diff mbox

[2/2] KEYS: trusted: Find tpm_chip and use it until module shutdown

Message ID 20180626193040.2509798-3-stefanb@linux.vnet.ibm.com (mailing list archive)
State New, archived
Headers show

Commit Message

Stefan Berger June 26, 2018, 7:30 p.m. UTC 
Use tpm_default_chip() to find the system's default TPM chip and
use it as the tpm_chip parameter for all TPM operations. Release
the tpm_chip when the module is shut down.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 security/keys/trusted.c | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)

Comments

Jarkko Sakkinen July 3, 2018, 3:24 p.m. UTC | #1 
On Tue, 2018-06-26 at 15:30 -0400, Stefan Berger wrote:
> Use tpm_default_chip() to find the system's default TPM chip and
> use it as the tpm_chip parameter for all TPM operations. Release
> the tpm_chip when the module is shut down.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> ---
>  security/keys/trusted.c | 41 ++++++++++++++++++++++++++++-------------
>  1 file changed, 28 insertions(+), 13 deletions(-)
> 
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 423776682025..06d863caea43 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -42,6 +42,7 @@ struct sdesc {
>  
>  static struct crypto_shash *hashalg;
>  static struct crypto_shash *hmacalg;
> +static struct tpm_chip *tpm_chip;
>  
>  static struct sdesc *init_sdesc(struct crypto_shash *alg)
>  {
> @@ -360,7 +361,7 @@ static int trusted_tpm_send(unsigned char *cmd, size_t
> buflen)
>  	int rc;
>  
>  	dump_tpm_buf(cmd);
> -	rc = tpm_send(NULL, cmd, buflen);
> +	rc = tpm_send(tpm_chip, cmd, buflen);
>  	dump_tpm_buf(cmd);
>  	if (rc > 0)
>  		/* Can't return positive return codes values to keyctl */
> @@ -381,10 +382,10 @@ static int pcrlock(const int pcrnum)
>  
>  	if (!capable(CAP_SYS_ADMIN))
>  		return -EPERM;
> -	ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
> +	ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE);
>  	if (ret != SHA1_DIGEST_SIZE)
>  		return ret;
> -	return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
> +	return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0;
>  }
>  
>  /*
> @@ -397,7 +398,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
>  	unsigned char ononce[TPM_NONCE_SIZE];
>  	int ret;
>  
> -	ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE)
>  		return ret;
>  
> @@ -492,7 +493,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
>  	if (ret < 0)
>  		goto out;
>  
> -	ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE)
>  		goto out;
>  	ordinal = htonl(TPM_ORD_SEAL);
> @@ -602,7 +603,7 @@ static int tpm_unseal(struct tpm_buf *tb,
>  
>  	ordinal = htonl(TPM_ORD_UNSEAL);
>  	keyhndl = htonl(SRKHANDLE);
> -	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE) {
>  		pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
>  		return ret;
> @@ -747,7 +748,7 @@ static int getoptions(char *c, struct trusted_key_payload
> *pay,
>  	int i;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return tpm2;
>  
> @@ -916,7 +917,7 @@ static struct trusted_key_options
> *trusted_options_alloc(void)
>  	struct trusted_key_options *options;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return NULL;
>  
> @@ -966,7 +967,7 @@ static int trusted_instantiate(struct key *key,
>  	size_t key_len;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return tpm2;
>  
> @@ -1007,7 +1008,7 @@ static int trusted_instantiate(struct key *key,
>  	switch (key_cmd) {
>  	case Opt_load:
>  		if (tpm2)
> -			ret = tpm_unseal_trusted(NULL, payload, options);
> +			ret = tpm_unseal_trusted(tpm_chip, payload, options);
>  		else
>  			ret = key_unseal(payload, options);
>  		dump_payload(payload);
> @@ -1017,13 +1018,13 @@ static int trusted_instantiate(struct key *key,
>  		break;
>  	case Opt_new:
>  		key_len = payload->key_len;
> -		ret = tpm_get_random(NULL, payload->key, key_len);
> +		ret = tpm_get_random(tpm_chip, payload->key, key_len);
>  		if (ret != key_len) {
>  			pr_info("trusted_key: key_create failed (%d)\n",
> ret);
>  			goto out;
>  		}
>  		if (tpm2)
> -			ret = tpm_seal_trusted(NULL, payload, options);
> +			ret = tpm_seal_trusted(tpm_chip, payload, options);
>  		else
>  			ret = key_seal(payload, options);
>  		if (ret < 0)
> @@ -1226,12 +1227,26 @@ static int __init init_trusted(void)
>  		return ret;
>  	ret = register_key_type(&key_type_trusted);
>  	if (ret < 0)
> -		trusted_shash_release();
> +		goto exit_shash_release;
> +	tpm_chip = tpm_default_chip();
> +	if (!tpm_chip) {
> +		ret = -ENODEV;
> +		goto exit_unregister;
> +	}
> +	return 0;
> +
> +exit_unregister:
> +	unregister_key_type(&key_type_trusted);
> +
> +exit_shash_release:
> +	trusted_shash_release();
>  	return ret;
>  }
>  
>  static void __exit cleanup_trusted(void)
>  {
> +	if (tpm_chip)
> +		tpm_put_chip(tpm_chip);
>  	trusted_shash_release();
>  	unregister_key_type(&key_type_trusted);
>  }

