From 285fdfc5d9959a2104021b6bbdec39b8c26e99ef Mon Sep 17 00:00:00 2001 From: Mickaël Salaün Date: Tue, 20 Sep 2016 19:39:47 +0200 Subject: seccomp: Fix documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix struct seccomp_filter and seccomp_run_filters() signatures. Signed-off-by: Mickaël Salaün Cc: Andy Lutomirski Cc: James Morris Cc: Kees Cook Cc: Will Drewry Signed-off-by: Kees Cook --- kernel/seccomp.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 0db7c8a2afe2..494cba230ca0 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -41,8 +41,7 @@ * outside of a lifetime-guarded section. In general, this * is only needed for handling filters shared across tasks. * @prev: points to a previously installed, or inherited, filter - * @len: the number of instructions in the program - * @insnsi: the BPF program instructions to evaluate + * @prog: the BPF program to evaluate * * seccomp_filter objects are organized in a tree linked via the @prev * pointer. For any task, it appears to be a singly-linked list starting @@ -168,8 +167,8 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) } /** - * seccomp_run_filters - evaluates all seccomp filters against @syscall - * @syscall: number of the current system call + * seccomp_run_filters - evaluates all seccomp filters against @sd + * @sd: optional seccomp data to be passed to filters * * Returns valid seccomp BPF response codes. */ -- cgit v1.2.3-70-g09d2 From 0af04ba5640dd6318f117a9fcbfde886516a0220 Mon Sep 17 00:00:00 2001 From: Ricky Zhou Date: Thu, 13 Oct 2016 10:29:14 -0700 Subject: samples/seccomp: Fix hostprogs variable In f6041c1d, a separate SAMPLES_SECCOMP option was added. This changed hostprogs-y to hostprogs-m, so adjust it. Signed-off-by: Ricky Zhou Signed-off-by: Kees Cook --- samples/seccomp/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile index ae7ff6f24f36..bf7cc6b0dc19 100644 --- a/samples/seccomp/Makefile +++ b/samples/seccomp/Makefile @@ -36,13 +36,13 @@ HOSTLOADLIBES_bpf-direct += $(MFLAG) HOSTLOADLIBES_bpf-fancy += $(MFLAG) HOSTLOADLIBES_dropper += $(MFLAG) endif -always := $(hostprogs-y) +always := $(hostprogs-m) else # MIPS system calls are defined based on the -mabi that is passed # to the toolchain which may or may not be a valid option # for the host toolchain. So disable tests if target architecture # is MIPS but the host isn't. ifndef CONFIG_MIPS -always := $(hostprogs-y) +always := $(hostprogs-m) endif endif -- cgit v1.2.3-70-g09d2 From 1ff120504f8c322a03fbce035d99e29e741da725 Mon Sep 17 00:00:00 2001 From: Ricky Zhou Date: Thu, 13 Oct 2016 10:34:08 -0700 Subject: samples/seccomp: Enable PR_SET_NO_NEW_PRIVS in dropper Either CAP_SYS_ADMIN or PR_SET_NO_NEW_PRIVS is required to enable seccomp. This allows samples/seccomp/dropper to be run without CAP_SYS_ADMIN. Signed-off-by: Ricky Zhou Signed-off-by: Kees Cook --- samples/seccomp/dropper.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/samples/seccomp/dropper.c b/samples/seccomp/dropper.c index c69c347c7011..68325ca5e71c 100644 --- a/samples/seccomp/dropper.c +++ b/samples/seccomp/dropper.c @@ -11,7 +11,6 @@ * When run, returns the specified errno for the specified * system call number against the given architecture. * - * Run this one as root as PR_SET_NO_NEW_PRIVS is not called. */ #include @@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error) .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), .filter = filter, }; + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + return 1; + } if (prctl(PR_SET_SECCOMP, 2, &prog)) { - perror("prctl"); + perror("prctl(PR_SET_SECCOMP)"); return 1; } return 0; -- cgit v1.2.3-70-g09d2 From d881d25cf5bc2fafbbfb383a475278977e1bd55a Mon Sep 17 00:00:00 2001 From: Ricky Zhou Date: Thu, 13 Oct 2016 10:37:28 -0700 Subject: samples/seccomp: Support programs with >256 instructions Previously, the program size was incorrectly truncated to 8 bits, resulting in broken labels in large programs. Also changes the jump resolution loop to not rely on undefined behavior (making a pointer point before the filter array). Signed-off-by: Ricky Zhou Signed-off-by: Kees Cook --- samples/seccomp/bpf-helper.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/samples/seccomp/bpf-helper.c b/samples/seccomp/bpf-helper.c index 05cb4d5ff9f5..1ef0f4d72898 100644 --- a/samples/seccomp/bpf-helper.c +++ b/samples/seccomp/bpf-helper.c @@ -18,41 +18,41 @@ int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count) { - struct sock_filter *begin = filter; - __u8 insn = count - 1; + size_t i; - if (count < 1) + if (count < 1 || count > BPF_MAXINSNS) return -1; /* * Walk it once, backwards, to build the label table and do fixups. * Since backward jumps are disallowed by BPF, this is easy. */ - filter += insn; - for (; filter >= begin; --insn, --filter) { - if (filter->code != (BPF_JMP+BPF_JA)) + for (i = 0; i < count; ++i) { + size_t offset = count - i - 1; + struct sock_filter *instr = &filter[offset]; + if (instr->code != (BPF_JMP+BPF_JA)) continue; - switch ((filter->jt<<8)|filter->jf) { + switch ((instr->jt<<8)|instr->jf) { case (JUMP_JT<<8)|JUMP_JF: - if (labels->labels[filter->k].location == 0xffffffff) { + if (labels->labels[instr->k].location == 0xffffffff) { fprintf(stderr, "Unresolved label: '%s'\n", - labels->labels[filter->k].label); + labels->labels[instr->k].label); return 1; } - filter->k = labels->labels[filter->k].location - - (insn + 1); - filter->jt = 0; - filter->jf = 0; + instr->k = labels->labels[instr->k].location - + (offset + 1); + instr->jt = 0; + instr->jf = 0; continue; case (LABEL_JT<<8)|LABEL_JF: - if (labels->labels[filter->k].location != 0xffffffff) { + if (labels->labels[instr->k].location != 0xffffffff) { fprintf(stderr, "Duplicate label use: '%s'\n", - labels->labels[filter->k].label); + labels->labels[instr->k].label); return 1; } - labels->labels[filter->k].location = insn; - filter->k = 0; /* fall through */ - filter->jt = 0; - filter->jf = 0; + labels->labels[instr->k].location = offset; + instr->k = 0; /* fall through */ + instr->jt = 0; + instr->jf = 0; continue; } } -- cgit v1.2.3-70-g09d2 From 08382c9f6efe08b8bb30645c2744480cbd8f161a Mon Sep 17 00:00:00 2001 From: jooseong lee Date: Thu, 3 Nov 2016 11:54:39 +0100 Subject: Smack: Assign smack_known_web label for kernel thread's Assign smack_known_web label for kernel thread's socket Creating struct sock by sk_alloc function in various kernel subsystems like bluetooth doesn't call smack_socket_post_create(). In such case, received sock label is the floor('_') label and makes access deny. Signed-off-by: jooseong lee Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb060293505..e73460d5acc6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2337,8 +2337,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) if (ssp == NULL) return -ENOMEM; - ssp->smk_in = skp; - ssp->smk_out = skp; + /* + * Sockets created by kernel threads receive web label. + */ + if (unlikely(current->flags & PF_KTHREAD)) { + ssp->smk_in = &smack_known_web; + ssp->smk_out = &smack_known_web; + } else { + ssp->smk_in = skp; + ssp->smk_out = skp; + } ssp->smk_packet = NULL; sk->sk_security = ssp; -- cgit v1.2.3-70-g09d2 From 2097f59920ea81516d7783396683cad22c26d140 Mon Sep 17 00:00:00 2001 From: Himanshu Shukla Date: Thu, 10 Nov 2016 16:19:52 +0530 Subject: smack: parse mnt opts after privileges check In smack_set_mnt_opts()first the SMACK mount options are being parsed and later it is being checked whether the user calling mount has CAP_MAC_ADMIN capability. This sequence of operationis will allow unauthorized user to add SMACK labels in label list and may cause denial of security attack by adding many labels by allocating kernel memory by unauthorized user. Superblock smack flag is also being set as initialized though function may return with EPERM error. First check the capability of calling user then set the SMACK attributes and smk_flags. Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 50 +++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e73460d5acc6..788a5faf3774 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -769,6 +769,31 @@ static int smack_set_mnt_opts(struct super_block *sb, if (sp->smk_flags & SMK_SB_INITIALIZED) return 0; + if (!smack_privileged(CAP_MAC_ADMIN)) { + /* + * Unprivileged mounts don't get to specify Smack values. + */ + if (num_opts) + return -EPERM; + /* + * Unprivileged mounts get root and default from the caller. + */ + skp = smk_of_current(); + sp->smk_root = skp; + sp->smk_default = skp; + /* + * For a handful of fs types with no user-controlled + * backing store it's okay to trust security labels + * in the filesystem. The rest are untrusted. + */ + if (sb->s_user_ns != &init_user_ns && + sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && + sb->s_magic != RAMFS_MAGIC) { + transmute = 1; + sp->smk_flags |= SMK_SB_UNTRUSTED; + } + } + sp->smk_flags |= SMK_SB_INITIALIZED; for (i = 0; i < num_opts; i++) { @@ -809,31 +834,6 @@ static int smack_set_mnt_opts(struct super_block *sb, } } - if (!smack_privileged(CAP_MAC_ADMIN)) { - /* - * Unprivileged mounts don't get to specify Smack values. - */ - if (num_opts) - return -EPERM; - /* - * Unprivileged mounts get root and default from the caller. - */ - skp = smk_of_current(); - sp->smk_root = skp; - sp->smk_default = skp; - /* - * For a handful of fs types with no user-controlled - * backing store it's okay to trust security labels - * in the filesystem. The rest are untrusted. - */ - if (sb->s_user_ns != &init_user_ns && - sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && - sb->s_magic != RAMFS_MAGIC) { - transmute = 1; - sp->smk_flags |= SMK_SB_UNTRUSTED; - } - } - /* * Initialize the root inode. */ -- cgit v1.2.3-70-g09d2 From 7128ea159d60a91b3f0a7d10a1ea7d62b53cda93 Mon Sep 17 00:00:00 2001 From: Himanshu Shukla Date: Thu, 10 Nov 2016 16:17:49 +0530 Subject: SMACK: Do not apply star label in smack_setprocattr hook Smack prohibits processes from using the star ("*") and web ("@") labels. Checks have been added in other functions. In smack_setprocattr() hook, only check for web ("@") label has been added and restricted from applying web ("@") label. Check for star ("*") label should also be added in smack_setprocattr() hook. Return error should be "-EINVAL" not "-EPERM" as permission is there for setting label but not the label value as star ("*") or web ("@"). Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 788a5faf3774..3a5684b47354 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, return PTR_ERR(skp); /* - * No process is ever allowed the web ("@") label. + * No process is ever allowed the web ("@") label + * and the star ("*") label. */ - if (skp == &smack_known_web) - return -EPERM; + if (skp == &smack_known_web || skp == &smack_known_star) + return -EINVAL; if (!smack_privileged(CAP_MAC_ADMIN)) { rc = -EPERM; -- cgit v1.2.3-70-g09d2 From b437aba85b5c4689543409d8407c016749231aae Mon Sep 17 00:00:00 2001 From: Himanshu Shukla Date: Thu, 10 Nov 2016 16:17:02 +0530 Subject: SMACK: Fix the memory leak in smack_cred_prepare() hook Memory leak in smack_cred_prepare()function. smack_cred_prepare() hook returns error if there is error in allocating memory in smk_copy_rules() or smk_copy_relabel() function. If smack_cred_prepare() function returns error then the calling function should call smack_cred_free() function for cleanup. In smack_cred_free() function first credential is extracted and then all rules are deleted. In smack_cred_prepare() function security field is assigned in the end when all function return success. But this function may return before and memory will not be freed. Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3a5684b47354..f7ee77c3db55 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2023,6 +2023,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, if (new_tsp == NULL) return -ENOMEM; + new->security = new_tsp; + rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); if (rc != 0) return rc; @@ -2032,7 +2034,6 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, if (rc != 0) return rc; - new->security = new_tsp; return 0; } -- cgit v1.2.3-70-g09d2 From 2e4939f7026f938a1dc81533d020801198562804 Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Mon, 7 Nov 2016 19:01:09 -0800 Subject: Smack: ipv6 label match fix The check for a deleted entry in the list of IPv6 host addresses was being performed in the wrong place, leading to most peculiar results in some cases. This puts the check into the right place. Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f7ee77c3db55..b2c839f735c0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2443,18 +2443,18 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) return NULL; list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { + /* + * If the label is NULL the entry has + * been renounced. Ignore it. + */ + if (snp->smk_label == NULL) + continue; /* * we break after finding the first match because * the list is sorted from longest to shortest mask * so we have found the most specific match */ for (found = 1, i = 0; i < 8; i++) { - /* - * If the label is NULL the entry has - * been renounced. Ignore it. - */ - if (snp->smk_label == NULL) - continue; if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != snp->smk_host.s6_addr16[i]) { found = 0; -- cgit v1.2.3-70-g09d2 From 9a11a18902bc3b904353063763d06480620245a6 Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 13 Oct 2016 17:47:36 -0500 Subject: ima: fix memory leak in ima_release_policy When the "policy" securityfs file is opened for read, it is opened as a sequential file. However, when it is eventually released, there is no cleanup for the sequential file, therefore some memory is leaked. This patch adds a call to seq_release() in ima_release_policy() to clean up the memory when the file is opened for read. Fixes: 80eae209d63a IMA: allow reading back the current policy Reported-by: Colin Ian King Signed-off-by: Eric Richter Tested-by: Colin Ian King Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index c07a3844ea0a..3df46906492d 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -401,7 +401,7 @@ static int ima_release_policy(struct inode *inode, struct file *file) const char *cause = valid_policy ? "completed" : "failed"; if ((file->f_flags & O_ACCMODE) == O_RDONLY) - return 0; + return seq_release(inode, file); if (valid_policy && ima_check_policy() < 0) { cause = "failed"; -- cgit v1.2.3-70-g09d2 From f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 2 Nov 2016 09:14:16 -0400 Subject: Revert "ima: limit file hash setting by user to fix and log modes" Userspace applications have been modified to write security xattrs, but they are not context aware. In the case of security.ima, the security xattr can be either a file hash or a file signature. Permitting writing one, but not the other requires the application to be context aware. In addition, userspace applications might write files to a staging area, which might not be in policy, and then change some file metadata (eg. owner) making it in policy. As a result, these files are not labeled properly. This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533, which prevents writing file hashes as security.ima xattrs. Requested-by: Patrick Ohly Cc: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 389325ac6067..a705598ced5f 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -384,14 +384,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); if (result == 1) { - bool digsig; - if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; - digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); - if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) - return -EPERM; - ima_reset_appraise_flags(d_backing_inode(dentry), digsig); + ima_reset_appraise_flags(d_backing_inode(dentry), + (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); result = 0; } return result; -- cgit v1.2.3-70-g09d2 From 064be15c525d02e46251fd529d84e5835b0b1339 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 31 Oct 2016 13:22:15 -0400 Subject: ima: include the reason for TPM-bypass mode This patch includes the reason for going into TPM-bypass mode and not using the TPM. Signed-off-by: Mimi Zohar (zohar@linux.vnet.ibm> --- security/integrity/ima/ima_init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 32912bd54ead..2ac1f41db5c0 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -115,7 +115,8 @@ int __init ima_init(void) ima_used_chip = 1; if (!ima_used_chip) - pr_info("No TPM chip found, activating TPM-bypass!\n"); + pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n", + rc); rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); if (rc) -- cgit v1.2.3-70-g09d2 From 5465d02a4970990d8ec692c7539af5fdde95e613 Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Sun, 6 Nov 2016 10:10:57 +0200 Subject: Doc: security: keys-trusted: drop duplicate blobauth entry Signed-off-by: Baruch Siach Signed-off-by: Mimi Zohar --- Documentation/security/keys-trusted-encrypted.