Received-SPF: pass (google.com: domain of linux-kernel+bounces-49116-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Message-ID: <f04f1131-d83a-470d-b7fd-4a14f54fa899@kunbus.com>
Date: Fri, 2 Feb 2024 03:52:20 +0100
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH] tpm: make locality handling resilient
Content-Language: en-US
To: "Daniel P. Smith" <dpsmith@apertussolutions.com>,
 Jason Gunthorpe <jgg@ziepe.ca>, Jarkko Sakkinen <jarkko@kernel.org>,
 Sasha Levin <sashal@kernel.org>, linux-integrity@vger.kernel.org,
 linux-kernel@vger.kernel.org
Cc: Ross Philipson <ross.philipson@oracle.com>,
 Kanth Ghatraju <kanth.ghatraju@oracle.com>, Peter Huewe <peterhuewe@gmx.de>
References: <20240115011546.21193-1-dpsmith@apertussolutions.com>
From: Lino Sanfilippo <l.sanfilippo@kunbus.com>
In-Reply-To: <20240115011546.21193-1-dpsmith@apertussolutions.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
	=?utf-8?B?U3NLY0xaUlozbFBwcU84c2RLNWliaFhseUlYS3ppUmkyV3MzbmFFdytrTzRV?=
 =?utf-8?B?YkZLOUhIY1ZXSlBYTlVZVW96Q2FvbTRaY3B5K2Zqbk9TaXpaelJmRjlkQXN3?=
 =?utf-8?B?bVNaZ0Y5bHhHTG4ySnJsVnhIZUFFRUtONzQ2Z1pMUExkbjhxYmt2WmZtbDR1?=
 =?utf-8?B?MVFZU2JjL1kvQThGMlhsaGNqNS9Fc2FCb0JEaGxTbHAwMnFNcUVSQTFRU1B3?=
 =?utf-8?B?MVZRci82ZnJGWnZWK0VRc29vcGsxdytaSEVsbk5iRDBOYzVUV0R1cFhRZkdN?=
 =?utf-8?B?UUQ5WmlYWnhPdUp6azhyRjFCd05wWTAxRUhsR3VQcGl2R2JxczZOS3NTaXpt?=
 =?utf-8?B?SVF5MWQ1Qkt3V3hHU1JBNUdOb1Q1MkJrS0QzVE9jaEd4VkZSUG1qWmdTa1BX?=
 =?utf-8?B?eGhCeC9VS3o0U01rL3hOZUVpZUtmZmhweURGUFh0dEtaUGJHaUoyNU4zQTJ5?=
 =?utf-8?B?L1Uxd2lNbFFxNllLcjlOcmMyT1ZOK1BwOW4xWXZ4QkJnZ1BQdFMxeWJCZXZs?=
 =?utf-8?B?cnJFWUdGSGdqeE5XUG1oSzdhdEt6emdUTWFzL3A1UytpQUFRZUNvVWVnWlFZ?=
 =?utf-8?B?RDBJQVlENWE4WFVYK0JXK3ZZcWhQTldLNnI4SzdwN1VjU29EbW9wcWh1d1JM?=
 =?utf-8?B?alpFZ0s4dVpRZzJTNnFzMDF0VGFsV1RnNmY2ZWxGeXFWVGl5Q21wLzBQaURx?=
 =?utf-8?B?S3BCSDdRWCsrSVVoZFBJZUErM2daaEVyWnQwZzhXZDhhTHhRbnMwdGVhTGtx?=
 =?utf-8?B?Yi81aGRpMHhFTWZ1QTB4cVZXR0JlaDNiWVlHMkhEUjNURDhoTFZXbTQzR2s5?=
 =?utf-8?B?d0l6MWRESE1GWExZK2JqN1h1OG1XL3JmUFZYaWp3L0JwSHA1RVpOVXIxd0Ux?=
 =?utf-8?B?dHdYUDhscjViaUhXYnRSUU5oQVFtMWQzQUdod3F4VStuMzVlQ040SEEybURD?=
