From patchwork Wed Sep 18 20:35:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 13807144 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F18417E019; Wed, 18 Sep 2024 20:36:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691774; cv=none; b=h7+OApRggVvEnd4tWXhiuWKkYLm/OS13RukDChk0atT+E/u1P6Db8tXzjBIiWmcVhPi/Xu2QXIKP1ciiZ4wqojkvtuNgnMQR/gl1iThdpnRNJfbB0LFqGadaYd+bTz3vz2CV2M+Gy3ssB+PYocyxKTe5XYE25I75jvtscCWdrKo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691774; c=relaxed/simple; bh=TvUdzspAQaz6C2R6RF1Y+KyYSdkWOqy1X74m1OujPCc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HroGzt9U9njuCK8l6WGBBvHS2AekWYWzulWjd2RIROkrDxLYZONABow88NUDEGz+xULFFoo/S/phAoqmAh53eCxvAHsoQWD4wrURGssir4gkQkUdTLdGwmxh4WeYKoME9Z42VZJ09qNccyyFJYAHWWBbxPh5Xl70zZfI6HSPQZc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Ke3PSDuu; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Ke3PSDuu" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 69264C4CED3; Wed, 18 Sep 2024 20:36:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726691774; bh=TvUdzspAQaz6C2R6RF1Y+KyYSdkWOqy1X74m1OujPCc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ke3PSDuuEou00Gz7bk61dWlz2sdBuQ91//vPiDUnCPZBxXvJvEnt8UEbpqVQFm/oq myDwGR4KQvigZZ0X033+OjxVJfWjg/zc4RlaA7sFLCXPek2Rz0/FWRKcVxc7upSQvI FrDTZ3FPFEDdCmnhybKbCVoaa4DczT0Xh72SJf3Pnb3tqrVYdam3aI0Nm17s+vG//v dUiuaJUXqsDkwtGcWihP88O9QIqMqYwhXr91YdAMZRkDA2uY/D/XcFrMjRkQOVaGFr fWk8bmoOcB8RY6TBmpsO0/b5dPPRZMjwXUsneLkLSrLHN39siMZVekowNW7AMMY42E 0ZfdDWFlIgZTQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , stable@vger.kernel.org, Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 1/5] tpm: Return on tpm2_create_null_primary() failure Date: Wed, 18 Sep 2024 23:35:45 +0300 Message-ID: <20240918203559.192605-2-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240918203559.192605-1-jarkko@kernel.org> References: <20240918203559.192605-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 tpm2_sessions_init() does not ignores the result of saving the null key. Address this by printing either TPM or POSIX error code, and returning -ENODEV back to the caller. Cc: stable@vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen --- v4: - Fixed up stable version. v3: - Handle TPM and POSIX error separately and return -ENODEV always back to the caller. v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index d3521aadd43e..795f4c7c6adb 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1338,7 +1338,13 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) tpm2_flush_context(chip, null_key); } - return rc; + if (rc < 0) + dev_err(&chip->dev, "saving the null key failed with error %d\n", rc); + else if (rc > 0) + dev_err(&chip->dev, "saving the null key failed with TPM error 0x%04X\n", rc); + + /* Map all errors to -ENODEV: */ + return rc ? -ENODEV : rc; } /** @@ -1354,7 +1360,7 @@ int tpm2_sessions_init(struct tpm_chip *chip) rc = tpm2_create_null_primary(chip); if (rc) - dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) From patchwork Wed Sep 18 20:35:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 13807145 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6146917E019; Wed, 18 Sep 2024 20:36:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691779; cv=none; b=Mq+MSfg/fJtdyWQzgBM85s+Vc6gKrGZ1WB4o+2RfD4jKPs4KJUGc0+DA6w+IRMxNhH8C35dTv5WXjII0q1AabfBaJvR0lYLYBazDFMPtpuU7JHXPwSDASu72Q+FPUK43rp33PYif/HDk6lz4LFLPBwaAo3LzMyEeeIABV3p2lzw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691779; c=relaxed/simple; bh=ifKvo8VOZ3QdmOhSmhUmW5ZmuqFihwqa71jgKwwZ8zw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lfrnmB8clvg7EgGMOw1QnvWCY17BzuGuow2qXRFQO1Y6ZKWfk659DAfttp6zisXcaUjEhyIppK2oW673TvSfx71jAUJAUP41GmqCEZT1CHFuCfry5XCyt7R1Uovm/AtkiAB2+2CnCM2bunLfSZlB1m0gA44UbvsZ13pMBP48gIo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=oTrWkqVb; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="oTrWkqVb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 