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt index 324ddf5223b3..b20a993a32af 100644 --- a/Documentation/security/keys-trusted-encrypted.txt +++ b/Documentation/security/keys-trusted-encrypted.txt @@ -32,8 +32,6 @@ Usage: (40 ascii zeros) blobauth= ascii hex auth for sealed data default 0x00... (40 ascii zeros) - blobauth= ascii hex auth for sealed data default 0x00... - (40 ascii zeros) pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) pcrlock= pcr number to be extended to "lock" blob migratable= 0|1 indicating permission to reseal to new PCR values, -- cgit v1.2.3-70-g09d2 From b4bfec7f4a86424b114f94f41c4e1841ec102df3 Mon Sep 17 00:00:00 2001 From: Seth Forshee Date: Mon, 1 Aug 2016 08:19:10 -0500 Subject: security/integrity: Harden against malformed xattrs In general the handling of IMA/EVM xattrs is good, but I found a few locations where either the xattr size or the value of the type field in the xattr are not checked. Add a few simple checks to these locations to prevent malformed or malicious xattrs from causing problems. Signed-off-by: Seth Forshee Signed-off-by: Mimi Zohar --- security/integrity/digsig.c | 2 +- security/integrity/evm/evm_main.c | 4 ++++ security/integrity/ima/ima_appraise.c | 5 ++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 4304372b323f..106e855e2d9d 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -51,7 +51,7 @@ static bool init_keyring __initdata; int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen) { - if (id >= INTEGRITY_KEYRING_MAX) + if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) return -EINVAL; if (!keyring[id]) { diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index ba8615576d4d..e2ed498c0f5f 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -145,6 +145,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, /* check value type */ switch (xattr_data->type) { case EVM_XATTR_HMAC: + if (xattr_len != sizeof(struct evm_ima_xattr_data)) { + evm_status = INTEGRITY_FAIL; + goto out; + } rc = evm_calc_hmac(dentry, xattr_name, xattr_value, xattr_value_len, calc.digest); if (rc) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index a705598ced5f..1fd9539a969d 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -130,6 +130,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len) { struct signature_v2_hdr *sig; + enum hash_algo ret; if (!xattr_value || xattr_len < 2) /* return default hash algo */ @@ -143,7 +144,9 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, return sig->hash_algo; break; case IMA_XATTR_DIGEST_NG: - return xattr_value->digest[0]; + ret = xattr_value->digest[0]; + if (ret < HASH_ALGO__LAST) + return ret; break; case IMA_XATTR_DIGEST: /* this is for backward compatibility */ -- cgit v1.2.3-70-g09d2 From 8931c3bdb3bfbdfb3c86f590f517ed9acfed27d7 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 14 Nov 2016 20:16:12 +0900 Subject: SELinux: Use GFP_KERNEL for selinux_parse_opts_str(). Since selinux_parse_opts_str() is calling match_strdup() which uses GFP_KERNEL, it is safe to use GFP_KERNEL from kcalloc() which is called by selinux_parse_opts_str(). Signed-off-by: Tetsuo Handa Signed-off-by: Paul Moore --- security/selinux/hooks.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 09fd6108e421..d1b141e33ecb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1100,11 +1100,12 @@ static int selinux_parse_opts_str(char *options, } rc = -ENOMEM; - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); + opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); if (!opts->mnt_opts) goto out_err; - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); + opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), + GFP_KERNEL); if (!opts->mnt_opts_flags) { kfree(opts->mnt_opts); goto out_err; -- cgit v1.2.3-70-g09d2 From 420591128cb206201dc444c2d42fb6f299b2ecd0 Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Thu, 10 Nov 2016 22:18:27 +0100 Subject: selinux: Minor cleanups Fix the comment for function __inode_security_revalidate, which returns an integer. Use the LABEL_* constants consistently for isec->initialized. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore --- security/selinux/hooks.c | 3 ++- security/selinux/selinuxfs.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d1b141e33ecb..1c0721708ccc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -237,6 +237,7 @@ static int inode_alloc_security(struct inode *inode) isec->sid = SECINITSID_UNLABELED; isec->sclass = SECCLASS_FILE; isec->task_sid = sid; + isec->initialized = LABEL_INVALID; inode->i_security = isec; return 0; @@ -247,7 +248,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* * Try reloading inode security labels that have been marked as invalid. The * @may_sleep parameter indicates when sleeping and thus reloading labels is - * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is + * allowed; when set to false, returns -ECHILD when the label is * invalid. The @opt_dentry parameter should be set to a dentry of the inode; * when no dentry is available, set it to NULL instead. */ diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 72c145dd799f..50fca204d3f1 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1301,7 +1301,7 @@ static int sel_make_bools(void) goto out; isec->sid = sid; - isec->initialized = 1; + isec->initialized = LABEL_INITIALIZED; inode->i_fop = &sel_bool_ops; inode->i_ino = i|SEL_BOOL_INO_OFFSET; d_add(dentry, inode); @@ -1834,7 +1834,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) isec = (struct inode_security_struct *)inode->i_security; isec->sid = SECINITSID_DEVNULL; isec->sclass = SECCLASS_CHR_FILE; - isec->initialized = 1; + isec->initialized = LABEL_INITIALIZED; init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); d_add(dentry, inode); -- cgit v1.2.3-70-g09d2 From db978da8fa1d0819b210c137d31a339149b88875 Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Thu, 10 Nov 2016 22:18:28 +0100 Subject: proc: Pass file mode to proc_pid_make_inode Pass the file mode of the proc inode to be created to proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode before calling security_task_to_inode. This allows selinux to set isec->sclass right away without introducing "half-initialized" inode security structs. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore --- fs/proc/base.c | 23 +++++++++-------------- fs/proc/fd.c | 6 ++---- fs/proc/internal.h | 2 +- fs/proc/namespaces.c | 3 +-- security/selinux/hooks.c | 1 + 5 files changed, 14 insertions(+), 21 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 8e654468ab67..9de05e5854ef 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -1663,7 +1663,8 @@ const struct inode_operations proc_pid_link_inode_operations = { /* building an inode */ -struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *task) +struct inode *proc_pid_make_inode(struct super_block * sb, + struct task_struct *task, umode_t mode) { struct inode * inode; struct proc_inode *ei; @@ -1677,6 +1678,7 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t /* Common stuff */ ei = PROC_I(inode); + inode->i_mode = mode; inode->i_ino = get_next_ino(); inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); inode->i_op = &proc_def_inode_operations; @@ -2003,7 +2005,9 @@ proc_map_files_instantiate(struct inode *dir, struct dentry *dentry, struct proc_inode *ei; struct inode *inode; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK | + ((mode & FMODE_READ ) ? S_IRUSR : 0) | + ((mode & FMODE_WRITE) ? S_IWUSR : 0)); if (!inode) return -ENOENT; @@ -2012,12 +2016,6 @@ proc_map_files_instantiate(struct inode *dir, struct dentry *dentry, inode->i_op = &proc_map_files_link_inode_operations; inode->i_size = 64; - inode->i_mode = S_IFLNK; - - if (mode & FMODE_READ) - inode->i_mode |= S_IRUSR; - if (mode & FMODE_WRITE) - inode->i_mode |= S_IWUSR; d_set_d_op(dentry, &tid_map_files_dentry_operations); d_add(dentry, inode); @@ -2371,12 +2369,11 @@ static int proc_pident_instantiate(struct inode *dir, struct inode *inode; struct proc_inode *ei; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, p->mode); if (!inode) goto out; ei = PROC_I(inode); - inode->i_mode = p->mode; if (S_ISDIR(inode->i_mode)) set_nlink(inode, 2); /* Use getattr to fix if necessary */ if (p->iop) @@ -3058,11 +3055,10 @@ static int proc_pid_instantiate(struct inode *dir, { struct inode *inode; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUGO); if (!inode) goto out; - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; @@ -3351,11 +3347,10 @@ static int proc_task_instantiate(struct inode *dir, struct dentry *dentry, struct task_struct *task, const void *ptr) { struct inode *inode; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUGO); if (!inode) goto out; - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; inode->i_op = &proc_tid_base_inode_operations; inode->i_fop = &proc_tid_base_operations; inode->i_flags|=S_IMMUTABLE; diff --git a/fs/proc/fd.c b/fs/proc/fd.c index d21dafef3102..4274f83bf100 100644 --- a/fs/proc/fd.c +++ b/fs/proc/fd.c @@ -183,14 +183,13 @@ proc_fd_instantiate(struct inode *dir, struct dentry *dentry, struct proc_inode *ei; struct inode *inode; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK); if (!inode) goto out; ei = PROC_I(inode); ei->fd = fd; - inode->i_mode = S_IFLNK; inode->i_op = &proc_pid_link_inode_operations; inode->i_size = 64; @@ -322,14 +321,13 @@ proc_fdinfo_instantiate(struct inode *dir, struct dentry *dentry, struct proc_inode *ei; struct inode *inode; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFREG | S_IRUSR); if (!inode) goto out; ei = PROC_I(inode); ei->fd = fd; - inode->i_mode = S_IFREG | S_IRUSR; inode->i_fop = &proc_fdinfo_file_operations; d_set_d_op(dentry, &tid_fd_dentry_operations); diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 5378441ec1b7..f4494dcbdc8b 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -162,7 +162,7 @@ extern int proc_pid_statm(struct seq_file *, struct pid_namespace *, extern const struct dentry_operations pid_dentry_operations; extern int pid_getattr(struct vfsmount *, struct dentry *, struct kstat *); extern int proc_setattr(struct dentry *, struct iattr *); -extern struct inode *proc_pid_make_inode(struct super_block *, struct task_struct *); +extern struct inode *proc_pid_make_inode(struct super_block *, struct task_struct *, umode_t); extern int pid_revalidate(struct dentry *, unsigned int); extern int pid_delete_dentry(const struct dentry *); extern int proc_pid_readdir(struct file *, struct dir_context *); diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 51b8b0a8ad91..766f0c637ad1 100644 --- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -92,12 +92,11 @@ static int proc_ns_instantiate(struct inode *dir, struct inode *inode; struct proc_inode *ei; - inode = proc_pid_make_inode(dir->i_sb, task); + inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK | S_IRWXUGO); if (!inode) goto out; ei = PROC_I(inode); - inode->i_mode = S_IFLNK|S_IRWXUGO; inode->i_op = &proc_ns_link_inode_operations; ei->ns_ops = ns_ops; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1c0721708ccc..32beac817bf5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3955,6 +3955,7 @@ static void selinux_task_to_inode(struct task_struct *p, struct inode_security_struct *isec = inode->i_security; u32 sid = task_sid(p); + isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = sid; isec->initialized = LABEL_INITIALIZED; } -- cgit v1.2.3-70-g09d2 From 13457d073c29da92001f6ee809075eaa8757fb96 Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Thu, 10 Nov 2016 22:18:29 +0100 Subject: selinux: Clean up initialization of isec->sclass Now that isec->initialized == LABEL_INITIALIZED implies that isec->sclass is valid, skip such inodes immediately in inode_doinit_with_dentry. For the remaining inodes, initialize isec->sclass at the beginning of inode_doinit_with_dentry to simplify the code. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore --- security/selinux/hooks.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 32beac817bf5..2a506861a772 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1390,12 +1390,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent int rc = 0; if (isec->initialized == LABEL_INITIALIZED) - goto out; + return 0; mutex_lock(&isec->lock); if (isec->initialized == LABEL_INITIALIZED) goto out_unlock; + if (isec->sclass == SECCLASS_FILE) + isec->sclass = inode_mode_to_security_class(inode->i_mode); + sbsec = inode->i_sb->s_security; if (!(sbsec->flags & SE_SBINITIALIZED)) { /* Defer initialization until selinux_complete_init, @@ -1513,7 +1516,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent isec->sid = sbsec->sid; /* Try to obtain a transition SID. */ - isec->sclass = inode_mode_to_security_class(inode->i_mode); rc = security_transition_sid(isec->task_sid, sbsec->sid, isec->sclass, NULL, &sid); if (rc) @@ -1549,7 +1551,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent */ if (!dentry) goto out_unlock; - isec->sclass = inode_mode_to_security_class(inode->i_mode); rc = selinux_genfs_get_sid(dentry, isec->sclass, sbsec->flags, &sid); dput(dentry); @@ -1564,9 +1565,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent out_unlock: mutex_unlock(&isec->lock); -out: - if (isec->sclass == SECCLASS_FILE) - isec->sclass = inode_mode_to_security_class(inode->i_mode); return rc; } -- cgit v1.2.3-70-g09d2 From 8c15d66e429afd099b66f05393527c23f85ca41c Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 14 Nov 2016 20:12:55 +0900 Subject: Smack: Use GFP_KERNEL for smack_parse_opts_str(). Since smack_parse_opts_str() is calling match_strdup() which uses GFP_KERNEL, it is safe to use GFP_KERNEL from kcalloc() which is called by smack_parse_opts_str(). Signed-off-by: Tetsuo Handa Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b2c839f735c0..46d8be434466 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -692,12 +692,12 @@ static int smack_parse_opts_str(char *options, } } - opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); + opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL); if (!opts->mnt_opts) goto out_err; opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), - GFP_ATOMIC); + GFP_KERNEL); if (!opts->mnt_opts_flags) { kfree(opts->mnt_opts); goto out_err; -- cgit v1.2.3-70-g09d2 From 152f91d4d11a30106b9cc0b27b47e0e80b633ee8 Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Mon, 14 Nov 2016 09:38:15 -0800 Subject: Smack: Remove unnecessary smack_known_invalid The invalid Smack label ("") and the Huh ("?") Smack label serve the same purpose and having both is unnecessary. While pulling out the invalid label it became clear that the use of smack_from_secid() was inconsistent, so that is repaired. The setting of inode labels to the invalid label could never happen in a functional system, has never been observed in the wild and is not what you'd really want for a failure behavior in any case. That is removed. Signed-off-by: Casey Schaufler --- security/smack/smack.h | 1 - security/smack/smack_access.c | 7 +------ security/smack/smack_lsm.c | 29 +++-------------------------- security/smack/smackfs.c | 3 --- 4 files changed, 4 insertions(+), 36 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 51fd30192c08..77abe2efacae 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -336,7 +336,6 @@ extern int smack_ptrace_rule; extern struct smack_known smack_known_floor; extern struct smack_known smack_known_hat; extern struct smack_known smack_known_huh; -extern struct smack_known smack_known_invalid; extern struct smack_known smack_known_star; extern struct smack_known smack_known_web; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 23e5808a0970..356e3764cad9 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -36,11 +36,6 @@ struct smack_known smack_known_floor = { .smk_secid = 5, }; -struct smack_known smack_known_invalid = { - .smk_known = "", - .smk_secid = 6, -}; - struct smack_known smack_known_web = { .smk_known = "@", .smk_secid = 7, @@ -615,7 +610,7 @@ struct smack_known *smack_from_secid(const u32 secid) * of a secid that is not on the list. */ rcu_read_unlock(); - return &smack_known_invalid; + return &smack_known_huh; } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 46d8be434466..4d90257d03ad 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1384,20 +1384,14 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_inode = skp; - else - isp->smk_inode = &smack_known_invalid; } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_task = skp; - else - isp->smk_task = &smack_known_invalid; } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_mmap = skp; - else - isp->smk_mmap = &smack_known_invalid; } return; @@ -2068,12 +2062,8 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) static int smack_kernel_act_as(struct cred *new, u32 secid) { struct task_smack *new_tsp = new->security; - struct smack_known *skp = smack_from_secid(secid); - - if (skp == NULL) - return -EINVAL; - new_tsp->smk_task = skp; + new_tsp->smk_task = smack_from_secid(secid); return 0; } @@ -3894,21 +3884,11 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, return &smack_known_web; return &smack_known_star; } - if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { + if ((sap->flags & NETLBL_SECATTR_SECID) != 0) /* * Looks like a fallback, which gives us a secid. */ - skp = smack_from_secid(sap->attr.secid); - /* - * This has got to be a bug because it is - * impossible to specify a fallback without - * specifying the label, which will ensure - * it has a secid, and the only way to get a - * secid is from a fallback. - */ - BUG_ON(skp == NULL); - return skp; - } + return smack_from_secid(sap->attr.secid); /* * Without guidance regarding the smack value * for the packet fall back on the network @@ -4771,7 +4751,6 @@ static __init void init_smack_known_list(void) mutex_init(&smack_known_hat.smk_rules_lock); mutex_init(&smack_known_floor.smk_rules_lock); mutex_init(&smack_known_star.smk_rules_lock); - mutex_init(&smack_known_invalid.smk_rules_lock); mutex_init(&smack_known_web.smk_rules_lock); /* * Initialize rule lists @@ -4780,7 +4759,6 @@ static __init void init_smack_known_list(void) INIT_LIST_HEAD(&smack_known_hat.smk_rules); INIT_LIST_HEAD(&smack_known_star.smk_rules); INIT_LIST_HEAD(&smack_known_floor.smk_rules); - INIT_LIST_HEAD(&smack_known_invalid.smk_rules); INIT_LIST_HEAD(&smack_known_web.smk_rules); /* * Create the known labels list @@ -4789,7 +4767,6 @@ static __init void init_smack_known_list(void) smk_insert_entry(&smack_known_hat); smk_insert_entry(&smack_known_star); smk_insert_entry(&smack_known_floor); - smk_insert_entry(&smack_known_invalid); smk_insert_entry(&smack_known_web); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6492fe96cae4..13743a01b35b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2996,9 +2996,6 @@ static int __init init_smk_fs(void) if (err == 0 && rc < 0) err = rc; rc = smk_preset_netlabel(&smack_known_huh); - if (err == 0 && rc < 0) - err = rc; - rc = smk_preset_netlabel(&smack_known_invalid); if (err == 0 && rc < 0) err = rc; rc = smk_preset_netlabel(&smack_known_star); -- cgit v1.2.3-70-g09d2 From ea49d10eee5a220b717dbf2ee429c9e3d59c978c Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 18 Nov 2016 09:30:38 -0500 Subject: selinux: normalize input to /sys/fs/selinux/enforce At present, one can write any signed integer value to /sys/fs/selinux/enforce and it will be stored, e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 > /sys/fs/selinux/enforce. This makes no real difference to the kernel, since it only ever cares if it is zero or non-zero, but some userspace code compares it with 1 to decide if SELinux is enforcing, and this could confuse it. Only a process that is already root and is allowed the setenforce permission in SELinux policy can write to /sys/fs/selinux/enforce, so this is not considered to be a security issue, but it should be fixed. Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/selinuxfs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 50fca204d3f1..cf9293e01fc1 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -163,6 +163,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, if (sscanf(page, "%d", &new_value) != 1) goto out; + new_value = !!new_value; + if (new_value != selinux_enforcing) { length = task_has_security(current, SECURITY__SETENFORCE); if (length) -- cgit v1.2.3-70-g09d2 From 3322d0d64f4e942862a152f6f11137a1f5eac2e9 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 18 Nov 2016 10:23:09 -0500 Subject: selinux: keep SELinux in sync with new capability definitions When a new capability is defined, SELinux needs to be updated. Trigger a build error if a new capability is defined without corresponding update to security/selinux/include/classmap.h's COMMON_CAP2_PERMS. This is similar to BUILD_BUG_ON() guards in the SELinux nlmsgtab code to ensure that SELinux tracks new netlink message types as needed. Note that there is already a similar build guard in security/selinux/hooks.c to detect when more than 64 capabilities are defined, since that will require adding a third capability class to SELinux. A nicer way to do this would be to extend scripts/selinux/genheaders or a similar tool to auto-generate the necessary definitions and code for SELinux capability checking from include/uapi/linux/capability.h. AppArmor does something similar in its Makefile, although it only needs to generate a single table of names. That is left as future work. Signed-off-by: Stephen Smalley [PM: reformat the description to keep checkpatch.pl happy] Signed-off-by: Paul Moore --- security/selinux/include/classmap.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 1f1f4b2f6018..e2d4ad3a4b4c 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -24,6 +24,10 @@ #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ "wake_alarm", "block_suspend", "audit_read" +#if CAP_LAST_CAP > CAP_AUDIT_READ +#error New capability defined, please update COMMON_CAP2_PERMS. +#endif + /* * Note: The name for any socket class should be suffixed by "socket", * and doesn't contain more than one substr of "socket". -- cgit v1.2.3-70-g09d2 From 9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3 Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Tue, 15 Nov 2016 11:06:40 +0100 Subject: selinux: Convert isec->lock into a spinlock Convert isec->lock from a mutex into a spinlock. Instead of holding the lock while sleeping in inode_doinit_with_dentry, set isec->initialized to LABEL_PENDING and release the lock. Then, when the sid has been determined, re-acquire the lock. If isec->initialized is still set to LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime. This fixes a deadlock on gfs2 where * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds isec->lock, and tries to acquire the inode's glock, and * another task is in do_xmote -> inode_go_inval -> selinux_inode_invalidate_secctx, holds the inode's glock, and tries to acquire isec->lock. Signed-off-by: Andreas Gruenbacher [PM: minor tweaks to keep checkpatch.pl happy] Signed-off-by: Paul Moore --- security/selinux/hooks.c | 101 ++++++++++++++++++++++++-------------- security/selinux/include/objsec.h | 5 +- 2 files changed, 66 insertions(+), 40 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2a506861a772..98a2e92b3168 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -231,7 +231,7 @@ static int inode_alloc_security(struct inode *inode) if (!isec) return -ENOMEM; - mutex_init(&isec->lock); + spin_lock_init(&isec->lock); INIT_LIST_HEAD(&isec->list); isec->inode = inode; isec->sid = SECINITSID_UNLABELED; @@ -1382,7 +1382,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent { struct superblock_security_struct *sbsec = NULL; struct inode_security_struct *isec = inode->i_security; - u32 sid; + u32 task_sid, sid = 0; + u16 sclass; struct dentry *dentry; #define INITCONTEXTLEN 255 char *context = NULL; @@ -1392,7 +1393,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent if (isec->initialized == LABEL_INITIALIZED) return 0; - mutex_lock(&isec->lock); + spin_lock(&isec->lock); if (isec->initialized == LABEL_INITIALIZED) goto out_unlock; @@ -1411,12 +1412,18 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent goto out_unlock; } + sclass = isec->sclass; + task_sid = isec->task_sid; + sid = isec->sid; + isec->initialized = LABEL_PENDING; + spin_unlock(&isec->lock); + switch (sbsec->behavior) { case SECURITY_FS_USE_NATIVE: break; case SECURITY_FS_USE_XATTR: if (!(inode->i_opflags & IOP_XATTR)) { - isec->sid = sbsec->def_sid; + sid = sbsec->def_sid; break; } /* Need a dentry, since the xattr API requires one. @@ -1438,7 +1445,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent * inode_doinit with a dentry, before these inodes could * be used again by userspace. */ - goto out_unlock; + goto out; } len = INITCONTEXTLEN; @@ -1446,7 +1453,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent if (!context) { rc = -ENOMEM; dput(dentry); - goto out_unlock; + goto out; } context[len] = '\0'; rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); @@ -1457,14 +1464,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); if (rc < 0) { dput(dentry); - goto out_unlock; + goto out; } len = rc; context = kmalloc(len+1, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); - goto out_unlock; + goto out; } context[len] = '\0'; rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); @@ -1476,7 +1483,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent "%d for dev=%s ino=%ld\n", __func__, -rc, inode->i_sb->s_id, inode->i_ino); kfree(context); - goto out_unlock; + goto out; } /* Map ENODATA to the default file SID */ sid = sbsec->def_sid; @@ -1506,28 +1513,25 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } } kfree(context); - isec->sid = sid; break; case SECURITY_FS_USE_TASK: - isec->sid = isec->task_sid; + sid = task_sid; break; case SECURITY_FS_USE_TRANS: /* Default to the fs SID. */ - isec->sid = sbsec->sid; + sid = sbsec->sid; /* Try to obtain a transition SID. */ - rc = security_transition_sid(isec->task_sid, sbsec->sid, - isec->sclass, NULL, &sid); + rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); if (rc) - goto out_unlock; - isec->sid = sid; + goto out; break; case SECURITY_FS_USE_MNTPOINT: - isec->sid = sbsec->mntpoint_sid; + sid = sbsec->mntpoint_sid; break; default: /* Default to the fs superblock SID. */ - isec->sid = sbsec->sid; + sid = sbsec->sid; if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { /* We must have a dentry to determine the label on @@ -1550,21 +1554,30 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent * could be used again by userspace. */ if (!dentry) - goto out_unlock; - rc = selinux_genfs_get_sid(dentry, isec->sclass, + goto out; + rc = selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid); dput(dentry); if (rc) - goto out_unlock; - isec->sid = sid; + goto out; } break; } - isec->initialized = LABEL_INITIALIZED; +out: + spin_lock(&isec->lock); + if (isec->initialized == LABEL_PENDING) { + if (!sid || rc) { + isec->initialized = LABEL_INVALID; + goto out_unlock; + } + + isec->initialized = LABEL_INITIALIZED; + isec->sid = sid; + } out_unlock: - mutex_unlock(&isec->lock); + spin_unlock(&isec->lock); return rc; } @@ -3195,9 +3208,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, } isec = backing_inode_security(dentry); + spin_lock(&isec->lock); isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; isec->initialized = LABEL_INITIALIZED; + spin_unlock(&isec->lock); return; } @@ -3290,9 +3305,11 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, if (rc) return rc; + spin_lock(&isec->lock); isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; isec->initialized = LABEL_INITIALIZED; + spin_unlock(&isec->lock); return 0; } @@ -3953,9 +3970,11 @@ static void selinux_task_to_inode(struct task_struct *p, struct inode_security_struct *isec = inode->i_security; u32 sid = task_sid(p); + spin_lock(&isec->lock); isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = sid; isec->initialized = LABEL_INITIALIZED; + spin_unlock(&isec->lock); } /* Returns error only if unable to parse addresses */ @@ -4274,24 +4293,24 @@ static int selinux_socket_post_create(struct socket *sock, int family, const struct task_security_struct *tsec = current_security(); struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct *sksec; + u16 sclass = socket_type_to_security_class(family, type, protocol); + u32 sid = SECINITSID_KERNEL; int err = 0; - isec->sclass = socket_type_to_security_class(family, type, protocol); - - if (kern) - isec->sid = SECINITSID_KERNEL; - else { - err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); + if (!kern) { + err = socket_sockcreate_sid(tsec, sclass, &sid); if (err) return err; } + isec->sclass = sclass; + isec->sid = sid; isec->initialized = LABEL_INITIALIZED; if (sock->sk) { sksec = sock->sk->sk_security; - sksec->sid = isec->sid; - sksec->sclass = isec->sclass; + sksec->sclass = sclass; + sksec->sid = sid; err = selinux_netlbl_socket_post_create(sock->sk, family); } @@ -4467,16 +4486,22 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) int err; struct inode_security_struct *isec; struct inode_security_struct *newisec; + u16 sclass; + u32 sid; err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); if (err) return err; - newisec = inode_security_novalidate(SOCK_INODE(newsock)); - isec = inode_security_novalidate(SOCK_INODE(sock)); - newisec->sclass = isec->sclass; - newisec->sid = isec->sid; + spin_lock(&isec->lock); + sclass = isec->sclass; + sid = isec->sid; + spin_unlock(&isec->lock); + + newisec = inode_security_novalidate(SOCK_INODE(newsock)); + newisec->sclass = sclass; + newisec->sid = sid; newisec->initialized = LABEL_INITIALIZED; return 0; @@ -5979,9 +6004,9 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) { struct inode_security_struct *isec = inode->i_security; - mutex_lock(&isec->lock); + spin_lock(&isec->lock); isec->initialized = LABEL_INVALID; - mutex_unlock(&isec->lock); + spin_unlock(&isec->lock); } /* diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index c21e135460a5..e8dab0f02c72 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -39,7 +39,8 @@ struct task_security_struct { enum label_initialized { LABEL_INVALID, /* invalid or not initialized */ - LABEL_INITIALIZED /* initialized */ + LABEL_INITIALIZED, /* initialized */ + LABEL_PENDING }; struct inode_security_struct { @@ -52,7 +53,7 @@ struct inode_security_struct { u32 sid; /* SID of this object */ u16 sclass; /* security class of this object */ unsigned char initialized; /* initialization flag */ - struct mutex lock; + spinlock_t lock; }; struct file_security_struct { -- cgit v1.2.3-70-g09d2 From ba5287b6ef6a2ee91dc6cc0829649cecf7b70253 Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Thu, 15 Sep 2016 10:27:38 +0300 Subject: tpm/tpm_crb: implement tpm crb idle state The register TPM_CRB_CTRL_REQ_x contains bits goIdle and cmdReady for SW to indicate that the device can enter or should exit the idle state. The legacy ACPI-start (SMI + DMA) based devices do not support these bits and the idle state management is not exposed to the host SW. Thus, this functionality only is enabled only for a CRB start (MMIO) based devices. Based on Jarkko Sakkinen original patch: 'tpm_crb: implement power tpm crb power management' To keep the implementation local to the hw we don't use wait_for_tpm_stat for polling the TPM_CRB_CTRL_REQ. [jarkko.sakkinen@linux.intel.com: removed cmdReady debug trace on a success case due the heavy amount of log traffic it causes.] Signed-off-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index a7c870af916c..8dd0f20a839c 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -83,6 +83,72 @@ struct crb_priv { u32 cmd_size; }; +/** + * crb_go_idle - request tpm crb device to go the idle state + * + * @dev: crb device + * @priv: crb private data + * + * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ + * The device should respond within TIMEOUT_C by clearing the bit. + * Anyhow, we do not wait here as a consequent CMD_READY request + * will be handled correctly even if idle was not completed. + * + * The function does nothing for devices with ACPI-start method. + * + * Return: 0 always + */ +static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) +{ + if (priv->flags & CRB_FL_ACPI_START) + return 0; + + iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->cca->req); + /* we don't really care when this settles */ + + return 0; +} + +/** + * crb_cmd_ready - request tpm crb device to enter ready state + * + * @dev: crb device + * @priv: crb private data + * + * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ + * and poll till the device acknowledge it by clearing the bit. + * The device should respond within TIMEOUT_C. + * + * The function does nothing for devices with ACPI-start method + * + * Return: 0 on success -ETIME on timeout; + */ +static int __maybe_unused crb_cmd_ready(struct device *dev, + struct crb_priv *priv) +{ + ktime_t stop, start; + + if (priv->flags & CRB_FL_ACPI_START) + return 0; + + iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->cca->req); + + start = ktime_get(); + stop = ktime_add(start, ms_to_ktime(TPM2_TIMEOUT_C)); + do { + if (!