2018-01-08 11:18:42

by Jarkko Sakkinen

Subject: [GIT PULL] tpmdd updates for v4.16

Hi James,

Sorry for a late PR.

Summary of the content:

* Reduced polling delays in tpm_tis.
* Support for retrieving TPM 2.0 Event Log through EFI before
  ExitBootServices.
* Replaced tpm-rng.c with a hwrng device managed by the driver for each
  TPM device.
* TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
  of returning -EINVAL for unknown TPM commands. This makes user space
  more sound.
* CLKRUN fixes:
  * Keep #CLKRUN disabled through the entire TPM command/response flow.
  * Check whether #CLKRUN is enabled before disabling and enabling it
    again because enabling it breaks PS/2 devices on a system where it
    is disabled.

/Jarkko

The following changes since commit d21bd6898336a7892914d308d5e0868f0b863571:

  Sync to v4.15-rc3 for security subsystem developers to work against. (2017-12-11 17:01:08 +1100)

are available in the git repository at:

  git://git.infradead.org/users/jjs/linux-tpmdd.git tags/tpmdd-next-20180108

for you to fetch changes up to 68021bf4734d15c9a9ed1c1072b9ebcfda3e39cc:

  tpm: remove unused variables (2018-01-08 12:58:54 +0200)

----------------------------------------------------------------
tpmdd updates for Linux 4.16

----------------------------------------------------------------
[email protected] (1):
      tpm2-cmd: allow more attempts for selftest execution

Arnd Bergmann (1):
      tpm: remove unused variables

Azhar Shaikh (2):
      tpm_tis: Move ilb_base_addr to tpm_tis_data
      tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd()

Jarkko Sakkinen (1):
      tpm: use struct tpm_chip for tpm_chip_find_get()

Jason Gunthorpe (2):
      tpm: Move Linux RNG connection to hwrng
      tpm: Update MAINTAINERS for Jason Gunthorpe

Javier Martinez Canillas (5):
      tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented
      tpm: delete the TPM_TIS_CLK_ENABLE flag
      tpm: follow coding style for variable declaration in tpm_tis_core_init()
      tpm: only attempt to disable the LPC CLKRUN if is already enabled
      tpm: remove unused data fields from I2C and OF device ID tables

Nayna Jain (3):
      tpm: move wait_for_tpm_stat() to respective driver files
      tpm: reduce tpm polling delay in tpm_tis_core
      tpm: use tpm_msleep() value as max delay

Thiebaud Weksteen (5):
      tpm: move tpm_eventlog.h outside of drivers folder
      tpm: rename event log provider files
      tpm: add event log format version
      efi: call get_event_log before ExitBootServices
      tpm: parse TPM event logs based on EFI table

 MAINTAINERS                                        |   3 +-
 arch/x86/boot/compressed/eboot.c                   |   1 +
 drivers/char/hw_random/Kconfig                     |  13 --
 drivers/char/hw_random/Makefile                    |   1 -
 drivers/char/hw_random/tpm-rng.c                   |  50 -----
 drivers/char/tpm/Kconfig                           |  11 +
 drivers/char/tpm/Makefile                          |   5 +-
 drivers/char/tpm/tpm-chip.c                        |  67 ++++--
 drivers/char/tpm/tpm-interface.c                   | 231 +++++++++------------
 drivers/char/tpm/tpm.h                             |  52 ++++-
 drivers/char/tpm/tpm1_eventlog.c                   |  13 +-
 drivers/char/tpm/tpm2-cmd.c                        |  12 +-
 drivers/char/tpm/tpm2_eventlog.c                   |   2 +-
 .../char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c}   |   4 +-
 drivers/char/tpm/tpm_eventlog_efi.c                |  66 ++++++
 drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c}   |   6 +-
 drivers/char/tpm/tpm_i2c_infineon.c                |  27 +--
 drivers/char/tpm/tpm_tis.c                         | 108 ----------
 drivers/char/tpm/tpm_tis_core.c                    | 193 ++++++++++++++++-
 drivers/char/tpm/tpm_tis_core.h                    |  16 ++
 drivers/char/tpm/xen-tpmfront.c                    |  61 ++++++
 drivers/firmware/efi/Makefile                      |   2 +-
 drivers/firmware/efi/efi.c                         |   4 +
 drivers/firmware/efi/libstub/Makefile              |   3 +-
 drivers/firmware/efi/libstub/tpm.c                 |  81 ++++++++
 drivers/firmware/efi/tpm.c                         |  40 ++++
 include/linux/efi.h                                |  46 ++++
 include/linux/tpm.h                                |  39 ++--
 {drivers/char/tpm => include/linux}/tpm_eventlog.h |  34 +--
 security/integrity/ima/ima_crypto.c                |   2 +-
 security/integrity/ima/ima_init.c                  |   2 +-
 security/integrity/ima/ima_queue.c                 |   2 +-
 security/keys/trusted.c                            |  35 ++--
 33 files changed, 789 insertions(+), 443 deletions(-)
 delete mode 100644 drivers/char/hw_random/tpm-rng.c
 rename drivers/char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c} (97%)
 create mode 100644 drivers/char/tpm/tpm_eventlog_efi.c
 rename drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c} (93%)
 create mode 100644 drivers/firmware/efi/tpm.c
 rename {drivers/char/tpm => include/linux}/tpm_eventlog.h (78%)
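
Added example, not part of the original message and not code from the kernel tree: with the resource manager change listed in the summary, user space receives an ordinary TPM 2.0 response whose code is TPM_RC_COMMAND_CODE instead of an -EINVAL error, so the normal response-parsing path can handle unknown commands. This is a user-space parser for the 10-byte response header; the function names, the sample bytes and the layer value 0x0b in bits 16..23 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TPM_ST_NO_SESSIONS  0x8001u /* tag of a response without sessions */
#define TPM_RC_COMMAND_CODE 0x0143u /* TPM 2.0: command code not supported */
#define TPM_RESP_HDR_LEN    10u     /* tag(2) + size(4) + response code(4) */

struct tpm2_resp_header { uint16_t tag; uint32_t size; uint32_t rc; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: 0 on success, -1 if the header is short or inconsistent. */
int tpm2_parse_resp_header(const uint8_t *buf, size_t len,
                           struct tpm2_resp_header *out)
{
    if (buf == NULL || out == NULL || len < TPM_RESP_HDR_LEN)
        return -1;
    out->tag = (uint16_t)(((unsigned)buf[0] << 8) | buf[1]);
    out->size = be32(buf + 2);
    out->rc = be32(buf + 6);
    /* The declared size must cover the header and fit in the bytes read. */
    if (out->size < TPM_RESP_HDR_LEN || out->size > len)
        return -1;
    return 0;
}

/* Hypothetical helper: low 16 bits hold the TPM code, bits 16..23 the layer. */
int tpm2_is_unknown_command(const struct tpm2_resp_header *h)
{
    return h->tag == TPM_ST_NO_SESSIONS && h->size == TPM_RESP_HDR_LEN &&
           (h->rc & 0xFFFFu) == TPM_RC_COMMAND_CODE;
}

/* Constructed samples; the layer byte 0x0b in the first one is an assumption. */
const uint8_t sample_unknown_cmd[10] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x0b, 0x01, 0x43 };
const uint8_t sample_success[10] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00 };
int main(void)
{
    struct tpm2_resp_header h;
    if (tpm2_parse_resp_header(sample_unknown_cmd, sizeof sample_unknown_cmd, &h))
        return 1;
    return tpm2_is_unknown_command(&h) ? 0 : 1;
}
```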


2018-01-09 00:42:26

by James Morris

Subject: Re: [GIT PULL] tpmdd updates for v4.16

On Mon, 8 Jan 2018, Jarkko Sakkinen wrote:

> Hi James,
>
> Sorry for a late PR.
>
> Summary of the content:
>
> * Reduced polling delays in tpm_tis.
> * Support for retrieving TPM 2.0 Event Log through EFI before
> ExitBootServices.
> * Replaced tpm-rng.c with a hwrng device managed by the driver for each
> TPM device.
> * TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
> of returning -EINVAL for unknown TPM commands. This makes user space
> more sound.
> * CLKRUN fixes:
> * Keep #CLKRUN disabled through the entire TPM command/response flow.
> * Check whether #CLKRUN is enabled before disabling and enabling it
> again because enabling it breaks PS/2 devices on a system where it
> is disabled.
>

Thanks, merged to:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-tpm
next-testing


--
James Morris
<[email protected]>

2018-01-09 09:59:14

by Alexander Steffen

Subject: Re: [GIT PULL] tpmdd updates for v4.16

On 08.01.2018 12:18, Jarkko Sakkinen wrote:
> Hi James,
>
> Sorry for a late PR.
>
> Summary of the content:
>
> * Reduced polling delays in tpm_tis.
> * Support for retrieving TPM 2.0 Event Log through EFI before
> ExitBootServices.
> * Replaced tpm-rng.c with a hwrng device managed by the driver for each
> TPM device.
> * TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
> of returning -EINVAL for unknown TPM commands. This makes user space
> more sound.
> * CLKRUN fixes:
> * Keep #CLKRUN disabled through the entire TPM command/response flow.
> * Check whether #CLKRUN is enabled before disabling and enabling it
> again because enabling it breaks PS/2 devices on a system where it
> is disabled.

I just spent some time trying to run all that (tpmdd-next-20180108)
through my test system and hit a couple of non-TPM problems. In case you
see similar issues, this is what I found out:

1. rmmod for the TPM driver hangs indefinitely. The TPM driver now
registers itself as a hwrng, but in case it is the only hwrng in a
system, the call to hwrng_unregister never returns. Known bug, but still
not fixed in 4.15-rc7 (see
https://www.mail-archive.com/[email protected]/msg29884.html
for details).

2. Raspberry Pis (which I use to test tpm_tis_spi and tpm_i2c_infineon)
boot with that kernel, but have no USB or ethernet support. Also a known
problem
(http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552280.html).

3. Device tree overlays with references to non-existent target-paths are
rejected now (whereas before the invalid parts were just ignored). I
guess this is an intentional change, but the error message does not
really point to the problem (applying the overlay just returns with EINVAL).

With all that fixed in my environment, my tests now pass successfully.

Alexander

2018-01-10 16:08:34

by Jarkko Sakkinen

Subject: Re: [GIT PULL] tpmdd updates for v4.16

On Tue, Jan 09, 2018 at 10:59:07AM +0100, Alexander Steffen wrote:
> On 08.01.2018 12:18, Jarkko Sakkinen wrote:
> > Hi James,
> >
> > Sorry for a late PR.
> >
> > Summary of the content:
> >
> > * Reduced polling delays in tpm_tis.
> > * Support for retrieving TPM 2.0 Event Log through EFI before
> > ExitBootServices.
> > * Replaced tpm-rng.c with a hwrng device managed by the driver for each
> > TPM device.
> > * TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
> > of returning -EINVAL for unknown TPM commands. This makes user space
> > more sound.
> > * CLKRUN fixes:
> > * Keep #CLKRUN disabled through the entire TPM command/response flow.
> > * Check whether #CLKRUN is enabled before disabling and enabling it
> > again because enabling it breaks PS/2 devices on a system where it
> > is disabled.
>
> I just spent some time trying to run all that (tpmdd-next-20180108) through
> my test system and hit a couple of non-TPM problems. In case you see similar
> issues, this is what I found out:
>
> 1. rmmod for the TPM driver hangs indefinitely. The TPM driver now registers
> itself as a hwrng, but in case it is the only hwrng in a system, the call to
> hwrng_unregister never returns. Known bug, but still not fixed in 4.15-rc7
> (see https://www.mail-archive.com/[email protected]/msg29884.html
> for details).
>
> 2. Raspberry Pis (which I use to test tpm_tis_spi and
> tpm_i2c_infineon) boot with that kernel, but have no USB or ethernet
> support. Also a known problem
> (http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552280.html).
>
> 3. Device tree overlays with references to non-existent target-paths are
> rejected now (whereas before the invalid parts were just ignored). I guess
> this is an intentional change, but the error message does not really point
> to the problem (applying the overlay just returns with EINVAL).

Do we have these?

> With all that fixed in my environment, my tests now pass successfully.
>
> Alexander

Thank you for reporting these issues.

/Jarkko

2018-01-10 16:18:46

by Jarkko Sakkinen

Subject: Re: [GIT PULL] tpmdd updates for v4.16

On Tue, Jan 09, 2018 at 11:42:16AM +1100, James Morris wrote:
> On Mon, 8 Jan 2018, Jarkko Sakkinen wrote:
>
> > Hi James,
> >
> > Sorry for a late PR.
> >
> > Summary of the content:
> >
> > * Reduced polling delays in tpm_tis.
> > * Support for retrieving TPM 2.0 Event Log through EFI before
> > ExitBootServices.
> > * Replaced tpm-rng.c with a hwrng device managed by the driver for each
> > TPM device.
> > * TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
> > of returning -EINVAL for unknown TPM commands. This makes user space
> > more sound.
> > * CLKRUN fixes:
> > * Keep #CLKRUN disabled through the entire TPM command/response flow.
> > * Check whether #CLKRUN is enabled before disabling and enabling it
> > again because enabling it breaks PS/2 devices on a system where it
> > is disabled.
> >
>
> Thanks, merged to:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
> next-tpm
> next-testing

Thank you. We'll follow the issues that Alexander described.

/Jarkko

2018-01-11 17:29:28

by Alexander Steffen

Subject: Re: [GIT PULL] tpmdd updates for v4.16

On 10.01.2018 17:08, Jarkko Sakkinen wrote:
> On Tue, Jan 09, 2018 at 10:59:07AM +0100, Alexander Steffen wrote:
>> On 08.01.2018 12:18, Jarkko Sakkinen wrote:
>>> Hi James,
>>>
>>> Sorry for a late PR.
>>>
>>> Summary of the content:
>>>
>>> * Reduced polling delays in tpm_tis.
>>> * Support for retrieving TPM 2.0 Event Log through EFI before
>>> ExitBootServices.
>>> * Replaced tpm-rng.c with a hwrng device managed by the driver for each
>>> TPM device.
>>> * TPM resource manager synthesizes TPM_RC_COMMAND_CODE response instead
>>> of returning -EINVAL for unknown TPM commands. This makes user space
>>> more sound.
>>> * CLKRUN fixes:
>>> * Keep #CLKRUN disabled through the entire TPM command/response flow.
>>> * Check whether #CLKRUN is enabled before disabling and enabling it
>>> again because enabling it breaks PS/2 devices on a system where it
>>> is disabled.
>>
>> I just spent some time trying to run all that (tpmdd-next-20180108) through
>> my test system and hit a couple of non-TPM problems. In case you see similar
>> issues, this is what I found out:
>>
>> 1. rmmod for the TPM driver hangs indefinitely. The TPM driver now registers
>> itself as a hwrng, but in case it is the only hwrng in a system, the call to
>> hwrng_unregister never returns. Known bug, but still not fixed in 4.15-rc7
>> (see https://www.mail-archive.com/[email protected]/msg29884.html
>> for details).
>>
>> 2. Raspberry Pis (which I use to test tpm_tis_spi and
>> tpm_i2c_infineon) boot with that kernel, but have no USB or ethernet
>> support. Also a known problem
>> (http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552280.html).
>>
>> 3. Device tree overlays with references to non-existent target-paths are
>> rejected now (whereas before the invalid parts were just ignored). I guess
>> this is an intentional change, but the error message does not really point
>> to the problem (applying the overlay just returns with EINVAL).
>
> Do we have these?

No, otherwise I would have sent a fix :)

It is just something that I used for my tests: I had an overlay that I
could use for both the mainline kernel and the RPi kernel. On the RPi
kernel it would deactivate the spidev entry, so that tpm_tis_spi was
able to use the device. On the mainline kernel, there is no spidev in
the device tree, so this part is not necessary and I simply removed it
now to fix the problem (I'm not using the RPi kernels anymore).

Alexander

>> With all that fixed in my environment, my tests now pass successfully.
>>
>> Alexander
>
> Thank you for reporting these issues.
>
> /Jarkko