tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull tpm updates from James Morris:
- Clean up the transmission flow
Cleaned up the whole transmission flow. Locking of the chip is now
done in the level of tpm_try_get_ops() and tpm_put_ops() instead
taking the chip lock inside tpm_transmit(). The nested calls inside
tpm_transmit(), used with the resource manager, have been refactored
out.
Should make easier to perform more complex transactions with the TPM
without making the subsystem a bigger mess (e.g. encrypted channel
patches by James Bottomley).
- PPI 1.3 support
TPM PPI 1.3 introduces an additional optional command parameter that
may be needed for some commands. Display the parameter if the command
requires such a parameter. Only command 23 (SetPCRBanks) needs one.
The PPI request file will show output like this then:
# echo "23 16" > request
# cat request
23 16
# echo "5" > request
# cat request
5
- Extend all PCR banks in IMA
Instead of static PCR banks array, the array of available PCR banks
is now allocated dynamically. The digests sizes are determined
dynamically using a probe PCR read without relying crypto's static
list of hash algorithms.
This should finally make sealing of measurements in IMA safe and
secure.
- TPM 2.0 selftests
Added a test suite to tools/testing/selftests/tpm2 previously outside
of the kernel tree: https://github.com/jsakkine-intel/tpm2-scripts
* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (37 commits)
tpm/ppi: Enable submission of optional command parameter for PPI 1.3
tpm/ppi: Possibly show command parameter if TPM PPI 1.3 is used
tpm/ppi: Display up to 101 operations as define for version 1.3
tpm/ppi: rename TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1
tpm/ppi: pass function revision ID to tpm_eval_dsm()
tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()
KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()
tpm: move tpm_chip definition to include/linux/tpm.h
tpm: retrieve digest size of unknown algorithms with PCR read
tpm: rename and export tpm2_digest and tpm2_algorithms
tpm: dynamically allocate the allocated_banks array
tpm: remove @flags from tpm_transmit()
tpm: take TPM chip power gating out of tpm_transmit()
tpm: introduce tpm_chip_start() and tpm_chip_stop()
tpm: remove TPM_TRANSMIT_UNLOCKED flag
tpm: use tpm_try_get_ops() in tpm-sysfs.c.
tpm: remove @space from tpm_transmit()
tpm: move TPM space code out of tpm_transmit()
tpm: move tpm_validate_commmand() to tpm2-space.c
tpm: clean up tpm_try_transmit() error handling flow
...
+1875
-743
+16
-25
drivers/char/tpm/eventlog/tpm1.c
+16
-25
drivers/char/tpm/eventlog/tpm1.c
···
74
74
/* returns pointer to start of pos. entry of tcg log */
75
75
static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos)
76
76
{
77
-
loff_t i;
77
+
loff_t i = 0;
78
78
struct tpm_chip *chip = m->private;
79
79
struct tpm_bios_log *log = &chip->log;
80
80
void *addr = log->bios_event_log;
···
83
83
u32 converted_event_size;
84
84
u32 converted_event_type;
85
85
86
-
87
86
/* read over *pos measurements */
88
-
for (i = 0; i < *pos; i++) {
87
+
do {
89
88
event = addr;
89
+
90
+
/* check if current entry is valid */
91
+
if (addr + sizeof(struct tcpa_event) > limit)
92
+
return NULL;
90
93
91
94
converted_event_size =
92
95
do_endian_conversion(event->event_size);
93
96
converted_event_type =
94
97
do_endian_conversion(event->event_type);
95
98
96
-
if ((addr + sizeof(struct tcpa_event)) < limit) {
97
-
if ((converted_event_type == 0) &&
98
-
(converted_event_size == 0))
99
-
return NULL;
100
-
addr += (sizeof(struct tcpa_event) +
101
-
converted_event_size);
102
-
}
103
-
}
99
+
if (((converted_event_type == 0) && (converted_event_size == 0))
100
+
|| ((addr + sizeof(struct tcpa_event) + converted_event_size)
101
+
> limit))
102
+
return NULL;
104
103
105
-
/* now check if current entry is valid */
106
-
if ((addr + sizeof(struct tcpa_event)) >= limit)
107
-
return NULL;
104
+
if (i++ == *pos)
105
+
break;
108
106
109
-
event = addr;
110
-
111
-
converted_event_size = do_endian_conversion(event->event_size);
112
-
converted_event_type = do_endian_conversion(event->event_type);
113
-
114
-
if (((converted_event_type == 0) && (converted_event_size == 0))
115
-
|| ((addr + sizeof(struct tcpa_event) + converted_event_size)
116
-
>= limit))
117
-
return NULL;
107
+
addr += (sizeof(struct tcpa_event) + converted_event_size);
108
+
} while (1);
118
109
119
110
return addr;
120
111
}
···
125
134
v += sizeof(struct tcpa_event) + converted_event_size;
126
135
127
136
/* now check if current entry is valid */
128
-
if ((v + sizeof(struct tcpa_event)) >= limit)
137
+
if ((v + sizeof(struct tcpa_event)) > limit)
129
138
return NULL;
130
139
131
140
event = v;
···
134
143
converted_event_type = do_endian_conversion(event->event_type);
135
144
136
145
if (((converted_event_type == 0) && (converted_event_size == 0)) ||
137
-
((v + sizeof(struct tcpa_event) + converted_event_size) >= limit))
146
+
((v + sizeof(struct tcpa_event) + converted_event_size) > limit))
138
147
return NULL;
139
148
140
149
(*pos)++;
+6
-6
drivers/char/tpm/eventlog/tpm2.c
+6
-6
drivers/char/tpm/eventlog/tpm2.c
···
37
37
*
38
38
* Returns size of the event. If it is an invalid event, returns 0.
39
39
*/
40
-
static int calc_tpm2_event_size(struct tcg_pcr_event2 *event,
40
+
static int calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
41
41
struct tcg_pcr_event *event_header)
42
42
{
43
-
struct tcg_efi_specid_event *efispecid;
43
+
struct tcg_efi_specid_event_head *efispecid;
44
44
struct tcg_event_field *event_field;
45
45
void *marker;
46
46
void *marker_start;
···
55
55
marker = marker + sizeof(event->pcr_idx) + sizeof(event->event_type)
56
56
+ sizeof(event->count);
57
57
58
-
efispecid = (struct tcg_efi_specid_event *)event_header->event;
58
+
efispecid = (struct tcg_efi_specid_event_head *)event_header->event;
59
59
60
60
/* Check if event is malformed. */
61
61
if (event->count > efispecid->num_algs)
···
95
95
void *addr = log->bios_event_log;
96
96
void *limit = log->bios_event_log_end;
97
97
struct tcg_pcr_event *event_header;
98
-
struct tcg_pcr_event2 *event;
98
+
struct tcg_pcr_event2_head *event;
99
99
size_t size;
100
100
int i;
101
101
···
136
136
loff_t *pos)
137
137
{
138
138
struct tcg_pcr_event *event_header;
139
-
struct tcg_pcr_event2 *event;
139
+
struct tcg_pcr_event2_head *event;
140
140
struct tpm_chip *chip = m->private;
141
141
struct tpm_bios_log *log = &chip->log;
142
142
void *limit = log->bios_event_log_end;
···
180
180
struct tpm_chip *chip = m->private;
181
181
struct tpm_bios_log *log = &chip->log;
182
182
struct tcg_pcr_event *event_header = log->bios_event_log;
183
-
struct tcg_pcr_event2 *event = v;
183
+
struct tcg_pcr_event2_head *event = v;
184
184
void *temp_ptr;
185
185
size_t size;
186
186
+1
-1
drivers/char/tpm/st33zp24/i2c.c
+1
-1
drivers/char/tpm/st33zp24/i2c.c
+1
-1
drivers/char/tpm/st33zp24/spi.c
+1
-1
drivers/char/tpm/st33zp24/spi.c
···
63
63
* some latency byte before the answer is available (max 15).
64
64
* We have 2048 + 1024 + 15.
65
65
*/
66
-
#define ST33ZP24_SPI_BUFFER_SIZE (TPM_BUFSIZE + (TPM_BUFSIZE / 2) +\
66
+
#define ST33ZP24_SPI_BUFFER_SIZE (ST33ZP24_BUFSIZE + (ST33ZP24_BUFSIZE / 2) +\
67
67
MAX_SPI_LATENCY)
68
68
69
69
+1
-1
drivers/char/tpm/st33zp24/st33zp24.c
+1
-1
drivers/char/tpm/st33zp24/st33zp24.c
+2
-2
drivers/char/tpm/st33zp24/st33zp24.h
+2
-2
drivers/char/tpm/st33zp24/st33zp24.h
+121
-3
drivers/char/tpm/tpm-chip.c
+121
-3
drivers/char/tpm/tpm-chip.c
···
37
37
struct class *tpmrm_class;
38
38
dev_t tpm_devt;
39
39
40
+
static int tpm_request_locality(struct tpm_chip *chip)
41
+
{
42
+
int rc;
43
+
44
+
if (!chip->ops->request_locality)
45
+
return 0;
46
+
47
+
rc = chip->ops->request_locality(chip, 0);
48
+
if (rc < 0)
49
+
return rc;
50
+
51
+
chip->locality = rc;
52
+
return 0;
53
+
}
54
+
55
+
static void tpm_relinquish_locality(struct tpm_chip *chip)
56
+
{
57
+
int rc;
58
+
59
+
if (!chip->ops->relinquish_locality)
60
+
return;
61
+
62
+
rc = chip->ops->relinquish_locality(chip, chip->locality);
63
+
if (rc)
64
+
dev_err(&chip->dev, "%s: : error %d\n", __func__, rc);
65
+
66
+
chip->locality = -1;
67
+
}
68
+
69
+
static int tpm_cmd_ready(struct tpm_chip *chip)
70
+
{
71
+
if (!chip->ops->cmd_ready)
72
+
return 0;
73
+
74
+
return chip->ops->cmd_ready(chip);
75
+
}
76
+
77
+
static int tpm_go_idle(struct tpm_chip *chip)
78
+
{
79
+
if (!chip->ops->go_idle)
80
+
return 0;
81
+
82
+
return chip->ops->go_idle(chip);
83
+
}
84
+
85
+
/**
86
+
* tpm_chip_start() - power on the TPM
87
+
* @chip: a TPM chip to use
88
+
*
89
+
* Return:
90
+
* * The response length - OK
91
+
* * -errno - A system error
92
+
*/
93
+
int tpm_chip_start(struct tpm_chip *chip)
94
+
{
95
+
int ret;
96
+
97
+
if (chip->ops->clk_enable)
98
+
chip->ops->clk_enable(chip, true);
99
+
100
+
if (chip->locality == -1) {
101
+
ret = tpm_request_locality(chip);
102
+
if (ret) {
103
+
chip->ops->clk_enable(chip, false);
104
+
return ret;
105
+
}
106
+
}
107
+
108
+
ret = tpm_cmd_ready(chip);
109
+
if (ret) {
110
+
tpm_relinquish_locality(chip);
111
+
if (chip->ops->clk_enable)
112
+
chip->ops->clk_enable(chip, false);
113
+
return ret;
114
+
}
115
+
116
+
return 0;
117
+
}
118
+
EXPORT_SYMBOL_GPL(tpm_chip_start);
119
+
120
+
/**
121
+
* tpm_chip_stop() - power off the TPM
122
+
* @chip: a TPM chip to use
123
+
*
124
+
* Return:
125
+
* * The response length - OK
126
+
* * -errno - A system error
127
+
*/
128
+
void tpm_chip_stop(struct tpm_chip *chip)
129
+
{
130
+
tpm_go_idle(chip);
131
+
tpm_relinquish_locality(chip);
132
+
if (chip->ops->clk_enable)
133
+
chip->ops->clk_enable(chip, false);
134
+
}
135
+
EXPORT_SYMBOL_GPL(tpm_chip_stop);
136
+
40
137
/**
41
138
* tpm_try_get_ops() - Get a ref to the tpm_chip
42
139
* @chip: Chip to ref
···
153
56
154
57
down_read(&chip->ops_sem);
155
58
if (!chip->ops)
59
+
goto out_ops;
60
+
61
+
mutex_lock(&chip->tpm_mutex);
62
+
rc = tpm_chip_start(chip);
63
+
if (rc)
156
64
goto out_lock;
157
65
158
66
return 0;
159
67
out_lock:
68
+
mutex_unlock(&chip->tpm_mutex);
69
+
out_ops:
160
70
up_read(&chip->ops_sem);
161
71
put_device(&chip->dev);
162
72
return rc;
···
179
75
*/
180
76
void tpm_put_ops(struct tpm_chip *chip)
181
77
{
78
+
tpm_chip_stop(chip);
79
+
mutex_unlock(&chip->tpm_mutex);
182
80
up_read(&chip->ops_sem);
183
81
put_device(&chip->dev);
184
82
}
···
266
160
kfree(chip->log.bios_event_log);
267
161
kfree(chip->work_space.context_buf);
268
162
kfree(chip->work_space.session_buf);
163
+
kfree(chip->allocated_banks);
269
164
kfree(chip);
270
165
}
271
166
···
296
189
297
190
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
298
191
down_write(&chip->ops_sem);
299
-
tpm2_shutdown(chip, TPM2_SU_CLEAR);
192
+
if (!tpm_chip_start(chip)) {
193
+
tpm2_shutdown(chip, TPM2_SU_CLEAR);
194
+
tpm_chip_stop(chip);
195
+
}
300
196
chip->ops = NULL;
301
197
up_write(&chip->ops_sem);
302
198
}
···
478
368
479
369
/* Make the driver uncallable. */
480
370
down_write(&chip->ops_sem);
481
-
if (chip->flags & TPM_CHIP_FLAG_TPM2)
482
-
tpm2_shutdown(chip, TPM2_SU_CLEAR);
371
+
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
372
+
if (!tpm_chip_start(chip)) {
373
+
tpm2_shutdown(chip, TPM2_SU_CLEAR);
374
+
tpm_chip_stop(chip);
375
+
}
376
+
}
483
377
chip->ops = NULL;
484
378
up_write(&chip->ops_sem);
485
379
}
···
565
451
{
566
452
int rc;
567
453
454
+
rc = tpm_chip_start(chip);
455
+
if (rc)
456
+
return rc;
568
457
rc = tpm_auto_startup(chip);
458
+
tpm_chip_stop(chip);
569
459
if (rc)
570
460
return rc;
571
461
+37
-7
drivers/char/tpm/tpm-dev-common.c
+37
-7
drivers/char/tpm/tpm-dev-common.c
···
27
27
static struct workqueue_struct *tpm_dev_wq;
28
28
static DEFINE_MUTEX(tpm_dev_wq_lock);
29
29
30
-
static void tpm_async_work(struct work_struct *work)
30
+
static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
31
+
u8 *buf, size_t bufsiz)
32
+
{
33
+
struct tpm_header *header = (void *)buf;
34
+
ssize_t ret, len;
35
+
36
+
ret = tpm2_prepare_space(chip, space, buf, bufsiz);
37
+
/* If the command is not implemented by the TPM, synthesize a
38
+
* response with a TPM2_RC_COMMAND_CODE return for user-space.