929A6C4CEC2; Wed, 18 Sep 2024 20:36:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726691778; bh=ifKvo8VOZ3QdmOhSmhUmW5ZmuqFihwqa71jgKwwZ8zw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oTrWkqVbir1kgK0u6GbFKdG8xLfS2DalgN1ro6i2Pu22jIvoFwfrbuSQAOHjHdjpI dDbfB3QS8PhYkSw6knJWFRPItUveGrggArTCcj8FvBBn6gfbU2G4h4CFaiPaoDah2N gEsI7u2UwmnNkDDxzahK867E+N+eGbZ0YeCien9887FiTT4JTIhZaqyy2PpmoqbiJj 5rZoE1xBxjXmkhVk61oMm+Kacw8AueTE6EoMek6wIFiwnn6LUyyU5qd/GYbu2FNKNJ 3wpoKEFZP4XAXW1rVdOnnjQfMT2z8rZRSOOIn4n2WLTtCQt5S+luznconeOCMmy0kV ZuopcnC060MbA== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , stable@vger.kernel.org, Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 2/5] tpm: Return on tpm2_create_primary() failure in tpm2_load_null() Date: Wed, 18 Sep 2024 23:35:46 +0300 Message-ID: <20240918203559.192605-3-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240918203559.192605-1-jarkko@kernel.org> References: <20240918203559.192605-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable@vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen --- v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 38 +++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 795f4c7c6adb..a62f64e21511 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -915,32 +915,34 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } + dev_info(&chip->dev, "the null key has been reset\n"); - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); - chip->flags |= TPM_CHIP_FLAG_DISABLE; + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "the null key integrity check failedh\n"); + tpm2_flush_context(chip, tmp_null_key); + chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; } From patchwork Wed Sep 18 20:35:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 13807146 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B89E81CB53B; Wed, 18 Sep 2024 20:36:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691784; cv=none; b=u9qCxi9mdvB2uspkIoop/O6uEuKsPZynjbGeIPcD6lR6OCHhl9pybLAtkzA3pt6Tr4LepesWe3k0UNL3kYiQsMKNSapNeCrsHSd2YApSSu8OjaWdpwAe+PeWcvN9tmIDuHsA4W8p+u4OLQrsBY53n/LP5Pb8dPutrgWvhbLUPH4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691784; c=relaxed/simple; bh=kbo0Z0RhoCm2kz1JvajJujVV7vc6cCJXd+V6ZXLaxNQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pGUlqb4E3X6YK74FA7RjKe9N1cN3Q5aVP+3jTERv55mTuY9L2E5zIzwHXMIcdKfCdqZFa7fL7DQvT3FBsHtek5IJvdB+DzVbUtpcmHc2Rb8PVQOmZRKgvo5YfnKMIguNk4f4Fh6FX18E0YyrnN/lrvePweGRINMsm/clHjkgRQw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KQjphzQz; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KQjphzQz" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C8CB6C4CEC2; Wed, 18 Sep 2024 20:36:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726691784; bh=kbo0Z0RhoCm2kz1JvajJujVV7vc6cCJXd+V6ZXLaxNQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KQjphzQzeQzXPggjPjBamdrZnOPySVFuzTmP10LeZ9m17oQgKwbnsa7GQElmuu8gX pEcqwGsBoT0Ch0rsj+JiRvCfSh1/W14PnNZEi71jjJm6BQfUjpal165hCqOj4ldpnB /da5sCjABT6uR/BChrqEcJ0x0tVvvH4jLP3ZAwl4MRfV8xZ7S8ZOY5glW1Q1JPqPmn 65ELZaBIhw14S/NsRTtBg265pmP40sha26BvstXFdwiO2pIt5aw4xiL5+OfNk2OWqO lrNenMzVkzrVBXcLyzEEfbLEG0iujzJGWEMqEBpIAIpgRtFHpscEXnNOc/hPByzoq6 4skR5AkAA4S9w== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , stable@vger.kernel.org, Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 3/5] tpm: flush the null key only when /dev/tpm0 is accessed Date: Wed, 18 Sep 2024 23:35:47 +0300 Message-ID: <20240918203559.192605-4-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240918203559.192605-1-jarkko@kernel.org> References: <20240918203559.192605-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Instead of flushing and reloading the null key for every single auth session, flush it only when: 1. User space needs to access /dev/tpm{rm}0. 2. When going to sleep. 