(ioread32(&priv->cca->req) & CRB_CTRL_REQ_CMD_READY)) + return 0; + usleep_range(50, 100); + } while (ktime_before(ktime_get(), stop)); + + if (ioread32(&priv->cca->req) & CRB_CTRL_REQ_CMD_READY) { + dev_warn(dev, "cmdReady timed out\n"); + return -ETIME; + } + + return 0; +} + static SIMPLE_DEV_PM_OPS(crb_pm, tpm_pm_suspend, tpm_pm_resume); static u8 crb_status(struct tpm_chip *chip) -- cgit v1.2.3-70-g09d2 From bc33c5df710c0aae6db396146194108634ef6f60 Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Mon, 12 Sep 2016 16:04:19 +0300 Subject: tmp/tpm_crb: fix Intel PTT hw bug during idle state There is a HW bug in Skylake, and Broxton PCH Intel PTT device, where most of the registers in the control area except START, REQUEST, CANCEL, and LOC_CTRL lost retention when the device is in the idle state. Hence we need to bring the device to ready state before accessing the other registers. The fix brings device to ready state before trying to read command and response buffer addresses in order to remap the for access. Signed-off-by: Tomas Winkler Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 47 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 8dd0f20a839c..ff0d505ecffd 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -315,6 +315,7 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, struct list_head resources; struct resource io_res; struct device *dev = &device->dev; + u32 pa_high, pa_low; u64 cmd_pa; u32 cmd_size; u64 rsp_pa; @@ -342,12 +343,27 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, if (IS_ERR(priv->cca)) return PTR_ERR(priv->cca); - cmd_pa = ((u64) ioread32(&priv->cca->cmd_pa_high) << 32) | - (u64) ioread32(&priv->cca->cmd_pa_low); + /* + * PTT HW bug w/a: wake up the device to access + * possibly not retained registers. + */ + ret = crb_cmd_ready(dev, priv); + if (ret) + return ret; + + pa_high = ioread32(&priv->cca->cmd_pa_high); + pa_low = ioread32(&priv->cca->cmd_pa_low); + cmd_pa = ((u64)pa_high << 32) | pa_low; cmd_size = ioread32(&priv->cca->cmd_size); + + dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", + pa_high, pa_low, cmd_size); + priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size); - if (IS_ERR(priv->cmd)) - return PTR_ERR(priv->cmd); + if (IS_ERR(priv->cmd)) { + ret = PTR_ERR(priv->cmd); + goto out; + } memcpy_fromio(&rsp_pa, &priv->cca->rsp_pa, 8); rsp_pa = le64_to_cpu(rsp_pa); @@ -355,7 +371,8 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, if (cmd_pa != rsp_pa) { priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); - return PTR_ERR_OR_ZERO(priv->rsp); + ret = PTR_ERR_OR_ZERO(priv->rsp); + goto out; } /* According to the PTP specification, overlapping command and response @@ -363,12 +380,18 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, */ if (cmd_size != rsp_size) { dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical"); - return -EINVAL; + ret = -EINVAL; + goto out; } + priv->cmd_size = cmd_size; priv->rsp = priv->cmd; - return 0; + +out: + crb_go_idle(dev, priv); + + return ret; } static int crb_acpi_add(struct acpi_device *device) @@ -412,7 +435,15 @@ static int crb_acpi_add(struct acpi_device *device) if (rc) return rc; - return crb_init(device, priv); + rc = crb_cmd_ready(dev, priv); + if (rc) + return rc; + + rc = crb_init(device, priv); + if (rc) + crb_go_idle(dev, priv); + + return rc; } static int crb_acpi_remove(struct acpi_device *device) -- cgit v1.2.3-70-g09d2 From c58bd34cec4c05f8e3362a79ae94de9f405c39b5 Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Mon, 12 Sep 2016 16:04:20 +0300 Subject: tpm/tpm_crb: open code the crb_init into acpi_add This is preparation step for implementing tpm crb runtime pm. We need to have tpm chip allocated and populated before we access the runtime handlers. Signed-off-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index ff0d505ecffd..f579f1ac4688 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -262,21 +262,6 @@ static const struct tpm_class_ops tpm_crb = { .req_complete_val = CRB_DRV_STS_COMPLETE, }; -static int crb_init(struct acpi_device *device, struct crb_priv *priv) -{ - struct tpm_chip *chip; - - chip = tpmm_chip_alloc(&device->dev, &tpm_crb); - if (IS_ERR(chip)) - return PTR_ERR(chip); - - dev_set_drvdata(&chip->dev, priv); - chip->acpi_dev_handle = device->handle; - chip->flags = TPM_CHIP_FLAG_TPM2; - - return tpm_chip_register(chip); -} - static int crb_check_resource(struct acpi_resource *ares, void *data) { struct resource *io_res = data; @@ -398,6 +383,7 @@ static int crb_acpi_add(struct acpi_device *device) { struct acpi_table_tpm2 *buf; struct crb_priv *priv; + struct tpm_chip *chip; struct device *dev = &device->dev; acpi_status status; u32 sm; @@ -435,11 +421,19 @@ static int crb_acpi_add(struct acpi_device *device) if (rc) return rc; + chip = tpmm_chip_alloc(dev, &tpm_crb); + if (IS_ERR(chip)) + return PTR_ERR(chip); + + dev_set_drvdata(&chip->dev, priv); + chip->acpi_dev_handle = device->handle; + chip->flags = TPM_CHIP_FLAG_TPM2; + rc = crb_cmd_ready(dev, priv); if (rc) return rc; - rc = crb_init(device, priv); + rc = tpm_chip_register(chip); if (rc) crb_go_idle(dev, priv); -- cgit v1.2.3-70-g09d2 From e74f2f76c13770bb8e004475a933923e9c92723d Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Sat, 8 Oct 2016 14:59:39 +0300 Subject: tmp/tpm_crb: implement runtime pm for tpm_crb Utilize runtime_pm for driving tpm crb idle states. The framework calls cmd_ready from the pm_runtime_resume handler and go idle from the pm_runtime_suspend handler. The TPM framework should wake the device before transmit and receive. In case the runtime_pm framework is not compiled in or enabled, the device will be in the permanent ready state. Signed-off-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 5 +++++ drivers/char/tpm/tpm_crb.c | 42 ++++++++++++++++++++++++++++++++++++---- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 3a9149cf0110..cb0e57ee053d 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -29,6 +29,7 @@ #include #include #include +#include #include "tpm.h" #include "tpm_eventlog.h" @@ -356,6 +357,8 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, if (!(flags & TPM_TRANSMIT_UNLOCKED)) mutex_lock(&chip->tpm_mutex); + pm_runtime_get_sync(chip->dev.parent); + rc = chip->ops->send(chip, (u8 *) buf, count); if (rc < 0) { dev_err(&chip->dev, @@ -397,6 +400,8 @@ out_recv: dev_err(&chip->dev, "tpm_transmit: tpm_recv: error %zd\n", rc); out: + pm_runtime_put_sync(chip->dev.parent); + if (!(flags & TPM_TRANSMIT_UNLOCKED)) mutex_unlock(&chip->tpm_mutex); return rc; diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index f579f1ac4688..717b6b47c042 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "tpm.h" #define ACPI_SIG_TPM2 "TPM2" @@ -149,8 +150,6 @@ static int __maybe_unused crb_cmd_ready(struct device *dev, return 0; } -static SIMPLE_DEV_PM_OPS(crb_pm, tpm_pm_suspend, tpm_pm_resume); - static u8 crb_status(struct tpm_chip *chip) { struct crb_priv *priv = dev_get_drvdata(&chip->dev); @@ -433,11 +432,21 @@ static int crb_acpi_add(struct acpi_device *device) if (rc) return rc; + pm_runtime_get_noresume(dev); + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + rc = tpm_chip_register(chip); - if (rc) + if (rc) { crb_go_idle(dev, priv); + pm_runtime_put_noidle(dev); + pm_runtime_disable(dev); + return rc; + } - return rc; + pm_runtime_put(dev); + + return 0; } static int crb_acpi_remove(struct acpi_device *device) @@ -447,9 +456,34 @@ static int crb_acpi_remove(struct acpi_device *device) tpm_chip_unregister(chip); + pm_runtime_disable(dev); + return 0; } +#ifdef CONFIG_PM +static int crb_pm_runtime_suspend(struct device *dev) +{ + struct tpm_chip *chip = dev_get_drvdata(dev); + struct crb_priv *priv = dev_get_drvdata(&chip->dev); + + return crb_go_idle(dev, priv); +} + +static int crb_pm_runtime_resume(struct device *dev) +{ + struct tpm_chip *chip = dev_get_drvdata(dev); + struct crb_priv *priv = dev_get_drvdata(&chip->dev); + + return crb_cmd_ready(dev, priv); +} +#endif /* CONFIG_PM */ + +static const struct dev_pm_ops crb_pm = { + SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume) + SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) +}; + static struct acpi_device_id crb_device_ids[] = { {"MSFT0101", 0}, {"", 0}, -- cgit v1.2.3-70-g09d2 From 2c97f6f20cb193264360067259029892c70ce63f Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Tue, 11 Oct 2016 15:01:01 +0300 Subject: char/tpm: Check return code of wait_for_tpm_stat In some weird cases it might be possible that the TPM does not set STS.VALID within the given timeout time (or ever) but sets STS.EXPECT (STS=0x0C) In this case the driver gets stuck in the while loop of tpm_tis_send_data and loops endlessly. Checking the return value of wait_for_tpm_stat fixes this and the driver bails out correctly. While at it fixing all other users since if the TPM does not manage to set STS.VALID within the reasonable timeframe something is definitely wrong and the driver should react correctly. Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e3bf31b37138..73f4c4bbc4df 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -180,11 +180,13 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev); int size = 0, burstcnt, rc; - while (size < count && - wait_for_tpm_stat(chip, + while (size < count) { + rc = wait_for_tpm_stat(chip, TPM_STS_DATA_AVAIL | TPM_STS_VALID, chip->timeout_c, - &priv->read_queue, true) == 0) { + &priv->read_queue, true); + if (rc < 0) + return rc; burstcnt = min_t(int, get_burstcount(chip), count - size); rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), @@ -229,8 +231,11 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count) goto out; } - wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, - &priv->int_queue, false); + if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, + &priv->int_queue, false) < 0) { + size = -ETIME; + goto out; + } status = tpm_tis_status(chip); if (status & TPM_STS_DATA_AVAIL) { /* retry? */ dev_err(&chip->dev, "Error left over data\n"); @@ -279,8 +284,11 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) count += burstcnt; - wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, - &priv->int_queue, false); + if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, + &priv->int_queue, false) < 0) { + rc = -ETIME; + goto out_err; + } status = tpm_tis_status(chip); if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) { rc = -EIO; @@ -293,8 +301,11 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) if (rc < 0) goto out_err; - wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, - &priv->int_queue, false); + if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c, + &priv->int_queue, false) < 0) { + rc = -ETIME; + goto out_err; + } status = tpm_tis_status(chip); if (!itpm && (status & TPM_STS_DATA_EXPECT) != 0) { rc = -EIO; -- cgit v1.2.3-70-g09d2 From aaa6f7f6c8bf1a056c1bb337578cbb2f0c50c12a Mon Sep 17 00:00:00 2001 From: Ed Swierk Date: Mon, 19 Sep 2016 23:22:08 +0300 Subject: tpm: Clean up reading of timeout and duration capabilities Call tpm_getcap() from tpm_get_timeouts() to eliminate redundant code. Return all errors to the caller rather than swallowing them (e.g. when tpm_transmit_cmd() returns nonzero). Signed-off-by: Ed Swierk Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 65 +++++++++++----------------------------- 1 file changed, 17 insertions(+), 48 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index cb0e57ee053d..acf89e8d838e 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -493,10 +493,9 @@ static int tpm_startup(struct tpm_chip *chip, __be16 startup_type) int tpm_get_timeouts(struct tpm_chip *chip) { - struct tpm_cmd_t tpm_cmd; + cap_t cap; unsigned long new_timeout[4]; unsigned long old_timeout[4]; - struct duration_t *duration_cap; ssize_t rc; if (chip->flags & TPM_CHIP_FLAG_TPM2) { @@ -514,43 +513,25 @@ int tpm_get_timeouts(struct tpm_chip *chip) return 0; } - tpm_cmd.header.in = tpm_getcap_header; - tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; - tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); - tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_TIMEOUT; - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, - NULL); - + rc = tpm_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, + "attempting to determine the timeouts"); if (rc == TPM_ERR_INVALID_POSTINIT) { /* The TPM is not started, we are the first to talk to it. Execute a startup command. */ - dev_info(&chip->dev, "Issuing TPM_STARTUP"); + dev_info(&chip->dev, "Issuing TPM_STARTUP\n"); if (tpm_startup(chip, TPM_ST_CLEAR)) return rc; - tpm_cmd.header.in = tpm_getcap_header; - tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; - tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); - tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_TIMEOUT; - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, - 0, NULL); + rc = tpm_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, + "attempting to determine the timeouts"); } - if (rc) { - dev_err(&chip->dev, - "A TPM error (%zd) occurred attempting to determine the timeouts\n", - rc); - goto duration; - } - - if (be32_to_cpu(tpm_cmd.header.out.return_code) != 0 || - be32_to_cpu(tpm_cmd.header.out.length) - != sizeof(tpm_cmd.header.out) + sizeof(u32) + 4 * sizeof(u32)) - return -EINVAL; + if (rc) + return rc; - old_timeout[0] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.a); - old_timeout[1] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.b); - old_timeout[2] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.c); - old_timeout[3] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.d); + old_timeout[0] = be32_to_cpu(cap.timeout.a); + old_timeout[1] = be32_to_cpu(cap.timeout.b); + old_timeout[2] = be32_to_cpu(cap.timeout.c); + old_timeout[3] = be32_to_cpu(cap.timeout.d); memcpy(new_timeout, old_timeout, sizeof(new_timeout)); /* @@ -588,29 +569,17 @@ int tpm_get_timeouts(struct tpm_chip *chip) chip->timeout_c = usecs_to_jiffies(new_timeout[2]); chip->timeout_d = usecs_to_jiffies(new_timeout[3]); -duration: - tpm_cmd.header.in = tpm_getcap_header; - tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; - tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); - tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_DURATION; - - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, - "attempting to determine the durations"); + rc = tpm_getcap(chip, TPM_CAP_PROP_TIS_DURATION, &cap, + "attempting to determine the durations"); if (rc) return rc; - if (be32_to_cpu(tpm_cmd.header.out.return_code) != 0 || - be32_to_cpu(tpm_cmd.header.out.length) - != sizeof(tpm_cmd.header.out) + sizeof(u32) + 3 * sizeof(u32)) - return -EINVAL; - - duration_cap = &tpm_cmd.params.getcap_out.cap.duration; chip->duration[TPM_SHORT] = - usecs_to_jiffies(be32_to_cpu(duration_cap->tpm_short)); + usecs_to_jiffies(be32_to_cpu(cap.duration.tpm_short)); chip->duration[TPM_MEDIUM] = - usecs_to_jiffies(be32_to_cpu(duration_cap->tpm_medium)); + usecs_to_jiffies(be32_to_cpu(cap.duration.tpm_medium)); chip->duration[TPM_LONG] = - usecs_to_jiffies(be32_to_cpu(duration_cap->tpm_long)); + usecs_to_jiffies(be32_to_cpu(cap.duration.tpm_long)); /* The Broadcom BCM0102 chipset in a Dell Latitude D820 gets the above * value wrong and apparently reports msecs rather than usecs. So we -- cgit v1.2.3-70-g09d2 From 84fda15286d1bcf15e1c5cfb8320c5fab770165f Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Mon, 19 Sep 2016 23:22:09 +0300 Subject: tpm: sanitize constant expressions Use cpu_to_b32 at the time it is needed in enum tpm_capabilities and enum tpm_sub_capabilities in order to be consistent with the other enums in drivats/char/tpm/tpm.h. Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 15 +++++++++------ drivers/char/tpm/tpm-sysfs.c | 4 ++-- drivers/char/tpm/tpm.h | 25 ++++++++++++------------- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index acf89e8d838e..fa9752087181 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -442,26 +442,29 @@ static const struct tpm_input_header tpm_getcap_header = { .ordinal = TPM_ORD_GET_CAP }; -ssize_t tpm_getcap(struct tpm_chip *chip, __be32 subcap_id, cap_t *cap, +ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, const char *desc) { struct tpm_cmd_t tpm_cmd; int rc; tpm_cmd.header.in = tpm_getcap_header; - if (subcap_id == CAP_VERSION_1_1 || subcap_id == CAP_VERSION_1_2) { - tpm_cmd.params.getcap_in.cap = subcap_id; + if (subcap_id == TPM_CAP_VERSION_1_1 || + subcap_id == TPM_CAP_VERSION_1_2) { + tpm_cmd.params.getcap_in.cap = cpu_to_be32(subcap_id); /*subcap field not necessary */ tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(0); tpm_cmd.header.in.length -= cpu_to_be32(sizeof(__be32)); } else { if (subcap_id == TPM_CAP_FLAG_PERM || subcap_id == TPM_CAP_FLAG_VOL) - tpm_cmd.params.getcap_in.cap = TPM_CAP_FLAG; + tpm_cmd.params.getcap_in.cap = + cpu_to_be32(TPM_CAP_FLAG); else - tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; + tpm_cmd.params.getcap_in.cap = + cpu_to_be32(TPM_CAP_PROP); tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); - tpm_cmd.params.getcap_in.subcap = subcap_id; + tpm_cmd.params.getcap_in.subcap = cpu_to_be32(subcap_id); } rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, desc); diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c index a76ab4af9fb2..59a1ead4d141 100644 --- a/drivers/char/tpm/tpm-sysfs.c +++ b/drivers/char/tpm/tpm-sysfs.c @@ -193,7 +193,7 @@ static ssize_t caps_show(struct device *dev, struct device_attribute *attr, be32_to_cpu(cap.manufacturer_id)); /* Try to get a TPM version 1.2 TPM_CAP_VERSION_INFO */ - rc = tpm_getcap(chip, CAP_VERSION_1_2, &cap, + rc = tpm_getcap(chip, TPM_CAP_VERSION_1_2, &cap, "attempting to determine the 1.2 version"); if (!rc) { str += sprintf(str, @@ -204,7 +204,7 @@ static ssize_t caps_show(struct device *dev, struct device_attribute *attr, cap.tpm_version_1_2.revMinor); } else { /* Otherwise just use TPM_STRUCT_VER */ - rc = tpm_getcap(chip, CAP_VERSION_1_1, &cap, + rc = tpm_getcap(chip, TPM_CAP_VERSION_1_1, &cap, "attempting to determine the 1.1 version"); if (rc) return 0; diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 4d183c97f6a6..186493234c52 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -282,21 +282,20 @@ typedef union { } cap_t; enum tpm_capabilities { - TPM_CAP_FLAG = cpu_to_be32(4), - TPM_CAP_PROP = cpu_to_be32(5), - CAP_VERSION_1_1 = cpu_to_be32(0x06), - CAP_VERSION_1_2 = cpu_to_be32(0x1A) + TPM_CAP_FLAG = 4, + TPM_CAP_PROP = 5, + TPM_CAP_VERSION_1_1 = 0x06, + TPM_CAP_VERSION_1_2 = 0x1A, }; enum tpm_sub_capabilities { - TPM_CAP_PROP_PCR = cpu_to_be32(0x101), - TPM_CAP_PROP_MANUFACTURER = cpu_to_be32(0x103), - TPM_CAP_FLAG_PERM = cpu_to_be32(0x108), - TPM_CAP_FLAG_VOL = cpu_to_be32(0x109), - TPM_CAP_PROP_OWNER = cpu_to_be32(0x111), - TPM_CAP_PROP_TIS_TIMEOUT = cpu_to_be32(0x115), - TPM_CAP_PROP_TIS_DURATION = cpu_to_be32(0x120), - + TPM_CAP_PROP_PCR = 0x101, + TPM_CAP_PROP_MANUFACTURER = 0x103, + TPM_CAP_FLAG_PERM = 0x108, + TPM_CAP_FLAG_VOL = 0x109, + TPM_CAP_PROP_OWNER = 0x111, + TPM_CAP_PROP_TIS_TIMEOUT = 0x115, + TPM_CAP_PROP_TIS_DURATION = 0x120, }; struct tpm_getcap_params_in { @@ -484,7 +483,7 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, unsigned int flags); ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd, int len, unsigned int flags, const char *desc); -ssize_t tpm_getcap(struct tpm_chip *chip, __be32 subcap_id, cap_t *cap, +ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, const char *desc); int tpm_get_timeouts(struct tpm_chip *); int tpm1_auto_startup(struct tpm_chip *chip); -- cgit v1.2.3-70-g09d2 From ca6d45802201c2680af040579af7697049149e38 Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Tue, 1 Nov 2016 03:05:13 +0200 Subject: tpm: place kdoc just above tpm_pcr_extend Place kdoc just above tpm_pcr_extend so it can be parsed correctly. Signed-off-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index fa9752087181..ffdae1daa138 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -703,6 +703,14 @@ int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) } EXPORT_SYMBOL_GPL(tpm_pcr_read); +#define TPM_ORD_PCR_EXTEND cpu_to_be32(20) +#define EXTEND_PCR_RESULT_SIZE 34 +static const struct tpm_input_header pcrextend_header = { + .tag = TPM_TAG_RQU_COMMAND, + .length = cpu_to_be32(34), + .ordinal = TPM_ORD_PCR_EXTEND +}; + /** * tpm_pcr_extend - extend pcr value with hash * @chip_num: tpm idx # or AN& @@ -713,14 +721,6 @@ EXPORT_SYMBOL_GPL(tpm_pcr_read); * isn't, protect against the chip disappearing, by incrementing * the module usage count. */ -#define TPM_ORD_PCR_EXTEND cpu_to_be32(20) -#define EXTEND_PCR_RESULT_SIZE 34 -static const struct tpm_input_header pcrextend_header = { - .tag = TPM_TAG_RQU_COMMAND, - .length = cpu_to_be32(34), - .ordinal = TPM_ORD_PCR_EXTEND -}; - int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) { struct tpm_cmd_t cmd; -- cgit v1.2.3-70-g09d2 From 26a137e31ffe6fbfdb008554a8d9b3d55bd5c86e Mon Sep 17 00:00:00 2001 From: Josh Zimmerman Date: Thu, 27 Oct 2016 14:50:09 -0700 Subject: tpm_tis: Check return values from get_burstcount. If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Cc: stable@vger.kernel.org Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access) Signed-off-by: Josh Zimmerman Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index 73f4c4bbc4df..2d1e451fb1b3 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -187,7 +187,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) &priv->read_queue, true); if (rc < 0) return rc; - burstcnt = min_t(int, get_burstcount(chip), count - size); + burstcnt = get_burstcount(chip); + if (burstcnt < 0) { + dev_err(&chip->dev, "Unable to read burstcount\n"); + return burstcnt; + } + burstcnt = min_t(int, burstcnt, count - size); rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + size); @@ -276,7 +281,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) } while (count < len - 1) { - burstcnt = min_t(int, get_burstcount(chip), len - count - 1); + burstcnt = get_burstcount(chip); + if (burstcnt < 0) { + dev_err(&chip->dev, "Unable to read burstcount\n"); + rc = burstcnt; + goto out_err; + } + burstcnt = min_t(int, burstcnt, len - count - 1); rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + count); if (rc < 0) -- cgit v1.2.3-70-g09d2 From d1d253cff74fb866bce69c5052764ed571383ea8 Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Wed, 26 Oct 2016 16:28:44 -0600 Subject: tpm tis: Do not print timeout messages twice The tis driver does a tpm_get_timeouts out side of tpm_chip_register, and tpm_get_timeouts can print a message, resulting in two prints, eg: tpm tpm0: [Hardware Error]: Adjusting reported timeouts: A 10000->750000us B 10000->2000000us C 10000->750000us D 10000->750000us Keep track and prevent tpm_get_timeouts from running a second time, and clarify the purpose of the call in tpm_tis_core to only be connected to irq testing. Signed-off-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 7 +++++++ drivers/char/tpm/tpm.h | 1 + drivers/char/tpm/tpm_tis_core.c | 20 ++++++++++---------- 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index ffdae1daa138..ef0fcdb40cc3 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -501,6 +501,9 @@ int tpm_get_timeouts(struct tpm_chip *chip) unsigned long old_timeout[4]; ssize_t rc; + if (chip->flags & TPM_CHIP_FLAG_HAVE_TIMEOUTS) + return 0; + if (chip->flags & TPM_CHIP_FLAG_TPM2) { /* Fixed timeouts for TPM2 */ chip->timeout_a = msecs_to_jiffies(TPM2_TIMEOUT_A); @@ -513,6 +516,8 @@ int tpm_get_timeouts(struct tpm_chip *chip) msecs_to_jiffies(TPM2_DURATION_MEDIUM); chip->duration[TPM_LONG] = msecs_to_jiffies(TPM2_DURATION_LONG); + + chip->flags |= TPM_CHIP_FLAG_HAVE_TIMEOUTS; return 0; } @@ -596,6 +601,8 @@ int tpm_get_timeouts(struct tpm_chip *chip) chip->duration_adjusted = true; dev_info(&chip->dev, "Adjusting TPM timeout parameters."); } + + chip->flags |= TPM_CHIP_FLAG_HAVE_TIMEOUTS; return 0; } EXPORT_SYMBOL_GPL(tpm_get_timeouts); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 186493234c52..21c3dbe8c89c 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -143,6 +143,7 @@ enum tpm_chip_flags { TPM_CHIP_FLAG_TPM2 = BIT(1), TPM_CHIP_FLAG_IRQ = BIT(2), TPM_CHIP_FLAG_VIRTUAL = BIT(3), + TPM_CHIP_FLAG_HAVE_TIMEOUTS = BIT(4), }; struct tpm_chip { diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index 2d1e451fb1b3..7993678954a2 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -777,20 +777,20 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, if (intfcaps & TPM_INTF_DATA_AVAIL_INT) dev_dbg(dev, "\tData Avail Int Support\n"); - /* Very early on issue a command to the TPM in polling mode to make - * sure it works. May as well use that command to set the proper - * timeouts for the driver. - */ - if (tpm_get_timeouts(chip)) { - dev_err(dev, "Could not get TPM timeouts and durations\n"); - rc = -ENODEV; - goto out_err; - } - /* INTERRUPT Setup */ init_waitqueue_head(&priv->read_queue); init_waitqueue_head(&priv->int_queue); if (irq != -1) { + /* Before doing irq testing issue a command to the TPM in polling mode + * to make sure it works. May as well use that command to set the + * proper timeouts for the driver. + */ + if (tpm_get_timeouts(chip)) { + dev_err(dev, "Could not get TPM timeouts and durations\n"); + rc = -ENODEV; + goto out_err; + } + if (irq) { tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED, irq); -- cgit v1.2.3-70-g09d2 From 1f0f30e404b3d8f4597a2d9b77fba55452f8fd0e Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Wed, 26 Oct 2016 16:28:45 -0600 Subject: tpm xen: Remove bogus tpm_chip_unregister tpm_chip_unregister can only be called after tpm_chip_register. devm manages the allocation so no unwind is needed here. Cc: stable@vger.kernel.org Fixes: afb5abc262e96 ("tpm: two-phase chip management functions") Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/xen-tpmfront.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/char/tpm/xen-tpmfront.c b/drivers/char/tpm/xen-tpmfront.c index 62028f483bba..a2ab00831df1 100644 --- a/drivers/char/tpm/xen-tpmfront.c +++ b/drivers/char/tpm/xen-tpmfront.c @@ -307,7 +307,6 @@ static int tpmfront_probe(struct xenbus_device *dev, rv = setup_ring(dev, priv); if (rv) { chip = dev_get_drvdata(&dev->dev); - tpm_chip_unregister(chip); ring_free(priv); return rv; } -- cgit v1.2.3-70-g09d2 From 1a277e674bc2cf5300c77e1901ae2357726afe07 Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Wed, 26 Oct 2016 16:28:46 -0600 Subject: tpm: Get rid of TPM_CHIP_FLAG_REGISTERED This is no longer necessary, all calls to tpm_chip_unregister happen in remove() callbacks. Signed-off-by: Jason Gunthorpe Reviewed-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 5 ----- drivers/char/tpm/tpm.h | 1 - 2 files changed, 6 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index e5950131bd90..836f056f7d27 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -375,8 +375,6 @@ int tpm_chip_register(struct tpm_chip *chip) return rc; } - chip->flags |= TPM_CHIP_FLAG_REGISTERED; - rc = tpm_add_legacy_sysfs(chip); if (rc) { tpm_chip_unregister(chip); @@ -402,9 +400,6 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { - if (!(chip->flags & TPM_CHIP_FLAG_REGISTERED)) - return; - tpm_del_legacy_sysfs(chip); tpm1_chip_unregister(chip); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 21c3dbe8c89c..f9401ca0454c 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -139,7 +139,6 @@ enum tpm2_startup_types { #define TPM_PPI_VERSION_LEN 3 enum tpm_chip_flags { - TPM_CHIP_FLAG_REGISTERED = BIT(0), TPM_CHIP_FLAG_TPM2 = BIT(1), TPM_CHIP_FLAG_IRQ = BIT(2), TPM_CHIP_FLAG_VIRTUAL = BIT(3), -- cgit v1.2.3-70-g09d2 From 82003e0487fb62ac8e58a2bc2583cbaaa1e50652 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Wed, 26 Oct 2016 05:21:44 -0400 Subject: Documentation: tpm: add the IBM Virtual TPM device tree binding documentation Virtual TPM, which is being used on IBM POWER7+ and POWER8 systems running POWERVM, is currently supported by tpm device driver but lacks the documentation. This patch adds the missing documentation for the existing support. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Acked-by: Rob Herring Signed-off-by: Jarkko Sakkinen --- .../devicetree/bindings/security/tpm/ibmvtpm.txt | 41 ++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt diff --git a/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt b/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt new file mode 100644 index 000000000000..d89f99971368 --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt @@ -0,0 +1,41 @@ +* Device Tree Bindings for IBM Virtual Trusted Platform Module(vtpm) + +Required properties: + +- compatible : property name that conveys the platform architecture + identifiers, as 'IBM,vtpm' +- device_type : specifies type of virtual device +- interrupts : property specifying the interrupt source number and + sense code associated with this virtual I/O Adapters +- ibm,my-drc-index : integer index for the connector between the device + and its parent - present only if Dynamic + Reconfiguration(DR) Connector is enabled +- ibm,#dma-address-cells: specifies the number of cells that are used to + encode the physical address field of dma-window + properties +- ibm,#dma-size-cells : specifies the number of cells that are used to + encode the size field of dma-window properties +- ibm,my-dma-window : specifies DMA window associated with this virtual + IOA +- ibm,loc-code : specifies the unique and persistent location code + associated with this virtual I/O Adapters +- linux,sml-base : 64-bit base address of the reserved memory allocated + for the firmware event log +- linux,sml-size : size of the memory allocated for the firmware event log + +Example (IBM Virtual Trusted Platform Module) +--------------------------------------------- + + vtpm@30000003 { + ibm,#dma-size-cells = <0x2>; + compatible = "IBM,vtpm"; + device_type = "IBM,vtpm"; + ibm,my-drc-index = <0x30000003>; + ibm,#dma-address-cells = <0x2>; + linux,sml-base = <0xc60e 0x0>; + interrupts = <0xa0003 0x0>; + ibm,my-dma-window = <0x10000003 0x0 0x0 0x0 0x10000000>; + ibm,loc-code = "U8286.41A.10082DV-V3-C3"; + reg = <0x30000003>; + linux,sml-size = <0xbce10200>; + }; -- cgit v1.2.3-70-g09d2 From f45aac38c8b754bd4aa74b5ec4fedc0ff39e2cb3 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Wed, 26 Oct 2016 05:21:45 -0400 Subject: Documentation: tpm: add the Physical TPM device tree binding documentation Newly added support of TPM 2.0 eventlog securityfs pseudo files in tpm device driver consumes device tree bindings representing I2C based Physical TPM. This patch adds the documentation for corresponding device tree bindings of I2C based Physical TPM. These bindings are similar to vtpm device tree bindings being used on IBM Power7+ and Power8 Systems running PowerVM. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Acked-by: Rob Herring Signed-off-by: Jarkko Sakkinen --- .../devicetree/bindings/security/tpm/tpm-i2c.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt diff --git a/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt b/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt new file mode 100644 index 000000000000..8cb638b7e89c --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt @@ -0,0 +1,21 @@ +* Device Tree Bindings for I2C based Trusted Platform Module(TPM) + +Required properties: + +- compatible : 'manufacturer,model', eg. nuvoton,npct650 +- label : human readable string describing the device, eg. "tpm" +- linux,sml-base : 64-bit base address of the reserved memory allocated for + the firmware event log +- linux,sml-size : size of the memory allocated for the firmware event log + +Example (for OpenPower Systems with Nuvoton TPM 2.0 on I2C) +---------------------------------------------------------- + +tpm@57 { + reg = <0x57>; + label = "tpm"; + compatible = "nuvoton,npct650", "nuvoton,npct601"; + linux,sml-base = <0x7f 0xfd450000>; + linux,sml-size = <0x10000>; + status = "okay"; +}; -- cgit v1.2.3-70-g09d2 From 2528a64664f8a463d85b6e6876b4025042687553 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Tue, 18 Oct 2016 20:49:39 -0400 Subject: tpm: define a generic open() method for ascii & bios measurements open() method for event log ascii and binary bios measurements file operations are very similar. This patch refactors the code into a single open() call by passing seq_operations as i_node->private data. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Reviewed-by: Jason Gunthorpe Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_eventlog.c | 63 ++++++++++------------------------------- 1 file changed, 15 insertions(+), 48 deletions(-) diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index e7228863290e..42b49c4dff01 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -7,6 +7,7 @@ * Stefan Berger * Reiner Sailer * Kylene Hall + * Nayna Jain * * Maintained by: * @@ -304,26 +305,28 @@ static int tpm_ascii_bios_measurements_show(struct seq_file *m, void *v) return 0; } -static const struct seq_operations tpm_ascii_b_measurments_seqops = { +static const struct seq_operations tpm_ascii_b_measurements_seqops = { .start = tpm_bios_measurements_start, .next = tpm_bios_measurements_next, .stop = tpm_bios_measurements_stop, .show = tpm_ascii_bios_measurements_show, }; -static const struct seq_operations tpm_binary_b_measurments_seqops = { +static const struct seq_operations tpm_binary_b_measurements_seqops = { .start = tpm_bios_measurements_start, .next = tpm_bios_measurements_next, .stop = tpm_bios_measurements_stop, .show = tpm_binary_bios_measurements_show, }; -static int tpm_ascii_bios_measurements_open(struct inode *inode, +static int tpm_bios_measurements_open(struct inode *inode, struct file *file) { int err; struct tpm_bios_log *log; struct seq_file *seq; + const struct seq_operations *seqops = + (const struct seq_operations *)inode->i_private; log = kzalloc(sizeof(struct tpm_bios_log), GFP_KERNEL); if (!log) @@ -333,7 +336,7 @@ static int tpm_ascii_bios_measurements_open(struct inode *inode, goto out_free; /* now register seq file */ - err = seq_open(file, &tpm_ascii_b_measurments_seqops); + err = seq_open(file, seqops); if (!err) { seq = file->private_data; seq->private = log; @@ -349,46 +352,8 @@ out_free: goto out; } -static const struct file_operations tpm_ascii_bios_measurements_ops = { - .open = tpm_ascii_bios_measurements_open, - .read = seq_read, - .llseek = seq_lseek, - .release = tpm_bios_measurements_release, -}; - -static int tpm_binary_bios_measurements_open(struct inode *inode, - struct file *file) -{ - int err; - struct tpm_bios_log *log; - struct seq_file *seq; - - log = kzalloc(sizeof(struct tpm_bios_log), GFP_KERNEL); - if (!log) - return -ENOMEM; - - if ((err = read_log(log))) - goto out_free; - - /* now register seq file */ - err = seq_open(file, &tpm_binary_b_measurments_seqops); - if (!err) { - seq = file->private_data; - seq->private = log; - } else { - goto out_free; - } - -out: - return err; -out_free: - kfree(log->bios_event_log); - kfree(log); - goto out; -} - -static const struct file_operations tpm_binary_bios_measurements_ops = { - .open = tpm_binary_bios_measurements_open, +static const struct file_operations tpm_bios_measurements_ops = { + .open = tpm_bios_measurements_open, .read = seq_read, .llseek = seq_lseek, .release = tpm_bios_measurements_release, @@ -413,15 +378,17 @@ struct dentry **tpm_bios_log_setup(const char *name) bin_file = securityfs_create_file("binary_bios_measurements", - S_IRUSR | S_IRGRP, tpm_dir, NULL, - &tpm_binary_bios_measurements_ops); + S_IRUSR | S_IRGRP, tpm_dir, + (void *)&tpm_binary_b_measurements_seqops, + &tpm_bios_measurements_ops); if (is_bad(bin_file)) goto out_tpm; ascii_file = securityfs_create_file("ascii_bios_measurements", - S_IRUSR | S_IRGRP, tpm_dir, NULL, - &tpm_ascii_bios_measurements_ops); + S_IRUSR | S_IRGRP, tpm_dir, + (void *)&tpm_ascii_b_measurements_seqops, + &tpm_bios_measurements_ops); if (is_bad(ascii_file)) goto out_bin; -- cgit v1.2.3-70-g09d2 From 6804f6bba09997393904a112f2043963a8e08abf Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 7 Nov 2016 07:14:33 -0500 Subject: tpm: Only call pm_runtime_get_sync if device has a parent Only call pm_runtime_get_sync if the device has a parent. This change fixes a crash in the tpm_vtpm_proxy driver since that driver does not have a parent device. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index ef0fcdb40cc3..a2688ac2b48f 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -357,7 +357,8 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, if (!(flags & TPM_TRANSMIT_UNLOCKED)) mutex_lock(&chip->tpm_mutex); - pm_runtime_get_sync(chip->dev.parent); + if (chip->dev.parent) + pm_runtime_get_sync(chip->dev.parent); rc = chip->ops->send(chip, (u8 *) buf, count); if (rc < 0) { @@ -400,7 +401,8 @@ out_recv: dev_err(&chip->dev, "tpm_transmit: tpm_recv: error %zd\n", rc); out: - pm_runtime_put_sync(chip->dev.parent); + if (chip->dev.parent) + pm_runtime_put_sync(chip->dev.parent); if (!(flags & TPM_TRANSMIT_UNLOCKED)) mutex_unlock(&chip->tpm_mutex); -- cgit v1.2.3-70-g09d2 From 7ea7861c8c2462af932410c54542cb279683eaf8 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Thu, 3 Nov 2016 17:57:50 -0600 Subject: tpm, tpm_vtpm_proxy: add kdoc comments for VTPM_PROXY_IOC_NEW_DEV Added kdoc comments for VTPM_PROXY_IOC_NEW_DEV so that these can be imported to the kernel documentation written with rst markup and generated with Sphinx. Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm_vtpm_proxy.c | 72 +++++++++++++++++++++++++-------------- include/uapi/linux/vtpm_proxy.h | 23 ++++++++++--- 2 files changed, 65 insertions(+), 30 deletions(-) diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c index 9a940332c157..3d6f6ca81def 100644 --- a/drivers/char/tpm/tpm_vtpm_proxy.c +++ b/drivers/char/tpm/tpm_vtpm_proxy.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2015, 2016 IBM Corporation + * Copyright (C) 2016 Intel Corporation * * Author: Stefan Berger * @@ -524,6 +525,50 @@ static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev) * Code related to the control device /dev/vtpmx */ +/** + * vtpmx_ioc_new_dev - handler for the %VTPM_PROXY_IOC_NEW_DEV ioctl + * @file: /dev/vtpmx + * @ioctl: the ioctl number + * @arg: pointer to the struct vtpmx_proxy_new_dev + * + * Creates an anonymous file that is used by the process acting as a TPM to + * communicate with the client processes. The function will also add a new TPM + * device through which data is proxied to this TPM acting process. The caller + * will be provided with a file descriptor to communicate with the clients and + * major and minor numbers for the TPM device. + */ +static long vtpmx_ioc_new_dev(struct file *file, unsigned int ioctl, + unsigned long arg) +{ + void __user *argp = (void __user *)arg; + struct vtpm_proxy_new_dev __user *vtpm_new_dev_p; + struct vtpm_proxy_new_dev vtpm_new_dev; + struct file *vtpm_file; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + vtpm_new_dev_p = argp; + + if (copy_from_user(&vtpm_new_dev, vtpm_new_dev_p, + sizeof(vtpm_new_dev))) + return -EFAULT; + + vtpm_file = vtpm_proxy_create_device(&vtpm_new_dev); + if (IS_ERR(vtpm_file)) + return PTR_ERR(vtpm_file); + + if (copy_to_user(vtpm_new_dev_p, &vtpm_new_dev, + sizeof(vtpm_new_dev))) { + put_unused_fd(vtpm_new_dev.fd); + fput(vtpm_file); + return -EFAULT; + } + + fd_install(vtpm_new_dev.fd, vtpm_file); + return 0; +} + /* * vtpmx_fops_ioctl: ioctl on /dev/vtpmx * @@ -531,34 +576,11 @@ static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev) * Returns 0 on success, a negative error code otherwise. */ static long vtpmx_fops_ioctl(struct file *f, unsigned int ioctl, - unsigned long arg) + unsigned long arg) { - void __user *argp = (void __user *)arg; - struct vtpm_proxy_new_dev __user *vtpm_new_dev_p; - struct vtpm_proxy_new_dev vtpm_new_dev; - struct file *file; - switch (ioctl) { case VTPM_PROXY_IOC_NEW_DEV: - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - vtpm_new_dev_p = argp; - if (copy_from_user(&vtpm_new_dev, vtpm_new_dev_p, - sizeof(vtpm_new_dev))) - return -EFAULT; - file = vtpm_proxy_create_device(&vtpm_new_dev); - if (IS_ERR(file)) - return PTR_ERR(file); - if (copy_to_user(vtpm_new_dev_p, &vtpm_new_dev, - sizeof(vtpm_new_dev))) { - put_unused_fd(vtpm_new_dev.fd); - fput(file); - return -EFAULT; - } - - fd_install(vtpm_new_dev.fd, file); - return 0; - + return vtpmx_ioc_new_dev(f, ioctl, arg); default: return -ENOIOCTLCMD; } diff --git a/include/uapi/linux/vtpm_proxy.h b/include/uapi/linux/vtpm_proxy.h index 41e8e2252a30..a69e991eb080 100644 --- a/include/uapi/linux/vtpm_proxy.h +++ b/include/uapi/linux/vtpm_proxy.h @@ -1,6 +1,7 @@ /* * Definitions for the VTPM proxy driver * Copyright (c) 2015, 2016, IBM Corporation + * Copyright (C) 2016 Intel Corporation * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -18,8 +19,23 @@ #include #include -/* ioctls */ +/** + * enum vtpm_proxy_flags - flags for the proxy TPM + * @VTPM_PROXY_FLAG_TPM2: the proxy TPM uses TPM 2.0 protocol + */ +enum vtpm_proxy_flags { + VTPM_PROXY_FLAG_TPM2 = 1, +}; +/** + * struct vtpm_proxy_new_dev - parameter structure for the + * %VTPM_PROXY_IOC_NEW_DEV ioctl + * @flags: flags for the proxy TPM + * @tpm_num: index of the TPM device + * @fd: the file descriptor used by the proxy TPM + * @major: the major number of the TPM device + * @minor: the minor number of the TPM device + */ struct vtpm_proxy_new_dev { __u32 flags; /* input */ __u32 tpm_num; /* output */ @@ -28,9 +44,6 @@ struct vtpm_proxy_new_dev { __u32 minor; /* output */ }; -/* above flags */ -#define VTPM_PROXY_FLAG_TPM2 1 /* emulator is TPM 2 */ - -#define VTPM_PROXY_IOC_NEW_DEV _IOWR(0xa1, 0x00, struct vtpm_proxy_new_dev) +#define VTPM_PROXY_IOC_NEW_DEV _IOWR(0xa1, 0x00, struct vtpm_proxy_new_dev) #endif /* _UAPI_LINUX_VTPM_PROXY_H */ -- cgit v1.2.3-70-g09d2 From 420d439849cabaa0587c424b09b9507108a4e058 Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Mon, 7 Nov 2016 15:44:31 -0700 Subject: tpm_tis: Allow tpm_tis to be bound using DT This provides an open firwmare driver binding for tpm_tis. OF is useful on arches where ACPI/PNP is not used. The tcg,tpm-tis-mmio register map interface is specified by the TCG. Reviewed-by: Rob Herring Signed-off-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- .../bindings/security/tpm/tpm_tis_mmio.txt | 25 ++++++++++++++++++++++ drivers/char/tpm/Kconfig | 2 +- drivers/char/tpm/tpm_tis.c | 11 ++++++++++ 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt diff --git a/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt b/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt new file mode 100644 index 000000000000..41d740545189 --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt @@ -0,0 +1,25 @@ +Trusted Computing Group MMIO Trusted Platform Module + +The TCG defines multi vendor standard for accessing a TPM chip, this +is the standard protocol defined to access the TPM via MMIO. Typically +this interface will be implemented over Intel's LPC bus. + +Refer to the 'TCG PC Client Specific TPM Interface Specification (TIS)' TCG +publication for the specification. + +Required properties: + +- compatible: should contain a string below for the chip, followed by + "tcg,tpm-tis-mmio". Valid chip strings are: + * "atmel,at97sc3204" +- reg: The location of the MMIO registers, should be at least 0x5000 bytes +- interrupt-parent/interrupts: An optional interrupt indicating command completion. + +Example: + + tpm_tis@90000 { + compatible = "atmel,at97sc3204", "tcg,tpm-tis-mmio"; + reg = <0x90000 0x5000>; + interrupt-parent = <&EIC0>; + interrupts = <1 2>; + }; diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 9faa0b1e7766..277186d3b668 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -32,7 +32,7 @@ config TCG_TIS_CORE config TCG_TIS tristate "TPM Interface Specification 1.2 Interface / TPM 2.0 FIFO Interface" - depends on X86 + depends on X86 || OF select TCG_TIS_CORE ---help--- If you have a TPM security chip that is compliant with the diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index eaf5730d79eb..0127af130cb1 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -28,6 +28,8 @@ #include #include #include +#include +#include #include "tpm.h" #include "tpm_tis_core.h" @@ -354,12 +356,21 @@ static int tpm_tis_plat_remove(struct platform_device *pdev) return 0; } +#ifdef CONFIG_OF +static const struct of_device_id tis_of_platform_match[] = { + {.compatible = "tcg,tpm-tis-mmio"}, + {}, +}; +MODULE_DEVICE_TABLE(of, tis_of_platform_match); +#endif + static struct platform_driver tis_drv = { .probe = tpm_tis_plat_probe, .remove = tpm_tis_plat_remove, .driver = { .name = "tpm_tis", .pm = &tpm_tis_pm, + .of_match_table = of_match_ptr(tis_of_platform_match), }, }; -- cgit v1.2.3-70-g09d2 From cbef69a9e190aeaae65e8ba52ebff1f4884ca0dc Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Sun, 6 Nov 2016 11:02:45 +0200 Subject: char: tpm: fix kerneldoc tpm2_unseal_trusted name typo Signed-off-by: Baruch Siach Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 7df55d58c939..da5b782a9731 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -680,7 +680,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, } /** - * tpm_unseal_trusted() - unseal the payload of a trusted key + * tpm2_unseal_trusted() - unseal the payload of a trusted key * @chip_num: TPM chip to use * @payload: the key data in clear and encrypted form * @options: authentication values and other options -- cgit v1.2.3-70-g09d2 From b1a9b7b602c5320ab3827a3f6a6a5211826308c4 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:49 -0500 Subject: tpm: replace symbolic permission with octal for securityfs files checkpatch.pl flags warning for symbolic permissions and suggests to replace with octal value. This patch changes securityfs pseudo files permission to octal values in tpm_bios_log_setup(). Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_eventlog.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 42b49c4dff01..9467e316324a 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -378,7 +378,7 @@ struct dentry **tpm_bios_log_setup(const char *name) bin_file = securityfs_create_file("binary_bios_measurements", - S_IRUSR | S_IRGRP, tpm_dir, + 0440, tpm_dir, (void *)&tpm_binary_b_measurements_seqops, &tpm_bios_measurements_ops); if (is_bad(bin_file)) @@ -386,7 +386,7 @@ struct dentry **tpm_bios_log_setup(const char *name) ascii_file = securityfs_create_file("ascii_bios_measurements", - S_IRUSR | S_IRGRP, tpm_dir, + 0440, tpm_dir, (void *)&tpm_ascii_b_measurements_seqops, &tpm_bios_measurements_ops); if (is_bad(ascii_file)) -- cgit v1.2.3-70-g09d2 From cd9b7631a888f6615dac148c10d72a253b98c64b Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Mon, 14 Nov 2016 05:00:50 -0500 Subject: tpm: replace dynamically allocated bios_dir with a static array This commit is based on a commit by Nayna Jain. Replaced dynamically allocated bios_dir with a static array as the size is always constant. Suggested-by: Jason Gunthorpe Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 9 ++--- drivers/char/tpm/tpm.h | 3 +- drivers/char/tpm/tpm_eventlog.c | 75 +++++++++++++++++------------------------ drivers/char/tpm/tpm_eventlog.h | 10 +++--- 4 files changed, 43 insertions(+), 54 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 836f056f7d27..d0c187269ef4 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -278,14 +278,16 @@ static void tpm_del_char_device(struct tpm_chip *chip) static int tpm1_chip_register(struct tpm_chip *chip) { + int rc; + if (chip->flags & TPM_CHIP_FLAG_TPM2) return 0; tpm_sysfs_add_device(chip); - chip->bios_dir = tpm_bios_log_setup(dev_name(&chip->dev)); + rc = tpm_bios_log_setup(chip); - return 0; + return rc; } static void tpm1_chip_unregister(struct tpm_chip *chip) @@ -293,8 +295,7 @@ static void tpm1_chip_unregister(struct tpm_chip *chip) if (chip->flags & TPM_CHIP_FLAG_TPM2) return; - if (chip->bios_dir) - tpm_bios_log_teardown(chip->bios_dir); + tpm_bios_log_teardown(chip); } static void tpm_del_legacy_sysfs(struct tpm_chip *chip) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index f9401ca0454c..9d69580a9743 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -40,6 +40,7 @@ enum tpm_const { TPM_BUFSIZE = 4096, TPM_NUM_DEVICES = 65536, TPM_RETRY = 50, /* 5 seconds */ + TPM_NUM_EVENT_LOG_FILES = 3, }; enum tpm_timeout { @@ -171,7 +172,7 @@ struct tpm_chip { unsigned long duration[3]; /* jiffies */ bool duration_adjusted; - struct dentry **bios_dir; + struct dentry *bios_dir[TPM_NUM_EVENT_LOG_FILES]; const struct attribute_group *groups[3]; unsigned int groups_cnt; diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 9467e316324a..9c6447642144 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -359,63 +359,50 @@ static const struct file_operations tpm_bios_measurements_ops = { .release = tpm_bios_measurements_release, }; -static int is_bad(void *p) +int tpm_bios_log_setup(struct tpm_chip *chip) { - if (!p) - return 1; - if (IS_ERR(p) && (PTR_ERR(p) != -ENODEV)) - return 1; - return 0; -} - -struct dentry **tpm_bios_log_setup(const char *name) -{ - struct dentry **ret = NULL, *tpm_dir, *bin_file, *ascii_file; - - tpm_dir = securityfs_create_dir(name, NULL); - if (is_bad(tpm_dir)) - goto out; - - bin_file = + const char *name = dev_name(&chip->dev); + unsigned int cnt; + + cnt = 0; + chip->bios_dir[cnt] = securityfs_create_dir(name, NULL); + /* NOTE: securityfs_create_dir can return ENODEV if securityfs is + * compiled out. The caller should ignore the ENODEV return code. + */ + if (IS_ERR(chip->bios_dir[cnt])) + goto err; + cnt++; + + chip->bios_dir[cnt] = securityfs_create_file("binary_bios_measurements", - 0440, tpm_dir, + 0440, chip->bios_dir[0], (void *)&tpm_binary_b_measurements_seqops, &tpm_bios_measurements_ops); - if (is_bad(bin_file)) - goto out_tpm; + if (IS_ERR(chip->bios_dir[cnt])) + goto err; + cnt++; - ascii_file = + chip->bios_dir[cnt] = securityfs_create_file("ascii_bios_measurements", - 0440, tpm_dir, + 0440, chip->bios_dir[0], (void *)&tpm_ascii_b_measurements_seqops, &tpm_bios_measurements_ops); - if (is_bad(ascii_file)) - goto out_bin; - - ret = kmalloc(3 * sizeof(struct dentry *), GFP_KERNEL); - if (!ret) - goto out_ascii; - - ret[0] = ascii_file; - ret[1] = bin_file; - ret[2] = tpm_dir; + if (IS_ERR(chip->bios_dir[cnt])) + goto err; + cnt++; - return ret; + return 0; -out_ascii: - securityfs_remove(ascii_file); -out_bin: - securityfs_remove(bin_file); -out_tpm: - securityfs_remove(tpm_dir); -out: - return NULL; +err: + chip->bios_dir[cnt] = NULL; + tpm_bios_log_teardown(chip); + return -EIO; } -void tpm_bios_log_teardown(struct dentry **lst) +void tpm_bios_log_teardown(struct tpm_chip *chip) { int i; - for (i = 0; i < 3; i++) - securityfs_remove(lst[i]); + for (i = (TPM_NUM_EVENT_LOG_FILES - 1); i >= 0; i--) + securityfs_remove(chip->bios_dir[i]); } diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h index 8de62b09be51..fd3357e3a322 100644 --- a/drivers/char/tpm/tpm_eventlog.h +++ b/drivers/char/tpm/tpm_eventlog.h @@ -77,14 +77,14 @@ int read_log(struct tpm_bios_log *log); #if defined(CONFIG_TCG_IBMVTPM) || defined(CONFIG_TCG_IBMVTPM_MODULE) || \ defined(CONFIG_ACPI) -extern struct dentry **tpm_bios_log_setup(const char *); -extern void tpm_bios_log_teardown(struct dentry **); +extern int tpm_bios_log_setup(struct tpm_chip *chip); +extern void tpm_bios_log_teardown(struct tpm_chip *chip); #else -static inline struct dentry **tpm_bios_log_setup(const char *name) +static inline int