 =?utf-8?B?WFdPb25aWldCZ05JRjVZdVpNMWp6VDFhOWxUSFEvTkk5OEo2YlhNRHBzVVhX?=
 =?utf-8?B?YWlYN1pDZ1VscUhTSVdwajgzRHIrVEZwWmdKNFNVdGRtd0lTcE9adkpzQUk2?=
 =?utf-8?B?REFqb0kvUDZZUzh6SjdGVlhVY1h4bzJ4QllRUDUrN0ZGcm5zSnArNEtVMkpk?=
 =?utf-8?B?anFHRVM3R0xBYXViWW5yVmFHVlB5aEFzQzlQRE5SclJaZFZaOUVQbjZJV29u?=
 =?utf-8?B?TFN6OUJtVXdBTEkzN1RjTHNURTg4aFVzV1EraXhiL1dRY0ZCTjRLQWIvV053?=
 =?utf-8?B?b1A4Yy9OVDJjcXFKN0dibmRQZXE3c01xQVR0amRQM1JRWWlqU05CY1ZpVGgv?=
 =?utf-8?B?SmE5Q1BwU2xadDFXOGpDb09zTThoWVhJV2ZlcUVXcmtsc2xrd1RJaFNoWURj?=
 =?utf-8?B?L2Q1THRoeDYwdW40QmdvRUU1QVcvYkxhRndTYWRVN0t5WWpBaHRZUEErRXVG?=
 =?utf-8?B?SkZKaVVPWWZlTXcybUp0UWc1eGloSHloZkQ1SnFHY0orQy9hUGZNeVZWcnNp?=
 =?utf-8?B?OWVubXNMUXJ5RlpBbURCTEtLR0xyYS81Wk5LRjFjUTdvL3hRdFR3ZHlaMXVs?=
 =?utf-8?B?TTMvTTBUWmpHVGdqbUJpNU1Hamc1ODZxL2ZIUmZEV0pQSFlwcDl2L1VXT0Zv?=
 =?utf-8?B?V0VEVzNNSUZKVjVGNFE5UUdxUkc1RGtpTDRzbkR2UU9nNFdseDNlczNjUzNQ?=
 =?utf-8?B?K0VYR2Yxb05VUHVnYXZzTytlMmRkUGZBanJDbGFGc1R5bGNmSjZ0NVgwd3NJ?=
 =?utf-8?B?K2VjSmRHa2p0MjUvR3RLU3RQR002NlI3d2dpUDVGcS9TblVBcTFoTTREVFJn?=
 =?utf-8?B?UFl4S2d6a2hYcGxxMWtXTllqRVJTUWVmUlA2WXhkZ0sxckFPUnVJU0Nkajgz?=
 =?utf-8?B?c1FBZkgrU3h1bDUrK2NrY0JaU2FjbE1KSnYveEFCei9hVUEvcGk5a3BxdS9s?=
 =?utf-8?B?WGQ2cDNRWkdOcmZhbTVJcEIyc1B5S3JLV3lYdDdXb05NN2hMZWlPRFd4L0wx?=
 =?utf-8?B?dFI1clQ1RVMvcDVkcm5zanBvNVEvVG0xdGF4WkJYU3d4Zy9qRk1odmFKSSs0?=
 =?utf-8?B?UUpNeEdEMTFnK1dNdFdLNzU4TE1WczExTFE1dzkwb3FHa1FmR3VZUEhrRjdJ?=
 =?utf-8?B?Z1g5RlpNNnJXK2JEeHZmWUVMS2F1Vm9QQndUeWNBQzhpYUtTVmFVdXFWeWNX?=
 =?utf-8?Q?a9l0xkRupkE9aY2EPYCIhDldn2JSThT4Kop7qeHrnRxd?=
X-OriginatorOrg: kunbus.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c212fc41-2e88-4c84-537c-08dc2399fb35
X-MS-Exchange-CrossTenant-AuthSource: AM6P193MB0408.EURP193.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Feb 2024 02:52:23.3742
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: aaa4d814-e659-4b0a-9698-1c671f11520b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: l48vyIk6Sscw5t9/rtiINw8qzoW1O1b5mFZJRe0O51/rb4fXGL6QKgnfUiAxdUFzi3vPKqnf20MozSjHLbmA/g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXP193MB2108