39
+
*/
40
+
if (ret == -EOPNOTSUPP) {
41
+
header->length = cpu_to_be32(sizeof(*header));
42
+
header->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
43
+
header->return_code = cpu_to_be32(TPM2_RC_COMMAND_CODE |
44
+
TSS2_RESMGR_TPM_RC_LAYER);
45
+
ret = sizeof(*header);
46
+
}
47
+
if (ret)
48
+
goto out_rc;
49
+
50
+
len = tpm_transmit(chip, buf, bufsiz);
51
+
if (len < 0)
52
+
ret = len;
53
+
54
+
if (!ret)
55
+
ret = tpm2_commit_space(chip, space, buf, &len);
56
+
57
+
out_rc:
58
+
return ret ? ret : len;
59
+
}
60
+
61
+
static void tpm_dev_async_work(struct work_struct *work)
31
62
{
32
63
struct file_priv *priv =
33
64
container_of(work, struct file_priv, async_work);
···
66
35
67
36
mutex_lock(&priv->buffer_mutex);
68
37
priv->command_enqueued = false;
69
-
ret = tpm_transmit(priv->chip, priv->space, priv->data_buffer,
70
-
sizeof(priv->data_buffer), 0);
71
-
38
+
ret = tpm_dev_transmit(priv->chip, priv->space, priv->data_buffer,
39
+
sizeof(priv->data_buffer));
72
40
tpm_put_ops(priv->chip);
73
41
if (ret > 0) {
74
42
priv->response_length = ret;
···
110
80
mutex_init(&priv->buffer_mutex);
111
81
timer_setup(&priv->user_read_timer, user_reader_timeout, 0);
112
82
INIT_WORK(&priv->timeout_work, tpm_timeout_work);
113
-
INIT_WORK(&priv->async_work, tpm_async_work);
83
+
INIT_WORK(&priv->async_work, tpm_dev_async_work);
114
84
init_waitqueue_head(&priv->async_wait);
115
85
file->private_data = priv;
116
86
}
···
213
183
return size;
214
184
}
215
185
216
-
ret = tpm_transmit(priv->chip, priv->space, priv->data_buffer,
217
-
sizeof(priv->data_buffer), 0);
186
+
ret = tpm_dev_transmit(priv->chip, priv->space, priv->data_buffer,
187
+
sizeof(priv->data_buffer));
218
188
tpm_put_ops(priv->chip);
219
189
220
190
if (ret > 0) {
+82
-245
drivers/char/tpm/tpm-interface.c
+82
-245
drivers/char/tpm/tpm-interface.c
···
62
62
}
63
63
EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration);
64
64
65
-
static int tpm_validate_command(struct tpm_chip *chip,
66
-
struct tpm_space *space,
67
-
const u8 *cmd,
68
-
size_t len)
65
+
static ssize_t tpm_try_transmit(struct tpm_chip *chip, void *buf, size_t bufsiz)
69
66
{
70
-
const struct tpm_input_header *header = (const void *)cmd;
71
-
int i;
72
-
u32 cc;
73
-
u32 attrs;
74
-
unsigned int nr_handles;
75
-
76
-
if (len < TPM_HEADER_SIZE)
77
-
return -EINVAL;
78
-
79
-
if (!space)
80
-
return 0;
81
-
82
-
if (chip->flags & TPM_CHIP_FLAG_TPM2 && chip->nr_commands) {
83
-
cc = be32_to_cpu(header->ordinal);
84
-
85
-
i = tpm2_find_cc(chip, cc);
86
-
if (i < 0) {
87
-
dev_dbg(&chip->dev, "0x%04X is an invalid command\n",
88
-
cc);
89
-
return -EOPNOTSUPP;
90
-
}
91
-
92
-
attrs = chip->cc_attrs_tbl[i];
93
-
nr_handles =
94
-
4 * ((attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0));
95
-
if (len < TPM_HEADER_SIZE + 4 * nr_handles)
96
-
goto err_len;
97
-
}
98
-
99
-
return 0;
100
-
err_len:
101
-
dev_dbg(&chip->dev,
102
-
"%s: insufficient command length %zu", __func__, len);
103
-
return -EINVAL;
104
-
}
105
-
106
-
static int tpm_request_locality(struct tpm_chip *chip, unsigned int flags)
107
-
{
108
-
int rc;
109
-
110
-
if (flags & TPM_TRANSMIT_NESTED)
111
-
return 0;
112
-
113
-
if (!chip->ops->request_locality)
114
-
return 0;
115
-
116
-
rc = chip->ops->request_locality(chip, 0);
117
-
if (rc < 0)
118
-
return rc;
119
-
120
-
chip->locality = rc;
121
-
122
-
return 0;
123
-
}
124
-
125
-
static void tpm_relinquish_locality(struct tpm_chip *chip, unsigned int flags)
126
-
{
127
-
int rc;
128
-
129
-
if (flags & TPM_TRANSMIT_NESTED)
130
-
return;
131
-
132
-
if (!chip->ops->relinquish_locality)
133
-
return;
134
-
135
-
rc = chip->ops->relinquish_locality(chip, chip->locality);
136
-
if (rc)
137
-
dev_err(&chip->dev, "%s: : error %d\n", __func__, rc);
138
-
139
-
chip->locality = -1;
140
-
}
141
-
142
-
static int tpm_cmd_ready(struct tpm_chip *chip, unsigned int flags)
143
-
{
144
-
if (flags & TPM_TRANSMIT_NESTED)
145
-
return 0;
146
-
147
-
if (!chip->ops->cmd_ready)
148
-
return 0;
149
-
150
-
return chip->ops->cmd_ready(chip);
151
-
}
152
-
153
-
static int tpm_go_idle(struct tpm_chip *chip, unsigned int flags)
154
-
{
155
-
if (flags & TPM_TRANSMIT_NESTED)
156
-
return 0;
157
-
158
-
if (!chip->ops->go_idle)
159
-
return 0;
160
-
161
-
return chip->ops->go_idle(chip);
162
-
}
163
-
164
-
static ssize_t tpm_try_transmit(struct tpm_chip *chip,
165
-
struct tpm_space *space,
166
-
u8 *buf, size_t bufsiz,
167
-
unsigned int flags)
168
-
{
169
-
struct tpm_output_header *header = (void *)buf;
67
+
struct tpm_header *header = buf;
170
68
int rc;
171
69
ssize_t len = 0;
172
70
u32 count, ordinal;
173
71
unsigned long stop;
174
-
bool need_locality;
175
72
176
-
rc = tpm_validate_command(chip, space, buf, bufsiz);
177
-
if (rc == -EINVAL)
178
-
return rc;
179
-
/*
180
-
* If the command is not implemented by the TPM, synthesize a
181
-
* response with a TPM2_RC_COMMAND_CODE return for user-space.
182
-
*/
183
-
if (rc == -EOPNOTSUPP) {
184
-
header->length = cpu_to_be32(sizeof(*header));
185
-
header->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
186
-
header->return_code = cpu_to_be32(TPM2_RC_COMMAND_CODE |
187
-
TSS2_RESMGR_TPM_RC_LAYER);
188
-
return sizeof(*header);
189
-
}
73
+
if (bufsiz < TPM_HEADER_SIZE)
74
+
return -EINVAL;
190
75
191
76
if (bufsiz > TPM_BUFSIZE)
192
77
bufsiz = TPM_BUFSIZE;
193
78
194
-
count = be32_to_cpu(*((__be32 *) (buf + 2)));
195
-
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
79
+
count = be32_to_cpu(header->length);
80
+
ordinal = be32_to_cpu(header->ordinal);
196
81
if (count == 0)
197
82
return -ENODATA;
198
83
if (count > bufsiz) {
···
86
201
return -E2BIG;
87
202
}
88
203
89
-
if (!(flags & TPM_TRANSMIT_UNLOCKED) && !(flags & TPM_TRANSMIT_NESTED))
90
-
mutex_lock(&chip->tpm_mutex);
91
-
92
-
if (chip->ops->clk_enable != NULL)
93
-
chip->ops->clk_enable(chip, true);
94
-
95
-
/* Store the decision as chip->locality will be changed. */
96
-
need_locality = chip->locality == -1;
97
-
98
-
if (need_locality) {
99
-
rc = tpm_request_locality(chip, flags);
100
-
if (rc < 0) {
101
-
need_locality = false;
102
-
goto out_locality;
103
-
}
104
-
}
105
-
106
-
rc = tpm_cmd_ready(chip, flags);
107
-
if (rc)
108
-
goto out_locality;
109
-
110
-
rc = tpm2_prepare_space(chip, space, ordinal, buf);
111
-
if (rc)
112
-
goto out;
113
-
114
204
rc = chip->ops->send(chip, buf, count);
115
205
if (rc < 0) {
116
206
if (rc != -EPIPE)
117
207
dev_err(&chip->dev,
118
-
"%s: tpm_send: error %d\n", __func__, rc);
119
-
goto out;
208
+
"%s: send(): error %d\n", __func__, rc);
209
+
return rc;
210
+
}
211
+
212
+
/* A sanity check. send() should just return zero on success e.g.
213
+
* not the command length.
214
+
*/
215
+
if (rc > 0) {
216
+
dev_warn(&chip->dev,
217
+
"%s: send(): invalid value %d\n", __func__, rc);
218
+
rc = 0;
120
219
}
121
220
122
221
if (chip->flags & TPM_CHIP_FLAG_IRQ)
···
115
246
116
247
if (chip->ops->req_canceled(chip, status)) {
117
248
dev_err(&chip->dev, "Operation Canceled\n");
118
-
rc = -ECANCELED;
119
-
goto out;
249
+
return -ECANCELED;
120
250
}
121
251
122
252
tpm_msleep(TPM_TIMEOUT_POLL);
···
124
256
125
257
chip->ops->cancel(chip);
126
258
dev_err(&chip->dev, "Operation Timed out\n");
127
-
rc = -ETIME;
128
-
goto out;
259
+
return -ETIME;
129
260
130
261
out_recv:
131
262
len = chip->ops->recv(chip, buf, bufsiz);
132
263
if (len < 0) {
133
264
rc = len;
134
-
dev_err(&chip->dev,
135
-
"tpm_transmit: tpm_recv: error %d\n", rc);
136
-
goto out;
137
-
} else if (len < TPM_HEADER_SIZE) {
265
+
dev_err(&chip->dev, "tpm_transmit: tpm_recv: error %d\n", rc);
266
+
} else if (len < TPM_HEADER_SIZE || len != be32_to_cpu(header->length))
138
267
rc = -EFAULT;
139
-
goto out;
140
-
}
141
268
142
-
if (len != be32_to_cpu(header->length)) {
143
-
rc = -EFAULT;
144
-
goto out;
145
-
}
146
-
147
-
rc = tpm2_commit_space(chip, space, ordinal, buf, &len);
148
-
if (rc)
149
-
dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc);
150
-
151
-
out:
152
-
/* may fail but do not override previous error value in rc */
153
-
tpm_go_idle(chip, flags);
154
-
155
-
out_locality:
156
-
if (need_locality)
157
-
tpm_relinquish_locality(chip, flags);
158
-
159
-
if (chip->ops->clk_enable != NULL)
160
-
chip->ops->clk_enable(chip, false);
161
-
162
-
if (!(flags & TPM_TRANSMIT_UNLOCKED) && !(flags & TPM_TRANSMIT_NESTED))
163
-
mutex_unlock(&chip->tpm_mutex);
164
269
return rc ? rc : len;
165
270
}
166
271
167
272
/**
168
273
* tpm_transmit - Internal kernel interface to transmit TPM commands.
274
+
* @chip: a TPM chip to use
275
+
* @buf: a TPM command buffer
276
+
* @bufsiz: length of the TPM command buffer
169
277
*
170
-
* @chip: TPM chip to use
171
-
* @space: tpm space
172
-
* @buf: TPM command buffer
173
-
* @bufsiz: length of the TPM command buffer
174
-
* @flags: tpm transmit flags - bitmap
278
+
* A wrapper around tpm_try_transmit() that handles TPM2_RC_RETRY returns from
279
+
* the TPM and retransmits the command after a delay up to a maximum wait of
280
+
* TPM2_DURATION_LONG.
175
281
*
176
-
* A wrapper around tpm_try_transmit that handles TPM2_RC_RETRY
177
-
* returns from the TPM and retransmits the command after a delay up
178
-
* to a maximum wait of TPM2_DURATION_LONG.
179
-
*
180
-
* Note: TPM1 never returns TPM2_RC_RETRY so the retry logic is TPM2
181
-
* only
282
+
* Note that TPM 1.x never returns TPM2_RC_RETRY so the retry logic is TPM 2.0
283
+
* only.
182
284
*
183
285
* Return:
184
-
* the length of the return when the operation is successful.
185
-
* A negative number for system errors (errno).
286
+
* * The response length - OK
287
+
* * -errno - A system error
186
288
*/
187
-
ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
188
-
u8 *buf, size_t bufsiz, unsigned int flags)
289
+
ssize_t tpm_transmit(struct tpm_chip *chip, u8 *buf, size_t bufsiz)
189
290
{
190
-
struct tpm_output_header *header = (struct tpm_output_header *)buf;
291
+
struct tpm_header *header = (struct tpm_header *)buf;
191
292
/* space for header and handles */
192
293
u8 save[TPM_HEADER_SIZE + 3*sizeof(u32)];
193
294
unsigned int delay_msec = TPM2_DURATION_SHORT;
194
295
u32 rc = 0;
195
296
ssize_t ret;
196
-
const size_t save_size = min(space ? sizeof(save) : TPM_HEADER_SIZE,
197
-
bufsiz);
297
+
const size_t save_size = min(sizeof(save), bufsiz);
198
298
/* the command code is where the return code will be */
199
299
u32 cc = be32_to_cpu(header->return_code);
200
300
···
174
338
memcpy(save, buf, save_size);
175
339
176
340
for (;;) {
177
-
ret = tpm_try_transmit(chip, space, buf, bufsiz, flags);
341
+
ret = tpm_try_transmit(chip, buf, bufsiz);
178
342
if (ret < 0)
179
343
break;
180
344
rc = be32_to_cpu(header->return_code);
···
201
365
}
202
366
return ret;
203
367
}
368
+
204
369
/**
205
370
* tpm_transmit_cmd - send a tpm command to the device
206
-
* The function extracts tpm out header return code
207
-
*
208
-
* @chip: TPM chip to use
209
-
* @space: tpm space
210
-
* @buf: TPM command buffer
211
-
* @bufsiz: length of the buffer
212
-
* @min_rsp_body_length: minimum expected length of response body
213
-
* @flags: tpm transmit flags - bitmap
214
-
* @desc: command description used in the error message
371
+
* @chip: a TPM chip to use
372
+
* @buf: a TPM command buffer
373
+
* @min_rsp_body_length: minimum expected length of response body
374
+
* @desc: command description used in the error message
215
375
*
216
376
* Return:
217
-
* 0 when the operation is successful.
218
-
* A negative number for system errors (errno).
219
-
* A positive number for a TPM error.
377
+
* * 0 - OK
378
+
* * -errno - A system error
379
+
* * TPM_RC - A TPM error
220
380
*/
221
-
ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_space *space,
222
-
void *buf, size_t bufsiz,
223
-
size_t min_rsp_body_length, unsigned int flags,
224
-
const char *desc)
381
+
ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_buf *buf,
382
+
size_t min_rsp_body_length, const char *desc)
225
383
{
226
-
const struct tpm_output_header *header = buf;
384
+
const struct tpm_header *header = (struct tpm_header *)buf->data;
227
385
int err;
228
386
ssize_t len;
229
387
230
-
len = tpm_transmit(chip, space, buf, bufsiz, flags);
388
+
len = tpm_transmit(chip, buf->data, PAGE_SIZE);
231
389
if (len < 0)
232
390
return len;
233
391
234
392
err = be32_to_cpu(header->return_code);
235
393
if (err != 0 && err != TPM_ERR_DISABLED && err != TPM_ERR_DEACTIVATED
236
-
&& desc)
394
+
&& err != TPM2_RC_TESTING && desc)
237
395
dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err,
238
396
desc);
239
397
if (err)
···
281
451
* tpm_pcr_read - read a PCR value from SHA1 bank
282
452
* @chip: a &struct tpm_chip instance, %NULL for the default chip
283
453
* @pcr_idx: the PCR to be retrieved
284
-
* @res_buf: the value of the PCR
454
+
* @digest: the PCR bank and buffer current PCR value is written to
285
455
*
286
456
* Return: same as with tpm_transmit_cmd()
287
457
*/
288
-
int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
458
+
int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
459
+
struct tpm_digest *digest)
289
460
{
290
461
int rc;
291
462
···
295
464
return -ENODEV;
296
465
297
466
if (chip->flags & TPM_CHIP_FLAG_TPM2)
298
-
rc = tpm2_pcr_read(chip, pcr_idx, res_buf);
467
+
rc = tpm2_pcr_read(chip, pcr_idx, digest, NULL);
299
468
else
300
-
rc = tpm1_pcr_read(chip, pcr_idx, res_buf);
469
+
rc = tpm1_pcr_read(chip, pcr_idx, digest->digest);
301
470
302
471
tpm_put_ops(chip);
303
472
return rc;
···
308
477
* tpm_pcr_extend - extend a PCR value in SHA1 bank.
