From: Jarkko Sakkinen
To: linux-integrity@vger.kernel.org
Cc: David Howells, Mimi Zohar, James Bottomley, Jarkko Sakkinen, "James E.J. Bottomley", stable@vger.kernel.org, Sumit Garg, kernel test robot, Peter Huewe, Jason Gunthorpe, Arnd Bergmann, Greg Kroah-Hartman, James Morris, "Serge E. Hallyn", Jerry Snitselaar, Alexey Klimov, linux-kernel@vger.kernel.org (open list), keyrings@vger.kernel.org (open list:KEYS-TRUSTED), linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM)
Subject: [PATCH v4 3/3] KEYS: trusted: Reserve TPM for seal and unseal operations
Date: Tue, 13 Oct 2020 05:51:56 +0300
Message-Id: <20201013025156.111305-4-jarkko.sakkinen@linux.intel.com>
In-Reply-To: <20201013025156.111305-1-jarkko.sakkinen@linux.intel.com>
References: <20201013025156.111305-1-jarkko.sakkinen@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When TPM 2.0 trusted keys code was moved to the trusted keys subsystem, the operations were unwrapped from tpm_try_get_ops() and tpm_put_ops(), which are used to temporarily take the ownership of the TPM chip. The ownership is only taken inside tpm_send(), but this is not sufficient, as in the key load TPM2_CC_LOAD, TPM2_CC_UNSEAL and TPM2_FLUSH_CONTEXT need to be done as one single atom.

Fix this issue by introducing trusted_tpm_load() and trusted_tpm_new(), which wrap these operations, and take the TPM chip ownership before sending anything. Use tpm_transmit_cmd() to send TPM commands instead of tpm_send(), reverting back to the old behaviour.

Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code")
Reported-by: "James E.J. Bottomley"
Cc: stable@vger.kernel.org
Cc: David Howells
Cc: Mimi Zohar
Cc: Sumit Garg
Signed-off-by: Jarkko Sakkinen Reported-by: kernel test robot --- drivers/char/tpm/tpm.h | 4 -- include/linux/tpm.h | 5 +- security/keys/trusted-keys/trusted_tpm1.c | 78 +++++++++++++++-------- security/keys/trusted-keys/trusted_tpm2.c | 6 +- 4 files changed, 60 insertions(+), 33 deletions(-) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 947d1db0a5cc..283f78211c3a 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -164,8 +164,6 @@ extern const struct file_operations tpmrm_fops; extern struct idr dev_nums_idr; ssize_t tpm_transmit(struct tpm_chip *chip, u8 *buf, size_t bufsiz); -ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_buf *buf, - size_t min_rsp_body_length, const char *desc); int tpm_get_timeouts(struct tpm_chip *); int tpm_auto_startup(struct tpm_chip *chip); @@ -194,8 +192,6 @@ static inline void tpm_msleep(unsigned int delay_msec) int tpm_chip_start(struct tpm_chip *chip); void tpm_chip_stop(struct tpm_chip *chip); struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip); -__must_check int tpm_try_get_ops(struct tpm_chip *chip); -void tpm_put_ops(struct tpm_chip *chip); struct tpm_chip *tpm_chip_alloc(struct device *dev, const struct tpm_class_ops *ops); diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 8f4ff39f51e7..804a3f69bbd9 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -397,6 +397,10 @@ static inline u32 tpm2_rc_value(u32 rc) #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) extern int tpm_is_tpm2(struct tpm_chip *chip); +extern __must_check int tpm_try_get_ops(struct tpm_chip *chip); +extern void tpm_put_ops(struct tpm_chip *chip); +extern ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_buf *buf, + size_t min_rsp_body_length, const char *desc); extern int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx, struct tpm_digest *digest); extern int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, 
@@ -410,7 +414,6 @@ static inline int tpm_is_tpm2(struct tpm_chip *chip) { return -ENODEV; } - static inline int tpm_pcr_read(struct tpm_chip *chip, int pcr_idx, struct tpm_digest *digest) { diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 7a937c3c5283..20ca18e17437 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -950,6 +950,51 @@ static struct trusted_key_payload *trusted_payload_alloc(struct key *key) return p; } +static int trusted_tpm_load(struct tpm_chip *chip, + struct trusted_key_payload *payload, + struct trusted_key_options *options) +{ + int ret; + + if (tpm_is_tpm2(chip)) { + ret = tpm_try_get_ops(chip); + if (!ret) { + ret = tpm2_unseal_trusted(chip, payload, options); + tpm_put_ops(chip); + } + } else { + ret = key_unseal(payload, options); + } + + return ret; +} + +static int trusted_tpm_new(struct tpm_chip *chip, + struct trusted_key_payload *payload, + struct trusted_key_options *options) +{ + int ret; + + ret = tpm_get_random(chip, payload->key, payload->key_len); + if (ret < 0) + return ret; + + if (ret != payload->key_len) + return -EIO; + + if (tpm_is_tpm2(chip)) { + ret = tpm_try_get_ops(chip); + if (!ret) { + ret = tpm2_seal_trusted(chip, payload, options); + tpm_put_ops(chip); + } + } else { + ret = key_seal(payload, options); + } + + return ret; +} + /* * trusted_instantiate - create a new trusted key * @@ -968,12 +1013,6 @@ static int trusted_instantiate(struct key *key, char *datablob; int ret = 0; int key_cmd; - size_t key_len; - int tpm2; - - tpm2 = tpm_is_tpm2(chip); - if (tpm2 < 0) - return tpm2; if (datalen <= 0 || datalen > 32767 || !prep->data) return -EINVAL; 
@@ -1011,32 +1050,21 @@ static int trusted_instantiate(struct key *key, switch (key_cmd) { case Opt_load: - if (tpm2) - ret = tpm2_unseal_trusted(chip, payload, options); - else - ret = key_unseal(payload, options); + ret = trusted_tpm_load(chip, payload, options); + dump_payload(payload); dump_options(options); + if (ret < 0) - pr_info("trusted_key: key_unseal failed (%d)\n", ret); + pr_info("%s: load failed (%d)\n", __func__, ret); + break; case Opt_new: - key_len = payload->key_len; - ret = tpm_get_random(chip, payload->key, key_len); - if (ret < 0) - goto out; + ret = trusted_tpm_new(chip, payload, options); - if (ret != key_len) { - pr_info("trusted_key: key_create failed (%d)\n", ret); - ret = -EIO; - goto out; - } - if (tpm2) - ret = tpm2_seal_trusted(chip, payload, options); - else - ret = key_seal(payload, options); if (ret < 0) - pr_info("trusted_key: key_seal failed (%d)\n", ret); + pr_info("%s: new failed (%d)\n", __func__, ret); + break; default: ret = -EINVAL; diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 08ec7f48f01d..effdb67fac6d 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -130,7 +130,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out; } - rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); + rc = tpm_transmit_cmd(chip, &buf, 4, "sealing data"); if (rc) goto out; @@ -211,7 +211,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, goto out; } - rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); + rc = tpm_transmit_cmd(chip, &buf, 4, "loading blob"); if (!rc) *blob_handle = be32_to_cpup( (__be32 *) &buf.data[TPM_HEADER_SIZE]); @@ -260,7 +260,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, options->blobauth /* hmac */, TPM_DIGEST_SIZE); - rc = tpm_send(chip, buf.data, tpm_buf_length(&buf)); + rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); if (rc > 0) rc = -EPERM; -- 2.25.1
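
Review bot: in include/linux/tpm.h (hunk @@ -397,6) the declarations of tpm_try_get_ops(), tpm_put_ops() and tpm_transmit_cmd() are added only inside the `#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)` branch, while the stub section visible in the next hunk (tpm_is_tpm2() returning -ENODEV) gets no matching static inline stubs. trusted_tpm1.c and trusted_tpm2.c now call these functions directly, so either add stubs for the disabled case or confirm in the commit message that trusted keys cannot be built without TCG_TPM. The diffstat also touches no .c file under drivers/char/tpm, so please confirm that all three symbols are already exported for a modular build of the trusted keys code.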
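
Review bot: the include/linux/tpm.h hunk @@ -410,7 only deletes the blank line between the tpm_is_tpm2() stub and the tpm_pcr_read() stub, which is unrelated to the locking fix. Since the patch is Cc'd to stable, drop this whitespace change so the backport carries only the functional change.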
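
Review bot: the error return of tpm_is_tpm2() is no longer handled in trusted_tpm_load() and trusted_tpm_new() (trusted_tpm1.c, hunk @@ -950,6). The code removed from trusted_instantiate() in the following hunk did `if (tpm2 < 0) return tpm2;`, whereas `if (tpm_is_tpm2(chip))` treats a negative value as true and enters the TPM 2.0 branch, so the original error code is lost and the caller sees whatever tpm_try_get_ops() returns instead. Store the result in a local, return it when negative, and branch on the value afterwards. A short comment on trusted_tpm_load() stating that the ops are held across the whole tpm2_unseal_trusted() call, and why, would also record the invariant the commit message describes.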
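
Review bot: the pr_info() rewording in trusted_instantiate() (trusted_tpm1.c, hunk @@ -1011,32) is not needed for the fix and changes what lands in the kernel log: "trusted_key: key_unseal failed (%d)" and "trusted_key: key_seal failed (%d)" become "%s: load failed (%d)" and "%s: new failed (%d)" with __func__ as prefix, and the separate "key_create failed" message for a short tpm_get_random() read disappears. Anything matching on the old strings will stop matching after a stable backport. Keep the existing messages in this patch and move the rewording to a follow-up that is not tagged for stable.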
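
Review bot: tpm2_seal_trusted() (trusted_tpm2.c, hunk @@ -130,7) now has an undocumented precondition. According to the commit message tpm_send() took the chip ownership itself, while with `tpm_transmit_cmd(chip, &buf, 4, "sealing data")` the caller has to hold it through tpm_try_get_ops(). The function is not static, so state the requirement in its header comment (and likewise for tpm2_unseal_trusted()), so that a future caller outside trusted_tpm_new() does not transmit without holding the ops.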
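
Review bot: the min_rsp_body_length arguments are bare numbers, 6 in tpm2_unseal_cmd() (trusted_tpm2.c, hunk @@ -260,7) and 4 in tpm2_seal_trusted() and tpm2_load_cmd(). In tpm2_load_cmd() the 4 can be matched to the be32 handle read at `buf.data[TPM_HEADER_SIZE]`, but nothing in the unseal hunk shows which response fields the 6 covers. Add a one-line comment at each call, or a named constant, saying which fields the minimum length guarantees before the response is parsed, since this value is the only bound checked on the TPM's reply at this point.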