Received: by 2002:a05:7412:ba23:b0:fa:4c10:6cad with SMTP id jp35csp1264668rdb; Fri, 19 Jan 2024 13:29:34 -0800 (PST) X-Google-Smtp-Source: AGHT+IHYtq2LXCB7zAzG+2e5P2NJeGBdJhYDGn2ZTHKEOtAPDjniavf3p3wsD+t6Nu8h0JVlKWeC X-Received: by 2002:a05:6808:2381:b0:3bd:3d16:7ad3 with SMTP id bp1-20020a056808238100b003bd3d167ad3mr505372oib.101.1705699773816; Fri, 19 Jan 2024 13:29:33 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705699773; cv=pass; d=google.com; s=arc-20160816; b=uIikgeWo1VD6fZ8EhFUEflJsRvAbpiyONwayfbXkyXeFdF23oJP4+/XzLo+4X3TSGM whLgRBffgeV1505eBLUA+3keU5nu041vcXxhpx5LBp9q52mElNyfCf2tkVGioMzBcyF/ PUczmBlQguCbrlIjarfvGr99FiaDbj+N98HiRlMRaRKhmKLZav47g3rhUQpXwJ1UUVPZ V8HvPbUUkx1tZJpjEe+VIFGuoGQ5EVFZUb3hyO+/0Ma3Kz7Haf2tnmcE6eQdc2V56k64 5n41gPgtuX9F1aJMIhJmNYuCbbBa4GtriKg2yRxi50O5RVoOPXfcKnUx4PvbiPN154BQ YR6Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:references:to:from:subject:cc:message-id:date :content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:dkim-signature; bh=x4JHWEUvhP5LZLLDm1r+wtKRx2DA0jAwDTRPauVbFlw=; fh=MMfPQckyWySKaOIm9vtvCneSjGpWDEoPZp4kOaheqCo=; b=iQp63FMrRPPXigXXq33xpd9Lka0qlkG+THuYz4wQ1/DbXLq5Putje+2YU8slBuR8wN iyNTXEEBb0L65lmmJ3QEz06zFdxyWX3isfHSJC7NFzeOSEuuMw5zEH7ncE8H8RpL4u5+ 1Sm9xpNWrospOpU0f/QDTL/9UXl6aRKWCN4tZy/BS62s1e9CRk1g3rEiSFNkLqENe1XX pdlEvwrdjzeW3gdPDQ8ejW2rr8hPS6VAd5JWA5tZaTVcnNaibQjqf17vKSesvciYZkls a68w8oft8Fka9mvG33yksFWaEG8gJ8xB4WXmhZNfNooXsKResQFjGizJr9BwYR4luCuQ H3Lg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HXIcRZiF; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-31576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-31576-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id m30-20020a05620a215e00b007835b80b398si96584qkm.655.2024.01.19.13.29.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Jan 2024 13:29:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-31576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HXIcRZiF; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-31576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-31576-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 483361C21D33 for ; Fri, 19 Jan 2024 21:29:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7549758AC6; Fri, 19 Jan 2024 21:28:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HXIcRZiF" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 558DD58AA1; Fri, 19 Jan 2024 21:28:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705699698; cv=none; b=dKQtuKbrJsQ6p85KuU+U8dtolwrD2Wr/4tdO1MhGHhiIAhHkpXomD6awxULCujFDHTmkBlrWXNcGzt6REX0RhJe7/KYlJFDscovnzhUNyUaZy/M+kpYqwvB+TMgsrKTy/SUFapgWkPIOFH3rqOql08EQz1GmCkitKoXxiadTmIc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705699698; c=relaxed/simple; bh=v2H0OsNvV9pPT/cbypaewkMjFcAe/8sPxD7dGqZRydQ=; h=Mime-Version:Content-Type:Date:Message-Id:Cc:Subject:From:To: References:In-Reply-To; b=GYPpN4tbUMkK6i0jhc3IGi2oxFoNVZa74V0t6az731Nq/Jx+hH3A0qHsKanwnfatf6e7P81jPuU06X4Duz0ZdBRmPaQ38B3p9vCkCJW+fmKDNXxlByrupkHbC27ZqJedH4Uj40USibSY2DquN57ebZrn432UAk0byKvTSjV0etA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HXIcRZiF; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id F2C68C433F1; Fri, 