Message ID | 20180626193040.2509798-3-stefanb@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Tue, 2018-06-26 at 15:30 -0400, Stefan Berger wrote: > Use tpm_default_chip() to find the system's default TPM chip and > use it as the tpm_chip parameter for all TPM operations. Release > the tpm_chip when the module is shut down. > > Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> > --- > security/keys/trusted.c | 41 ++++++++++++++++++++++++++++------------- > 1 file changed, 28 insertions(+), 13 deletions(-) > > diff --git a/security/keys/trusted.c b/security/keys/trusted.c > index 423776682025..06d863caea43 100644 > --- a/security/keys/trusted.c > +++ b/security/keys/trusted.c > @@ -42,6 +42,7 @@ struct sdesc { > > static struct crypto_shash *hashalg; > static struct crypto_shash *hmacalg; > +static struct tpm_chip *tpm_chip; > > static struct sdesc *init_sdesc(struct crypto_shash *alg) > { > @@ -360,7 +361,7 @@ static int trusted_tpm_send(unsigned char *cmd, size_t > buflen) > int rc; > > dump_tpm_buf(cmd); > - rc = tpm_send(NULL, cmd, buflen); > + rc = tpm_send(tpm_chip, cmd, buflen); > dump_tpm_buf(cmd); > if (rc > 0) > /* Can't return positive return codes values to keyctl */ > @@ -381,10 +382,10 @@ static int pcrlock(const int pcrnum) > > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); > + ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE); > if (ret != SHA1_DIGEST_SIZE) > return ret; > - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; > + return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0; > } > > /* > @@ -397,7 +398,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, > unsigned char ononce[TPM_NONCE_SIZE]; > int ret; > > - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); > + ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) > return ret; > > @@ -492,7 +493,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, > if (ret < 0) > goto out; > > - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); > + ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) > goto out; > ordinal = htonl(TPM_ORD_SEAL); > @@ -602,7 +603,7 @@ static int tpm_unseal(struct tpm_buf *tb, > > ordinal = htonl(TPM_ORD_UNSEAL); > keyhndl = htonl(SRKHANDLE); > - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); > + ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) { > pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); > return ret; > @@ -747,7 +748,7 @@ static int getoptions(char *c, struct trusted_key_payload > *pay, > int i; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(tpm_chip); > if (tpm2 < 0) > return tpm2; > > @@ -916,7 +917,7 @@ static struct trusted_key_options > *trusted_options_alloc(void) > struct trusted_key_options *options; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(tpm_chip); > if (tpm2 < 0) > return NULL; > > @@ -966,7 +967,7 @@ static int trusted_instantiate(struct key *key, > size_t key_len; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(tpm_chip); > if (tpm2 < 0) > return tpm2; > > @@ -1007,7 +1008,7 @@ static int trusted_instantiate(struct key *key, > switch (key_cmd) { > case Opt_load: > if (tpm2) > - ret = tpm_unseal_trusted(NULL, payload, options); > + ret = tpm_unseal_trusted(tpm_chip, payload, options); > else > ret = key_unseal(payload, options); > dump_payload(payload); > @@ -1017,13 +1018,13 @@ static int trusted_instantiate(struct key *key, > break; > case Opt_new: > key_len = payload->key_len; > - ret = tpm_get_random(NULL, payload->key, key_len); > + ret = tpm_get_random(tpm_chip, payload->key, key_len); > if (ret != key_len) { > pr_info("trusted_key: key_create failed (%d)\n", > ret); > goto out; > } > if (tpm2) > - ret = tpm_seal_trusted(NULL, payload, options); > + ret = tpm_seal_trusted(tpm_chip, payload, options); > else > ret = key_seal(payload, options); > if (ret < 0) > @@ -1226,12 +1227,26 @@ static int __init init_trusted(void) > return ret; > ret = register_key_type(&key_type_trusted); > if (ret < 0) > - trusted_shash_release(); > + goto exit_shash_release; > + tpm_chip = tpm_default_chip(); > + if (!tpm_chip) { > + ret = -ENODEV; > + goto exit_unregister; > + } > + return 0; > + > +exit_unregister: > + unregister_key_type(&key_type_trusted); > + > +exit_shash_release: > + trusted_shash_release(); > return ret; > } > > static void __exit cleanup_trusted(void) > { > + if (tpm_chip) > + tpm_put_chip(tpm_chip); > trusted_shash_release(); > unregister_key_type(&key_type_trusted); > } Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Is James maintaining this now? Have not seen his feedback yet... /Jarkko
On Tue, 2018-07-03 at 18:24 +0300, Jarkko Sakkinen wrote: [...] > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > Is James maintaining this now? Have not seen his feedback yet... Hey, I thought we both were ... However, it looks fine to me Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com> James
On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote: > On Tue, 2018-07-03 at 18:24 +0300, Jarkko Sakkinen wrote: > [...] > > > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > > > Is James maintaining this now? Have not seen his feedback yet... > > Hey, I thought we both were ... > > However, it looks fine to me > > Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com> > > James OK, I was not sure how that discussion went. I could add myself as co-maintainer to MAINTAINERS because I anyway need to go through all of these. If anyone does not vote against, I'll send a patch. /Jarkko
On Tue, 3 Jul 2018, Jarkko Sakkinen wrote: > On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote: > > OK, I was not sure how that discussion went. I could add myself as > co-maintainer to MAINTAINERS because I anyway need to go through > all of these. > > If anyone does not vote against, I'll send a patch. > For Keys? That would would be useful to help reduce the workload on David.