309
478
* @chip: a &struct tpm_chip instance, %NULL for the default chip
310
479
* @pcr_idx: the PCR to be retrieved
311
-
* @hash: the hash value used to extend the PCR value
480
+
* @digests: array of tpm_digest structures used to extend PCRs
312
481
*
313
-
* Note: with TPM 2.0 extends also those banks with a known digest size to the
314
-
* cryto subsystem in order to prevent malicious use of those PCR banks. In the
315
-
* future we should dynamically determine digest sizes.
482
+
* Note: callers must pass a digest for every allocated PCR bank, in the same
483
+
* order of the banks in chip->allocated_banks.
316
484
*
317
485
* Return: same as with tpm_transmit_cmd()
318
486
*/
319
-
int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash)
487
+
int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
488
+
struct tpm_digest *digests)
320
489
{
321
490
int rc;
322
-
struct tpm2_digest digest_list[ARRAY_SIZE(chip->active_banks)];
323
-
u32 count = 0;
324
491
int i;
325
492
326
493
chip = tpm_find_get_ops(chip);
327
494
if (!chip)
328
495
return -ENODEV;
329
496
497
+
for (i = 0; i < chip->nr_allocated_banks; i++)
498
+
if (digests[i].alg_id != chip->allocated_banks[i].alg_id)
499
+
return -EINVAL;
500
+
330
501
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
331
-
memset(digest_list, 0, sizeof(digest_list));
332
-
333
-
for (i = 0; i < ARRAY_SIZE(chip->active_banks) &&
334
-
chip->active_banks[i] != TPM2_ALG_ERROR; i++) {
335
-
digest_list[i].alg_id = chip->active_banks[i];
336
-
memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
337
-
count++;
338
-
}
339
-
340
-
rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
502
+
rc = tpm2_pcr_extend(chip, pcr_idx, digests);
341
503
tpm_put_ops(chip);
342
504
return rc;
343
505
}
344
506
345
-
rc = tpm1_pcr_extend(chip, pcr_idx, hash,
507
+
rc = tpm1_pcr_extend(chip, pcr_idx, digests[0].digest,
346
508
"attempting extend a PCR value");
347
509
tpm_put_ops(chip);
348
510
return rc;
···
352
528
*/
353
529
int tpm_send(struct tpm_chip *chip, void *cmd, size_t buflen)
354
530
{
531
+
struct tpm_buf buf;
355
532
int rc;
356
533
357
534
chip = tpm_find_get_ops(chip);
358
535
if (!chip)
359
536
return -ENODEV;
360
537
361
-
rc = tpm_transmit_cmd(chip, NULL, cmd, buflen, 0, 0,
362
-
"attempting to a send a command");
538
+
rc = tpm_buf_init(&buf, 0, 0);
539
+
if (rc)
540
+
goto out;
541
+
542
+
memcpy(buf.data, cmd, buflen);
543
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to a send a command");
544
+
tpm_buf_destroy(&buf);
545
+
out:
363
546
tpm_put_ops(chip);
364
547
return rc;
365
548
}
···
402
571
if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED)
403
572
return 0;
404
573
405
-
if (chip->flags & TPM_CHIP_FLAG_TPM2)
406
-
tpm2_shutdown(chip, TPM2_SU_STATE);
407
-
else
574
+
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
575
+
mutex_lock(&chip->tpm_mutex);
576
+
if (!tpm_chip_start(chip)) {
577
+
tpm2_shutdown(chip, TPM2_SU_STATE);
578
+
tpm_chip_stop(chip);
579
+
}
580
+
mutex_unlock(&chip->tpm_mutex);
581
+
} else {
408
582
rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
583
+
}
409
584
410
585
return rc;
411
586
}
+84
-54
drivers/char/tpm/tpm-sysfs.c
+84
-54
drivers/char/tpm/tpm-sysfs.c
···
39
39
{
40
40
struct tpm_buf tpm_buf;
41
41
struct tpm_readpubek_out *out;
42
-
ssize_t rc;
43
42
int i;
44
43
char *str = buf;
45
44
struct tpm_chip *chip = to_tpm_chip(dev);
···
46
47
47
48
memset(&anti_replay, 0, sizeof(anti_replay));
48
49
49
-
rc = tpm_buf_init(&tpm_buf, TPM_TAG_RQU_COMMAND, TPM_ORD_READPUBEK);
50
-
if (rc)
51
-
return rc;
50
+
if (tpm_try_get_ops(chip))
51
+
return 0;
52
+
53
+
if (tpm_buf_init(&tpm_buf, TPM_TAG_RQU_COMMAND, TPM_ORD_READPUBEK))
54
+
goto out_ops;
52
55
53
56
tpm_buf_append(&tpm_buf, anti_replay, sizeof(anti_replay));
54
57
55
-
rc = tpm_transmit_cmd(chip, NULL, tpm_buf.data, PAGE_SIZE,
56
-
READ_PUBEK_RESULT_MIN_BODY_SIZE, 0,
57
-
"attempting to read the PUBEK");
58
-
if (rc) {
59
-
tpm_buf_destroy(&tpm_buf);
60
-
return 0;
61
-
}
58
+
if (tpm_transmit_cmd(chip, &tpm_buf, READ_PUBEK_RESULT_MIN_BODY_SIZE,
59
+
"attempting to read the PUBEK"))
60
+
goto out_buf;
62
61
63
62
out = (struct tpm_readpubek_out *)&tpm_buf.data[10];
64
63
str +=
···
87
90
str += sprintf(str, "\n");
88
91
}
89
92
90
-
rc = str - buf;
93
+
out_buf:
91
94
tpm_buf_destroy(&tpm_buf);
92
-
return rc;
95
+
out_ops:
96
+
tpm_put_ops(chip);
97
+
return str - buf;
93
98
}
94
99
static DEVICE_ATTR_RO(pubek);
95
100
···
100
101
{
101
102
cap_t cap;
102
103
u8 digest[TPM_DIGEST_SIZE];
103
-
ssize_t rc;
104
104
u32 i, j, num_pcrs;
105
105
char *str = buf;
106
106
struct tpm_chip *chip = to_tpm_chip(dev);
107
107
108
-
rc = tpm1_getcap(chip, TPM_CAP_PROP_PCR, &cap,
109
-
"attempting to determine the number of PCRS",
110
-
sizeof(cap.num_pcrs));
111
-
if (rc)
108
+
if (tpm_try_get_ops(chip))
112
109
return 0;
110
+
111
+
if (tpm1_getcap(chip, TPM_CAP_PROP_PCR, &cap,
112
+
"attempting to determine the number of PCRS",
113
+
sizeof(cap.num_pcrs))) {
114
+
tpm_put_ops(chip);
115
+
return 0;
116
+
}
113
117
114
118
num_pcrs = be32_to_cpu(cap.num_pcrs);
115
119
for (i = 0; i < num_pcrs; i++) {
116
-
rc = tpm1_pcr_read(chip, i, digest);
117
-
if (rc)
120
+
if (tpm1_pcr_read(chip, i, digest)) {
121
+
str = buf;
118
122
break;
123
+
}
119
124
str += sprintf(str, "PCR-%02d: ", i);
120
125
for (j = 0; j < TPM_DIGEST_SIZE; j++)
121
126
str += sprintf(str, "%02X ", digest[j]);
122
127
str += sprintf(str, "\n");
123
128
}
129
+
tpm_put_ops(chip);
124
130
return str - buf;
125
131
}
126
132
static DEVICE_ATTR_RO(pcrs);
···
133
129
static ssize_t enabled_show(struct device *dev, struct device_attribute *attr,
134
130
char *buf)
135
131
{
132
+
struct tpm_chip *chip = to_tpm_chip(dev);
133
+
ssize_t rc = 0;
136
134
cap_t cap;
137
-
ssize_t rc;
138
135
139
-
rc = tpm1_getcap(to_tpm_chip(dev), TPM_CAP_FLAG_PERM, &cap,
140
-
"attempting to determine the permanent enabled state",
141
-
sizeof(cap.perm_flags));
142
-
if (rc)
136
+
if (tpm_try_get_ops(chip))
143
137
return 0;
144
138
139
+
if (tpm1_getcap(chip, TPM_CAP_FLAG_PERM, &cap,
140
+
"attempting to determine the permanent enabled state",
141
+
sizeof(cap.perm_flags)))
142
+
goto out_ops;
143
+
145
144
rc = sprintf(buf, "%d\n", !cap.perm_flags.disable);
145
+
out_ops:
146
+
tpm_put_ops(chip);
146
147
return rc;
147
148
}
148
149
static DEVICE_ATTR_RO(enabled);
···
155
146
static ssize_t active_show(struct device *dev, struct device_attribute *attr,
156
147
char *buf)
157
148
{
149
+
struct tpm_chip *chip = to_tpm_chip(dev);
150
+
ssize_t rc = 0;
158
151
cap_t cap;
159
-
ssize_t rc;
160
152
161
-
rc = tpm1_getcap(to_tpm_chip(dev), TPM_CAP_FLAG_PERM, &cap,
162
-
"attempting to determine the permanent active state",
163
-
sizeof(cap.perm_flags));
164
-
if (rc)
153
+
if (tpm_try_get_ops(chip))
165
154
return 0;
166
155
156
+
if (tpm1_getcap(chip, TPM_CAP_FLAG_PERM, &cap,
157
+
"attempting to determine the permanent active state",
158
+
sizeof(cap.perm_flags)))
159
+
goto out_ops;
160
+
167
161
rc = sprintf(buf, "%d\n", !cap.perm_flags.deactivated);
162
+
out_ops:
163
+
tpm_put_ops(chip);
168
164
return rc;
169
165
}
170
166
static DEVICE_ATTR_RO(active);
···
177
163
static ssize_t owned_show(struct device *dev, struct device_attribute *attr,
178
164
char *buf)
179
165
{
166
+
struct tpm_chip *chip = to_tpm_chip(dev);
167
+
ssize_t rc = 0;
180
168
cap_t cap;
181
-
ssize_t rc;
182
169
183
-
rc = tpm1_getcap(to_tpm_chip(dev), TPM_CAP_PROP_OWNER, &cap,
184
-
"attempting to determine the owner state",
185
-
sizeof(cap.owned));
186
-
if (rc)
170
+
if (tpm_try_get_ops(chip))
187
171
return 0;
188
172
173
+
if (tpm1_getcap(to_tpm_chip(dev), TPM_CAP_PROP_OWNER, &cap,
174
+
"attempting to determine the owner state",
175
+
sizeof(cap.owned)))
176
+
goto out_ops;
177
+
189
178
rc = sprintf(buf, "%d\n", cap.owned);
179
+
out_ops:
180
+
tpm_put_ops(chip);
190
181
return rc;
191
182
}
192
183
static DEVICE_ATTR_RO(owned);
···
199
180
static ssize_t temp_deactivated_show(struct device *dev,
200
181
struct device_attribute *attr, char *buf)
201
182
{
183
+
struct tpm_chip *chip = to_tpm_chip(dev);
184
+
ssize_t rc = 0;
202
185
cap_t cap;
203
-
ssize_t rc;
204
186
205
-
rc = tpm1_getcap(to_tpm_chip(dev), TPM_CAP_FLAG_VOL, &cap,
206
-
"attempting to determine the temporary state",
207
-
sizeof(cap.stclear_flags));
208
-
if (rc)
187
+
if (tpm_try_get_ops(chip))
209
188
return 0;
210
189
190
+
if (tpm1_getcap(to_tpm_chip(dev), TPM_CAP_FLAG_VOL, &cap,
191
+
"attempting to determine the temporary state",
192
+
sizeof(cap.stclear_flags)))
193
+
goto out_ops;
194
+
211
195
rc = sprintf(buf, "%d\n", cap.stclear_flags.deactivated);
196
+
out_ops:
197
+
tpm_put_ops(chip);
212
198
return rc;
213
199
}
214
200
static DEVICE_ATTR_RO(temp_deactivated);
···
222
198
char *buf)
223
199
{
224
200
struct tpm_chip *chip = to_tpm_chip(dev);
225
-
cap_t cap;
226
-
ssize_t rc;
201
+
ssize_t rc = 0;
227
202
char *str = buf;
203
+
cap_t cap;
228
204
229
-
rc = tpm1_getcap(chip, TPM_CAP_PROP_MANUFACTURER, &cap,
230
-
"attempting to determine the manufacturer",
231
-
sizeof(cap.manufacturer_id));
232
-
if (rc)
205
+
if (tpm_try_get_ops(chip))
233
206
return 0;
207
+
208
+
if (tpm1_getcap(chip, TPM_CAP_PROP_MANUFACTURER, &cap,
209
+
"attempting to determine the manufacturer",
210
+
sizeof(cap.manufacturer_id)))
211
+
goto out_ops;
212
+
234
213
str += sprintf(str, "Manufacturer: 0x%x\n",
235
214
be32_to_cpu(cap.manufacturer_id));
236
215
···
250
223
cap.tpm_version_1_2.revMinor);
251
224
} else {
252
225
/* Otherwise just use TPM_STRUCT_VER */
253
-
rc = tpm1_getcap(chip, TPM_CAP_VERSION_1_1, &cap,
254
-
"attempting to determine the 1.1 version",
255
-
sizeof(cap.tpm_version));
256
-
if (rc)
257
-
return 0;
226
+
if (tpm1_getcap(chip, TPM_CAP_VERSION_1_1, &cap,
227
+
"attempting to determine the 1.1 version",
228
+
sizeof(cap.tpm_version)))
229
+
goto out_ops;
258
230
str += sprintf(str,
259
231
"TCG version: %d.%d\nFirmware version: %d.%d\n",
260
232
cap.tpm_version.Major,
···
261
235
cap.tpm_version.revMajor,
262
236
cap.tpm_version.revMinor);
263
237
}
264
-
265
-
return str - buf;
238
+
rc = str - buf;
239
+
out_ops:
240
+
tpm_put_ops(chip);
241
+
return rc;
266
242
}
267
243
static DEVICE_ATTR_RO(caps);
268
244
···
272
244
const char *buf, size_t count)
273
245
{
274
246
struct tpm_chip *chip = to_tpm_chip(dev);
275
-
if (chip == NULL)
247
+
248
+
if (tpm_try_get_ops(chip))
276
249
return 0;
277
250
278
251
chip->ops->cancel(chip);
252
+
tpm_put_ops(chip);
279
253
return count;
280
254
}
281
255
static DEVICE_ATTR_WO(cancel);
+31
-149
drivers/char/tpm/tpm.h
+31
-149
drivers/char/tpm/tpm.h
···
25
25
26
26
#include <linux/module.h>
27
27
#include <linux/delay.h>
28
-
#include <linux/fs.h>
29
-
#include <linux/hw_random.h>
30
28
#include <linux/mutex.h>
31
29
#include <linux/sched.h>
32
30
#include <linux/platform_device.h>
33
31
#include <linux/io.h>
34
32
#include <linux/tpm.h>
35
-
#include <linux/acpi.h>
36
-
#include <linux/cdev.h>
37
33
#include <linux/highmem.h>
38
34
#include <linux/tpm_eventlog.h>
39
-
#include <crypto/hash_info.h>
40
35
41
36
#ifdef CONFIG_X86
42
37
#include <asm/intel-family.h>
43
38
#endif
44
39
45
-
enum tpm_const {
46
-
TPM_MINOR = 224, /* officially assigned */
47
-
TPM_BUFSIZE = 4096,
48
-
TPM_NUM_DEVICES = 65536,
49
-
TPM_RETRY = 50, /* 5 seconds */
50
-
TPM_NUM_EVENT_LOG_FILES = 3,
51
-
};
40
+
#define TPM_MINOR 224 /* officially assigned */
41
+
#define TPM_BUFSIZE 4096
42
+
#define TPM_NUM_DEVICES 65536
43
+
#define TPM_RETRY 50
52
44
53
45
enum tpm_timeout {
54
46
TPM_TIMEOUT = 5, /* msecs */
···
55
63
enum tpm_addr {
56
64
TPM_SUPERIO_ADDR = 0x2E,
57
65
TPM_ADDR = 0x4E,
58
-
};
59
-
60
-
/* Indexes the duration array */
61
-
enum tpm_duration {
62
-
TPM_SHORT = 0,
63
-
TPM_MEDIUM = 1,
64
-
TPM_LONG = 2,
65
-
TPM_LONG_LONG = 3,
66
-
TPM_UNDEFINED,
67
-
TPM_NUM_DURATIONS = TPM_UNDEFINED,
68
66
};
69
67
70
68
#define TPM_WARN_RETRY 0x800
···
102
120
TPM2_RC_TESTING = 0x090A, /* RC_WARN */
103
121
TPM2_RC_REFERENCE_H0 = 0x0910,
104
122
TPM2_RC_RETRY = 0x0922,
105
-
};
106
-
107
-
enum tpm2_algorithms {
108
-
TPM2_ALG_ERROR = 0x0000,
109
-
TPM2_ALG_SHA1 = 0x0004,
110
-
TPM2_ALG_KEYEDHASH = 0x0008,
111
-
TPM2_ALG_SHA256 = 0x000B,
112
-
TPM2_ALG_SHA384 = 0x000C,
113
-
TPM2_ALG_SHA512 = 0x000D,
114
-
TPM2_ALG_NULL = 0x0010,
115
-
TPM2_ALG_SM3_256 = 0x0012,
116
123
};
117
124
118
125
enum tpm2_command_codes {
···
161
190
#define TPM_VID_WINBOND 0x1050
162
191
#define TPM_VID_STM 0x104A
163
192
164
-
#define TPM_PPI_VERSION_LEN 3
165
-
166
-
struct tpm_space {
167
-
u32 context_tbl[3];
168
-
u8 *context_buf;
169
-
u32 session_tbl[3];
170
-
u8 *session_buf;
171
-
};
172
-
173
193
enum tpm_chip_flags {
174
194
TPM_CHIP_FLAG_TPM2 = BIT(1),
175
195
TPM_CHIP_FLAG_IRQ = BIT(2),
···
169
207
TPM_CHIP_FLAG_ALWAYS_POWERED = BIT(5),
170
208
};
171
209
172
-
struct tpm_bios_log {
173
-
void *bios_event_log;
174
-
void *bios_event_log_end;
175
-
};
176
-
177
-
struct tpm_chip_seqops {
178
-
struct tpm_chip *chip;
179
-
const struct seq_operations *seqops;
180
-
};
181
-
182
-
struct tpm_chip {
183
-
struct device dev;
184
-
struct device devs;
185
-
struct cdev cdev;
186
-
struct cdev cdevs;
187
-
188
-
/* A driver callback under ops cannot be run unless ops_sem is held
189
-
* (sometimes implicitly, eg for the sysfs code). ops becomes null
190
-
* when the driver is unregistered, see tpm_try_get_ops.