19 Jan 2024 21:28:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1705699697; bh=v2H0OsNvV9pPT/cbypaewkMjFcAe/8sPxD7dGqZRydQ=; h=Date:Cc:Subject:From:To:References:In-Reply-To:From; b=HXIcRZiFrVdvUhgprPNf053LqngMHiFs9JduqN28Lir2w7+lpwpMZMHS+U8R0V5W1 NshFSsHaWKlmVAbFo8dWAGqL/ou+h5OizkGqe8vGPwiGcFdcKr9jMbILTmkGdagOO0 HX5tuppDuLlFgqS6Qz/+imrIVG66dAijBv2NrNX3c46uZSj+xXNyq9B0BzGWkSQyG4 V7Cbhq2SWG+56d9tk+Z6ujyU5rc3rbixqZIiddfgdvVsYDQF96UmwAYByFvmRdc008 +ifUDbgqWKRdw8ViR2DnPSYfGO9bHjDO4btnnoWsUAEC4fRznvOeTcH2RL6qM02C3R G1k30cg+JtXyg== Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Fri, 19 Jan 2024 21:28:14 +0000 Message-Id: Cc: "Ross Philipson" , "Kanth Ghatraju" , "Peter Huewe" Subject: Re: [PATCH] tpm: make locality handling resilient From: "Jarkko Sakkinen" To: "Daniel P. Smith" , "Jason Gunthorpe" , "Lino Sanfilippo" , "Sasha Levin" , , X-Mailer: aerc 0.15.2 References: <20240115011546.21193-1-dpsmith@apertussolutions.com> In-Reply-To: <20240115011546.21193-1-dpsmith@apertussolutions.com> On Mon Jan 15, 2024 at 1:15 AM UTC, Daniel P. Smith wrote: > Commit 933bfc5ad213 introduced the use of a locality counter to control w= hen > locality request was actually sent to the TPM. This locality counter crea= ted a > hard enforcement that the TPM had no active locality at the time of the d= river > initialization. The reality is that this may not always be the case coupl= ed > with the fact that the commit indiscriminately decremented the counter cr= eated > the condition for integer underflow of the counter. The underflow was tri= ggered > by the first pair of request/relinquish calls made in tpm_tis_init_core a= nd all > subsequent calls to request/relinquished calls would have the counter fli= pping > between the underflow value and 0. The result is that it appeared all cal= ls to > request/relinquish were successful, but they were not. The end result is = that > the locality that was active when the driver loaded would always remain a= ctive, > to include after the driver shutdown. This creates a significant issue wh= en > using Intel TXT and Locality 2 is active at boot. After the GETSEC[SEXIT] > instruction is called, the PCH will close access to Locality 2 MMIO addre= ss > space, leaving the TPM locked in Locality 2 with no means to relinquish t= he > locality until system reset. > > The commit seeks to address this situation through three changes. The fir= st is > to walk the localities during initialization and close any open localitie= s to > ensure the TPM is in the assumed state. Next is to put guards around the > counter and the requested locality to ensure they remain within valid val= ues. > The last change is to make the request locality functions be consistent i= n > their return values. The functions will either return the locality reques= ted if > successful or a negative error code. > > Signed-off-by: Daniel P. Smith > Signed-off-by: Ross Philipson > Reported-by: Kanth Ghatraju > Fixes: 933bfc5ad213 ("tpm, tpm: Implement usage counter for locality") > --- > drivers/char/tpm/tpm-chip.c | 2 +- > drivers/char/tpm/tpm_tis_core.c | 20 +++++++++++++++----- > include/linux/tpm.h | 2 ++ > 3 files