change in order to re-use the module in early boot code of Trenchboot, and the binding itself brings no benefit. Use WARN like in other functions, as the error condition can happen only as a net effect of a trivial programming mistake. Signed-off-by: Jarkko Sakkinen --- v2: - A new patch. --- drivers/char/tpm/tpm-buf.c | 6 ++---- drivers/char/tpm/tpm2-cmd.c | 2 +- drivers/char/tpm/tpm2-sessions.c | 2 +- include/linux/tpm.h | 2 +- 4 files changed, 5 insertions(+), 7 deletions(-) 
diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c index 5526f548b4de..c2bf7556cb23 100644 --- a/drivers/char/tpm/tpm-buf.c +++ b/drivers/char/tpm/tpm-buf.c @@ -147,21 +147,19 @@ EXPORT_SYMBOL_GPL(tpm_buf_append_u32); =20 /** * tpm_buf_append_handle() - Add a handle - * @chip: &tpm_chip instance * @buf: &tpm_buf instance * @handle: a TPM object handle * * Add a handle to the buffer, and increase the count tracking the number = of * handles in the command buffer. Works only for command buffers. */ -void tpm_buf_append_handle(struct tpm_chip *chip, struct tpm_buf *buf, u32= handle) +void tpm_buf_append_handle(struct tpm_buf *buf, u32 handle) { if (buf->flags & TPM_BUF_INVALID) return; =20 if (buf->flags & TPM_BUF_TPM2B) { - buf->flags |=3D TPM_BUF_INVALID; - dev_err(&chip->dev, "Invalid buffer type (TPM2B)\n"); + WARN(1, "tpm-buf: invalid type: TPM2B\n"); return; } =20 diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index eef324e61308..4248e59265aa 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -190,7 +190,7 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, tpm_buf_append_name(chip, &buf, pcr_idx, NULL); tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); } else { - tpm_buf_append_handle(chip, &buf, pcr_idx); + tpm_buf_append_handle(&buf, pcr_idx); tpm_buf_append_auth(chip, &buf, NULL, 0); } =20 diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessi= ons.c index 13f019d1312a..bbc05f0997a8 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -232,7 +232,7 @@ void tpm_buf_append_name(struct tpm_chip *chip, struct = tpm_buf *buf, #endif =20 if (!tpm2_chip_auth(chip)) { - tpm_buf_append_handle(chip, buf, handle); + tpm_buf_append_handle(buf, handle); return; } =20 diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 5283f32781c4..b2d89df70c18 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h 
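Review bot: The TPM2B branch of tpm_buf_append_handle() no longer marks the buffer invalid: `buf->flags |= TPM_BUF_INVALID;` is removed together with the dev_err(), so after the WARN the function returns with the buffer still flagged as usable. A caller that gates transmission on `buf.flags & TPM_BUF_INVALID` would then carry on with a command that is missing its handle, which is the state the previous patch in the series set out to catch. The commit message only describes dropping the chip parameter, so this looks unintended; I would keep the flag next to the new warning, `WARN(1, "tpm-buf: invalid type: TPM2B\n");` followed by `buf->flags |= TPM_BUF_INVALID;`. The other warnings in this file use the prefix `tpm_buf:`, so the new message could match them.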
@@ -423,7 +423,7 @@ void tpm_buf_append_u32(struct tpm_buf *buf, const u32 = value); u8 tpm_buf_read_u8(struct tpm_buf *buf, off_t *offset); u16 tpm_buf_read_u16(struct tpm_buf *buf, off_t *offset); u32 tpm_buf_read_u32(struct tpm_buf *buf, off_t *offset); -void tpm_buf_append_handle(struct tpm_chip *chip, struct tpm_buf *buf, u32= handle); +void tpm_buf_append_handle(struct tpm_buf *buf, u32 handle); =20 /* * Check if TPM device is in the firmware upgrade mode. --=20 2.39.5 From nobody Wed Oct 1 22:33:21 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 144131FE451; Mon, 29 Sep 2025 04:00:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118437; cv=none; b=n4yQ9DYVBLsa+2vsSlw1XArHYlx2/KDg+YfiVu7ker9LihCwArZppMcsFNNPRqRwK/PvxXqstgm0zH153KNTzIJIqpSrDI2f4/Zw9skdhI0LYx0TqoHo76GAmNNWwkySRlNoMR6nSW8sHyCu70JYwnBpRxVauFu74pxU1vBeYF8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759118437; c=relaxed/simple; bh=TJUuX70lkJSR7zJdcJBPfGO9d0JxBOuwKlSbLv9FkjU=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=KnUXxFcz0hPXliV2ZlWHnEFsc75f7pLf69EHg3RQ6Vy7qUUeMgKlBu9CUSqkO/V8IHCd0rcIerQeoOWo+4vKkCSCPMBIF4iIRMXpjI9D5vBBpW2Y7q+uYBazse8nvpphXtNahxMA13bsh/22Qk3mquHtMhg7LJgzTj8+GtuVzXY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bBijlIkM; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bBijlIkM" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1D9B1C113D0; Mon, 29 Sep 2025 04:00:35 
+0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1759118436; bh=TJUuX70lkJSR7zJdcJBPfGO9d0JxBOuwKlSbLv9FkjU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bBijlIkMFb3J88NRGaSBaEmtbip9+vwj48kPFaUQ+i8bkwd7ErCuLgTwCD9KlD6mi ReUi+UfnKTcLocSGvyLbAL3KpkeJ7RCL82oxtuXvLOMv041zBU9qOKcWN6vjUR7JrQ vau90FBqRU6kfUsf90wym+iz1XT0aluGgS7+TzYdJv3nusZt5s/Id7iHo86bLXV+SU oSj89BUpj+mfXZXgSNqNSez8E9jGdwQU/9Rs47TYdYJcpkSxhKaPhy/pWyn5NDk68p 74qahOaXRdgYgVknXmQD+lQvucosGN1bVQx6Yk85qIR6XX23bCJvl3Bf8rNalUfTf+ gjHVVDnJu3acQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: dpsmith@apertussolutions.com, ross.philipson@oracle.com, Jarkko Sakkinen , Peter Huewe , Jarkko Sakkinen , Jason Gunthorpe , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS/KEYRINGS), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) Subject: [PATCH v2 9/9] tpm-buf: Build PCR extend commands Date: Mon, 29 Sep 2025 06:59:38 +0300 Message-Id: <20250929035938.1773341-10-jarkko@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250929035938.1773341-1-jarkko@kernel.org> References: <20250929035938.1773341-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jarkko Sakkinen Build and append TPM_ORD_EXTEND and TPM2_CC_PCR_EXTEND command bodies with the two new functions: 1. tpm1_buf_append_extend() 2. tpm2_buf_append_pcr_extend() These changes make the fallback more informative of the situation, as the underlying programming error is catched at the call site, instead of masking it as a tpm_transmit() failure. Further, decoupling the build of the command bodies for extending PCRs will be mandatory for the Trenchboot early boot code. 
Signed-off-by: Jarkko Sakkinen --- v2: - A new patch. --- drivers/char/tpm/tpm-buf.c | 67 +++++++++++++++++++++++++++++++++++++ drivers/char/tpm/tpm1-cmd.c | 15 +++++---- drivers/char/tpm/tpm2-cmd.c | 13 ++++--- include/linux/tpm.h | 4 +++ include/linux/tpm_command.h | 5 +-- 5 files changed, 88 insertions(+), 16 deletions(-) diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c index c2bf7556cb23..d54cc4273e8c 100644 --- a/drivers/char/tpm/tpm-buf.c +++ b/drivers/char/tpm/tpm-buf.c 
@@ -243,4 +243,71 @@ u32 tpm_buf_read_u32(struct tpm_buf *buf, off_t *offse= t) } EXPORT_SYMBOL_GPL(tpm_buf_read_u32); =20 +static bool tpm1_buf_is_command(struct tpm_buf *buf, u32 ordinal) +{ + struct tpm_header *head =3D (struct tpm_header *)buf->data; + + return !(buf->flags & TPM_BUF_TPM2B) && + be16_to_cpu(head->tag) =3D=3D TPM_TAG_RQU_COMMAND && + be32_to_cpu(head->ordinal) =3D=3D ordinal; +} + +/** + * tpm1_buf_append_extend() - Append command body for TPM_Extend + * @buf: &tpm_buf instance + * @pcr_idx: index of the PCR + * @hash: SHA1 hash + */ +void tpm1_buf_append_extend(struct tpm_buf *buf, u32 pcr_idx, const u8 *ha= sh) +{ + if (buf->flags & TPM_BUF_INVALID) + return; + + if (!tpm1_buf_is_command(buf, TPM_ORD_EXTEND)) { + WARN(1, "tpm_buf: invalid TPM_Extend command\n"); + buf->flags |=3D TPM_BUF_INVALID; + return; + } + + tpm_buf_append_u32(buf, pcr_idx); + tpm_buf_append(buf, hash, TPM_DIGEST_SIZE); +} + +static bool tpm2_buf_is_command(struct tpm_buf *buf, u32 ordinal) +{ + struct tpm_header *head =3D (struct tpm_header *)buf->data; + u16 tag =3D be16_to_cpu(head->tag); + + return !(buf->flags & TPM_BUF_TPM2B) && + (tag =3D=3D TPM2_ST_SESSIONS || tag =3D=3D TPM2_ST_NO_SESSIONS) && + be32_to_cpu(head->ordinal) =3D=3D ordinal; +} + +/** + * tpm2_buf_append_pcr_extend() - Append command body for TPM2_PCR_Extend + * @buf: &tpm_buf instance + * @digests: list of PCR digests + * @banks: PCR bank descriptors + * @nr_banks: number of PCR banks + */ +void tpm2_buf_append_pcr_extend(struct tpm_buf *buf, struct tpm_digest *di= gests, + struct tpm_bank_info *banks, + unsigned int nr_banks) +{ + int i; =20 + if (buf->flags & TPM_BUF_INVALID) + return; + + if (!tpm2_buf_is_command(buf, TPM2_CC_PCR_EXTEND)) { + WARN(1, "tpm_buf: invalid TPM2_PCR_Extend command\n"); + buf->flags |=3D TPM_BUF_INVALID; + return; + } + + tpm_buf_append_u32(buf, nr_banks); + for (i =3D 0; i < nr_banks; i++) { + tpm_buf_append_u16(buf, digests[i].alg_id); + tpm_buf_append(buf, 
digests[i].digest, banks[i].digest_size); + } +} diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c index 5c49bdff33de..4f1af8beeed4 100644 --- a/drivers/char/tpm/tpm1-cmd.c +++ b/drivers/char/tpm/tpm1-cmd.c @@ -18,8 +18,8 @@ #include #include #include +#include #include - #include "tpm.h" =20 #define TPM_MAX_ORDINAL 243 @@ -459,21 +459,23 @@ int tpm1_get_timeouts(struct tpm_chip *chip) return 0; } =20 -#define TPM_ORD_PCR_EXTEND 20 int tpm1_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash, const char *log_msg) { struct tpm_buf buf; int rc; =20 - rc =3D tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCR_EXTEND); + rc =3D tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_EXTEND); if (rc) return rc; =20 - tpm_buf_append_u32(&buf, pcr_idx); - tpm_buf_append(&buf, hash, TPM_DIGEST_SIZE); + tpm1_buf_append_extend(&buf, pcr_idx, hash); + + if (buf.flags & TPM_BUF_INVALID) + rc =3D -EINVAL; + else + rc =3D tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE, log_msg); =20 - rc =3D tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE, log_msg); tpm_buf_destroy(&buf); return rc; } @@ -511,7 +513,6 @@ ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_i= d, cap_t *cap, } EXPORT_SYMBOL_GPL(tpm1_getcap); =20 -#define TPM_ORD_GET_RANDOM 70 struct tpm1_get_random_out { __be32 rng_data_len; u8 rng_data[TPM_MAX_RNG_DATA]; diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 4248e59265aa..09ea4a090475 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -171,7 +171,6 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, { struct tpm_buf buf; int rc; - int i; =20 if (!disable_pcr_integrity) { rc =3D tpm2_start_auth_session(chip); 
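Review bot: tpm2_buf_append_pcr_extend() copies `banks[i].digest_size` bytes out of `digests[i].digest` without comparing that length with the size of the digest storage, so a bank descriptor carrying an oversized `digest_size` makes tpm_buf_append() read past the end of the source digest; the PAGE_SIZE check in tpm_buf_append() bounds only the destination. The caller passes `chip->allocated_banks`, which is presumably populated from what the TPM reports, so the helper should validate it rather than trust it. I would check every bank before appending anything and mark the buffer invalid on a mismatch, assuming `digest` is a fixed-size array member of struct tpm_digest. `i` should also be `unsigned int` to match `nr_banks` in the loop condition.
```c
	unsigned int i;

	/* … unchanged: TPM_BUF_INVALID and tpm2_buf_is_command() checks … */

	/* Reject bank descriptors that would read beyond the digest storage. */
	for (i = 0; i < nr_banks; i++) {
		if (banks[i].digest_size > sizeof(digests[i].digest)) {
			WARN(1, "tpm_buf: invalid digest size\n");
			buf->flags |= TPM_BUF_INVALID;
			return;
		}
	}

	/* … unchanged: nr_banks count and per-bank alg_id/digest appends … */
```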
@@ -194,12 +193,12 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_id= x, tpm_buf_append_auth(chip, &buf, NULL, 0); } =20 - tpm_buf_append_u32(&buf, chip->nr_allocated_banks); + tpm2_buf_append_pcr_extend(&buf, digests, chip->allocated_banks, + chip->nr_allocated_banks); =20 - for (i =3D 0; i < chip->nr_allocated_banks; i++) { - tpm_buf_append_u16(&buf, digests[i].alg_id); - tpm_buf_append(&buf, (const unsigned char *)&digests[i].digest, - chip->allocated_banks[i].digest_size); + if (buf.flags & TPM_BUF_INVALID) { + rc =3D -EINVAL; + goto out; } =20 if (!disable_pcr_integrity) @@ -208,8 +207,8 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, if (!disable_pcr_integrity) rc =3D tpm_buf_check_hmac_response(chip, &buf, rc); =20 +out: tpm_buf_destroy(&buf); - return rc; } =20 diff --git a/include/linux/tpm.h b/include/linux/tpm.h index b2d89df70c18..6c7349dce871 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -424,6 +424,10 @@ u8 tpm_buf_read_u8(struct tpm_buf *buf, off_t *offset); u16 tpm_buf_read_u16(struct tpm_buf *buf, off_t *offset); u32 tpm_buf_read_u32(struct tpm_buf *buf, off_t *offset); void tpm_buf_append_handle(struct tpm_buf *buf, u32 handle); +void tpm1_buf_append_extend(struct tpm_buf *buf, u32 pcr_idx, const u8 *ha= sh); +void tpm2_buf_append_pcr_extend(struct tpm_buf *buf, struct tpm_digest *di= gests, + struct tpm_bank_info *banks, + unsigned int nr_banks); =20 /* * Check if TPM device is in the firmware upgrade mode. diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h index f5c03e9c3913..02038972a05f 100644 --- a/include/linux/tpm_command.h +++ b/include/linux/tpm_command.h 
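Review bot: The new `goto out` path in tpm2_pcr_extend() does not end the auth session when `disable_pcr_integrity` is false: the function calls tpm2_start_auth_session() before the buffer is built (visible in the previous hunk), and on TPM_BUF_INVALID it jumps straight to tpm_buf_destroy(). The other TPM_BUF_INVALID error paths on this page, in tpm2_seal_trusted() and tpm2_load_cmd(), call tpm2_end_auth_session() before `goto out`. Unless the session is released somewhere outside the visible lines, I would add `if (!disable_pcr_integrity) tpm2_end_auth_session(chip);` ahead of `rc = -EINVAL;`. The function begins before this hunk and the `out:` label is added in the following one.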
@@ -16,11 +16,12 @@ #define TPM_TAG_RSP_AUTH2_COMMAND 198 =20 /* Command Ordinals */ -#define TPM_ORD_GETRANDOM 70 -#define TPM_ORD_OSAP 11 #define TPM_ORD_OIAP 10 +#define TPM_ORD_OSAP 11 +#define TPM_ORD_EXTEND 20 #define TPM_ORD_SEAL 23 #define TPM_ORD_UNSEAL 24 +#define TPM_ORD_GET_RANDOM 70 =20 /* Other constants */ #define SRKHANDLE 0x40000000 --=20 2.39.5