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Is James maintaining this now? Have not seen his feedback yet...

/Jarkko
James Bottomley July 3, 2018, 3:26 p.m. UTC | #2 
On Tue, 2018-07-03 at 18:24 +0300, Jarkko Sakkinen wrote:
[...]
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> 
> Is James maintaining this now? Have not seen his feedback yet...

Hey, I thought we both were ...

However, it looks fine to me

Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>

James
Jarkko Sakkinen July 3, 2018, 4:51 p.m. UTC | #3 
On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote:
> On Tue, 2018-07-03 at 18:24 +0300, Jarkko Sakkinen wrote:
> [...]
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > 
> > Is James maintaining this now? Have not seen his feedback yet...
> 
> Hey, I thought we both were ...
> 
> However, it looks fine to me
> 
> Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
> 
> James

OK, I was not sure how that discussion went. I could add myself as
co-maintainer to MAINTAINERS because I anyway need to go through
all of these.

If anyone does not vote against, I'll send a patch.

/Jarkko
James Morris July 3, 2018, 6:51 p.m. UTC | #4 
On Tue, 3 Jul 2018, Jarkko Sakkinen wrote:

> On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote:
> 
> OK, I was not sure how that discussion went. I could add myself as
> co-maintainer to MAINTAINERS because I anyway need to go through
> all of these.
> 
> If anyone does not vote against, I'll send a patch.
> 

For Keys?  That would would be useful to help reduce the workload on 
David.
James Bottomley July 3, 2018, 7:06 p.m. UTC | #5 
On Wed, 2018-07-04 at 04:51 +1000, James Morris wrote:
> On Tue, 3 Jul 2018, Jarkko Sakkinen wrote:
> 
> > On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote:
> > 
> > OK, I was not sure how that discussion went. I could add myself as
> > co-maintainer to MAINTAINERS because I anyway need to go through
> > all of these.
> > 
> > If anyone does not vote against, I'll send a patch.
> > 
> 
> For Keys?  That would would be useful to help reduce the workload on 
> David.

Well, no, this was for trusted keys, which is the part of the key
infrastructure that goes via the TPM: The KEYS-TRUSTED part in the
MAINTAINERs file.  There's still KEYS-ENCRYPTED, KEYS/KEYRING and
ASYMETRIC KEYS, which don't use the TPM.

However, I've no objection to consolidating the lot under a larger set
of maintainers ... I recently agreed to look at the asymmetric key TPM
patch because it's my area, but it also strays over into crypto,
keyring and asymmetric keys.

James
Jarkko Sakkinen July 4, 2018, 1:52 p.m. UTC | #6 
On Tue, Jul 03, 2018 at 12:06:23PM -0700, James Bottomley wrote:
> On Wed, 2018-07-04 at 04:51 +1000, James Morris wrote:
> > On Tue, 3 Jul 2018, Jarkko Sakkinen wrote:
> > 
> > > On Tue, Jul 03, 2018 at 08:26:55AM -0700, James Bottomley wrote:
> > > 
> > > OK, I was not sure how that discussion went. I could add myself as
> > > co-maintainer to MAINTAINERS because I anyway need to go through
> > > all of these.
> > > 
> > > If anyone does not vote against, I'll send a patch.
> > > 
> > 
> > For Keys?  That would would be useful to help reduce the workload on 
> > David.
> 
> Well, no, this was for trusted keys, which is the part of the key
> infrastructure that goes via the TPM: The KEYS-TRUSTED part in the
> MAINTAINERs file.  There's still KEYS-ENCRYPTED, KEYS/KEYRING and
> ASYMETRIC KEYS, which don't use the TPM.
> 
> However, I've no objection to consolidating the lot under a larger set
> of maintainers ... I recently agreed to look at the asymmetric key TPM
> patch because it's my area, but it also strays over into crypto,
> keyring and asymmetric keys.

Should 2/2 be rolled through my tree? 1/2 is a tpm patch.