On Wed, 2018-07-04 at 04:51 +1000, James Morris wrote: > On Tue, 3 Jul 2018, Jarkko Sakkinen wrote: > > > On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote: > > > > OK, I was not sure how that discussion went. I could add myself as > > co-maintainer to MAINTAINERS because I anyway need to go through > > all of these. > > > > If anyone does not vote against, I'll send a patch. > > > > For Keys? That would would be useful to help reduce the workload on > David. Well, no, this was for trusted keys, which is the part of the key infrastructure that goes via the TPM: The KEYS-TRUSTED part in the MAINTAINERs file. There's still KEYS-ENCRYPTED, KEYS/KEYRING and ASYMETRIC KEYS, which don't use the TPM. However, I've no objection to consolidating the lot under a larger set of maintainers ... I recently agreed to look at the asymmetric key TPM patch because it's my area, but it also strays over into crypto, keyring and asymmetric keys. James
On Tue, Jul 03, 2018 at 12:06:23PM -0700, James Bottomley wrote: > On Wed, 2018-07-04 at 04:51 +1000, James Morris wrote: > > On Tue, 3 Jul 2018, Jarkko Sakkinen wrote: > > > > > On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote: > > > > > > OK, I was not sure how that discussion went. I could add myself as > > > co-maintainer to MAINTAINERS because I anyway need to go through > > > all of these. > > > > > > If anyone does not vote against, I'll send a patch. > > > > > > > For Keys? That would would be useful to help reduce the workload on > > David. > > Well, no, this was for trusted keys, which is the part of the key > infrastructure that goes via the TPM: The KEYS-TRUSTED part in the > MAINTAINERs file. There's still KEYS-ENCRYPTED, KEYS/KEYRING and > ASYMETRIC KEYS, which don't use the TPM. > > However, I've no objection to consolidating the lot under a larger set > of maintainers ... I recently agreed to look at the asymmetric key TPM > patch because it's my area, but it also strays over into crypto, > keyring and asymmetric keys. Should 2/2 be rolled through my tree? 1/2 is a tpm patch. /Jarkko
diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 423776682025..06d863caea43 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -42,6 +42,7 @@ struct sdesc { static struct crypto_shash *hashalg; static struct crypto_shash *hmacalg; +static struct tpm_chip *tpm_chip; static struct sdesc *init_sdesc(struct crypto_shash *alg) { @@ -360,7 +361,7 @@ static int trusted_tpm_send(unsigned char *cmd, size_t buflen) int rc; dump_tpm_buf(cmd); - rc = tpm_send(NULL, cmd, buflen); + rc = tpm_send(tpm_chip, cmd, buflen); dump_tpm_buf(cmd); if (rc > 0) /* Can't return positive return codes values to keyctl */ @@ -381,10 +382,10 @@ static int pcrlock(const int pcrnum) if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); + ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE); if (ret != SHA1_DIGEST_SIZE) return ret; - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; + return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0; } /* @@ -397,7 +398,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, unsigned char ononce[TPM_NONCE_SIZE]; int ret; - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); + ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) return ret; @@ -492,7 +493,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, if (ret < 0) goto out; - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) goto out; ordinal = htonl(TPM_ORD_SEAL); @@ -602,7 +603,7 @@ static int tpm_unseal(struct tpm_buf *tb, ordinal = htonl(TPM_ORD_UNSEAL); keyhndl = htonl(SRKHANDLE); - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) { pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); return ret; @@ -747,7 +748,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, int i; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(tpm_chip); if (tpm2 < 0) return tpm2; @@ -916,7 +917,7 @@ static struct trusted_key_options *trusted_options_alloc(void) struct trusted_key_options *options; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(tpm_chip); if (tpm2 < 0) return NULL; @@ -966,7 +967,7 @@ static int trusted_instantiate(struct key *key, size_t key_len; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(tpm_chip); if (tpm2 < 0) return tpm2; @@ -1007,7 +1008,7 @@ static int trusted_instantiate(struct key *key, switch (key_cmd) { case Opt_load: if (tpm2) - ret = tpm_unseal_trusted(NULL, payload, options); + ret = tpm_unseal_trusted(tpm_chip, payload, options); else ret = key_unseal(payload, options); dump_payload(payload); @@ -1017,13 +1018,13 @@ static int trusted_instantiate(struct key *key, break; case Opt_new: key_len = payload->key_len; - ret = tpm_get_random(NULL, payload->key, key_len); + ret = tpm_get_random(tpm_chip, payload->key, key_len); if (ret != key_len) { pr_info("trusted_key: key_create failed (%d)\n", ret); goto out; } if (tpm2) - ret = tpm_seal_trusted(NULL, payload, options); + ret = tpm_seal_trusted(tpm_chip, payload, options); else ret = key_seal(payload, options); if (ret < 0) @@ -1226,12 +1227,26 @@ static int __init init_trusted(void) return ret; ret = register_key_type(&key_type_trusted); if (ret < 0) - trusted_shash_release(); + goto exit_shash_release; + tpm_chip = tpm_default_chip(); + if (!tpm_chip) { + ret = -ENODEV; + goto exit_unregister; + } + return 0; + +exit_unregister: + unregister_key_type(&key_type_trusted); + +exit_shash_release: + trusted_shash_release(); return ret; } static void __exit cleanup_trusted(void) { + if (tpm_chip) + tpm_put_chip(tpm_chip); trusted_shash_release(); unregister_key_type(&key_type_trusted); }
Use tpm_default_chip() to find the system's default TPM chip and use it as the tpm_chip parameter for all TPM operations. Release the tpm_chip when the module is shut down. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- security/keys/trusted.c | 41 ++++++++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 13 deletions(-)