3. When unregistering the chip. This removes the need to load and swap the null key between TPM and regular memory per transaction, when the user space is not using the chip. Cc: stable@vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Tested-by: Pengyu Ma Signed-off-by: Jarkko Sakkinen --- v4: - Changed to bug fix as not having the patch there is a major hit to bootup times. v3: - Unchanged. v2: - Refined the commit message. - Added tested-by from Pengyu Ma . - Removed spurious pr_info() statement. --- drivers/char/tpm/tpm-chip.c | 13 +++++++++++++ drivers/char/tpm/tpm-dev-common.c | 7 +++++++ drivers/char/tpm/tpm-interface.c | 9 +++++++-- drivers/char/tpm/tpm2-cmd.c | 3 +++ drivers/char/tpm/tpm2-sessions.c | 17 ++++++++++++++--- include/linux/tpm.h | 2 ++ 6 files changed, 46 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 854546000c92..0ea00e32f575 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -674,6 +674,19 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { +#ifdef CONFIG_TCG_TPM2_HMAC + int rc; + + rc = tpm_try_get_ops(chip); + if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } + tpm_put_ops(chip); + } +#endif + tpm_del_legacy_sysfs(chip); if (tpm_is_hwrng_enabled(chip)) hwrng_unregister(&chip->hwrng); diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 30b4c288c1bb..4eaa8e05c291 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -27,6 +27,13 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, struct tpm_header *header = (void *)buf; ssize_t ret, len; +#ifdef CONFIG_TCG_TPM2_HMAC + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } +#endif + ret = tpm2_prepare_space(chip, space, buf, bufsiz); /* If the command is not implemented by the TPM, synthesize a * response with a TPM2_RC_COMMAND_CODE return for user-space. diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 5da134f12c9a..bfa47d48b0f2 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -379,10 +379,15 @@ int tpm_pm_suspend(struct device *dev) rc = tpm_try_get_ops(chip); if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) + if (chip->flags & TPM_CHIP_FLAG_TPM2) { +#ifdef CONFIG_TCG_TPM2_HMAC + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; +#endif tpm2_shutdown(chip, TPM2_SU_STATE); - else + } else { rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + } tpm_put_ops(chip); } diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e856259219e..aba024cbe7c5 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -364,6 +364,9 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 handle) struct tpm_buf buf; int rc; + if (!handle) + return; + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); if (rc) { dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a62f64e21511..42eb910e9acc 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -920,11 +920,19 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) u32 tmp_null_key; int rc; + /* fast path */ + if (chip->null_key) { + *null_key = chip->null_key; + return 0; + } + rc = tpm2_load_context(chip, chip->null_key_context, &offset, &tmp_null_key); if (rc != -EINVAL) { - if (!rc) + if (!rc) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; + } return rc; } dev_info(&chip->dev, "the null key has been reset\n"); @@ -935,6 +943,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) /* Return the null key if the name has not been changed: */ if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; return 0; } @@ -1005,7 +1014,6 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append_u16(&buf, TPM_ALG_SHA256); rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); - tpm2_flush_context(chip, null_key); if (rc == TPM2_RC_SUCCESS) rc = tpm2_parse_start_auth_session(auth, &buf); @@ -1337,7 +1345,10 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) rc = tpm2_save_context(chip, null_key, chip->null_key_context, sizeof(chip->null_key_context), &offset); - tpm2_flush_context(chip, null_key); + if (rc) + tpm2_flush_context(chip, null_key); + else + chip->null_key = null_key; } if (rc < 0) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e93ee8d936a9..4eb39db80e05 