changed, 18 insertions(+), 6 deletions(-) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index 42b1062e33cd..e7293f85335a 100644 > --- a/drivers/char/tpm/tpm-chip.c > +++ b/drivers/char/tpm/tpm-chip.c > @@ -49,7 +49,7 @@ static int tpm_request_locality(struct tpm_chip *chip) > return rc; > =20 > chip->locality =3D rc; > - return 0; > + return chip->locality; > } > =20 > static void tpm_relinquish_locality(struct tpm_chip *chip) > diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_c= ore.c > index 1b350412d8a6..c8b9b0b199dc 100644 > --- a/drivers/char/tpm/tpm_tis_core.c > +++ b/drivers/char/tpm/tpm_tis_core.c > @@ -180,7 +180,8 @@ static int tpm_tis_relinquish_locality(struct tpm_chi= p *chip, int l) > struct tpm_tis_data *priv =3D dev_get_drvdata(&chip->dev); > =20 > mutex_lock(&priv->locality_count_mutex); > - priv->locality_count--; > + if (priv->locality_count > 0) > + priv->locality_count--; > if (priv->locality_count =3D=3D 0) > __tpm_tis_relinquish_locality(priv, l); > mutex_unlock(&priv->locality_count_mutex); > @@ -226,18 +227,21 @@ static int __tpm_tis_request_locality(struct tpm_ch= ip *chip, int l) > tpm_msleep(TPM_TIMEOUT); > } while (time_before(jiffies, stop)); > } > - return -1; > + return -EBUSY; > } > =20 > static int tpm_tis_request_locality(struct tpm_chip *chip, int l) > { > struct tpm_tis_data *priv =3D dev_get_drvdata(&chip->dev); > - int ret =3D 0; > + int ret =3D -EIO; > + > + if (l > TPM_MAX_LOCALITY) > + return -EINVAL; > =20 > mutex_lock(&priv->locality_count_mutex); > if (priv->locality_count =3D=3D 0) > ret =3D __tpm_tis_request_locality(chip, l); > - if (!ret) > + if (ret >=3D 0) > priv->locality_count++; > mutex_unlock(&priv->locality_count_mutex); > return ret; > @@ -1108,7 +1112,7 @@ int tpm_tis_core_init(struct device *dev, struct tp= m_tis_data *priv, int irq, > u32 intmask; > u32 clkrun_val; > u8 rid; > - int rc, probe; > + int rc, probe, locality; s/locality/i/ We don't use long names for loop indices generally. > struct tpm_chip *chip; > =20 > chip =3D tpmm_chip_alloc(dev, &tpm_tis); > @@ -1169,6 +1173,12 @@ int tpm_tis_core_init(struct device *dev, struct t= pm_tis_data *priv, int irq, > goto out_err; > } > =20 > + /* It is not safe to assume localities are closed on startup */ This is somewhat useless comment. E.g. this would be way more useful: /* * Intel TXT starts with locality 2 active. Therefore, * localities cannot be assumed to be closed on startup. */ > + for (locality =3D 0; locality <=3D TPM_MAX_LOCALITY; locality++) { > + if (check_locality(chip, locality)) > + tpm_tis_relinquish_locality(chip, locality); > + } > + > /* Take control of the TPM's interrupt hardware and shut it off */ > rc =3D tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask); > if (rc < 0) > diff --git a/include/linux/tpm.h b/include/linux/tpm.h > index 4ee9d13749ad..f2651281f02e 100644 > --- a/include/linux/tpm.h > +++ b/include/linux/tpm.h > @@ -116,6 +116,8 @@ struct tpm_chip_seqops { > const struct seq_operations *seqops; > }; > =20 > +#define TPM_MAX_LOCALITY 4 Not documented. > + > struct tpm_chip { > struct device dev; > struct device devs; Thanks for the fix. BR, Jarkko