diff mbox series

[GIT,PULL] TPM DEVICE DRIVER updates for v5.13 (updated)

Message ID 52f4810fbcdb3a118b7126e2497ae384016c9004.camel@HansenPartnership.com (mailing list archive)
State New, archived
Headers show
Series [GIT,PULL] TPM DEVICE DRIVER updates for v5.13 (updated) | expand

Commit Message

James Bottomley April 23, 2021, 11:04 p.m. UTC
Fix a regression in the TPM trusted keys caused by the generic rework
to add ARM TEE based trusted keys.  Without this fix, the TPM trusted
key subsystem fails to add or load any keys.

This is an incremental update to Jarkko's previous pull request (which
contains the regression):

https://lore.kernel.org/linux-integrity/YHb06P4IOGV7eoiJ@kernel.org/

So if you could pull both in succession to minimize the bisection
problem, I'd be grateful (it's only a functional regression not a
compile one so the bisection problem would only impact someone
bisecting trusted keys).

There's also a minor conflict caused by the previous urgent fix I sent,
but the resolution is obvious.

git://git.kernel.org/pub/scm/linux/kernel/git/jejb/tpmdd.git queue

The short changelog is:

James Bottomley (1):
      KEYS: trusted: fix TPM trusted keys for generic framework

And the diffstat:

 security/keys/trusted-keys/trusted_core.c | 24 ++++++++++++------------
 security/keys/trusted-keys/trusted_tpm1.c |  5 ++++-
 2 files changed, 16 insertions(+), 13 deletions(-)

With full diff below.

James

---

Comments

pr-tracker-bot@kernel.org April 26, 2021, 3:59 p.m. UTC | #1
The pull request you sent on Fri, 23 Apr 2021 16:04:26 -0700:

> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/tpmdd.git queue

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/87f27e7b189f54a9e928efb4ea98bf375708ff1f

Thank you!
Jarkko Sakkinen April 27, 2021, 11:43 p.m. UTC | #2
On Mon, Apr 26, 2021 at 03:59:20PM +0000, pr-tracker-bot@kernel.org wrote:
> The pull request you sent on Fri, 23 Apr 2021 16:04:26 -0700:
> 
> > git://git.kernel.org/pub/scm/linux/kernel/git/jejb/tpmdd.git queue
> 
> has been merged into torvalds/linux.git:
> https://git.kernel.org/torvalds/c/87f27e7b189f54a9e928efb4ea98bf375708ff1f
> 
> Thank you!

Thanks James for taking care of this (just came back from 2 week vacation)!

/Jarkko
diff mbox series

Patch

diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index 90774793f0b1..d5c891d8d353 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -62,7 +62,7 @@  static const match_table_t key_tokens = {
  *
  * On success returns 0, otherwise -EINVAL.
  */
-static int datablob_parse(char *datablob, struct trusted_key_payload *p)
+static int datablob_parse(char **datablob, struct trusted_key_payload *p)
 {
 	substring_t args[MAX_OPT_ARGS];
 	long keylen;
@@ -71,14 +71,14 @@  static int datablob_parse(char *datablob, struct trusted_key_payload *p)
 	char *c;
 
 	/* main command */
-	c = strsep(&datablob, " \t");
+	c = strsep(datablob, " \t");
 	if (!c)
 		return -EINVAL;
 	key_cmd = match_token(c, key_tokens, args);
 	switch (key_cmd) {
 	case Opt_new:
 		/* first argument is key size */
-		c = strsep(&datablob, " \t");
+		c = strsep(datablob, " \t");
 		if (!c)
 			return -EINVAL;
 		ret = kstrtol(c, 10, &keylen);
@@ -89,7 +89,7 @@  static int datablob_parse(char *datablob, struct trusted_key_payload *p)
 		break;
 	case Opt_load:
 		/* first argument is sealed blob */
-		c = strsep(&datablob, " \t");
+		c = strsep(datablob, " \t");
 		if (!c)
 			return -EINVAL;
 		p->blob_len = strlen(c) / 2;
@@ -140,7 +140,7 @@  static int trusted_instantiate(struct key *key,
 {
 	struct trusted_key_payload *payload = NULL;
 	size_t datalen = prep->datalen;
-	char *datablob;
+	char *datablob, *orig_datablob;
 	int ret = 0;
 	int key_cmd;
 	size_t key_len;
@@ -148,7 +148,7 @@  static int trusted_instantiate(struct key *key,
 	if (datalen <= 0 || datalen > 32767 || !prep->data)
 		return -EINVAL;
 
-	datablob = kmalloc(datalen + 1, GFP_KERNEL);
+	orig_datablob = datablob = kmalloc(datalen + 1, GFP_KERNEL);
 	if (!datablob)
 		return -ENOMEM;
 	memcpy(datablob, prep->data, datalen);
@@ -160,7 +160,7 @@  static int trusted_instantiate(struct key *key,
 		goto out;
 	}
 
-	key_cmd = datablob_parse(datablob, payload);
+	key_cmd = datablob_parse(&datablob, payload);
 	if (key_cmd < 0) {
 		ret = key_cmd;
 		goto out;
@@ -196,7 +196,7 @@  static int trusted_instantiate(struct key *key,
 		ret = -EINVAL;
 	}
 out:
-	kfree_sensitive(datablob);
+	kfree_sensitive(orig_datablob);
 	if (!ret)
 		rcu_assign_keypointer(key, payload);
 	else
@@ -220,7 +220,7 @@  static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 	struct trusted_key_payload *p;
 	struct trusted_key_payload *new_p;
 	size_t datalen = prep->datalen;
-	char *datablob;
+	char *datablob, *orig_datablob;
 	int ret = 0;
 
 	if (key_is_negative(key))
@@ -231,7 +231,7 @@  static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 	if (datalen <= 0 || datalen > 32767 || !prep->data)
 		return -EINVAL;
 
-	datablob = kmalloc(datalen + 1, GFP_KERNEL);
+	orig_datablob = datablob = kmalloc(datalen + 1, GFP_KERNEL);
 	if (!datablob)
 		return -ENOMEM;
 
@@ -243,7 +243,7 @@  static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 
 	memcpy(datablob, prep->data, datalen);
 	datablob[datalen] = '\0';
-	ret = datablob_parse(datablob, new_p);
+	ret = datablob_parse(&datablob, new_p);
 	if (ret != Opt_update) {
 		ret = -EINVAL;
 		kfree_sensitive(new_p);
@@ -267,7 +267,7 @@  static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 	rcu_assign_keypointer(key, new_p);
 	call_rcu(&p->rcu, trusted_rcu_free);
 out:
-	kfree_sensitive(datablob);
+	kfree_sensitive(orig_datablob);
 	return ret;
 }
 
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index 798dc7820084..469394550801 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -747,6 +747,9 @@  static int getoptions(char *c, struct trusted_key_payload *pay,
 
 	opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1;
 
+	if (!c)
+		return 0;
+
 	while ((p = strsep(&c, " \t"))) {
 		if (*p == '\0' || *p == ' ' || *p == '\t')
 			continue;
@@ -944,7 +947,7 @@  static int trusted_tpm_unseal(struct trusted_key_payload *p, char *datablob)
 		goto out;
 	dump_options(options);
 
-	if (!options->keyhandle) {
+	if (!options->keyhandle && !tpm2) {
 		ret = -EINVAL;
 		goto out;
 	}