191
-
*/
192
-
struct rw_semaphore ops_sem;
193
-
const struct tpm_class_ops *ops;
194
-
195
-
struct tpm_bios_log log;
196
-
struct tpm_chip_seqops bin_log_seqops;
197
-
struct tpm_chip_seqops ascii_log_seqops;
198
-
199
-
unsigned int flags;
200
-
201
-
int dev_num; /* /dev/tpm# */
202
-
unsigned long is_open; /* only one allowed */
203
-
204
-
char hwrng_name[64];
205
-
struct hwrng hwrng;
206
-
207
-
struct mutex tpm_mutex; /* tpm is processing */
208
-
209
-
unsigned long timeout_a; /* jiffies */
210
-
unsigned long timeout_b; /* jiffies */
211
-
unsigned long timeout_c; /* jiffies */
212
-
unsigned long timeout_d; /* jiffies */
213
-
bool timeout_adjusted;
214
-
unsigned long duration[TPM_NUM_DURATIONS]; /* jiffies */
215
-
bool duration_adjusted;
216
-
217
-
struct dentry *bios_dir[TPM_NUM_EVENT_LOG_FILES];
218
-
219
-
const struct attribute_group *groups[3];
220
-
unsigned int groups_cnt;
221
-
222
-
u16 active_banks[7];
223
-
#ifdef CONFIG_ACPI
224
-
acpi_handle acpi_dev_handle;
225
-
char ppi_version[TPM_PPI_VERSION_LEN + 1];
226
-
#endif /* CONFIG_ACPI */
227
-
228
-
struct tpm_space work_space;
229
-
u32 nr_commands;
230
-
u32 *cc_attrs_tbl;
231
-
232
-
/* active locality */
233
-
int locality;
234
-
};
235
-
236
210
#define to_tpm_chip(d) container_of(d, struct tpm_chip, dev)
237
211
238
-
struct tpm_input_header {
239
-
__be16 tag;
240
-
__be32 length;
241
-
__be32 ordinal;
242
-
} __packed;
243
-
244
-
struct tpm_output_header {
245
-
__be16 tag;
246
-
__be32 length;
247
-
__be32 return_code;
212
+
struct tpm_header {
213
+
__be16 tag;
214
+
__be32 length;
215
+
union {
216
+
__be32 ordinal;
217
+
__be32 return_code;
218
+
};
248
219
} __packed;
249
220
250
221
#define TPM_TAG_RQU_COMMAND 193
···
296
401
297
402
static inline void tpm_buf_reset(struct tpm_buf *buf, u16 tag, u32 ordinal)
298
403
{
299
-
struct tpm_input_header *head;
300
-
head = (struct tpm_input_header *)buf->data;
404
+
struct tpm_header *head = (struct tpm_header *)buf->data;
405
+
301
406
head->tag = cpu_to_be16(tag);
302
407
head->length = cpu_to_be32(sizeof(*head));
303
408
head->ordinal = cpu_to_be32(ordinal);
···
323
428
324
429
static inline u32 tpm_buf_length(struct tpm_buf *buf)
325
430
{
326
-
struct tpm_input_header *head = (struct tpm_input_header *) buf->data;
431
+
struct tpm_header *head = (struct tpm_header *)buf->data;
327
432
328
433
return be32_to_cpu(head->length);
329
434
}
330
435
331
436
static inline u16 tpm_buf_tag(struct tpm_buf *buf)
332
437
{
333
-
struct tpm_input_header *head = (struct tpm_input_header *) buf->data;
438
+
struct tpm_header *head = (struct tpm_header *)buf->data;
334
439
335
440
return be16_to_cpu(head->tag);
336
441
}
···
339
444
const unsigned char *new_data,
340
445
unsigned int new_len)
341
446
{
342
-
struct tpm_input_header *head = (struct tpm_input_header *) buf->data;
447
+
struct tpm_header *head = (struct tpm_header *)buf->data;
343
448
u32 len = tpm_buf_length(buf);
344
449
345
450
/* Return silently if overflow has already happened. */
···
382
487
extern const struct file_operations tpmrm_fops;
383
488
extern struct idr dev_nums_idr;
384
489
385
-
/**
386
-
* enum tpm_transmit_flags - flags for tpm_transmit()
387
-
*
388
-
* @TPM_TRANSMIT_UNLOCKED: do not lock the chip
389
-
* @TPM_TRANSMIT_NESTED: discard setup steps (power management,
390
-
* locality) including locking (i.e. implicit
391
-
* UNLOCKED)
392
-
*/
393
-
enum tpm_transmit_flags {
394
-
TPM_TRANSMIT_UNLOCKED = BIT(0),
395
-
TPM_TRANSMIT_NESTED = BIT(1),
396
-
};
397
-
398
-
ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
399
-
u8 *buf, size_t bufsiz, unsigned int flags);
400
-
ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_space *space,
401
-
void *buf, size_t bufsiz,
402
-
size_t min_rsp_body_length, unsigned int flags,
403
-
const char *desc);
490
+
ssize_t tpm_transmit(struct tpm_chip *chip, u8 *buf, size_t bufsiz);
491
+
ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_buf *buf,
492
+
size_t min_rsp_body_length, const char *desc);
404
493
int tpm_get_timeouts(struct tpm_chip *);
405
494
int tpm_auto_startup(struct tpm_chip *chip);
406
495
···
409
530
delay_msec * 1000);
410
531
};
411
532
533
+
int tpm_chip_start(struct tpm_chip *chip);
534
+
void tpm_chip_stop(struct tpm_chip *chip);
412
535
struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip);
413
536
__must_check int tpm_try_get_ops(struct tpm_chip *chip);
414
537
void tpm_put_ops(struct tpm_chip *chip);
···
439
558
}
440
559
441
560
int tpm2_get_timeouts(struct tpm_chip *chip);
442
-
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf);
443
-
int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, u32 count,
444
-
struct tpm2_digest *digests);
561
+
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
562
+
struct tpm_digest *digest, u16 *digest_size_ptr);
563
+
int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
564
+
struct tpm_digest *digests);
445
565
int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max);
446
-
void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle,
447
-
unsigned int flags);
566
+
void tpm2_flush_context(struct tpm_chip *chip, u32 handle);
448
567
int tpm2_seal_trusted(struct tpm_chip *chip,
449
568
struct trusted_key_payload *payload,
450
569
struct trusted_key_options *options);
···
461
580
int tpm2_find_cc(struct tpm_chip *chip, u32 cc);
462
581
int tpm2_init_space(struct tpm_space *space);
463
582
void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space);
464
-
int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
465
-
u8 *cmd);
466
-
int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
467
-
u32 cc, u8 *buf, size_t *bufsiz);
583
+
void tpm2_flush_space(struct tpm_chip *chip);
584
+
int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd,
585
+
size_t cmdsiz);
586
+
int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, void *buf,
587
+
size_t *bufsiz);
468
588
469
589
int tpm_bios_log_setup(struct tpm_chip *chip);
470
590
void tpm_bios_log_teardown(struct tpm_chip *chip);
+20
-23
drivers/char/tpm/tpm1-cmd.c
+20
-23
drivers/char/tpm/tpm1-cmd.c
···
334
334
335
335
tpm_buf_append_u16(&buf, TPM_ST_CLEAR);
336
336
337
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
338
-
"attempting to start the TPM");
339
-
337
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to start the TPM");
340
338
tpm_buf_destroy(&buf);
341
-
342
339
return rc;
343
340
}
344
341
···
377
380
* of misreporting.
378
381
*/
379
382
if (chip->ops->update_timeouts)
380
-
chip->timeout_adjusted =
381
-
chip->ops->update_timeouts(chip, timeout_eff);
383
+
chip->ops->update_timeouts(chip, timeout_eff);
382
384
383
385
if (!chip->timeout_adjusted) {
384
386
/* Restore default if chip reported 0 */
···
458
462
tpm_buf_append_u32(&buf, pcr_idx);
459
463
tpm_buf_append(&buf, hash, TPM_DIGEST_SIZE);
460
464
461
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
462
-
TPM_DIGEST_SIZE, 0, log_msg);
463
-
465
+
rc = tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE, log_msg);
464
466
tpm_buf_destroy(&buf);
465
467
return rc;
466
468
}
···
488
494
tpm_buf_append_u32(&buf, 4);
489
495
tpm_buf_append_u32(&buf, subcap_id);
490
496
}
491
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
492
-
min_cap_length, 0, desc);
497
+
rc = tpm_transmit_cmd(chip, &buf, min_cap_length, desc);
493
498
if (!rc)
494
499
*cap = *(cap_t *)&buf.data[TPM_HEADER_SIZE + 4];
495
-
496
500
tpm_buf_destroy(&buf);
497
501
return rc;
498
502
}
···
529
537
do {
530
538
tpm_buf_append_u32(&buf, num_bytes);
531
539
532
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
533
-
sizeof(out->rng_data_len), 0,
540
+
rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
534
541
"attempting get random");
535
542
if (rc)
536
543
goto out;
···
574
583
575
584
tpm_buf_append_u32(&buf, pcr_idx);
576
585
577
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
578
-
TPM_DIGEST_SIZE, 0,
586
+
rc = tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE,
579
587
"attempting to read a pcr value");
580
588
if (rc)
581
589
goto out;
···
608
618
if (rc)
609
619
return rc;
610
620
611
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
612
-
0, 0, "continue selftest");
613
-
621
+
rc = tpm_transmit_cmd(chip, &buf, 0, "continue selftest");
614
622
tpm_buf_destroy(&buf);
615
-
616
623
return rc;
617
624
}
618
625
···
696
709
goto out;
697
710
}
698
711
712
+
chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
713
+
GFP_KERNEL);
714
+
if (!chip->allocated_banks) {
715
+
rc = -ENOMEM;
716
+
goto out;
717
+
}
718
+
719
+
chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
720
+
chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
721
+
chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
722
+
chip->nr_allocated_banks = 1;
723
+
699
724
return rc;
700
725
out:
701
726
if (rc > 0)
···
746
747
return rc;
747
748
/* now do the actual savestate */
748
749
for (try = 0; try < TPM_RETRY; try++) {
749
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
750
-
0, 0, NULL);
751
-
750
+
rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
752
751
/*
753
752
* If the TPM indicates that it is too busy to respond to
754
753
* this command then retry before giving up. It can take
+121
-85
drivers/char/tpm/tpm2-cmd.c
+121
-85
drivers/char/tpm/tpm2-cmd.c
···
33
33
};
34
34
35
35
static struct tpm2_hash tpm2_hash_map[] = {
36
-
{HASH_ALGO_SHA1, TPM2_ALG_SHA1},
37
-
{HASH_ALGO_SHA256, TPM2_ALG_SHA256},
38
-
{HASH_ALGO_SHA384, TPM2_ALG_SHA384},
39
-
{HASH_ALGO_SHA512, TPM2_ALG_SHA512},
40
-
{HASH_ALGO_SM3_256, TPM2_ALG_SM3_256},
36
+
{HASH_ALGO_SHA1, TPM_ALG_SHA1},
37
+
{HASH_ALGO_SHA256, TPM_ALG_SHA256},
38
+
{HASH_ALGO_SHA384, TPM_ALG_SHA384},
39
+
{HASH_ALGO_SHA512, TPM_ALG_SHA512},
40
+
{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
41
41
};
42
42
43
43
int tpm2_get_timeouts(struct tpm_chip *chip)
···
171
171
* tpm2_pcr_read() - read a PCR value
172
172
* @chip: TPM chip to use.
173
173
* @pcr_idx: index of the PCR to read.
174
-
* @res_buf: buffer to store the resulting hash.
174
+
* @digest: PCR bank and buffer current PCR value is written to.
175
+
* @digest_size_ptr: pointer to variable that stores the digest size.
175
176
*
176
177
* Return: Same as with tpm_transmit_cmd.
177
178
*/
178
-
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
179
+
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
180
+
struct tpm_digest *digest, u16 *digest_size_ptr)
179
181
{
182
+
int i;
180
183
int rc;
181
184
struct tpm_buf buf;
182
185
struct tpm2_pcr_read_out *out;
183
186
u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
187
+
u16 digest_size;
188
+
u16 expected_digest_size = 0;
184
189
185
190
if (pcr_idx >= TPM2_PLATFORM_PCR)
186
191
return -EINVAL;
192
+
193
+
if (!digest_size_ptr) {
194
+
for (i = 0; i < chip->nr_allocated_banks &&
195
+
chip->allocated_banks[i].alg_id != digest->alg_id; i++)
196
+
;
197
+
198
+
if (i == chip->nr_allocated_banks)
199
+
return -EINVAL;
200
+
201
+
expected_digest_size = chip->allocated_banks[i].digest_size;
202
+
}
187
203
188
204
rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
189
205
if (rc)
···
208
192
pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
209
193
210
194
tpm_buf_append_u32(&buf, 1);
211
-
tpm_buf_append_u16(&buf, TPM2_ALG_SHA1);
195
+
tpm_buf_append_u16(&buf, digest->alg_id);
212
196
tpm_buf_append_u8(&buf, TPM2_PCR_SELECT_MIN);
213
197
tpm_buf_append(&buf, (const unsigned char *)pcr_select,
214
198
sizeof(pcr_select));
215
199
216
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
217
-
res_buf ? "attempting to read a pcr value" : NULL);
218
-
if (rc == 0 && res_buf) {
219
-
out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
220
-
memcpy(res_buf, out->digest, SHA1_DIGEST_SIZE);
200
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to read a pcr value");
201
+
if (rc)
202
+
goto out;
203
+
204
+
out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
205
+
digest_size = be16_to_cpu(out->digest_size);
206
+
if (digest_size > sizeof(digest->digest) ||
207
+
(!digest_size_ptr && digest_size != expected_digest_size)) {
208
+
rc = -EINVAL;
209
+
goto out;
221
210
}
222
211
212
+
if (digest_size_ptr)
213
+
*digest_size_ptr = digest_size;
214
+
215
+
memcpy(digest->digest, out->digest, digest_size);
216
+
out:
223
217
tpm_buf_destroy(&buf);
224
218
return rc;
225
219
}
···
246
220
*
247
221
* @chip: TPM chip to use.