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -205,6 +205,8 @@ struct tpm_chip { #ifdef CONFIG_TCG_TPM2_HMAC /* details for communication security via sessions */ + /* loaded null key */ + u32 null_key; /* saved context for NULL seed */ u8 null_key_context[TPM2_MAX_CONTEXT_SIZE]; /* name of NULL seed */ From patchwork Wed Sep 18 20:35:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 13807147 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0683D1CB31E; Wed, 18 Sep 2024 20:36:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691790; cv=none; b=pEqXovlkZgwAkVOyQKTCO/yPAwvPsCFTQii5MY+oy010uqrqxR77A4D1AK0SPQJxq2+cO04TYz2MHc85JONLEYygsDiyOGEY0BizgmDhSYYn122zq4TNep3jgWMHJE28TvWZBNV4rbfAp/vr5ayOBT8dseG3toQwJKhHhmml0cQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691790; c=relaxed/simple; bh=xnYK0K7lXvBa8L8kDUpdwxAKtJ7LihsPP3u6030CMDA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cWlQWWgDFEz5XISkfhBqmLrWIACUaNXSYjAe7oeEPbjQ3jH0c7bhXrc3L0H6BV5YQtPohjFTmK4llDdWPRxGezgUJ2I6QzPqCeuhFP//2nHWnWV6ZDV/R9OI2eMtNNIEXo5U6U3MlPcy6QW/ZQywQdNIMNHlAr0FBmeQpsGy7xk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=uu6yWn05; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="uu6yWn05" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 83178C4CEC7; Wed, 18 Sep 2024 20:36:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726691789; bh=xnYK0K7lXvBa8L8kDUpdwxAKtJ7LihsPP3u6030CMDA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uu6yWn05j6AuOLZHt2kXJVbK6fzTo4O8GdUu4O5nNfXndxQxTdmw6pq0gUnA5VqLD mq3VYnrzaauPmk+JGfHKQjoe69kwvLuQx1sjvf5YrA+LTrFG9on9nMGNWzVB7dqNOI kzpUxlZO9NpoXNG21AdGHSowq2VHYNAunQj5j2XWrmrwrdc43TNMVerQOTmxxAojku v6YBcOVRGW1JEGpxVrrLykWnyehOQzSHGyivUwzkAnOQ+OM4eD1hLMRrRXu/8esCRB BsbXbuHwpEncQxgKqoysXxRJDqCpyC6EVqkT2Dg61xYS7E36thrIoEtIJTD2/XmBe+ i24a6Ms7yoWtQ== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , stable@vger.kernel.org, Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 4/5] tpm: Allocate chip->auth in tpm2_start_auth_session() Date: Wed, 18 Sep 2024 23:35:48 +0300 Message-ID: <20240918203559.192605-5-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240918203559.192605-1-jarkko@kernel.org> References: <20240918203559.192605-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move allocation of chip->auth to tpm2_start_auth_session() so that the field can be used as flag to tell whether auth session is active or not. Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Jarkko Sakkinen --- v4: - Change to bug. v3: - No changes. v2: - A new patch. --- drivers/char/tpm/tpm2-sessions.c | 43 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 42eb910e9acc..6371e0ee88b0 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -484,7 +484,8 @@ static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v, sha256_final(&sctx, out); } -static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) +static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, + struct tpm2_auth *auth) { struct crypto_kpp *kpp; struct kpp_request *req; @@ -543,7 +544,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ); sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ); kpp_request_set_input(req, s, EC_PT_SZ*2); - sg_init_one(d, chip->auth->salt, EC_PT_SZ); + sg_init_one(d, auth->salt, EC_PT_SZ); kpp_request_set_output(req, d, EC_PT_SZ); crypto_kpp_compute_shared_secret(req); kpp_request_free(req); @@ -554,8 +555,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) * This works because KDFe fully consumes the secret before it * writes the salt */ - tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x, - chip->auth->salt); + tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt); out: crypto_free_kpp(kpp); @@ -854,6 +854,8 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, /* manually close the session if it wasn't consumed */ tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } else { /* reset for next use */ auth->session = TPM_HEADER_SIZE; @@ -882,6 +884,8 @@ void tpm2_end_auth_session(struct tpm_chip *chip) tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -969,25 +973,29 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) */ int tpm2_start_auth_session(struct tpm_chip *chip) { + struct tpm2_auth *auth; struct tpm_buf buf; - struct tpm2_auth *auth = chip->auth; - int rc; u32 null_key; + int rc; - if (!auth) { - dev_warn_once(&chip->dev, "auth session is not active\n"); + if (chip->auth) { + dev_warn_once(&chip->dev, "auth session is active\n"); return 0; } + auth = kzalloc(sizeof(*auth), GFP_KERNEL); + if (!auth) + return -ENOMEM; + rc = tpm2_load_null(chip, &null_key); if (rc) - goto out; + goto err; auth->session = TPM_HEADER_SIZE; rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS); if (rc) - goto out; + goto err; /* salt key handle */ tpm_buf_append_u32(&buf, null_key); @@ -999,7 +1007,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce)); /* append encrypted salt and squirrel away unencrypted in auth */ - tpm_buf_append_salt(&buf, chip); + tpm_buf_append_salt(&buf, chip, auth); /* session type (HMAC, audit or policy) */ tpm_buf_append_u8(&buf, TPM2_SE_HMAC); @@ -1020,10 +1028,13 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_destroy(&buf); - if (rc) - goto out; + if (rc == TPM2_RC_SUCCESS) { + chip->auth = auth; + return 0; + } - out: +err: + kfree(auth); return rc; } EXPORT_SYMBOL(tpm2_start_auth_session); @@ -1375,10 +1386,6 @@ int tpm2_sessions_init(struct tpm_chip *chip) if (rc) return rc; - chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); - if (!chip->auth) - return -ENOMEM; - return rc; } #endif /* CONFIG_TCG_TPM2_HMAC */ From patchwork Wed Sep 18 20:35:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 13807148 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D45471CB32C; Wed, 18 Sep 2024 20:36:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691795; cv=none; b=Ze3UrMDRzG6GgtWRm63HeDU4XVGN2ZjU2w/0kOoFIu57f9if1QG2TprK0ovBFzTE8Ua44VEsVnvWw3LShW42IuSGPZjzJRD2CT0tzjD1b7a3eAB8uMNk4buH85ErCP3UBbeZjWUdQ3OpeZFhElFDWVdh45sFtWIC7Br/zZ0MAKo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726691795; c=relaxed/simple; bh=a6hjHtAXEMh6b1R8nEW38A6SmJBF8Y73m7GYMb7SEdk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SRTjRxsXW8LBm40kGRzjxCb6wqNsQSzJ9ryek7u5M4fslZBZvosKfAZ/Mne4TjZlMEHaAPFjlaOnCLTPTTU0Stjxhv1oGlx4D5ac0jjoOZ8nrk9OIonBhy/vtCULEjkfVfUhkwugOQ4+HaHIe5++PLErhHcVHgC+swT/xtQkYig= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jSunCmaX; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jSunCmaX" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 551BCC4CEC2; Wed, 18 Sep 2024 20:36:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1726691794; bh=a6hjHtAXEMh6b1R8nEW38A6SmJBF8Y73m7GYMb7SEdk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jSunCmaXzik1WBkT7BnosXXdNSAG8dSg8J4fYJe/OPFdvCXWxbin/ZDf+jrmVed4u KhEMVsVrGbGOMp81NLGk0jLKiny68b7GiUjjK44HSVvSnZf/fbG5Q/uJ9PJ1w0O8RG z3vdhksIxLMNBzyKPqdGl9nR81EzlUDqRQW1Bgr9iVpzbwMe0fVeSeSFQU/3VyHGqf zCFektkS76ZAnhVytu0kHX8DAa84IZDs2gko/ZXjqDXtpLrY3WZsqtvKR8KlvOG7OM YW4buY5ncuMwhj0wfwGUboWr/NFIWJuJASDS86xl0BlNmTJLOSyueH9Y/HeET6sr18 Q1a2YvJ7KD8+g== From: Jarkko Sakkinen To: linux-integrity@vger.kernel.org Cc: James.Bottomley@HansenPartnership.com, roberto.sassu@huawei.com, mapengyu@gmail.com, Jarkko Sakkinen , stable@vger.kernel.org, Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 5/5] tpm: flush the auth session only when /dev/tpm0 is open Date: Wed, 18 Sep 2024 23:35:49 +0300 Message-ID: <20240918203559.192605-6-jarkko@kernel.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240918203559.192605-1-jarkko@kernel.org> References: <20240918203559.192605-1-jarkko@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable@vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma Signed-off-by: Jarkko Sakkinen --- v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6371e0ee88b0..e9d3a6a9d397 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC