Date: Fri, 17 May 2024 21:31:15 -0700
From: Eric Biggers
To: Jarkko Sakkinen
Cc: Nícolas F. R. A. Prado, James Bottomley, Ard Biesheuvel, Linux Crypto Mailing List, Herbert Xu, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, regressions@lists.linux.dev, kernel@collabora.com
Subject: Re: [PATCH v8 18/22] tpm: add session encryption protection to tpm2_get_random()
Message-ID: <20240518043115.GA53815@sol.localdomain>
References: <20240429202811.13643-1-James.Bottomley@HansenPartnership.com> <20240429202811.13643-19-James.Bottomley@HansenPartnership.com> <119dc5ed-f159-41be-9dda-1a056f29888d@notapiano> <0f68c283ff4bbb89b8a019d47891f798c6fff287.camel@HansenPartnership.com> <0d260c2f7a9f67ec8bd2305919636678d06000d1.camel@HansenPartnership.com> <66ec985f3ee229135bf748f1b0874d5367a74d7f.camel@HansenPartnership.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Fri, May 17, 2024 at 07:48:48PM +0300, Jarkko Sakkinen wrote:
> On Fri May 17, 2024 at 7:22 PM EEST, Nícolas F. R. A. Prado wrote:
> > On Fri, May 17, 2024 at 07:25:40AM -0700, James Bottomley wrote:
> > > On Fri, 2024-05-17 at 15:43 +0200, Ard Biesheuvel wrote:
> > > > On Fri, 17 May 2024 at 15:35, James Bottomley wrote:
> > > [...]
> > > > > Thanks for the analysis. If I look at how CRYPTO_ECC does it, that
> > > > > selects CRYPTO_RNG_DEFAULT which pulls in CRYPTO_DRBG, so the fix
> > > > > would be the attached. Does that look right to you Ard?
> > > >
> > > > No it doesn't - it's CRYPTO_RNG_DEFAULT not CRYTPO_RNG_DEFAULT :-)
> > > >
> > > > With that fixed,
> > > >
> > > > Acked-by: Ard Biesheuvel
> > >
> > > Erm, oops, sorry about that; so attached is the update.
> > >
> > > James
> > >
> > > ---8>8>8><8<8<8---
> > >
> > > From 2ac337a33e6416ef806e2c692b9239d193e8468f Mon Sep 17 00:00:00 2001
> > > From: James Bottomley
> > > Date: Fri, 17 May 2024 06:29:31 -0700
> > > Subject: [PATCH] tpm: Fix sessions cryptography requirement for Random Numbers
> > > MIME-Version: 1.0
> > > Content-Type: text/plain; charset=UTF-8
> > > Content-Transfer-Encoding: 8bit
> > >
> > > The ECDH code in tpm2-sessions.c requires an initial random number
> > > generator to generate the key pair. If the configuration doesn't have
> > > CONFIG_RNG_DEFAULT, it will try to pull this in as a module (which is
> > > impossible for the early kernel boot where the TPM starts). Fix this
> > > by selecting the required RNG.
> > >
> > > Reported-by: Nícolas F. R. A. Prado
> > > Fixes: 1b6d7f9eb150 ("tpm: add session encryption protection to tpm2_get_random()")
> > > Acked-by: Ard Biesheuvel
> > > Signed-off-by: James Bottomley
> > > ---
> > > drivers/char/tpm/Kconfig | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> > > index 4f83ee7021d0..ecdd3db4be2b 100644
> > > --- a/drivers/char/tpm/Kconfig
> > > +++ b/drivers/char/tpm/Kconfig
> > > @@ -31,6 +31,7 @@ config TCG_TPM2_HMAC > > > bool "Use HMAC and encrypted transactions on the TPM bus" > > > default y > > > select CRYPTO_ECDH > > > + select CRYPTO_RNG_DEFAULT > > > select CRYPTO_LIB_AESCFB > > > select CRYPTO_LIB_SHA256 > > > help > > > -- > > > 2.35.3
> > >
> >
> > Hi James,
> >
> > thanks for the patch. But I actually already had that config enabled builtin. I
> > also had ECDH and DRBG which have been suggested previously:
> >
> > CONFIG_CRYPTO_RNG_DEFAULT=y
> >
> > CONFIG_CRYPTO_DRBG_MENU=y
> > CONFIG_CRYPTO_DRBG_HMAC=y
> > # CONFIG_CRYPTO_DRBG_HASH is not set
> > # CONFIG_CRYPTO_DRBG_CTR is not set
> > CONFIG_CRYPTO_DRBG=y
> >
> > CONFIG_CRYPTO_ECDH=y
> >
> > I've pasted my full config here: http://0x0.st/XPN_.txt
> >
> > Adding a debug print I see that the module that the code tries to load is
> > "crypto-hmac(sha512)". I would have expected to see
> >
> > MODULE_ALIAS_CRYPTO("hmac(sha512)");
> >
> > in crypto/drbg.c, but I don't see it anywhere in the tree. Maybe it is missing?

This is "normal" behavior when the crypto API instantiates a template:

1. drbg.c asks for "hmac(sha512)"
2. The crypto API looks for a direct implementation of "hmac(sha512)". This
   includes requesting a module with alias "crypto-hmac(sha512)".
3. If none is found, the "hmac" template is instantiated instead.

There are two possible fixes for the bug. Either fix ecc_gen_privkey() to just
use get_random_bytes() instead of the weird crypto API RNG, or make
drbg_init_hash_kernel() pass the CRYPTO_NOLOAD flag to crypto_alloc_shash().
Or if the TPM driver could be changed to not need to generate an ECC private key
at probe time, that would also avoid this problem.

- Eric
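Review bot: the commit message attributes the failure to a configuration lacking CONFIG_RNG_DEFAULT, but the symbol the hunk adds under TCG_TPM2_HMAC is CRYPTO_RNG_DEFAULT (the same one the thread says CRYPTO_ECC selects); the message should name the Kconfig symbol the hunk actually selects. More importantly, the reporter's follow-up shows CONFIG_CRYPTO_RNG_DEFAULT=y, CONFIG_CRYPTO_DRBG=y and CONFIG_CRYPTO_ECDH=y already built in with the "crypto-hmac(sha512)" module request still occurring, and Eric's reply explains that request as the crypto API's normal template lookup rather than a missing RNG, so `+ select CRYPTO_RNG_DEFAULT` does not resolve the reported boot-time problem and the Fixes/Reported-by tags overstate what it does. Keeping the select as an explicit dependency of TCG_TPM2_HMAC is reasonable on its own, since the ECDH key generation does need an RNG, but the description should be reduced to that dependency and the actual fix (get_random_bytes() in ecc_gen_privkey(), or CRYPTO_NOLOAD in drbg_init_hash_kernel(), as proposed in the reply) handled separately.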
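Eric's three-step description of the lookup, as an added example that is not part of the original thread and is not kernel code: a user-space C model of the order the crypto API resolves a name in (direct implementation first, then a module request for "crypto-<name>", then template instantiation around the inner algorithm). The registry contents, the request log, the model_* helper names and the MODEL_CRYPTO_NOLOAD constant are constructed for this model; only the lookup order and the role of the CRYPTO_NOLOAD flag come from the message. Running it shows the "crypto-hmac(sha512)" request being issued even though "sha512" and the "hmac" template are both built in, and the NOLOAD flag suppressing it.

```c
/* Added example (not kernel code): a user-space model of the crypto API name
 * lookup order described in the message. The registries, the request log and
 * the model_* names are constructed for illustration, not kernel symbols. */
#include <stdio.h>
#include <string.h>

#define MODEL_CRYPTO_NOLOAD 0x1u   /* stands in for the kernel's CRYPTO_NOLOAD */

enum { NOT_FOUND = 0, DIRECT = 1, INSTANTIATED = 2 };

/* Constructed registry of built-in non-template implementations. There is no
 * direct "hmac(sha512)" entry, only the primitives. */
static const char *const direct_algs[] = { "sha256", "sha512", "aes" };
/* Constructed registry of built-in templates. */
static const char *const templates[] = { "hmac", "cbc" };

/* Log of what request_module() would have been asked for during one lookup. */
static char requests[8][64];
static int nrequests;

int model_request_count(void) { return nrequests; }
const char *model_request(int i) { return i < nrequests ? requests[i] : ""; }

static int in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

static int lookup(const char *name, unsigned flags)
{
    /* Step 1: a direct implementation registered under this exact name. */
    if (in_list(name, direct_algs, sizeof direct_algs / sizeof *direct_algs))
        return DIRECT;

    /* Step 2: no direct match, so (unless NOLOAD) request a module with the
     * alias "crypto-<name>". This happens before any template is considered,
     * which is why the request shows up even with everything built in. */
    if (!(flags & MODEL_CRYPTO_NOLOAD) && nrequests < 8)
        snprintf(requests[nrequests++], sizeof requests[0], "crypto-%s", name);

    /* Step 3: parse "template(inner)" and instantiate the template around the
     * inner algorithm, which is resolved by the same rules (recursively). */
    const char *open = strchr(name, '(');
    const char *close = strrchr(name, ')');
    if (!open || !close || close < open || close[1] != '\0')
        return NOT_FOUND;
    char tmpl[32], inner[32];
    size_t tlen = (size_t)(open - name), ilen = (size_t)(close - open - 1);
    if (tlen == 0 || tlen >= sizeof tmpl || ilen == 0 || ilen >= sizeof inner)
        return NOT_FOUND;
    memcpy(tmpl, name, tlen);
    tmpl[tlen] = '\0';
    memcpy(inner, open + 1, ilen);
    inner[ilen] = '\0';
    if (!in_list(tmpl, templates, sizeof templates / sizeof *templates))
        return NOT_FOUND;
    return lookup(inner, flags) != NOT_FOUND ? INSTANTIATED : NOT_FOUND;
}

/* Entry point: clears the request log, then resolves the name. Returns
 * DIRECT, INSTANTIATED or NOT_FOUND; the log records the module requests. */
int model_lookup(const char *name, unsigned flags)
{
    nrequests = 0;
    return lookup(name, flags);
}

int main(void)
{
    const char *names[] = { "sha512", "hmac(sha512)", "hmac(md5)" };
    for (int pass = 0; pass < 2; pass++) {
        unsigned flags = pass ? MODEL_CRYPTO_NOLOAD : 0;
        printf("flags=%s\n", pass ? "CRYPTO_NOLOAD" : "0");
        for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
            int r = model_lookup(names[i], flags);
            printf("  %-14s -> %s", names[i],
                   r == DIRECT ? "direct" : r == INSTANTIATED ? "template" : "not found");
            for (int j = 0; j < model_request_count(); j++)
                printf(", request_module(\"%s\")", model_request(j));
            printf("\n");
        }
    }
    return 0;
}
```

The point the model makes is the one that matters at probe time: the module request is part of the normal lookup path and is harmless once userspace can answer it, but during early boot, where the thread says the TPM starts, nothing can service it, so the two remedies are to avoid the crypto API RNG for this key generation or to pass CRYPTO_NOLOAD so the lookup proceeds straight to template instantiation.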