248
222
* @pcr_idx: index of the PCR.
249
-
* @count: number of digests passed.
250
223
* @digests: list of pcr banks and corresponding digest values to extend.
251
224
*
252
225
* Return: Same as with tpm_transmit_cmd.
253
226
*/
254
-
int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, u32 count,
255
-
struct tpm2_digest *digests)
227
+
int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
228
+
struct tpm_digest *digests)
256
229
{
257
230
struct tpm_buf buf;
258
231
struct tpm2_null_auth_area auth_area;
259
232
int rc;
260
233
int i;
261
-
int j;
262
-
263
-
if (count > ARRAY_SIZE(chip->active_banks))
264
-
return -EINVAL;
265
234
266
235
rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND);
267
236
if (rc)
···
272
251
tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area));
273
252
tpm_buf_append(&buf, (const unsigned char *)&auth_area,
274
253
sizeof(auth_area));
275
-
tpm_buf_append_u32(&buf, count);
254
+
tpm_buf_append_u32(&buf, chip->nr_allocated_banks);
276
255
277
-
for (i = 0; i < count; i++) {
278
-
for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) {
279
-
if (digests[i].alg_id != tpm2_hash_map[j].tpm_id)
280
-
continue;
281
-
tpm_buf_append_u16(&buf, digests[i].alg_id);
282
-
tpm_buf_append(&buf, (const unsigned char
283
-
*)&digests[i].digest,
284
-
hash_digest_size[tpm2_hash_map[j].crypto_id]);
285
-
}
256
+
for (i = 0; i < chip->nr_allocated_banks; i++) {
257
+
tpm_buf_append_u16(&buf, digests[i].alg_id);
258
+
tpm_buf_append(&buf, (const unsigned char *)&digests[i].digest,
259
+
chip->allocated_banks[i].digest_size);
286
260
}
287
261
288
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
289
-
"attempting extend a PCR value");
262
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value");
290
263
291
264
tpm_buf_destroy(&buf);
292
265
···
324
309
do {
325
310
tpm_buf_reset(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_RANDOM);
326
311
tpm_buf_append_u16(&buf, num_bytes);
327
-
err = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
312
+
err = tpm_transmit_cmd(chip, &buf,
328
313
offsetof(struct tpm2_get_random_out,
329
314
buffer),
330
-
0, "attempting get random");
315
+
"attempting get random");
331
316
if (err)
332
317
goto out;
333
318
···
356
341
}
357
342
358
343
/**
359
-
* tpm2_flush_context_cmd() - execute a TPM2_FlushContext command
344
+
* tpm2_flush_context() - execute a TPM2_FlushContext command
360
345
* @chip: TPM chip to use
361
346
* @handle: context handle
362
-
* @flags: tpm transmit flags - bitmap
363
-
*
364
347
*/
365
-
void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle,
366
-
unsigned int flags)
348
+
void tpm2_flush_context(struct tpm_chip *chip, u32 handle)
367
349
{
368
350
struct tpm_buf buf;
369
351
int rc;
···
374
362
375
363
tpm_buf_append_u32(&buf, handle);
376
364
377
-
(void) tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, flags,
378
-
"flushing context");
379
-
365
+
tpm_transmit_cmd(chip, &buf, 0, "flushing context");
380
366
tpm_buf_destroy(&buf);
381
367
}
382
368
···
459
449
460
450
/* public */
461
451
tpm_buf_append_u16(&buf, 14 + options->policydigest_len);
462
-
tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH);
452
+
tpm_buf_append_u16(&buf, TPM_ALG_KEYEDHASH);
463
453
tpm_buf_append_u16(&buf, hash);
464
454
465
455
/* policy */
···
474
464
}
475
465
476
466
/* public parameters */
477
-
tpm_buf_append_u16(&buf, TPM2_ALG_NULL);
467
+
tpm_buf_append_u16(&buf, TPM_ALG_NULL);
478
468
tpm_buf_append_u16(&buf, 0);
479
469
480
470
/* outside info */
···
488
478
goto out;
489
479
}
490
480
491
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, 0,
492
-
"sealing data");
481
+
rc = tpm_transmit_cmd(chip, &buf, 4, "sealing data");
493
482
if (rc)
494
483
goto out;
495
484
···
525
516
* @payload: the key data in clear and encrypted form
526
517
* @options: authentication values and other options
527
518
* @blob_handle: returned blob handle
528
-
* @flags: tpm transmit flags
529
519
*
530
520
* Return: 0 on success.
531
521
* -E2BIG on wrong payload size.
···
534
526
static int tpm2_load_cmd(struct tpm_chip *chip,
535
527
struct trusted_key_payload *payload,
536
528
struct trusted_key_options *options,
537
-
u32 *blob_handle, unsigned int flags)
529
+
u32 *blob_handle)
538
530
{
539
531
struct tpm_buf buf;
540
532
unsigned int private_len;
···
569
561
goto out;
570
562
}
571
563
572
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, flags,
573
-
"loading blob");
564
+
rc = tpm_transmit_cmd(chip, &buf, 4, "loading blob");
574
565
if (!rc)
575
566
*blob_handle = be32_to_cpup(
576
567
(__be32 *) &buf.data[TPM_HEADER_SIZE]);
···
590
583
* @payload: the key data in clear and encrypted form
591
584
* @options: authentication values and other options
592
585
* @blob_handle: blob handle
593
-
* @flags: tpm_transmit_cmd flags
594
586
*
595
587
* Return: 0 on success
596
588
* -EPERM on tpm error status
···
598
592
static int tpm2_unseal_cmd(struct tpm_chip *chip,
599
593
struct trusted_key_payload *payload,
600
594
struct trusted_key_options *options,
601
-
u32 blob_handle, unsigned int flags)
595
+
u32 blob_handle)
602
596
{
603
597
struct tpm_buf buf;
604
598
u16 data_len;
···
618
612
options->blobauth /* hmac */,
619
613
TPM_DIGEST_SIZE);
620
614
621
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 6, flags,
622
-
"unsealing");
615
+
rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing");
623
616
if (rc > 0)
624
617
rc = -EPERM;
625
618
···
662
657
u32 blob_handle;
663
658
int rc;
664
659
665
-
mutex_lock(&chip->tpm_mutex);
666
-
rc = tpm2_load_cmd(chip, payload, options, &blob_handle,
667
-
TPM_TRANSMIT_UNLOCKED);
660
+
rc = tpm2_load_cmd(chip, payload, options, &blob_handle);
668
661
if (rc)
669
-
goto out;
662
+
return rc;
670
663
671
-
rc = tpm2_unseal_cmd(chip, payload, options, blob_handle,
672
-
TPM_TRANSMIT_UNLOCKED);
673
-
tpm2_flush_context_cmd(chip, blob_handle, TPM_TRANSMIT_UNLOCKED);
674
-
out:
675
-
mutex_unlock(&chip->tpm_mutex);
664
+
rc = tpm2_unseal_cmd(chip, payload, options, blob_handle);
665
+
tpm2_flush_context(chip, blob_handle);
676
666
return rc;
677
667
}
678
668
···
703
703
tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES);
704
704
tpm_buf_append_u32(&buf, property_id);
705
705
tpm_buf_append_u32(&buf, 1);
706
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, NULL);
706
+
rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
707
707
if (!rc) {
708
708
out = (struct tpm2_get_cap_out *)
709
709
&buf.data[TPM_HEADER_SIZE];
···
733
733
if (rc)
734
734
return;
735
735
tpm_buf_append_u16(&buf, shutdown_type);
736
-
tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
737
-
"stopping the TPM");
736
+
tpm_transmit_cmd(chip, &buf, 0, "stopping the TPM");
738
737
tpm_buf_destroy(&buf);
739
738
}
740
739
···
762
763
return rc;
763
764
764
765
tpm_buf_append_u8(&buf, full);
765
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
766
+
rc = tpm_transmit_cmd(chip, &buf, 0,
766
767
"attempting the self test");
767
768
tpm_buf_destroy(&buf);
768
769
···
789
790
*/
790
791
int tpm2_probe(struct tpm_chip *chip)
791
792
{
792
-
struct tpm_output_header *out;
793
+
struct tpm_header *out;
793
794
struct tpm_buf buf;
794
795
int rc;
795
796
···
799
800
tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES);
800
801
tpm_buf_append_u32(&buf, TPM_PT_TOTAL_COMMANDS);
801
802
tpm_buf_append_u32(&buf, 1);
802
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, NULL);
803
+
rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
803
804
/* We ignore TPM return codes on purpose. */
804
805
if (rc >= 0) {
805
-
out = (struct tpm_output_header *)buf.data;
806
+
out = (struct tpm_header *)buf.data;
806
807
if (be16_to_cpu(out->tag) == TPM2_ST_NO_SESSIONS)
807
808
chip->flags |= TPM_CHIP_FLAG_TPM2;
808
809
}
···
810
811
return 0;
811
812
}
812
813
EXPORT_SYMBOL_GPL(tpm2_probe);
814
+
815
+
static int tpm2_init_bank_info(struct tpm_chip *chip, u32 bank_index)
816
+
{
817
+
struct tpm_bank_info *bank = chip->allocated_banks + bank_index;
818
+
struct tpm_digest digest = { .alg_id = bank->alg_id };
819
+
int i;
820
+
821
+
/*
822
+
* Avoid unnecessary PCR read operations to reduce overhead
823
+
* and obtain identifiers of the crypto subsystem.
824
+
*/
825
+
for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
826
+
enum hash_algo crypto_algo = tpm2_hash_map[i].crypto_id;
827
+
828
+
if (bank->alg_id != tpm2_hash_map[i].tpm_id)
829
+
continue;
830
+
831
+
bank->digest_size = hash_digest_size[crypto_algo];
832
+
bank->crypto_id = crypto_algo;
833
+
return 0;
834
+
}
835
+
836
+
return tpm2_pcr_read(chip, 0, &digest, &bank->digest_size);
837
+
}
813
838
814
839
struct tpm2_pcr_selection {
815
840
__be16 hash_alg;
···
848
825
void *marker;
849
826
void *end;
850
827
void *pcr_select_offset;
851
-
unsigned int count;
852
828
u32 sizeof_pcr_selection;
829
+
u32 nr_possible_banks;
830
+
u32 nr_alloc_banks = 0;
831
+
u16 hash_alg;
853
832
u32 rsp_len;
854
833
int rc;
855
834
int i = 0;
···
864
839
tpm_buf_append_u32(&buf, 0);
865
840
tpm_buf_append_u32(&buf, 1);
866
841
867
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 9, 0,
868
-
"get tpm pcr allocation");
842
+
rc = tpm_transmit_cmd(chip, &buf, 9, "get tpm pcr allocation");
869
843
if (rc)
870
844
goto out;
871
845
872
-
count = be32_to_cpup(
846
+
nr_possible_banks = be32_to_cpup(
873
847
(__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
874
848
875
-
if (count > ARRAY_SIZE(chip->active_banks)) {
876
-
rc = -ENODEV;
849
+
chip->allocated_banks = kcalloc(nr_possible_banks,
850
+
sizeof(*chip->allocated_banks),
851
+
GFP_KERNEL);
852
+
if (!chip->allocated_banks) {
853
+
rc = -ENOMEM;
877
854
goto out;
878
855
}
879
856
···
884
857
rsp_len = be32_to_cpup((__be32 *)&buf.data[2]);
885
858
end = &buf.data[rsp_len];
886
859
887
-
for (i = 0; i < count; i++) {
860
+
for (i = 0; i < nr_possible_banks; i++) {
888
861
pcr_select_offset = marker +
889
862
offsetof(struct tpm2_pcr_selection, size_of_select);
890
863
if (pcr_select_offset >= end) {
···
893
866
}
894
867
895
868
memcpy(&pcr_selection, marker, sizeof(pcr_selection));
896
-
chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg);
869
+
hash_alg = be16_to_cpu(pcr_selection.hash_alg);
870
+
871
+
pcr_select_offset = memchr_inv(pcr_selection.pcr_select, 0,
872
+
pcr_selection.size_of_select);
873
+
if (pcr_select_offset) {
874
+
chip->allocated_banks[nr_alloc_banks].alg_id = hash_alg;
875
+
876
+
rc = tpm2_init_bank_info(chip, nr_alloc_banks);
877
+
if (rc < 0)
878
+
break;
879
+
880
+
nr_alloc_banks++;
881
+
}
882
+
897
883
sizeof_pcr_selection = sizeof(pcr_selection.hash_alg) +
898
884
sizeof(pcr_selection.size_of_select) +
899
885
pcr_selection.size_of_select;
900
886
marker = marker + sizeof_pcr_selection;
901
887
}
902
888
889
+
chip->nr_allocated_banks = nr_alloc_banks;
903
890
out:
904
-
if (i < ARRAY_SIZE(chip->active_banks))
905
-
chip->active_banks[i] = TPM2_ALG_ERROR;
906
-
907
891
tpm_buf_destroy(&buf);
908
892
909
893
return rc;
···
949
911
tpm_buf_append_u32(&buf, TPM2_CC_FIRST);
950
912
tpm_buf_append_u32(&buf, nr_commands);
951
913
952
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
953
-
9 + 4 * nr_commands, 0, NULL);
914
+
rc = tpm_transmit_cmd(chip, &buf, 9 + 4 * nr_commands, NULL);
954
915
if (rc) {
955
916
tpm_buf_destroy(&buf);
956
917
goto out;
···
1006
969
return rc;
1007
970
1008
971
tpm_buf_append_u16(&buf, TPM2_SU_CLEAR);
1009
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
1010
-
"attempting to start the TPM");
972
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to start the TPM");
1011
973
tpm_buf_destroy(&buf);
1012
974
1013
975
return rc;
+66
-24
drivers/char/tpm/tpm2-space.c
+66
-24
drivers/char/tpm/tpm2-space.c
···
38
38
39
39
for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
40
40
if (space->session_tbl[i])
41
-
tpm2_flush_context_cmd(chip, space->session_tbl[i],
42
-
TPM_TRANSMIT_NESTED);
41
+
tpm2_flush_context(chip, space->session_tbl[i]);
43
42
}
44
43
}
45
44
···
60
61
void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
61
62
{
62
63
mutex_lock(&chip->tpm_mutex);
63
-
tpm2_flush_sessions(chip, space);
64
+
if (!tpm_chip_start(chip)) {
65
+
tpm2_flush_sessions(chip, space);
66
+
tpm_chip_stop(chip);
67
+
}
64
68
mutex_unlock(&chip->tpm_mutex);
65
69
kfree(space->context_buf);
66
70
kfree(space->session_buf);
···
85
83
body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size);
86
84
tpm_buf_append(&tbuf, &buf[*offset], body_size);
87
85
88
-
rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
89
-
TPM_TRANSMIT_NESTED, NULL);
86
+
rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL);
90
87
if (rc < 0) {
91
88
dev_warn(&chip->dev, "%s: failed with a system error %d\n",
92
89
__func__, rc);
···
133
132
134
133
tpm_buf_append_u32(&tbuf, handle);
135
