Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755544AbYJVMsE (ORCPT ); Wed, 22 Oct 2008 08:48:04 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751797AbYJVMry (ORCPT ); Wed, 22 Oct 2008 08:47:54 -0400 Received: from igw2.br.ibm.com ([32.104.18.25]:51241 "EHLO igw2.br.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751771AbYJVMrx (ORCPT ); Wed, 22 Oct 2008 08:47:53 -0400 Subject: Re: [PATCH 1/3] integrity: TPM internel kernel interface From: Rajiv Andrade To: "Serge E. Hallyn" Cc: Mimi Zohar , linux-kernel@vger.kernel.org, James Morris , David Safford , Serge Hallyn In-Reply-To: <20081014222312.GA18343@hallyn.com> References: <20081014222312.GA18343@hallyn.com> Content-Type: text/plain Date: Wed, 22 Oct 2008 10:47:13 -0200 Message-Id: <1224679633.2786.20.camel@dyn536723.br.ibm.com> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 12671 Lines: 374 On Tue, 2008-10-14 at 17:23 -0500, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com): > > The internal TPM kernel interface did not protect itself from > > the removal of the TPM driver, while being used. We continue > > to protect the tpm_chip_list using the driver_lock as before, > > and are using an rcu lock to protect readers. The internal TPM > > I still would like to see this spelled out somewhere - correct me > if I'm wrong but none of the patches sent so far have this spelled > out in in-line comments, do they? > > It does look sane: > > 1. writes to tpm_chip_list are protected by driver_lock > 2. readers of the list are protected by rcu > 3. chips which are read from the tpm_chip_list, if they > are used outside of the rcu_read_lock(), are pinned > using get_device(chip->dev) before releasing the > rcu_read_lock. > > Like I say it looks sane, but something like the above summary > could stand to be in a comment on top of tpm.c or something. > No problem, I'll submit a patch containing a proper comment section to be applied on top of these, maybe after they get accepted. > > kernel interface now protects itself from the driver being > > removed by incrementing the module reference count. > > > > Resubmitting integrity-tpm-internal-kernel-interface.patch, which > > was previously Signed-off-by Kylene Hall. > > Updated per feedback: > > > > Adds the following support: > > - make internal kernel interface to transmit TPM commands global > > - adds reading a pcr value > > - adds extending a pcr value > > - adds lookup the tpm_chip for given chip number and type > > > > Signed-off-by: Mimi Zohar > > Signed-off-by: Rajiv Andrade > > Now there are other, existing callers of tpm_transmit. Are they > all protected by sysfs pinning the kobject and thereby the device, > for the duration of the call? > They aren't called through sysfs, but are still protected. These new functions get chip data consistently by using rcu_read. Then, after computing what's intended to be written back to the chip, tpm_transmit sends the new data while using tpm_mutex, so both operations are performed without the risk of a race condition. > thanks, > -serge > > > --- > > diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c > > index 1fee703..bcef771 100644 > > --- a/drivers/char/tpm/tpm.c > > +++ b/drivers/char/tpm/tpm.c > > @@ -1,11 +1,12 @@ > > /* > > - * Copyright (C) 2004 IBM Corporation > > + * Copyright (C) 2004,2007,2008 IBM Corporation > > * > > * Authors: > > * Leendert van Doorn > > * Dave Safford > > * Reiner Sailer > > * Kylene Hall > > + * Debora Velarde > > * > > * Maintained by: > > * > > @@ -28,6 +29,14 @@ > > #include > > #include > > > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > #include "tpm.h" > > > > enum tpm_const { > > @@ -50,6 +59,8 @@ enum tpm_duration { > > static LIST_HEAD(tpm_chip_list); > > static DEFINE_SPINLOCK(driver_lock); > > static DECLARE_BITMAP(dev_mask, TPM_NUM_DEVICES); > > +#define TPM_CHIP_NUM_MASK 0x0000ffff > > +#define TPM_CHIP_TYPE_SHIFT 16 > > > > /* > > * Array with one entry per ordinal defining the maximum amount > > @@ -366,8 +377,7 @@ EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); > > /* > > * Internal kernel interface to transmit TPM commands > > */ > > -static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, > > - size_t bufsiz) > > +ssize_t tpm_transmit(struct tpm_chip *chip, char *buf, size_t bufsiz) > > { > > ssize_t rc; > > u32 count, ordinal; > > @@ -425,6 +435,7 @@ out: > > mutex_unlock(&chip->tpm_mutex); > > return rc; > > } > > +EXPORT_SYMBOL_GPL(tpm_transmit); > > > > #define TPM_DIGEST_SIZE 20 > > #define TPM_ERROR_SIZE 10 > > @@ -710,6 +721,7 @@ ssize_t tpm_show_temp_deactivated(struct device * dev, > > } > > EXPORT_SYMBOL_GPL(tpm_show_temp_deactivated); > > > > +#define READ_PCR_RESULT_SIZE 30 > > static const u8 pcrread[] = { > > 0, 193, /* TPM_TAG_RQU_COMMAND */ > > 0, 0, 0, 14, /* length */ > > @@ -765,6 +777,128 @@ out: > > } > > EXPORT_SYMBOL_GPL(tpm_show_pcrs); > > > > +/* > > + * tpm_chip_lookup - return tpm_chip for given chip number and type > > + * > > + * Must be called with rcu_read_lock. > > + */ > > +static struct tpm_chip *tpm_chip_lookup(int chip_num, int chip_typ) > > +{ > > + struct tpm_chip *pos; > > + int rc; > > + > > + list_for_each_entry_rcu(pos, &tpm_chip_list, list) { > > + rc = (chip_num == TPM_ANY_NUM || pos->dev_num == chip_num) > > + && (chip_typ == TPM_ANY_TYPE); > > + if (rc) > > + return pos; > > + } > > + return NULL; > > +} > > + > > +/** > > + * tpm_pcr_read - read a pcr value > > + * @chip_id: tpm chip identifier > > + * Upper 2 bytes: ANY, HW_ONLY or SW_ONLY > > + * Lower 2 bytes: tpm idx # or AN& > > + * @pcr_idx: pcr idx to retrieve > > + * @res_buf: TPM_PCR value > > + * size of res_buf is 20 bytes (or NULL if you don't care) > > + * > > + * The TPM driver should be built-in, but for whatever reason it > > + * isn't, protect against the chip disappearing, by incrementing > > + * the module usage count. > > + */ > > +int tpm_pcr_read(u32 chip_id, int pcr_idx, u8 *res_buf) > > +{ > > + u8 data[READ_PCR_RESULT_SIZE]; > > + int rc; > > + __be32 index; > > + int chip_num = chip_id & TPM_CHIP_NUM_MASK; > > + struct tpm_chip *chip; > > + > > + rcu_read_lock(); > > + chip = tpm_chip_lookup(chip_num, chip_id >> TPM_CHIP_TYPE_SHIFT); > > + if (chip == NULL) { > > + rcu_read_unlock(); > > + return -ENODEV; > > + } > > + if (!try_module_get(chip->dev->driver->owner)) { > > + rcu_read_unlock(); > > + return -ENODEV; > > + } > > + rcu_read_unlock(); > > + > > + BUILD_BUG_ON(sizeof(pcrread) > READ_PCR_RESULT_SIZE); > > + memcpy(data, pcrread, sizeof(pcrread)); > > + index = cpu_to_be32(pcr_idx); > > + memcpy(data + 10, &index, 4); > > + rc = tpm_transmit(chip, data, sizeof(data)); > > + if (rc > 0) > > + rc = get_unaligned_be32((__be32 *) (data + 6)); > > + > > + if (rc == 0 && res_buf) > > + memcpy(res_buf, data + 10, TPM_DIGEST_SIZE); > > + > > + module_put(chip->dev->driver->owner); > > + return rc; > > +} > > +EXPORT_SYMBOL_GPL(tpm_pcr_read); > > + > > +#define EXTEND_PCR_SIZE 34 > > +static const u8 pcrextend[] = { > > + 0, 193, /* TPM_TAG_RQU_COMMAND */ > > + 0, 0, 0, 34, /* length */ > > + 0, 0, 0, 20, /* TPM_ORD_Extend */ > > + 0, 0, 0, 0 /* PCR index */ > > +}; > > + > > +/** > > + * tpm_pcr_extend - extend pcr value with hash > > + * @chip_id: tpm chip identifier > > + * Upper 2 bytes: ANY, HW_ONLY or SW_ONLY > > + * Lower 2 bytes: tpm idx # or AN& > > + * @pcr_idx: pcr idx to extend > > + * @hash: hash value used to extend pcr value > > + * > > + * The TPM driver should be built-in, but for whatever reason it > > + * isn't, protect against the chip disappearing, by incrementing > > + * the module usage count. > > + */ > > +int tpm_pcr_extend(u32 chip_id, int pcr_idx, const u8 *hash) > > +{ > > + u8 data[EXTEND_PCR_SIZE]; > > + int rc; > > + __be32 index; > > + int chip_num = chip_id & TPM_CHIP_NUM_MASK; > > + struct tpm_chip *chip; > > + > > + rcu_read_lock(); > > + chip = tpm_chip_lookup(chip_num, chip_id >> TPM_CHIP_TYPE_SHIFT); > > + if (chip == NULL) { > > + rcu_read_unlock(); > > + return -ENODEV; > > + } > > + if (!try_module_get(chip->dev->driver->owner)) { > > + rcu_read_unlock(); > > + return -ENODEV; > > + } > > + rcu_read_unlock(); > > + > > + BUILD_BUG_ON(sizeof(pcrextend) > EXTEND_PCR_SIZE); > > + memcpy(data, pcrextend, sizeof(pcrextend)); > > + index = cpu_to_be32(pcr_idx); > > + memcpy(data + 10, &index, 4); > > + memcpy(data + 14, hash, TPM_DIGEST_SIZE); > > + rc = tpm_transmit(chip, data, sizeof(data)); > > + if (rc > 0) > > + rc = get_unaligned_be32((__be32 *) (data + 6)); > > + > > + module_put(chip->dev->driver->owner); > > + return rc; > > +} > > +EXPORT_SYMBOL_GPL(tpm_pcr_extend); > > + > > #define READ_PUBEK_RESULT_SIZE 314 > > static const u8 readpubek[] = { > > 0, 193, /* TPM_TAG_RQU_COMMAND */ > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > > index 8e30df4..e0ffddb 100644 > > --- a/drivers/char/tpm/tpm.h > > +++ b/drivers/char/tpm/tpm.h > > @@ -1,5 +1,5 @@ > > /* > > - * Copyright (C) 2004 IBM Corporation > > + * Copyright (C) 2004, 2007, 2008 IBM Corporation > > * > > * Authors: > > * Leendert van Doorn > > @@ -26,6 +26,7 @@ > > #include > > #include > > #include > > +#include > > > > enum tpm_timeout { > > TPM_TIMEOUT = 5, /* msecs */ > > @@ -128,6 +129,7 @@ extern void tpm_get_timeouts(struct tpm_chip *); > > extern void tpm_gen_interrupt(struct tpm_chip *); > > extern void tpm_continue_selftest(struct tpm_chip *); > > extern unsigned long tpm_calc_ordinal_duration(struct tpm_chip *, u32); > > +ssize_t tpm_transmit(struct tpm_chip *chip, char *buf, size_t bufsiz); > > extern struct tpm_chip* tpm_register_hardware(struct device *, > > const struct tpm_vendor_specific *); > > extern int tpm_open(struct inode *, struct file *); > > diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c > > index 717af7a..bc26116 100644 > > --- a/drivers/char/tpm/tpm_tis.c > > +++ b/drivers/char/tpm/tpm_tis.c > > @@ -642,6 +642,9 @@ static __devexit void tpm_tis_pnp_remove(struct pnp_dev *dev) > > > > static struct pnp_driver tis_pnp_driver = { > > .name = "tpm_tis", > > + .driver = { > > + .owner = THIS_MODULE, > > + }, > > .id_table = tpm_pnp_tbl, > > .probe = tpm_tis_pnp_init, > > .suspend = tpm_tis_pnp_suspend, > > diff --git a/include/linux/tpm.h b/include/linux/tpm.h > > new file mode 100644 > > index 0000000..355a442 > > --- /dev/null > > +++ b/include/linux/tpm.h > > @@ -0,0 +1,49 @@ > > +/* > > + * Copyright (C) 2004,2007,2008 IBM Corporation > > + * > > + * Authors: > > + * Leendert van Doorn > > + * Dave Safford > > + * Reiner Sailer > > + * Kylene Hall > > + * Debora Velarde > > + * > > + * Maintained by: > > + * > > + * Device driver for TCG/TCPA TPM (trusted platform module). > > + * Specifications at www.trustedcomputinggroup.org > > + * > > + * This program is free software; you can redistribute it and/or > > + * modify it under the terms of the GNU General Public License as > > + * published by the Free Software Foundation, version 2 of the > > + * License. > > + * > > + */ > > +#ifndef __LINUX_TPM_H__ > > +#define __LINUX_TPM_H__ > > + > > +#define PCI_DEVICE_ID_AMD_8111_LPC 0x7468 > > + > > +/* > > + * Chip type is one of these values in the upper two bytes of chip_id > > + */ > > +enum tpm_chip_type { > > + TPM_HW_TYPE = 0x0, > > + TPM_SW_TYPE = 0x1, > > + TPM_ANY_TYPE = 0xFFFF, > > +}; > > + > > +/* > > + * Chip num is this value or a valid tpm idx in lower two bytes of chip_id > > + */ > > +enum tpm_chip_num { > > + TPM_ANY_NUM = 0xFFFF, > > +}; > > + > > + > > +#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) > > + > > +extern int tpm_pcr_read(u32 chip_id, int pcr_idx, u8 *res_buf); > > +extern int tpm_pcr_extend(u32 chip_id, int pcr_idx, const u8 *hash); > > +#endif > > +#endif > > -- > > 1.5.5.1 > > > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > Please read the FAQ at http://www.tux.org/lkml/ > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- Rajiv Andrade Security Development IBM Linux Technology Center -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/