tpm_bios_log_setup(struct tpm_chip *chip) { - return NULL; + return 0; } -static inline void tpm_bios_log_teardown(struct dentry **dir) +static inline void tpm_bios_log_teardown(struct tpm_chip *chip) { } #endif -- cgit v1.2.3-70-g09d2 From 7518a21a9da39dc605ae08714ad046bfeca26f9b Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Mon, 14 Nov 2016 05:00:51 -0500 Subject: tpm: drop tpm1_chip_register(/unregister) Check for TPM2 chip in tpm_sysfs_add_device, tpm_bios_log_setup and tpm_bios_log_teardown in order to make code flow cleaner and to enable to implement TPM 2.0 support later on. This is partially derived from the commit by Nayna Jain with the extension that also tpm1_chip_register is dropped. Signed-off-by: Jarkko Sakkinen Reviewed-by: Jason Gunthorpe Reviewed-by: Nayna Jain Tested-by: Jason Gunthorpe Tested-by: Nayna Jain --- drivers/char/tpm/tpm-chip.c | 31 +++++-------------------------- drivers/char/tpm/tpm-sysfs.c | 3 +++ drivers/char/tpm/tpm_eventlog.c | 3 +++ 3 files changed, 11 insertions(+), 26 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index d0c187269ef4..250a651ebd95 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -276,28 +276,6 @@ static void tpm_del_char_device(struct tpm_chip *chip) up_write(&chip->ops_sem); } -static int tpm1_chip_register(struct tpm_chip *chip) -{ - int rc; - - if (chip->flags & TPM_CHIP_FLAG_TPM2) - return 0; - - tpm_sysfs_add_device(chip); - - rc = tpm_bios_log_setup(chip); - - return rc; -} - -static void tpm1_chip_unregister(struct tpm_chip *chip) -{ - if (chip->flags & TPM_CHIP_FLAG_TPM2) - return; - - tpm_bios_log_teardown(chip); -} - static void tpm_del_legacy_sysfs(struct tpm_chip *chip) { struct attribute **i; @@ -364,7 +342,9 @@ int tpm_chip_register(struct tpm_chip *chip) return rc; } - rc = tpm1_chip_register(chip); + tpm_sysfs_add_device(chip); + + rc = tpm_bios_log_setup(chip); if (rc) return rc; @@ -372,7 +352,7 @@ int tpm_chip_register(struct tpm_chip *chip) rc = tpm_add_char_device(chip); if (rc) { - tpm1_chip_unregister(chip); + tpm_bios_log_teardown(chip); return rc; } @@ -402,8 +382,7 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); void tpm_chip_unregister(struct tpm_chip *chip) { tpm_del_legacy_sysfs(chip); - - tpm1_chip_unregister(chip); + tpm_bios_log_teardown(chip); tpm_del_char_device(chip); } EXPORT_SYMBOL_GPL(tpm_chip_unregister); diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c index 59a1ead4d141..848ad6580b46 100644 --- a/drivers/char/tpm/tpm-sysfs.c +++ b/drivers/char/tpm/tpm-sysfs.c @@ -284,6 +284,9 @@ static const struct attribute_group tpm_dev_group = { void tpm_sysfs_add_device(struct tpm_chip *chip) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) + return; + /* The sysfs routines rely on an implicit tpm_try_get_ops, device_del * is called before ops is null'd and the sysfs core synchronizes this * removal so that no callbacks are running or can run again diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 9c6447642144..0afb0f4e81f0 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -364,6 +364,9 @@ int tpm_bios_log_setup(struct tpm_chip *chip) const char *name = dev_name(&chip->dev); unsigned int cnt; + if (chip->flags & TPM_CHIP_FLAG_TPM2) + return 0; + cnt = 0; chip->bios_dir[cnt] = securityfs_create_dir(name, NULL); /* NOTE: securityfs_create_dir can return ENODEV if securityfs is -- cgit v1.2.3-70-g09d2 From 748935eeb72c34368ab514a2bfdf75161768cec0 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:52 -0500 Subject: tpm: have event log use the tpm_chip Move the backing memory for the event log into tpm_chip and push the tpm_chip into read_log. This optimizes read_log processing by only doing it once and prepares things for the next patches in the series which require the tpm_chip to locate the event log via ACPI and OF handles instead of searching. This is straightfoward except for the issue of passing a kref through i_private with securityfs. Since securityfs_remove does not have any removal fencing like sysfs we use the inode lock to safely get a kref on the tpm_chip. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 3 +- drivers/char/tpm/tpm.h | 11 ++++++ drivers/char/tpm/tpm_acpi.c | 15 +++++-- drivers/char/tpm/tpm_eventlog.c | 86 +++++++++++++++++++++++++++-------------- drivers/char/tpm/tpm_eventlog.h | 2 +- drivers/char/tpm/tpm_of.c | 4 +- 6 files changed, 84 insertions(+), 37 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 250a651ebd95..3f27753d96aa 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -127,6 +127,7 @@ static void tpm_dev_release(struct device *dev) idr_remove(&dev_nums_idr, chip->dev_num); mutex_unlock(&idr_lock); + kfree(chip->log.bios_event_log); kfree(chip); } @@ -345,7 +346,7 @@ int tpm_chip_register(struct tpm_chip *chip) tpm_sysfs_add_device(chip); rc = tpm_bios_log_setup(chip); - if (rc) + if (rc == -ENODEV) return rc; tpm_add_ppi(chip); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 9d69580a9743..1ae976894257 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -35,6 +35,8 @@ #include #include +#include "tpm_eventlog.h" + enum tpm_const { TPM_MINOR = 224, /* officially assigned */ TPM_BUFSIZE = 4096, @@ -146,6 +148,11 @@ enum tpm_chip_flags { TPM_CHIP_FLAG_HAVE_TIMEOUTS = BIT(4), }; +struct tpm_chip_seqops { + struct tpm_chip *chip; + const struct seq_operations *seqops; +}; + struct tpm_chip { struct device dev; struct cdev cdev; @@ -157,6 +164,10 @@ struct tpm_chip { struct rw_semaphore ops_sem; const struct tpm_class_ops *ops; + struct tpm_bios_log log; + struct tpm_chip_seqops bin_log_seqops; + struct tpm_chip_seqops ascii_log_seqops; + unsigned int flags; int dev_num; /* /dev/tpm# */ diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c index 565a9478cb94..01dfb35a30e4 100644 --- a/drivers/char/tpm/tpm_acpi.c +++ b/drivers/char/tpm/tpm_acpi.c @@ -9,7 +9,7 @@ * * Maintained by: * - * Access to the eventlog extended by the TCG BIOS of PC platform + * Access to the event log extended by the TCG BIOS of PC platform * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -45,13 +45,15 @@ struct acpi_tcpa { }; /* read binary bios log */ -int read_log(struct tpm_bios_log *log) +int read_log(struct tpm_chip *chip) { struct acpi_tcpa *buff; acpi_status status; void __iomem *virt; u64 len, start; + struct tpm_bios_log *log; + log = &chip->log; if (log->bios_event_log != NULL) { printk(KERN_ERR "%s: ERROR - Eventlog already initialized\n", @@ -97,13 +99,18 @@ int read_log(struct tpm_bios_log *log) virt = acpi_os_map_iomem(start, len); if (!virt) { - kfree(log->bios_event_log); printk("%s: ERROR - Unable to map memory\n", __func__); - return -EIO; + goto err; } memcpy_fromio(log->bios_event_log, virt, len); acpi_os_unmap_iomem(virt, len); return 0; + +err: + kfree(log->bios_event_log); + log->bios_event_log = NULL; + return -EIO; + } diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 0afb0f4e81f0..2c4bc99729e5 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -11,7 +11,7 @@ * * Maintained by: * - * Access to the eventlog created by a system's firmware / BIOS + * Access to the event log created by a system's firmware / BIOS * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -73,7 +73,8 @@ static const char* tcpa_pc_event_id_strings[] = { static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos) { loff_t i; - struct tpm_bios_log *log = m->private; + struct tpm_chip *chip = m->private; + struct tpm_bios_log *log = &chip->log; void *addr = log->bios_event_log; void *limit = log->bios_event_log_end; struct tcpa_event *event; @@ -120,7 +121,8 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v, loff_t *pos) { struct tcpa_event *event = v; - struct tpm_bios_log *log = m->private; + struct tpm_chip *chip = m->private; + struct tpm_bios_log *log = &chip->log; void *limit = log->bios_event_log_end; u32 converted_event_size; u32 converted_event_type; @@ -261,13 +263,10 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v) static int tpm_bios_measurements_release(struct inode *inode, struct file *file) { - struct seq_file *seq = file->private_data; - struct tpm_bios_log *log = seq->private; + struct seq_file *seq = (struct seq_file *)file->private_data; + struct tpm_chip *chip = (struct tpm_chip *)seq->private; - if (log) { - kfree(log->bios_event_log); - kfree(log); - } + put_device(&chip->dev); return seq_release(inode, file); } @@ -323,33 +322,30 @@ static int tpm_bios_measurements_open(struct inode *inode, struct file *file) { int err; - struct tpm_bios_log *log; struct seq_file *seq; - const struct seq_operations *seqops = - (const struct seq_operations *)inode->i_private; - - log = kzalloc(sizeof(struct tpm_bios_log), GFP_KERNEL); - if (!log) - return -ENOMEM; - - if ((err = read_log(log))) - goto out_free; + struct tpm_chip_seqops *chip_seqops; + const struct seq_operations *seqops; + struct tpm_chip *chip; + + inode_lock(inode); + if (!inode->i_private) { + inode_unlock(inode); + return -ENODEV; + } + chip_seqops = (struct tpm_chip_seqops *)inode->i_private; + seqops = chip_seqops->seqops; + chip = chip_seqops->chip; + get_device(&chip->dev); + inode_unlock(inode); /* now register seq file */ err = seq_open(file, seqops); if (!err) { seq = file->private_data; - seq->private = log; - } else { - goto out_free; + seq->private = chip; } -out: return err; -out_free: - kfree(log->bios_event_log); - kfree(log); - goto out; } static const struct file_operations tpm_bios_measurements_ops = { @@ -363,10 +359,22 @@ int tpm_bios_log_setup(struct tpm_chip *chip) { const char *name = dev_name(&chip->dev); unsigned int cnt; + int rc = 0; if (chip->flags & TPM_CHIP_FLAG_TPM2) return 0; + rc = read_log(chip); + /* + * read_log failure means event log is not supported except for ENOMEM. + */ + if (rc < 0) { + if (rc == -ENOMEM) + return -ENODEV; + else + return rc; + } + cnt = 0; chip->bios_dir[cnt] = securityfs_create_dir(name, NULL); /* NOTE: securityfs_create_dir can return ENODEV if securityfs is @@ -376,19 +384,25 @@ int tpm_bios_log_setup(struct tpm_chip *chip) goto err; cnt++; + chip->bin_log_seqops.chip = chip; + chip->bin_log_seqops.seqops = &tpm_binary_b_measurements_seqops; + chip->bios_dir[cnt] = securityfs_create_file("binary_bios_measurements", 0440, chip->bios_dir[0], - (void *)&tpm_binary_b_measurements_seqops, + (void *)&chip->bin_log_seqops, &tpm_bios_measurements_ops); if (IS_ERR(chip->bios_dir[cnt])) goto err; cnt++; + chip->ascii_log_seqops.chip = chip; + chip->ascii_log_seqops.seqops = &tpm_ascii_b_measurements_seqops; + chip->bios_dir[cnt] = securityfs_create_file("ascii_bios_measurements", 0440, chip->bios_dir[0], - (void *)&tpm_ascii_b_measurements_seqops, + (void *)&chip->ascii_log_seqops, &tpm_bios_measurements_ops); if (IS_ERR(chip->bios_dir[cnt])) goto err; @@ -405,7 +419,19 @@ err: void tpm_bios_log_teardown(struct tpm_chip *chip) { int i; + struct inode *inode; - for (i = (TPM_NUM_EVENT_LOG_FILES - 1); i >= 0; i--) + /* securityfs_remove currently doesn't take care of handling sync + * between removal and opening of pseudo files. To handle this, a + * workaround is added by making i_private = NULL here during removal + * and to check it during open(), both within inode_lock()/unlock(). + * This design ensures that open() either safely gets kref or fails. + */ + for (i = (TPM_NUM_EVENT_LOG_FILES - 1); i >= 0; i--) { + inode = d_inode(chip->bios_dir[i]); + inode_lock(inode); + inode->i_private = NULL; + inode_unlock(inode); securityfs_remove(chip->bios_dir[i]); + } } diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h index fd3357e3a322..6df2f8e79a8e 100644 --- a/drivers/char/tpm/tpm_eventlog.h +++ b/drivers/char/tpm/tpm_eventlog.h @@ -73,7 +73,7 @@ enum tcpa_pc_event_ids { HOST_TABLE_OF_DEVICES, }; -int read_log(struct tpm_bios_log *log); +int read_log(struct tpm_chip *chip); #if defined(CONFIG_TCG_IBMVTPM) || defined(CONFIG_TCG_IBMVTPM_MODULE) || \ defined(CONFIG_ACPI) diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 570f30c5c5f4..68d891ab55db 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -20,12 +20,14 @@ #include "tpm.h" #include "tpm_eventlog.h" -int read_log(struct tpm_bios_log *log) +int read_log(struct tpm_chip *chip) { struct device_node *np; const u32 *sizep; const u64 *basep; + struct tpm_bios_log *log; + log = &chip->log; if (log->bios_event_log != NULL) { pr_err("%s: ERROR - Eventlog already initialized\n", __func__); return -EFAULT; -- cgit v1.2.3-70-g09d2 From f40e68ef4a111d194a801abd1695f1ec8ef119ff Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:53 -0500 Subject: tpm: fix the missing .owner in tpm_bios_measurements_ops This patch fixes the missing .owner field in tpm_bios_measurements_ops definition. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_eventlog.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 2c4bc99729e5..c6c80f0f25a2 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -349,6 +349,7 @@ static int tpm_bios_measurements_open(struct inode *inode, } static const struct file_operations tpm_bios_measurements_ops = { + .owner = THIS_MODULE, .open = tpm_bios_measurements_open, .read = seq_read, .llseek = seq_lseek, -- cgit v1.2.3-70-g09d2 From 02ae1382882f08c5804b996ca9c8d79b399dbe36 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:54 -0500 Subject: tpm: redefine read_log() to handle ACPI/OF at runtime Currently, read_log() has two implementations: one for ACPI platforms and the other for device tree(OF) based platforms. The proper one is selected at compile time using Kconfig and #ifdef in the Makefile, which is not the recommended approach. This patch removes the #ifdef in the Makefile by defining a single read_log() method, which checks for ACPI/OF event log properties at runtime. [jarkko.sakkinen@linux.intel.com: added tpm_ prefix to read_log*] Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/Makefile | 14 ++++---------- drivers/char/tpm/tpm_acpi.c | 9 ++------- drivers/char/tpm/tpm_eventlog.c | 22 +++++++++++++++++++++- drivers/char/tpm/tpm_eventlog.h | 22 +++++++++++++--------- drivers/char/tpm/tpm_of.c | 8 ++------ 5 files changed, 42 insertions(+), 33 deletions(-) diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index a385fb8c17de..a05b1ebd0b26 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -2,16 +2,10 @@ # Makefile for the kernel tpm device drivers. # obj-$(CONFIG_TCG_TPM) += tpm.o -tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o -tpm-$(CONFIG_ACPI) += tpm_ppi.o - -ifdef CONFIG_ACPI - tpm-y += tpm_eventlog.o tpm_acpi.o -else -ifdef CONFIG_TCG_IBMVTPM - tpm-y += tpm_eventlog.o tpm_of.o -endif -endif +tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \ + tpm_eventlog.o +tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o +tpm-$(CONFIG_OF) += tpm_of.o obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o obj-$(CONFIG_TCG_TIS) += tpm_tis.o obj-$(CONFIG_TCG_TIS_SPI) += tpm_tis_spi.o diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c index 01dfb35a30e4..04663cba3a0b 100644 --- a/drivers/char/tpm/tpm_acpi.c +++ b/drivers/char/tpm/tpm_acpi.c @@ -6,6 +6,7 @@ * Stefan Berger * Reiner Sailer * Kylene Hall + * Nayna Jain * * Maintained by: * @@ -45,7 +46,7 @@ struct acpi_tcpa { }; /* read binary bios log */ -int read_log(struct tpm_chip *chip) +int tpm_read_log_acpi(struct tpm_chip *chip) { struct acpi_tcpa *buff; acpi_status status; @@ -54,12 +55,6 @@ int read_log(struct tpm_chip *chip) struct tpm_bios_log *log; log = &chip->log; - if (log->bios_event_log != NULL) { - printk(KERN_ERR - "%s: ERROR - Eventlog already initialized\n", - __func__); - return -EFAULT; - } /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */ status = acpi_get_table(ACPI_SIG_TCPA, 1, diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index c6c80f0f25a2..8ee4ea10714b 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -356,6 +356,26 @@ static const struct file_operations tpm_bios_measurements_ops = { .release = tpm_bios_measurements_release, }; +static int tpm_read_log(struct tpm_chip *chip) +{ + int rc; + + if (chip->log.bios_event_log != NULL) { + dev_dbg(&chip->dev, + "%s: ERROR - event log already initialized\n", + __func__); + return -EFAULT; + } + + rc = tpm_read_log_acpi(chip); + if ((rc == 0) || (rc == -ENOMEM)) + return rc; + + rc = tpm_read_log_of(chip); + + return rc; +} + int tpm_bios_log_setup(struct tpm_chip *chip) { const char *name = dev_name(&chip->dev); @@ -365,7 +385,7 @@ int tpm_bios_log_setup(struct tpm_chip *chip) if (chip->flags & TPM_CHIP_FLAG_TPM2) return 0; - rc = read_log(chip); + rc = tpm_read_log(chip); /* * read_log failure means event log is not supported except for ENOMEM. */ diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h index 6df2f8e79a8e..1660d74ea79a 100644 --- a/drivers/char/tpm/tpm_eventlog.h +++ b/drivers/char/tpm/tpm_eventlog.h @@ -73,20 +73,24 @@ enum tcpa_pc_event_ids { HOST_TABLE_OF_DEVICES, }; -int read_log(struct tpm_chip *chip); - -#if defined(CONFIG_TCG_IBMVTPM) || defined(CONFIG_TCG_IBMVTPM_MODULE) || \ - defined(CONFIG_ACPI) -extern int tpm_bios_log_setup(struct tpm_chip *chip); -extern void tpm_bios_log_teardown(struct tpm_chip *chip); +#if defined(CONFIG_ACPI) +int tpm_read_log_acpi(struct tpm_chip *chip); #else -static inline int tpm_bios_log_setup(struct tpm_chip *chip) +static inline int tpm_read_log_acpi(struct tpm_chip *chip) { - return 0; + return -ENODEV; } -static inline void tpm_bios_log_teardown(struct tpm_chip *chip) +#endif +#if defined(CONFIG_OF) +int tpm_read_log_of(struct tpm_chip *chip); +#else +static inline int tpm_read_log_of(struct tpm_chip *chip) { + return -ENODEV; } #endif +int tpm_bios_log_setup(struct tpm_chip *chip); +void tpm_bios_log_teardown(struct tpm_chip *chip); + #endif diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 68d891ab55db..83c26bffb150 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -2,6 +2,7 @@ * Copyright 2012 IBM Corporation * * Author: Ashley Lai + * Nayna Jain * * Maintained by: * @@ -20,7 +21,7 @@ #include "tpm.h" #include "tpm_eventlog.h" -int read_log(struct tpm_chip *chip) +int tpm_read_log_of(struct tpm_chip *chip) { struct device_node *np; const u32 *sizep; @@ -28,11 +29,6 @@ int read_log(struct tpm_chip *chip) struct tpm_bios_log *log; log = &chip->log; - if (log->bios_event_log != NULL) { - pr_err("%s: ERROR - Eventlog already initialized\n", __func__); - return -EFAULT; - } - np = of_find_node_by_name(NULL, "vtpm"); if (!np) { pr_err("%s: ERROR - IBMVTPM not supported\n", __func__); -- cgit v1.2.3-70-g09d2 From ed4fdb4f5dc758e9d5bfb5582c701b08a87115a6 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:55 -0500 Subject: tpm: replace of_find_node_by_name() with dev of_node property Using the device of_node property is a better way to refer to the device tree node rather than of_find_node_by_name(). Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_of.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 83c26bffb150..12a86dda3b69 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -29,7 +29,8 @@ int tpm_read_log_of(struct tpm_chip *chip) struct tpm_bios_log *log; log = &chip->log; - np = of_find_node_by_name(NULL, "vtpm"); + if (chip->dev.parent->of_node) + np = chip->dev.parent->of_node; if (!np) { pr_err("%s: ERROR - IBMVTPM not supported\n", __func__); return -ENODEV; @@ -55,18 +56,15 @@ int tpm_read_log_of(struct tpm_chip *chip) if (!log->bios_event_log) { pr_err("%s: ERROR - Not enough memory for BIOS measurements\n", __func__); - of_node_put(np); return -ENOMEM; } log->bios_event_log_end = log->bios_event_log + *sizep; memcpy(log->bios_event_log, __va(*basep), *sizep); - of_node_put(np); return 0; cleanup_eio: - of_node_put(np); return -EIO; } -- cgit v1.2.3-70-g09d2 From 5efae7d6b07f37939f8f99d0983d5346f0c3e4e6 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Nov 2016 05:00:56 -0500 Subject: tpm: cleanup of printk error messages This patch removes the unnecessary error messages on failing to allocate memory and replaces pr_err/printk with dev_dbg/dev_info as applicable. Suggested-by: Jason Gunthorpe Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_acpi.c | 16 ++++------------ drivers/char/tpm/tpm_of.c | 29 +++++++++-------------------- 2 files changed, 13 insertions(+), 32 deletions(-) diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c index 04663cba3a0b..0cb43ef5f79a 100644 --- a/drivers/char/tpm/tpm_acpi.c +++ b/drivers/char/tpm/tpm_acpi.c @@ -60,11 +60,8 @@ int tpm_read_log_acpi(struct tpm_chip *chip) status = acpi_get_table(ACPI_SIG_TCPA, 1, (struct acpi_table_header **)&buff); - if (ACPI_FAILURE(status)) { - printk(KERN_ERR "%s: ERROR - Could not get TCPA table\n", - __func__); + if (ACPI_FAILURE(status)) return -EIO; - } switch(buff->platform_class) { case BIOS_SERVER: @@ -78,25 +75,20 @@ int tpm_read_log_acpi(struct tpm_chip *chip) break; } if (!len) { - printk(KERN_ERR "%s: ERROR - TCPA log area empty\n", __func__); + dev_warn(&chip->dev, "%s: TCPA log area empty\n", __func__); return -EIO; } /* malloc EventLog space */ log->bios_event_log = kmalloc(len, GFP_KERNEL); - if (!log->bios_event_log) { - printk("%s: ERROR - Not enough Memory for BIOS measurements\n", - __func__); + if (!log->bios_event_log) return -ENOMEM; - } log->bios_event_log_end = log->bios_event_log + len; virt = acpi_os_map_iomem(start, len); - if (!virt) { - printk("%s: ERROR - Unable to map memory\n", __func__); + if (!virt) goto err; - } memcpy_fromio(log->bios_event_log, virt, len); diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 12a86dda3b69..643cc8ccb35b 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -31,40 +31,29 @@ int tpm_read_log_of(struct tpm_chip *chip) log = &chip->log; if (chip->dev.parent->of_node) np = chip->dev.parent->of_node; - if (!np) { - pr_err("%s: ERROR - IBMVTPM not supported\n", __func__); + if (!np) return -ENODEV; - } sizep = of_get_property(np, "linux,sml-size", NULL); - if (sizep == NULL) { - pr_err("%s: ERROR - SML size not found\n", __func__); - goto cleanup_eio; - } + if (sizep == NULL) + return -EIO; + if (*sizep == 0) { - pr_err("%s: ERROR - event log area empty\n", __func__); - goto cleanup_eio; + dev_warn(&chip->dev, "%s: Event log area empty\n", __func__); + return -EIO; } basep = of_get_property(np, "linux,sml-base", NULL); - if (basep == NULL) { - pr_err("%s: ERROR - SML not found\n", __func__); - goto cleanup_eio; - } + if (basep == NULL) + return -EIO; log->bios_event_log = kmalloc(*sizep, GFP_KERNEL); - if (!log->bios_event_log) { - pr_err("%s: ERROR - Not enough memory for BIOS measurements\n", - __func__); + if (!log->bios_event_log) return -ENOMEM; - } log->bios_event_log_end = log->bios_event_log + *sizep; memcpy(log->bios_event_log, __va(*basep), *sizep); return 0; - -cleanup_eio: - return -EIO; } -- cgit v1.2.3-70-g09d2 From 79eec5b940cffff14c7bd1b9eb856ccb36274cc2 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Tue, 15 Nov 2016 13:27:22 +0000 Subject: tpm: return -ENODEV if np is not set device_node np contains a garbage value from the stack and it is only set if chip->dev.parent->of_node is not null. Thus the check for a null np won't spot a garbage value of np from the stack if chip->dev.parent->of_node is null and if np contains an garbage non-null value. I believe the correct fix is to return -ENODEV if and only if chip->dev.parent->of_node is null. Found with static analysis by CoverityScan, CID 1377755 Signed-off-by: Colin Ian King Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_of.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 643cc8ccb35b..36df9df4c472 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -31,7 +31,7 @@ int tpm_read_log_of(struct tpm_chip *chip) log = &chip->log; if (chip->dev.parent->of_node) np = chip->dev.parent->of_node; - if (!np) + else return -ENODEV; sizep = of_get_property(np, "linux,sml-size", NULL); -- cgit v1.2.3-70-g09d2 From 005451d44ad46623aac8349df15d7c0d1d8914c1 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 16 Nov 2016 08:56:13 -0500 Subject: tpm: Check the bios_dir entry for NULL before accessing it Check the bios_dir entry for NULL before accessing it. Currently this crashes the driver when a TPM 2 is attached and the entries are NULL. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_eventlog.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 8ee4ea10714b..34f0921f0203 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -449,10 +449,12 @@ void tpm_bios_log_teardown(struct tpm_chip *chip) * This design ensures that open() either safely gets kref or fails. */ for (i = (TPM_NUM_EVENT_LOG_FILES - 1); i >= 0; i--) { - inode = d_inode(chip->bios_dir[i]); - inode_lock(inode); - inode->i_private = NULL; - inode_unlock(inode); - securityfs_remove(chip->bios_dir[i]); + if (chip->bios_dir[i]) { + inode = d_inode(chip->bios_dir[i]); + inode_lock(inode); + inode->i_private = NULL; + inode_unlock(inode); + securityfs_remove(chip->bios_dir[i]); + } } } -- cgit v1.2.3-70-g09d2 From 0cf577a03f21a988f6dbe8133d07410967b8489a Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Sat, 19 Nov 2016 11:18:28 -0700 Subject: tpm: Fix handling of missing event log The event log is an optional firmware feature, if the firmware does not support it then the securityfs files should not be created and no other notification given. - Uniformly return -ENODEV from the tpm_bios_log_setup cone if no event log is detected. - Check in ACPI if this node was discovered via ACPI. - Improve the check in OF to make sure there is a parent and to fail detection if the two log properties are not declared - Pass through all other error codes instead of filtering just some Signed-off-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 2 +- drivers/char/tpm/tpm_acpi.c | 8 +++++++- drivers/char/tpm/tpm_eventlog.c | 26 +++++++++++++------------- drivers/char/tpm/tpm_of.c | 11 +++++------ 4 files changed, 26 insertions(+), 21 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 3f27753d96aa..7a4869151d3b 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -346,7 +346,7 @@ int tpm_chip_register(struct tpm_chip *chip) tpm_sysfs_add_device(chip); rc = tpm_bios_log_setup(chip); - if (rc == -ENODEV) + if (rc != 0 && rc != -ENODEV) return rc; tpm_add_ppi(chip); diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c index 0cb43ef5f79a..b7718c95fd0b 100644 --- a/drivers/char/tpm/tpm_acpi.c +++ b/drivers/char/tpm/tpm_acpi.c @@ -56,12 +56,18 @@ int tpm_read_log_acpi(struct tpm_chip *chip) log = &chip->log; + /* Unfortuntely ACPI does not associate the event log with a specific + * TPM, like PPI. Thus all ACPI TPMs will read the same log. + */ + if (!chip->acpi_dev_handle) + return -ENODEV; + /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */ status = acpi_get_table(ACPI_SIG_TCPA, 1, (struct acpi_table_header **)&buff); if (ACPI_FAILURE(status)) - return -EIO; + return -ENODEV; switch(buff->platform_class) { case BIOS_SERVER: diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index 34f0921f0203..c73f88cdeadf 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -368,14 +368,21 @@ static int tpm_read_log(struct tpm_chip *chip) } rc = tpm_read_log_acpi(chip); - if ((rc == 0) || (rc == -ENOMEM)) + if (rc != -ENODEV) return rc; - rc = tpm_read_log_of(chip); - - return rc; + return tpm_read_log_of(chip); } +/* + * tpm_bios_log_setup() - Read the event log from the firmware + * @chip: TPM chip to use. + * + * If an event log is found then the securityfs files are setup to + * export it to userspace, otherwise nothing is done. + * + * Returns -ENODEV if the firmware has no event log. + */ int tpm_bios_log_setup(struct tpm_chip *chip) { const char *name = dev_name(&chip->dev); @@ -386,15 +393,8 @@ int tpm_bios_log_setup(struct tpm_chip *chip) return 0; rc = tpm_read_log(chip); - /* - * read_log failure means event log is not supported except for ENOMEM. - */ - if (rc < 0) { - if (rc == -ENOMEM) - return -ENODEV; - else - return rc; - } + if (rc) + return rc; cnt = 0; chip->bios_dir[cnt] = securityfs_create_dir(name, NULL); diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 36df9df4c472..7dee42d7b5e0 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -29,13 +29,16 @@ int tpm_read_log_of(struct tpm_chip *chip) struct tpm_bios_log *log; log = &chip->log; - if (chip->dev.parent->of_node) + if (chip->dev.parent && chip->dev.parent->of_node) np = chip->dev.parent->of_node; else return -ENODEV; sizep = of_get_property(np, "linux,sml-size", NULL); - if (sizep == NULL) + basep = of_get_property(np, "linux,sml-base", NULL); + if (sizep == NULL && basep == NULL) + return -ENODEV; + if (sizep == NULL || basep == NULL) return -EIO; if (*sizep == 0) { @@ -43,10 +46,6 @@ int tpm_read_log_of(struct tpm_chip *chip) return -EIO; } - basep = of_get_property(np, "linux,sml-base", NULL); - if (basep == NULL) - return -EIO; - log->bios_event_log = kmalloc(*sizep, GFP_KERNEL); if (!log->bios_event_log) return -ENOMEM; -- cgit v1.2.3-70-g09d2 From c4484f791c9434445db7fc1d6791af4388756479 Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Sat, 19 Nov 2016 11:32:55 -0700 Subject: tpm: vtpm_proxy: conditionally call tpm_chip_unregister If tpm_chip_register fails vtpm must not call tpm_chip_unregister: > [ 58.271017] [] dpm_sysfs_remove+0x22/0x60 > [ 58.271017] [] device_del+0x58/0x280 > [ 58.271017] [] tpm_chip_unregister+0x40/0xb0 [tpm] > [ 58.271017] [] vtpm_proxy_fops_release+0x40/0x60 [tpm_vtpm_proxy] [jarkko.sakkinen@linux.intel.com: cleaned up unneeded goto away] Signed-off-by: Jason Gunthorpe Tested-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_vtpm_proxy.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c index 3d6f6ca81def..5463b58af26e 100644 --- a/drivers/char/tpm/tpm_vtpm_proxy.c +++ b/drivers/char/tpm/tpm_vtpm_proxy.c @@ -42,6 +42,7 @@ struct proxy_dev { long state; /* internal state */ #define STATE_OPENED_FLAG BIT(0) #define STATE_WAIT_RESPONSE_FLAG BIT(1) /* waiting for emulator response */ +#define STATE_REGISTERED_FLAG BIT(2) size_t req_len; /* length of queued TPM request */ size_t resp_len; /* length of queued TPM response */ @@ -370,12 +371,9 @@ static void vtpm_proxy_work(struct work_struct *work) rc = tpm_chip_register(proxy_dev->chip); if (rc) - goto err; - - return; - -err: - vtpm_proxy_fops_undo_open(proxy_dev); + vtpm_proxy_fops_undo_open(proxy_dev); + else + proxy_dev->state |= STATE_REGISTERED_FLAG; } /* @@ -516,7 +514,8 @@ static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev) */ vtpm_proxy_fops_undo_open(proxy_dev); - tpm_chip_unregister(proxy_dev->chip); + if (proxy_dev->state & STATE_REGISTERED_FLAG) + tpm_chip_unregister(proxy_dev->chip); vtpm_proxy_delete_proxy_dev(proxy_dev); } -- cgit v1.2.3-70-g09d2 From 9430066a15d6f55a3d008a6f99bb462480870207 Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Tue, 22 Nov 2016 09:58:56 -0700 Subject: tpm: adjust return value of tpm_read_log Signed-off-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_eventlog.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c index c73f88cdeadf..11bb1138a828 100644 --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -381,7 +381,8 @@ static int tpm_read_log(struct tpm_chip *chip) * If an event log is found then the securityfs files are setup to * export it to userspace, otherwise nothing is done. * - * Returns -ENODEV if the firmware has no event log. + * Returns -ENODEV if the firmware has no event log or securityfs is not + * supported. */ int tpm_bios_log_setup(struct tpm_chip *chip) { @@ -432,9 +433,10 @@ int tpm_bios_log_setup(struct tpm_chip *chip) return 0; err: + rc = PTR_ERR(chip->bios_dir[cnt]); chip->bios_dir[cnt] = NULL; tpm_bios_log_teardown(chip); - return -EIO; + return rc; } void tpm_bios_log_teardown(struct tpm_chip *chip) -- cgit v1.2.3-70-g09d2 From 50523a29d900d5a403e0352d3d7aeda6a33df25c Mon Sep 17 00:00:00 2001 From: Josh Stone Date: Fri, 2 Dec 2016 15:49:43 -0800 Subject: Yama: allow access for the current ptrace parent Under ptrace_scope=1, it's possible to have a tracee that is already ptrace-attached, but is no longer a direct descendant. For instance, a forking daemon will be re-parented to init, losing its ancestry to the tracer that launched it. The tracer can continue using ptrace in that state, but it will be denied other accesses that check PTRACE_MODE_ATTACH, like process_vm_rw and various procfs files. There's no reason to prevent such access for a tracer that already has ptrace control anyway. This patch adds a case to ptracer_exception_found to allow access for any task in the same thread group as the current ptrace parent. Signed-off-by: Josh Stone Cc: Kees Cook Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: James Morris --- security/yama/yama_lsm.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 0309f2111c70..968e5e0a3f81 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -309,7 +309,7 @@ static int task_is_descendant(struct task_struct *parent, * @tracer: the task_struct of the process attempting ptrace * @tracee: the task_struct of the process to be ptraced * - * Returns 1 if tracer has is ptracer exception ancestor for tracee. + * Returns 1 if tracer has a ptracer exception ancestor for tracee. */ static int ptracer_exception_found(struct task_struct *tracer, struct task_struct *tracee) @@ -320,6 +320,18 @@ static int ptracer_exception_found(struct task_struct *tracer, bool found = false; rcu_read_lock(); + + /* + * If there's already an active tracing relationship, then make an + * exception for the sake of other accesses, like process_vm_rw(). + */ + parent = ptrace_parent(tracee); + if (parent != NULL && same_thread_group(parent, tracer)) { + rc = 1; + goto unlock; + } + + /* Look for a PR_SET_PTRACER relationship. */ if (!thread_group_leader(tracee)) tracee = rcu_dereference(tracee->group_leader); list_for_each_entry_rcu(relation, &ptracer_relations, node) { @@ -334,6 +346,8 @@ static int ptracer_exception_found(struct task_struct *tracer, if (found && (parent == NULL || task_is_descendant(parent, tracer))) rc = 1; + +unlock: rcu_read_unlock(); return rc; -- cgit v1.2.3-70-g09d2