/Jarkko
diff mbox

Patch

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 423776682025..06d863caea43 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -42,6 +42,7 @@  struct sdesc {
 
 static struct crypto_shash *hashalg;
 static struct crypto_shash *hmacalg;
+static struct tpm_chip *tpm_chip;
 
 static struct sdesc *init_sdesc(struct crypto_shash *alg)
 {
@@ -360,7 +361,7 @@  static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
 	int rc;
 
 	dump_tpm_buf(cmd);
-	rc = tpm_send(NULL, cmd, buflen);
+	rc = tpm_send(tpm_chip, cmd, buflen);
 	dump_tpm_buf(cmd);
 	if (rc > 0)
 		/* Can't return positive return codes values to keyctl */
@@ -381,10 +382,10 @@  static int pcrlock(const int pcrnum)
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
-	ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
+	ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE);
 	if (ret != SHA1_DIGEST_SIZE)
 		return ret;
-	return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
+	return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0;
 }
 
 /*
@@ -397,7 +398,7 @@  static int osap(struct tpm_buf *tb, struct osapsess *s,
 	unsigned char ononce[TPM_NONCE_SIZE];
 	int ret;
 
-	ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
+	ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE);
 	if (ret != TPM_NONCE_SIZE)
 		return ret;
 
@@ -492,7 +493,7 @@  static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 	if (ret < 0)
 		goto out;
 
-	ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
+	ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE);
 	if (ret != TPM_NONCE_SIZE)
 		goto out;
 	ordinal = htonl(TPM_ORD_SEAL);
@@ -602,7 +603,7 @@  static int tpm_unseal(struct tpm_buf *tb,
 
 	ordinal = htonl(TPM_ORD_UNSEAL);
 	keyhndl = htonl(SRKHANDLE);
-	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
+	ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE);
 	if (ret != TPM_NONCE_SIZE) {
 		pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
 		return ret;
@@ -747,7 +748,7 @@  static int getoptions(char *c, struct trusted_key_payload *pay,
 	int i;
 	int tpm2;
 
-	tpm2 = tpm_is_tpm2(NULL);
+	tpm2 = tpm_is_tpm2(tpm_chip);
 	if (tpm2 < 0)
 		return tpm2;
 
@@ -916,7 +917,7 @@  static struct trusted_key_options *trusted_options_alloc(void)
 	struct trusted_key_options *options;
 	int tpm2;
 
-	tpm2 = tpm_is_tpm2(NULL);
+	tpm2 = tpm_is_tpm2(tpm_chip);
 	if (tpm2 < 0)
 		return NULL;
 
@@ -966,7 +967,7 @@  static int trusted_instantiate(struct key *key,
 	size_t key_len;
 	int tpm2;
 
-	tpm2 = tpm_is_tpm2(NULL);
+	tpm2 = tpm_is_tpm2(tpm_chip);
 	if (tpm2 < 0)
 		return tpm2;
 
@@ -1007,7 +1008,7 @@  static int trusted_instantiate(struct key *key,
 	switch (key_cmd) {
 	case Opt_load:
 		if (tpm2)
-			ret = tpm_unseal_trusted(NULL, payload, options);
+			ret = tpm_unseal_trusted(tpm_chip, payload, options);
 		else
 			ret = key_unseal(payload, options);
 		dump_payload(payload);
@@ -1017,13 +1018,13 @@  static int trusted_instantiate(struct key *key,
 		break;
 	case Opt_new:
 		key_len = payload->key_len;
-		ret = tpm_get_random(NULL, payload->key, key_len);
+		ret = tpm_get_random(tpm_chip, payload->key, key_len);
 		if (ret != key_len) {
 			pr_info("trusted_key: key_create failed (%d)\n", ret);
 			goto out;
 		}
 		if (tpm2)
-			ret = tpm_seal_trusted(NULL, payload, options);
+			ret = tpm_seal_trusted(tpm_chip, payload, options);
 		else
 			ret = key_seal(payload, options);
 		if (ret < 0)
@@ -1226,12 +1227,26 @@  static int __init init_trusted(void)
 		return ret;
 	ret = register_key_type(&key_type_trusted);
 	if (ret < 0)
-		trusted_shash_release();
+		goto exit_shash_release;
+	tpm_chip = tpm_default_chip();
+	if (!tpm_chip) {
+		ret = -ENODEV;
+		goto exit_unregister;
+	}
+	return 0;
+
+exit_unregister:
+	unregister_key_type(&key_type_trusted);
+
+exit_shash_release:
+	trusted_shash_release();
 	return ret;
 }
 
 static void __exit cleanup_trusted(void)
 {
+	if (tpm_chip)
+		tpm_put_chip(tpm_chip);
 	trusted_shash_release();
 	unregister_key_type(&key_type_trusted);
 }