Hi,

On 15.01.24 02:15, Daniel P. Smith wrote:

> Commit 933bfc5ad213 introduced the use of a locality counter to control when
> locality request was actually sent to the TPM. This locality counter created a
> hard enforcement that the TPM had no active locality at the time of the driver
> initialization. The reality is that this may not always be the case coupled
> with the fact that the commit indiscriminately decremented the counter created
> the condition for integer underflow of the counter. The underflow was triggered
> by the first pair of request/relinquish calls made in tpm_tis_init_core and all
> subsequent calls to request/relinquished calls would have the counter flipping
> between the underflow value and 0. The result is that it appeared all calls to
> request/relinquish were successful, but they were not. The end result is that
> the locality that was active when the driver loaded would always remain active,
> to include after the driver shutdown. This creates a significant issue when
> using Intel TXT and Locality 2 is active at boot. After the GETSEC[SEXIT]
> instruction is called, the PCH will close access to Locality 2 MMIO address
> space, leaving the TPM locked in Locality 2 with no means to relinquish the
> locality until system reset.
> 
> The commit seeks to address this situation through three changes. The first is
> to walk the localities during initialization and close any open localities to
> ensure the TPM is in the assumed state. Next is to put guards around the
> counter and the requested locality to ensure they remain within valid values.
> The last change is to make the request locality functions be consistent in
> their return values. The functions will either return the locality requested if
> successful or a negative error code.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
> Reported-by: Kanth Ghatraju <kanth.ghatraju@oracle.com>
> Fixes: 933bfc5ad213 ("tpm, tpm: Implement usage counter for locality")
> ---
>  drivers/char/tpm/tpm-chip.c     |  2 +-
>  drivers/char/tpm/tpm_tis_core.c | 20 +++++++++++++++-----
>  include/linux/tpm.h             |  2 ++
>  3 files changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index 42b1062e33cd..e7293f85335a 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -49,7 +49,7 @@ static int tpm_request_locality(struct tpm_chip *chip)
>                 return rc;
> 
>         chip->locality = rc;
> -       return 0;
> +       return chip->locality;
>  }
> 
>  static void tpm_relinquish_locality(struct tpm_chip *chip)
> diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
> index 1b350412d8a6..c8b9b0b199dc 100644
> --- a/drivers/char/tpm/tpm_tis_core.c
> +++ b/drivers/char/tpm/tpm_tis_core.c
> @@ -180,7 +180,8 @@ static int tpm_tis_relinquish_locality(struct tpm_chip *chip, int l)
>         struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
> 
>         mutex_lock(&priv->locality_count_mutex);
> -       priv->locality_count--;
> +       if (priv->locality_count > 0)
> +               priv->locality_count--;
>         if (priv->locality_count == 0)
>                 __tpm_tis_relinquish_locality(priv, l);
>         mutex_unlock(&priv->locality_count_mutex);
> @@ -226,18 +227,21 @@ static int __tpm_tis_request_locality(struct tpm_chip *chip, int l)
>                         tpm_msleep(TPM_TIMEOUT);
>                 } while (time_before(jiffies, stop));
>         }
> -       return -1;
> +       return -EBUSY;

Why do we want to return -EBUSY now? This does not seem to have anything to do with the
issue you are trying to solve.

>  }
> 
>  static int tpm_tis_request_locality(struct tpm_chip *chip, int l)
>  {
>         struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
> -       int ret = 0;
> +       int ret = -EIO;
> +
> +       if (l > TPM_MAX_LOCALITY)
> +               return -EINVAL;

How can it happen that l > TPM_MAX_LOCALITY?

> 
>         mutex_lock(&priv->locality_count_mutex);
>         if (priv->locality_count == 0)
>                 ret = __tpm_tis_request_locality(chip, l);
> -       if (!ret)
> +       if (ret >= 0)
>                 priv->locality_count++;
>         mutex_unlock(&priv->locality_count_mutex);
>         return ret;
> @@ -1108,7 +1112,7 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
>         u32 intmask;
>         u32 clkrun_val;
>         u8 rid;
> -       int rc, probe;
> +       int rc, probe, locality;
>         struct tpm_chip *chip;
> 
>         chip = tpmm_chip_alloc(dev, &tpm_tis);
> @@ -1169,6 +1173,12 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
>                 goto out_err;
>         }
> 
> +       /* It is not safe to assume localities are closed on startup */
> +       for (locality = 0; locality <= TPM_MAX_LOCALITY; locality++) {
> +               if (check_locality(chip, locality))
> +                       tpm_tis_relinquish_locality(chip, locality);
> +       }
> +

wait_startup() already needs a locality, so this has to be done before that function.
Furthermore you can simply use __tpm_tis_relinquish_locality() as there
is not concurrency involved at this point.
With that you can IMHO spare everything else and the complete fix can be broken down to:

		for (i = 0; i <= MAX_LOCALITY; i++)
			__tpm_tis_relinquish_locality(priv, i);


>         /* Take control of the TPM's interrupt hardware and shut it off */
>         rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask);
>         if (rc < 0)
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 4ee9d13749ad..f2651281f02e 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -116,6 +116,8 @@ struct tpm_chip_seqops {
>         const struct seq_operations *seqops;
>  };
> 
> +#define TPM_MAX_LOCALITY               4
> +
>  struct tpm_chip {
>         struct device dev;
>         struct device devs;
> --
> 2.30.2
> 

Regards,
Lino