134
136
-
rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0,
137
-
TPM_TRANSMIT_NESTED, NULL);
135
+
rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL);
138
136
if (rc < 0) {
139
137
dev_warn(&chip->dev, "%s: failed with a system error %d\n",
140
138
__func__, rc);
···
162
162
return 0;
163
163
}
164
164
165
-
static void tpm2_flush_space(struct tpm_chip *chip)
165
+
void tpm2_flush_space(struct tpm_chip *chip)
166
166
{
167
167
struct tpm_space *space = &chip->work_space;
168
168
int i;
169
169
170
170
for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
171
171
if (space->context_tbl[i] && ~space->context_tbl[i])
172
-
tpm2_flush_context_cmd(chip, space->context_tbl[i],
173
-
TPM_TRANSMIT_NESTED);
172
+
tpm2_flush_context(chip, space->context_tbl[i]);
174
173
175
174
tpm2_flush_sessions(chip, space);
176
175
}
···
263
264
return 0;
264
265
}
265
266
266
-
int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
267
-
u8 *cmd)
267
+
static int tpm_find_and_validate_cc(struct tpm_chip *chip,
268
+
struct tpm_space *space,
269
+
const void *cmd, size_t len)
270
+
{
271
+
const struct tpm_header *header = (const void *)cmd;
272
+
int i;
273
+
u32 cc;
274
+
u32 attrs;
275
+
unsigned int nr_handles;
276
+
277
+
if (len < TPM_HEADER_SIZE || !chip->nr_commands)
278
+
return -EINVAL;
279
+
280
+
cc = be32_to_cpu(header->ordinal);
281
+
282
+
i = tpm2_find_cc(chip, cc);
283
+
if (i < 0) {
284
+
dev_dbg(&chip->dev, "0x%04X is an invalid command\n",
285
+
cc);
286
+
return -EOPNOTSUPP;
287
+
}
288
+
289
+
attrs = chip->cc_attrs_tbl[i];
290
+
nr_handles =
291
+
4 * ((attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0));
292
+
if (len < TPM_HEADER_SIZE + 4 * nr_handles)
293
+
goto err_len;
294
+
295
+
return cc;
296
+
err_len:
297
+
dev_dbg(&chip->dev, "%s: insufficient command length %zu", __func__,
298
+
len);
299
+
return -EINVAL;
300
+
}
301
+
302
+
int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd,
303
+
size_t cmdsiz)
268
304
{
269
305
int rc;
306
+
int cc;
270
307
271
308
if (!space)
272
309
return 0;
310
+
311
+
cc = tpm_find_and_validate_cc(chip, space, cmd, cmdsiz);
312
+
if (cc < 0)
313
+
return cc;
273
314
274
315
memcpy(&chip->work_space.context_tbl, &space->context_tbl,
275
316
sizeof(space->context_tbl));
···
330
291
return rc;
331
292
}
332
293
294
+
chip->last_cc = cc;
333
295
return 0;
334
296
}
335
297
···
374
334
size_t len)
375
335
{
376
336
struct tpm_space *space = &chip->work_space;
377
-
struct tpm_output_header *header = (void *)rsp;
337
+
struct tpm_header *header = (struct tpm_header *)rsp;
378
338
u32 phandle;
379
339
u32 phandle_type;
380
340
u32 vhandle;
···
417
377
418
378
return 0;
419
379
out_no_slots:
420
-
tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_NESTED);
380
+
tpm2_flush_context(chip, phandle);
421
381
dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__,
422
382
phandle);
423
383
return -ENOMEM;
···
434
394
size_t len)
435
395
{
436
396
struct tpm_space *space = &chip->work_space;
437
-
struct tpm_output_header *header = (void *)rsp;
397
+
struct tpm_header *header = (struct tpm_header *)rsp;
438
398
struct tpm2_cap_handles *data;
439
399
u32 phandle;
440
400
u32 phandle_type;
···
504
464
} else if (rc)
505
465
return rc;
506
466
507
-
tpm2_flush_context_cmd(chip, space->context_tbl[i],
508
-
TPM_TRANSMIT_NESTED);
467
+
tpm2_flush_context(chip, space->context_tbl[i]);
509
468
space->context_tbl[i] = ~0;
510
469
}
511
470
···
529
490
}
530
491
531
492
int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
532
-
u32 cc, u8 *buf, size_t *bufsiz)
493
+
void *buf, size_t *bufsiz)
533
494
{
534
-
struct tpm_output_header *header = (void *)buf;
495
+
struct tpm_header *header = buf;
535
496
int rc;
536
497
537
498
if (!space)
538
499
return 0;
539
500
540
-
rc = tpm2_map_response_header(chip, cc, buf, *bufsiz);
501
+
rc = tpm2_map_response_header(chip, chip->last_cc, buf, *bufsiz);
541
502
if (rc) {
542
503
tpm2_flush_space(chip);
543
-
return rc;
504
+
goto out;
544
505
}
545
506
546
-
rc = tpm2_map_response_body(chip, cc, buf, *bufsiz);
507
+
rc = tpm2_map_response_body(chip, chip->last_cc, buf, *bufsiz);
547
508
if (rc) {
548
509
tpm2_flush_space(chip);
549
-
return rc;
510
+
goto out;
550
511
}
551
512
552
513
rc = tpm2_save_space(chip);
553
514
if (rc) {
554
515
tpm2_flush_space(chip);
555
-
return rc;
516
+
goto out;
556
517
}
557
518
558
519
*bufsiz = be32_to_cpu(header->length);
···
565
526
memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE);
566
527
567
528
return 0;
529
+
out:
530
+
dev_err(&chip->dev, "%s: error %d\n", __func__, rc);
531
+
return rc;
568
532
}
+1
-1
drivers/char/tpm/tpm_atmel.c
+1
-1
drivers/char/tpm/tpm_atmel.c
+16
-6
drivers/char/tpm/tpm_crb.c
+16
-6
drivers/char/tpm/tpm_crb.c
···
287
287
struct crb_priv *priv = dev_get_drvdata(&chip->dev);
288
288
unsigned int expected;
289
289
290
-
/* sanity check */
291
-
if (count < 6)
290
+
/* A sanity check that the upper layer wants to get at least the header
291
+
* as that is the minimum size for any TPM response.
292
+
*/
293
+
if (count < TPM_HEADER_SIZE)
292
294
return -EIO;
293
295
296
+
/* If this bit is set, according to the spec, the TPM is in
297
+
* unrecoverable condition.
298
+
*/
294
299
if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
295
300
return -EIO;
296
301
297
-
memcpy_fromio(buf, priv->rsp, 6);
298
-
expected = be32_to_cpup((__be32 *) &buf[2]);
299
-
if (expected > count || expected < 6)
302
+
/* Read the first 8 bytes in order to get the length of the response.
303
+
* We read exactly a quad word in order to make sure that the remaining
304
+
* reads will be aligned.
305
+
*/
306
+
memcpy_fromio(buf, priv->rsp, 8);
307
+
308
+
expected = be32_to_cpup((__be32 *)&buf[2]);
309
+
if (expected > count || expected < TPM_HEADER_SIZE)
300
310
return -EIO;
301
311
302
-
memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
312
+
memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
303
313
304
314
return expected;
305
315
}
+11
-4
drivers/char/tpm/tpm_i2c_atmel.c
+11
-4
drivers/char/tpm/tpm_i2c_atmel.c
···
46
46
/* This is the amount we read on the first try. 25 was chosen to fit a
47
47
* fair number of read responses in the buffer so a 2nd retry can be
48
48
* avoided in small message cases. */
49
-
u8 buffer[sizeof(struct tpm_output_header) + 25];
49
+
u8 buffer[sizeof(struct tpm_header) + 25];
50
50
};
51
51
52
52
static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len)
···
65
65
dev_dbg(&chip->dev,
66
66
"%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__,
67
67
(int)min_t(size_t, 64, len), buf, len, status);
68
-
return status;
68
+
69
+
if (status < 0)
70
+
return status;
71
+
72
+
/* The upper layer does not support incomplete sends. */
73
+
if (status != len)
74
+
return -E2BIG;
75
+
76
+
return 0;
69
77
}
70
78
71
79
static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
72
80
{
73
81
struct priv_data *priv = dev_get_drvdata(&chip->dev);
74
82
struct i2c_client *client = to_i2c_client(chip->dev.parent);
75
-
struct tpm_output_header *hdr =
76
-
(struct tpm_output_header *)priv->buffer;
83
+
struct tpm_header *hdr = (struct tpm_header *)priv->buffer;
77
84
u32 expected_len;
78
85
int rc;
79
86
+9
-8
drivers/char/tpm/tpm_i2c_infineon.c
+9
-8
drivers/char/tpm/tpm_i2c_infineon.c
···
26
26
#include <linux/wait.h>
27
27
#include "tpm.h"
28
28
29
-
/* max. buffer size supported by our TPM */
30
-
#define TPM_BUFSIZE 1260
29
+
#define TPM_I2C_INFINEON_BUFSIZE 1260
31
30
32
31
/* max. number of iterations after I2C NAK */
33
32
#define MAX_COUNT 3
···
62
63
UNKNOWN,
63
64
};
64
65
65
-
/* Structure to store I2C TPM specific stuff */
66
66
struct tpm_inf_dev {
67
67
struct i2c_client *client;
68
68
int locality;
69
-
u8 buf[TPM_BUFSIZE + sizeof(u8)]; /* max. buffer size + addr */
69
+
/* In addition to the data itself, the buffer must fit the 7-bit I2C
70
+
* address and the direction bit.
71
+
*/
72
+
u8 buf[TPM_I2C_INFINEON_BUFSIZE + 1];
70
73
struct tpm_chip *chip;
71
74
enum i2c_chip_type chip_type;
72
75
unsigned int adapterlimit;
···
220
219
.buf = tpm_dev.buf
221
220
};
222
221
223
-
if (len > TPM_BUFSIZE)
222
+
if (len > TPM_I2C_INFINEON_BUFSIZE)
224
223
return -EINVAL;
225
224
226
225
if (!tpm_dev.client->adapter->algo->master_xfer)
···
528
527
u8 retries = 0;
529
528
u8 sts = TPM_STS_GO;
530
529
531
-
if (len > TPM_BUFSIZE)
532
-
return -E2BIG; /* command is too long for our tpm, sorry */
530
+
if (len > TPM_I2C_INFINEON_BUFSIZE)
531
+
return -E2BIG;
533
532
534
533
if (request_locality(chip, 0) < 0)
535
534
return -EBUSY;
···
588
587
/* go and do it */
589
588
iic_tpm_write(TPM_STS(tpm_dev.locality), &sts, 1);
590
589
591
-
return len;
590
+
return 0;
592
591
out_err:
593
592
tpm_tis_i2c_ready(chip);
594
593
/* The TPM needs some time to clean up here,
+8
-10
drivers/char/tpm/tpm_i2c_nuvoton.c
+8
-10
drivers/char/tpm/tpm_i2c_nuvoton.c
···
35
35
#include "tpm.h"
36
36
37
37
/* I2C interface offsets */
38
-
#define TPM_STS 0x00
39
-
#define TPM_BURST_COUNT 0x01
40
-
#define TPM_DATA_FIFO_W 0x20
41
-
#define TPM_DATA_FIFO_R 0x40
42
-
#define TPM_VID_DID_RID 0x60
43
-
/* TPM command header size */
44
-
#define TPM_HEADER_SIZE 10
45
-
#define TPM_RETRY 5
38
+
#define TPM_STS 0x00
39
+
#define TPM_BURST_COUNT 0x01
40
+
#define TPM_DATA_FIFO_W 0x20
41
+
#define TPM_DATA_FIFO_R 0x40
42
+
#define TPM_VID_DID_RID 0x60
43
+
#define TPM_I2C_RETRIES 5
46
44
/*
47
45
* I2C bus device maximum buffer size w/o counting I2C address or command
48
46
* i.e. max size required for I2C write is 34 = addr, command, 32 bytes data
···
290
292
dev_err(dev, "%s() count < header size\n", __func__);
291
293
return -EIO;
292
294
}
293
-
for (retries = 0; retries < TPM_RETRY; retries++) {
295
+
for (retries = 0; retries < TPM_I2C_RETRIES; retries++) {
294
296
if (retries > 0) {
295
297
/* if this is not the first trial, set responseRetry */
296
298
i2c_nuvoton_write_status(client,
···
465
467
}
466
468
467
469
dev_dbg(dev, "%s() -> %zd\n", __func__, len);
468
-
return len;
470
+
return 0;
469
471
}
470
472
471
473
static bool i2c_nuvoton_req_canceled(struct tpm_chip *chip, u8 status)
+4
-4
drivers/char/tpm/tpm_ibmvtpm.c
+4
-4
drivers/char/tpm/tpm_ibmvtpm.c
···
139
139
}
140
140
141
141
/**
142
-
* tpm_ibmvtpm_send - Send tpm request
143
-
*
142
+
* tpm_ibmvtpm_send() - Send a TPM command
144
143
* @chip: tpm chip struct
145
144
* @buf: buffer contains data to send
146
145
* @count: size of buffer
147
146
*
148
147
* Return:
149
-
* Number of bytes sent or < 0 on error.
148
+
* 0 on success,
149
+
* -errno on error
150
150
*/
151
151
static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count)
152
152
{
···
192
192
rc = 0;
193
193
ibmvtpm->tpm_processing_cmd = false;
194
194
} else
195
-
rc = count;
195
+
rc = 0;
196
196
197
197
spin_unlock(&ibmvtpm->rtce_lock);
198
198
return rc;
+1
-1
drivers/char/tpm/tpm_infineon.c
+1
-1
drivers/char/tpm/tpm_infineon.c
+1
-1
drivers/char/tpm/tpm_nsc.c
+1
-1
drivers/char/tpm/tpm_nsc.c
+58
-20
drivers/char/tpm/tpm_ppi.c
+58
-20
drivers/char/tpm/tpm_ppi.c
···
20
20
#include <linux/acpi.h>
21
21
#include "tpm.h"
22
22
23
-
#define TPM_PPI_REVISION_ID 1
23
+
#define TPM_PPI_REVISION_ID_1 1
24
+
#define TPM_PPI_REVISION_ID_2 2
24
25
#define TPM_PPI_FN_VERSION 1
25
26
#define TPM_PPI_FN_SUBREQ 2
26
27
#define TPM_PPI_FN_GETREQ 3
···
29
28
#define TPM_PPI_FN_GETRSP 5
30
29
#define TPM_PPI_FN_SUBREQ2 7
31
30
#define TPM_PPI_FN_GETOPR 8
32
-
#define PPI_TPM_REQ_MAX 22
31
+
#define PPI_TPM_REQ_MAX 101 /* PPI 1.3 for TPM 2 */
33
32
#define PPI_VS_REQ_START 128
34
33
#define PPI_VS_REQ_END 255
35
34
···
37
36
GUID_INIT(0x3DDDFAA6, 0x361B, 0x4EB4,
38
37
0xA4, 0x24, 0x8D, 0x10, 0x08, 0x9D, 0x16, 0x53);
39
38
39
+
static bool tpm_ppi_req_has_parameter(u64 req)
40
+
{
41
+
return req == 23;
42
+
}
43
+
40
44
static inline union acpi_object *
41
45
tpm_eval_dsm(acpi_handle ppi_handle, int func, acpi_object_type type,
42
-
union acpi_object *argv4)
46
+
union acpi_object *argv4, u64 rev)
43
47
{
44
48
BUG_ON(!ppi_handle);
45
49
return acpi_evaluate_dsm_typed(ppi_handle, &tpm_ppi_guid,
46
-
TPM_PPI_REVISION_ID,
47
-
func, argv4, type);
50
+
rev, func, argv4, type);
48
51
}
49
52
50
53
static ssize_t tpm_show_ppi_version(struct device *dev,
···
65
60
ssize_t size = -EINVAL;
66
61
union acpi_object *obj;
67
62
struct tpm_chip *chip = to_tpm_chip(dev);
63
+
u64 rev = TPM_PPI_REVISION_ID_2;
64
+
u64 req;
65
+
66
+
if (strcmp(chip->ppi_version, "1.2") < 0)
67
+
rev = TPM_PPI_REVISION_ID_1;
68
68
69
69
obj = tpm_eval_dsm(chip->acpi_dev_handle, TPM_PPI_FN_GETREQ,
70
-
ACPI_TYPE_PACKAGE, NULL);
70
+
ACPI_TYPE_PACKAGE, NULL, rev);
71
71
if (!obj)
72
72
return -ENXIO;
73
73
···
82
72
* error. The second is pending TPM operation requested by the OS, 0
83
73
* means none and >0 means operation value.
84
74
*/
85
-
if (obj->package.count == 2 &&
75
+
if (obj->package.count == 3 &&
76
+
obj->package.elements[0].type == ACPI_TYPE_INTEGER &&
77
+
obj->package.elements[1].type == ACPI_TYPE_INTEGER &&
78
+
obj->package.elements[2].type == ACPI_TYPE_INTEGER) {
79
+
if (obj->package.elements[0].integer.value)
80
+
size = -EFAULT;
81
+
else {
82
+
req = obj->package.elements[1].integer.value;
83
+
if (tpm_ppi_req_has_parameter(req))
84
+
size = scnprintf(buf, PAGE_SIZE,
85
+
"%llu %llu\n", req,
86
+
obj->package.elements[2].integer.value);
87
+
else
88
+
size = scnprintf(buf, PAGE_SIZE,
89
+
"%llu\n", req);
90
+
}
91
+
} else if (obj->package.count == 2 &&
86
92
obj->package.elements[0].type == ACPI_TYPE_INTEGER &&
87
93
obj->package.elements[1].type == ACPI_TYPE_INTEGER) {
88
94
if (obj->package.elements[0].integer.value)
···
120
94
u32 req;
121
95
u64 ret;
122
96
int func = TPM_PPI_FN_SUBREQ;
123
-
union acpi_object *obj, tmp;
124
-
union acpi_object argv4 = ACPI_INIT_DSM_ARGV4(1, &tmp);
97
+
union acpi_object *obj, tmp[2];
98
+
union acpi_object argv4 = ACPI_INIT_DSM_ARGV4(2, tmp);
125
99
struct tpm_chip *chip = to_tpm_chip(dev);
100
+
u64 rev = TPM_PPI_REVISION_ID_1;
126
101
127
102
/*
128
103
* the function to submit TPM operation request to pre-os environment
···
131
104
* version 1.1
132
105
*/
133
106
if (acpi_check_dsm(chip->acpi_dev_handle, &tpm_ppi_guid,
134
-
TPM_PPI_REVISION_ID, 1 << TPM_PPI_FN_SUBREQ2))
107
+
TPM_PPI_REVISION_ID_1, 1 << TPM_PPI_FN_SUBREQ2))
135
108
func = TPM_PPI_FN_SUBREQ2;
136
109
137
110
/*
···
140
113
* string/package type. For PPI version 1.0 and 1.1, use buffer type
141
114
* for compatibility, and use package type since 1.2 according to spec.
142
115
*/
143
-
if (strcmp(chip->ppi_version, "1.2") < 0) {
116
+
if (strcmp(chip->ppi_version, "1.3") == 0) {
117
+
if (sscanf(buf, "%llu %llu", &tmp[0].integer.value,
118
+
&tmp[1].integer.value) != 2)
119
+
goto ppi12;
120
+
rev = TPM_PPI_REVISION_ID_2;
121
+
tmp[0].type = ACPI_TYPE_INTEGER;
122
+
tmp[1].type = ACPI_TYPE_INTEGER;
123
+
} else if (strcmp(chip->ppi_version, "1.2") < 0) {
144
124
if (sscanf(buf, "%d", &req) != 1)
145
125
return -EINVAL;
146
126
argv4.type = ACPI_TYPE_BUFFER;
147
127
argv4.buffer.length = sizeof(req);
148
128
argv4.buffer.pointer = (u8 *)&req;
149
129
} else {
150
-
tmp.type = ACPI_TYPE_INTEGER;
151
-
if (sscanf(buf, "%llu", &tmp.integer.value) != 1)
130
+
ppi12:
131
+
argv4.package.count = 1;
132
+
tmp[0].type = ACPI_TYPE_INTEGER;
133
+
if (sscanf(buf, "%llu", &tmp[0].integer.value) != 1)
152
134
return -EINVAL;
153
135
}
154
136
155
137
obj = tpm_eval_dsm(chip->acpi_dev_handle, func, ACPI_TYPE_INTEGER,
156
-
&argv4);
138
+
&argv4, rev);
157
139
if (!obj) {
158
140
return -ENXIO;
159
141
} else {
···
206
170
if (strcmp(chip->ppi_version, "1.2") < 0)
207
171
obj = &tmp;
208
172
obj = tpm_eval_dsm(chip->acpi_dev_handle, TPM_PPI_FN_GETACT,
209
-
ACPI_TYPE_INTEGER, obj);
173
+
ACPI_TYPE_INTEGER, obj, TPM_PPI_REVISION_ID_1);
210
174
if (!obj) {
211
175
return -ENXIO;
212
176
} else {
···
232
196
struct tpm_chip *chip = to_tpm_chip(dev);
233
197
234
198
obj = tpm_eval_dsm(chip->acpi_dev_handle, TPM_PPI_FN_GETRSP,
235
-
ACPI_TYPE_PACKAGE, NULL);
199
+
ACPI_TYPE_PACKAGE, NULL, TPM_PPI_REVISION_ID_1);
236
200
if (!obj)
237
201
return -ENXIO;
238
202
···
300
264
"User not required",
301
265
};
302
266
303
-
if (!acpi_check_dsm(dev_handle, &tpm_ppi_guid, TPM_PPI_REVISION_ID,
267
+
if (!acpi_check_dsm(dev_handle, &tpm_ppi_guid, TPM_PPI_REVISION_ID_1,
304
268
1 << TPM_PPI_FN_GETOPR))
305
269
return -EPERM;
306
270
···
308
272
for (i = start; i <= end; i++) {
309
273
tmp.integer.value = i;
310
274
obj = tpm_eval_dsm(dev_handle, TPM_PPI_FN_GETOPR,
311
-
ACPI_TYPE_INTEGER, &argv);
275
+
ACPI_TYPE_INTEGER, &argv,
276
+
TPM_PPI_REVISION_ID_1);
312
277
if (!obj) {
313
278
return -ENOMEM;
314
279
} else {
···
375
338
return;
376
339
377
340
if (!acpi_check_dsm(chip->acpi_dev_handle, &tpm_ppi_guid,
378
-
TPM_PPI_REVISION_ID, 1 << TPM_PPI_FN_VERSION))
341
+
TPM_PPI_REVISION_ID_1, 1 << TPM_PPI_FN_VERSION))
379
342
return;
380
343
381
344
/* Cache PPI version string. */
382
345
obj = acpi_evaluate_dsm_typed(chip->acpi_dev_handle, &tpm_ppi_guid,
383
-
TPM_PPI_REVISION_ID, TPM_PPI_FN_VERSION,
346
+
TPM_PPI_REVISION_ID_1,
347
+
TPM_PPI_FN_VERSION,
384
348
NULL, ACPI_TYPE_STRING);
385
349
if (obj) {
386
350
strlcpy(chip->ppi_version, obj->string.pointer,
+14
-7
drivers/char/tpm/tpm_tis_core.c
+14
-7
drivers/char/tpm/tpm_tis_core.c
···
481
481
goto out_err;
482
482
}
483
483
}
484
-
return len;
484
+
return 0;
485
485
out_err:
486
486
tpm_tis_ready(chip);
487
487
return rc;
···
521
521
(TIS_SHORT_TIMEOUT*1000), (TIS_SHORT_TIMEOUT*1000) } },
522
522
};
523
523
524
-
static bool tpm_tis_update_timeouts(struct tpm_chip *chip,
524
+
static void tpm_tis_update_timeouts(struct tpm_chip *chip,
525
525
unsigned long *timeout_cap)
526
526
{
527
527
struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
528
528
int i, rc;
529
529
u32 did_vid;
530
530
531
+
chip->timeout_adjusted = false;
532
+
531
533
if (chip->ops->clk_enable != NULL)
532
534
chip->ops->clk_enable(chip, true);
533
535
534
536
rc = tpm_tis_read32(priv, TPM_DID_VID(0), &did_vid);
535
-
if (rc < 0)
537
+
if (rc < 0) {
538
+
dev_warn(&chip->dev, "%s: failed to read did_vid: %d\n",
539
+
__func__, rc);
536
540
goto out;
541
+
}
537
542
538
543
for (i = 0; i != ARRAY_SIZE(vendor_timeout_overrides); i++) {
539
544
if (vendor_timeout_overrides[i].did_vid != did_vid)
540
545
continue;
541
546
memcpy(timeout_cap, vendor_timeout_overrides[i].timeout_us,
542
547
sizeof(vendor_timeout_overrides[i].timeout_us));
543
-
rc = true;
548
+
chip->timeout_adjusted = true;
544
549
}
545
-
546
-
rc = false;
547
550
548
551
out:
549
552
if (chip->ops->clk_enable != NULL)
550
553
chip->ops->clk_enable(chip, false);
551
554
552
-
return rc;
555
+
return;
553
556
}
554
557
555
558
/*
···
916
913
intmask &= ~TPM_GLOBAL_INT_ENABLE;
917
914
tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask);
918
915
916
+
rc = tpm_chip_start(chip);
917
+
if (rc)
918
+
goto out_err;
919
919
rc = tpm2_probe(chip);
920
+
tpm_chip_stop(chip);
920
921
if (rc)
921
922
goto out_err;
922
923
+6
-9
drivers/char/tpm/tpm_vtpm_proxy.c
+6
-9
drivers/char/tpm/tpm_vtpm_proxy.c
···
303
303
static int vtpm_proxy_is_driver_command(struct tpm_chip *chip,
304
304
u8 *buf, size_t count)
305
305
{
306
-
struct tpm_input_header *hdr = (struct tpm_input_header *)buf;
306
+
struct tpm_header *hdr = (struct tpm_header *)buf;
307
307
308
-
if (count < sizeof(struct tpm_input_header))
308
+
if (count < sizeof(struct tpm_header))
309
309
return 0;
310
310
311
311
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
···
335
335
static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t count)
336
336
{
337
337
struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
338
-
int rc = 0;
339
338
340
339
if (count > sizeof(proxy_dev->buffer)) {
341
340
dev_err(&chip->dev,
···
365
366
366
367
wake_up_interruptible(&proxy_dev->wq);
367
368
368
-
return rc;
369
+
return 0;
369
370
}
370
371
371
372
static void vtpm_proxy_tpm_op_cancel(struct tpm_chip *chip)
···
401
402
{
402
403
struct tpm_buf buf;
403
404
int rc;
404
-
const struct tpm_output_header *header;
405
+
const struct tpm_header *header;
405
406
struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
406
407
407
408
if (chip->flags & TPM_CHIP_FLAG_TPM2)
···
416
417
417
418
proxy_dev->state |= STATE_DRIVER_COMMAND;
418
419
419
-
rc = tpm_transmit_cmd(chip, NULL, buf.data, tpm_buf_length(&buf), 0,
420
-
TPM_TRANSMIT_NESTED,
421
-
"attempting to set locality");
420
+
rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to set locality");
422
421
423
422
proxy_dev->state &= ~STATE_DRIVER_COMMAND;
424
423
···
425
428
goto out;
426
429
}
427
430
428
-
header = (const struct tpm_output_header *)buf.data;
431
+
header = (const struct tpm_header *)buf.data;
429
432
rc = be32_to_cpu(header->return_code);
430
433
if (rc)
431
434
locality = -1;
+2
-2
drivers/char/tpm/xen-tpmfront.c
+2
-2
drivers/char/tpm/xen-tpmfront.c
···
163
163
wmb();
164
164
notify_remote_via_evtchn(priv->evtchn);
165
165
166
-
ordinal = be32_to_cpu(((struct tpm_input_header*)buf)->ordinal);
166
+
ordinal = be32_to_cpu(((struct tpm_header *)buf)->ordinal);
167
167
duration = tpm_calc_ordinal_duration(chip, ordinal);
168
168
169
169
if (wait_for_tpm_stat(chip, VTPM_STATUS_IDLE, duration,
···
173
173
return -ETIME;
174
174
}
175
175
176
-
return count;
176
+
return 0;
177
177
}
178
178
179
179
static int vtpm_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+124
-5
include/linux/tpm.h
+124
-5
include/linux/tpm.h
···
22
22
#ifndef __LINUX_TPM_H__
23
23
#define __LINUX_TPM_H__
24
24
25
+
#include <linux/hw_random.h>
26
+
#include <linux/acpi.h>
27
+
#include <linux/cdev.h>
28
+
#include <linux/fs.h>
29
+
#include <crypto/hash_info.h>
30
+
25
31
#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
32
+
#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
26
33
27
34
struct tpm_chip;
28
35
struct trusted_key_payload;
29
36
struct trusted_key_options;
37
+
38
+
enum tpm_algorithms {
39
+
TPM_ALG_ERROR = 0x0000,
40
+
TPM_ALG_SHA1 = 0x0004,
41
+
TPM_ALG_KEYEDHASH = 0x0008,
42
+
TPM_ALG_SHA256 = 0x000B,
43
+
TPM_ALG_SHA384 = 0x000C,
44
+
TPM_ALG_SHA512 = 0x000D,
45
+
TPM_ALG_NULL = 0x0010,
46
+
TPM_ALG_SM3_256 = 0x0012,
47
+
};
48
+
49
+
struct tpm_digest {
50
+
u16 alg_id;
51
+
u8 digest[TPM_MAX_DIGEST_SIZE];
52
+
} __packed;
53
+
54
+
struct tpm_bank_info {
55
+
u16 alg_id;
56
+
u16 digest_size;
57
+
u16 crypto_id;
58
+
};
30
59
31
60
enum TPM_OPS_FLAGS {
32
61
TPM_OPS_AUTO_STARTUP = BIT(0),
···
70
41
int (*send) (struct tpm_chip *chip, u8 *buf, size_t len);
71
42
void (*cancel) (struct tpm_chip *chip);
72
43
u8 (*status) (struct tpm_chip *chip);
73
-
bool (*update_timeouts)(struct tpm_chip *chip,
44
+
void (*update_timeouts)(struct tpm_chip *chip,
74
45
unsigned long *timeout_cap);
75
46
int (*go_idle)(struct tpm_chip *chip);
76
47
int (*cmd_ready)(struct tpm_chip *chip);
···
79
50
void (*clk_enable)(struct tpm_chip *chip, bool value);
80
51
};
81
52
53
+
#define TPM_NUM_EVENT_LOG_FILES 3
54
+
55
+
/* Indexes the duration array */
56
+
enum tpm_duration {
57
+
TPM_SHORT = 0,
58
+
TPM_MEDIUM = 1,
59
+
TPM_LONG = 2,
60
+
TPM_LONG_LONG = 3,
61
+
TPM_UNDEFINED,
62
+
TPM_NUM_DURATIONS = TPM_UNDEFINED,
63
+
};
64
+
65
+
#define TPM_PPI_VERSION_LEN 3
66
+
67
+
struct tpm_space {
68
+
u32 context_tbl[3];
69
+
u8 *context_buf;
70
+
u32 session_tbl[3];
71
+
u8 *session_buf;
72
+
};
73
+
74
+
struct tpm_bios_log {
75
+
void *bios_event_log;
76
+
void *bios_event_log_end;
77
+
};
78
+
79
+
struct tpm_chip_seqops {
80
+
struct tpm_chip *chip;
81
+
const struct seq_operations *seqops;
82
+
};
83
+
84
+
struct tpm_chip {
85
+
struct device dev;
86
+
struct device devs;
87
+
struct cdev cdev;
88
+
struct cdev cdevs;
89
+
90
+
/* A driver callback under ops cannot be run unless ops_sem is held
91
+
* (sometimes implicitly, eg for the sysfs code). ops becomes null
92
+
* when the driver is unregistered, see tpm_try_get_ops.
93
+
*/
94
+
struct rw_semaphore ops_sem;
95
+
const struct tpm_class_ops *ops;
96
+
97
+
struct tpm_bios_log log;
98
+
struct tpm_chip_seqops bin_log_seqops;
99
+
struct tpm_chip_seqops ascii_log_seqops;
100
+
101
+
unsigned int flags;
102
+
103
+
int dev_num; /* /dev/tpm# */
104
+
unsigned long is_open; /* only one allowed */
105
+
106
+
char hwrng_name[64];
107
+
struct hwrng hwrng;
108
+
109
+
struct mutex tpm_mutex; /* tpm is processing */
110
+
111
+
unsigned long timeout_a; /* jiffies */
112
+
unsigned long timeout_b; /* jiffies */
113
+
unsigned long timeout_c; /* jiffies */
114
+
unsigned long timeout_d; /* jiffies */
115
+
bool timeout_adjusted;
116
+
unsigned long duration[TPM_NUM_DURATIONS]; /* jiffies */
117
+
bool duration_adjusted;
118
+
119
+
struct dentry *bios_dir[TPM_NUM_EVENT_LOG_FILES];
120
+
121
+
const struct attribute_group *groups[3];
122
+
unsigned int groups_cnt;
123
+
124
+
u32 nr_allocated_banks;
125
+
struct tpm_bank_info *allocated_banks;
126
+
#ifdef CONFIG_ACPI
127
+
acpi_handle acpi_dev_handle;
128
+
char ppi_version[TPM_PPI_VERSION_LEN + 1];
129
+
#endif /* CONFIG_ACPI */
130
+
131
+
struct tpm_space work_space;
132
+
u32 last_cc;
133
+
u32 nr_commands;
134
+
u32 *cc_attrs_tbl;
135
+
136
+
/* active locality */
137
+
int locality;
138
+
};
139
+
82
140
#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
83
141
84
142
extern int tpm_is_tpm2(struct tpm_chip *chip);
85
-
extern int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf);
86
-
extern int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash);
143
+
extern int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
144
+
struct tpm_digest *digest);
145
+
extern int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
146
+
struct tpm_digest *digests);
87
147
extern int tpm_send(struct tpm_chip *chip, void *cmd, size_t buflen);
88
148
extern int tpm_get_random(struct tpm_chip *chip, u8 *data, size_t max);
89
149
extern int tpm_seal_trusted(struct tpm_chip *chip,
···
188
70
return -ENODEV;
189
71
}
190
72
191
-
static inline int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
73
+
static inline int tpm_pcr_read(struct tpm_chip *chip, int pcr_idx,
74
+
struct tpm_digest *digest)
192
75
{
193
76
return -ENODEV;
194
77
}
195
78
196
79
static inline int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
197
-
const u8 *hash)
80
+
struct tpm_digest *digests)
198
81
{
199
82
return -ENODEV;
200
83
}
+5
-14
include/linux/tpm_eventlog.h
+5
-14
include/linux/tpm_eventlog.h
···
3
3
#ifndef __LINUX_TPM_EVENTLOG_H__
4
4
#define __LINUX_TPM_EVENTLOG_H__
5
5
6
-
#include <crypto/hash_info.h>
6
+
#include <linux/tpm.h>
7
7
8
8
#define TCG_EVENT_NAME_LEN_MAX 255
9
9
#define MAX_TEXT_EVENT 1000 /* Max event string length */
10
10
#define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */
11
-
#define TPM2_ACTIVE_PCR_BANKS 3
12
11
13
12
#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 0x1
14
13
#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 0x2
···
81
82
u16 digest_size;
82
83
} __packed;
83
84
84
-
struct tcg_efi_specid_event {
85
+
struct tcg_efi_specid_event_head {
85
86
u8 signature[16];
86
87
u32 platform_class;
87
88
u8 spec_version_minor;
···
89
90
u8 spec_errata;
90
91
u8 uintnsize;
91
92
u32 num_algs;
92
-
struct tcg_efi_specid_event_algs digest_sizes[TPM2_ACTIVE_PCR_BANKS];
93
-
u8 vendor_info_size;
94
-
u8 vendor_info[0];
93
+
struct tcg_efi_specid_event_algs digest_sizes[];
95
94
} __packed;
96
95
97
96
struct tcg_pcr_event {
···
105
108
u8 event[0];
106
109
} __packed;
107
110
108
-
struct tpm2_digest {
109
-
u16 alg_id;
110
-
u8 digest[SHA512_DIGEST_SIZE];
111
-
} __packed;
112
-
113
-
struct tcg_pcr_event2 {
111
+
struct tcg_pcr_event2_head {
114
112
u32 pcr_idx;
115
113
u32 event_type;
116
114
u32 count;
117
-
struct tpm2_digest digests[TPM2_ACTIVE_PCR_BANKS];
118
-
struct tcg_event_field event;
115
+
struct tpm_digest digests[];
119
116
} __packed;
120
117
121
118
#endif
+1
security/integrity/ima/ima.h
+1
security/integrity/ima/ima.h
+5
-5
security/integrity/ima/ima_crypto.c
+5
-5
security/integrity/ima/ima_crypto.c
···
643
643
return calc_buffer_shash(buf, len, hash);
644
644
}
645
645
646
-
static void __init ima_pcrread(u32 idx, u8 *pcr)
646
+
static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
647
647
{
648
648
if (!ima_tpm_chip)
649
649
return;
650
650
651
-
if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0)
651
+
if (tpm_pcr_read(ima_tpm_chip, idx, d) != 0)
652
652
pr_err("Error Communicating to TPM chip\n");
653
653
}
654
654
···
658
658
static int __init ima_calc_boot_aggregate_tfm(char *digest,
659
659
struct crypto_shash *tfm)
660
660
{
661
-
u8 pcr_i[TPM_DIGEST_SIZE];
661
+
struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} };
662
662
int rc;
663
663
u32 i;
664
664
SHASH_DESC_ON_STACK(shash, tfm);
···
672
672
673
673
/* cumulative sha1 over tpm registers 0-7 */
674
674
for (i = TPM_PCR0; i < TPM_PCR8; i++) {
675
-
ima_pcrread(i, pcr_i);
675
+
ima_pcrread(i, &d);
676
676
/* now accumulate with current aggregate */
677
-
rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
677
+
rc = crypto_shash_update(shash, d.digest, TPM_DIGEST_SIZE);
678
678
}
679
679
if (!rc)
680
680
crypto_shash_final(shash, digest);
+4
security/integrity/ima/ima_init.c
+4
security/integrity/ima/ima_init.c
···
123
123
if (rc != 0)
124
124
return rc;
125
125
126
+
/* It can be called before ima_init_digests(), it does not use TPM. */
126
127
ima_load_kexec_buffer();
127
128
129
+
rc = ima_init_digests();
130
+
if (rc != 0)
131
+
return rc;
128
132
rc = ima_add_boot_aggregate(); /* boot aggregate must be first entry */
129
133
if (rc != 0)
130
134
return rc;
+26
-1
security/integrity/ima/ima_queue.c
+26
-1
security/integrity/ima/ima_queue.c
···
27
27
28
28
#define AUDIT_CAUSE_LEN_MAX 32
29
29
30
+
/* pre-allocated array of tpm_digest structures to extend a PCR */
31
+
static struct tpm_digest *digests;
32
+
30
33
LIST_HEAD(ima_measurements); /* list of all measurements */
31
34
#ifdef CONFIG_IMA_KEXEC
32
35
static unsigned long binary_runtime_size;
···
143
140
static int ima_pcr_extend(const u8 *hash, int pcr)
144
141
{
145
142
int result = 0;
143
+
int i;
146
144
147
145
if (!ima_tpm_chip)
148
146
return result;
149
147
150
-
result = tpm_pcr_extend(ima_tpm_chip, pcr, hash);
148
+
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++)
149
+
memcpy(digests[i].digest, hash, TPM_DIGEST_SIZE);
150
+
151
+
result = tpm_pcr_extend(ima_tpm_chip, pcr, digests);
151
152
if (result != 0)
152
153
pr_err("Error Communicating to TPM chip, result: %d\n", result);
153
154
return result;
···
217
210
result = ima_add_digest_entry(entry, 0);
218
211
mutex_unlock(&ima_extend_list_mutex);
219
212
return result;
213
+
}
214
+
215
+
int __init ima_init_digests(void)
216
+
{
217
+
int i;
218
+
219
+
if (!ima_tpm_chip)
220
+
return 0;
221
+
222
+
digests = kcalloc(ima_tpm_chip->nr_allocated_banks, sizeof(*digests),
223
+
GFP_NOFS);
224
+
if (!digests)
225
+
return -ENOMEM;
226
+
227
+
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++)
228
+
digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
229
+
230
+
return 0;
220
231
}
+54
-19
security/keys/trusted.c
+54
-19
security/keys/trusted.c
···
34
34
35
35
static const char hmac_alg[] = "hmac(sha1)";
36
36
static const char hash_alg[] = "sha1";
37
+
static struct tpm_chip *chip;
38
+
static struct tpm_digest *digests;
37
39
38
40
struct sdesc {
39
41
struct shash_desc shash;
···
364
362
int rc;
365
363
366
364
dump_tpm_buf(cmd);
367
-
rc = tpm_send(NULL, cmd, buflen);
365
+
rc = tpm_send(chip, cmd, buflen);
368
366
dump_tpm_buf(cmd);
369
367
if (rc > 0)
370
368
/* Can't return positive return codes values to keyctl */
···
381
379
*/
382
380
static int pcrlock(const int pcrnum)
383
381
{
384
-
unsigned char hash[SHA1_DIGEST_SIZE];
385
-
int ret;
386
-
387
382
if (!capable(CAP_SYS_ADMIN))
388
383
return -EPERM;
389
-
ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
390
-
if (ret != SHA1_DIGEST_SIZE)
391
-
return ret;
392
-
return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
384
+
385
+
return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0;
393
386
}
394
387
395
388
/*
···
397
400
unsigned char ononce[TPM_NONCE_SIZE];
398
401
int ret;
399
402
400
-
ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
403
+
ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
401
404
if (ret != TPM_NONCE_SIZE)
402
405
return ret;
403
406
···
493
496
if (ret < 0)
494
497
goto out;
495
498
496
-
ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
499
+
ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
497
500
if (ret != TPM_NONCE_SIZE)
498
501
goto out;
499
502
ordinal = htonl(TPM_ORD_SEAL);
···
603
606
604
607
ordinal = htonl(TPM_ORD_UNSEAL);
605
608
keyhndl = htonl(SRKHANDLE);
606
-
ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
609
+
ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
607
610
if (ret != TPM_NONCE_SIZE) {
608
611
pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
609
612
return ret;
···
748
751
int i;
749
752
int tpm2;
750
753
751
-
tpm2 = tpm_is_tpm2(NULL);
754
+
tpm2 = tpm_is_tpm2(chip);
752
755
if (tpm2 < 0)
753
756
return tpm2;
754
757
···
917
920
struct trusted_key_options *options;
918
921
int tpm2;
919
922
920
-
tpm2 = tpm_is_tpm2(NULL);
923
+
tpm2 = tpm_is_tpm2(chip);
921
924
if (tpm2 < 0)
922
925
return NULL;
923
926
···
967
970
size_t key_len;
968
971
int tpm2;
969
972
970
-
tpm2 = tpm_is_tpm2(NULL);
973
+
tpm2 = tpm_is_tpm2(chip);
971
974
if (tpm2 < 0)
972
975
return tpm2;
973
976
···
1008
1011
switch (key_cmd) {
1009
1012
case Opt_load:
1010
1013
if (tpm2)
1011
-
ret = tpm_unseal_trusted(NULL, payload, options);
1014
+
ret = tpm_unseal_trusted(chip, payload, options);
1012
1015
else
1013
1016
ret = key_unseal(payload, options);
1014
1017
dump_payload(payload);
···
1018
1021
break;
1019
1022
case Opt_new:
1020
1023
key_len = payload->key_len;
1021
-
ret = tpm_get_random(NULL, payload->key, key_len);
1024
+
ret = tpm_get_random(chip, payload->key, key_len);
1022
1025
if (ret != key_len) {
1023
1026
pr_info("trusted_key: key_create failed (%d)\n", ret);
1024
1027
goto out;
1025
1028
}
1026
1029
if (tpm2)
1027
-
ret = tpm_seal_trusted(NULL, payload, options);
1030
+
ret = tpm_seal_trusted(chip, payload, options);
1028
1031
else
1029
1032
ret = key_seal(payload, options);
1030
1033
if (ret < 0)
···
1218
1221
return ret;
1219
1222
}
1220
1223
1224
+
static int __init init_digests(void)
1225
+
{
1226
+
u8 digest[TPM_MAX_DIGEST_SIZE];
1227
+
int ret;
1228
+
int i;
1229
+
1230
+
ret = tpm_get_random(chip, digest, TPM_MAX_DIGEST_SIZE);
1231
+
if (ret < 0)
1232
+
return ret;
1233
+
if (ret < TPM_MAX_DIGEST_SIZE)
1234
+
return -EFAULT;
1235
+
1236
+
digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests),
1237
+
GFP_KERNEL);
1238
+
if (!digests)
1239
+
return -ENOMEM;
1240
+
1241
+
for (i = 0; i < chip->nr_allocated_banks; i++)
1242
+
memcpy(digests[i].digest, digest, TPM_MAX_DIGEST_SIZE);
1243
+
1244
+
return 0;
1245
+
}
1246
+
1221
1247
static int __init init_trusted(void)
1222
1248
{
1223
1249
int ret;
1224
1250
1251
+
chip = tpm_default_chip();
1252
+
if (!chip)
1253
+
return -ENOENT;
1254
+
ret = init_digests();
1255
+
if (ret < 0)
1256
+
goto err_put;
1225
1257
ret = trusted_shash_alloc();
1226
1258
if (ret < 0)
1227
-
return ret;
1259
+
goto err_free;
1228
1260
ret = register_key_type(&key_type_trusted);
1229
1261
if (ret < 0)
1230
-
trusted_shash_release();
1262
+
goto err_release;
1263
+
return 0;
1264
+
err_release:
1265
+
trusted_shash_release();
1266
+
err_free:
1267
+
kfree(digests);
1268
+
err_put:
1269
+
put_device(&chip->dev);
1231
1270
return ret;
1232
1271
}
1233
1272
1234
1273
static void __exit cleanup_trusted(void)
1235
1274
{
1275
+
put_device(&chip->dev);
1276
+
kfree(digests);
1236
1277
trusted_shash_release();
1237
1278
unregister_key_type(&key_type_trusted);
1238
1279
}
+1
tools/testing/selftests/Makefile
+1
tools/testing/selftests/Makefile
+4
tools/testing/selftests/tpm2/Makefile
+4
tools/testing/selftests/tpm2/Makefile
+4
tools/testing/selftests/tpm2/test_smoke.sh
+4
tools/testing/selftests/tpm2/test_smoke.sh
+4
tools/testing/selftests/tpm2/test_space.sh
+4
tools/testing/selftests/tpm2/test_space.sh
+696
tools/testing/selftests/tpm2/tpm2.py
+696
tools/testing/selftests/tpm2/tpm2.py
···
1
+
# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
+
3
+
import hashlib
4
+
import os
5
+
import socket
6
+
import struct
7
+
import sys
8
+
import unittest
9
+
from fcntl import ioctl
10
+
11
+
12
+
TPM2_ST_NO_SESSIONS = 0x8001
13
+
TPM2_ST_SESSIONS = 0x8002
14
+
15
+
TPM2_CC_FIRST = 0x01FF
16
+
17
+
TPM2_CC_CREATE_PRIMARY = 0x0131
18
+
TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
19
+
TPM2_CC_CREATE = 0x0153
20
+
TPM2_CC_LOAD = 0x0157
21
+
TPM2_CC_UNSEAL = 0x015E
22
+
TPM2_CC_FLUSH_CONTEXT = 0x0165
23
+
TPM2_CC_START_AUTH_SESSION = 0x0176
24
+
TPM2_CC_GET_CAPABILITY = 0x017A
25
+
TPM2_CC_PCR_READ = 0x017E
26
+
TPM2_CC_POLICY_PCR = 0x017F
27
+
TPM2_CC_PCR_EXTEND = 0x0182
28
+
TPM2_CC_POLICY_PASSWORD = 0x018C
29
+
TPM2_CC_POLICY_GET_DIGEST = 0x0189
30
+
31
+
TPM2_SE_POLICY = 0x01
32
+
TPM2_SE_TRIAL = 0x03
33
+
34
+
TPM2_ALG_RSA = 0x0001
35
+
TPM2_ALG_SHA1 = 0x0004
36
+
TPM2_ALG_AES = 0x0006
37
+
TPM2_ALG_KEYEDHASH = 0x0008
38
+
TPM2_ALG_SHA256 = 0x000B
39
+
TPM2_ALG_NULL = 0x0010
40
+
TPM2_ALG_CBC = 0x0042
41
+
TPM2_ALG_CFB = 0x0043
42
+
43
+
TPM2_RH_OWNER = 0x40000001
44
+
TPM2_RH_NULL = 0x40000007
45
+
TPM2_RH_LOCKOUT = 0x4000000A
46
+
TPM2_RS_PW = 0x40000009
47
+
48
+
TPM2_RC_SIZE = 0x01D5
49
+
TPM2_RC_AUTH_FAIL = 0x098E
50
+
TPM2_RC_POLICY_FAIL = 0x099D
51
+
TPM2_RC_COMMAND_CODE = 0x0143
52
+
53
+
TSS2_RC_LAYER_SHIFT = 16
54
+
TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
55
+
56
+
TPM2_CAP_HANDLES = 0x00000001
57
+
TPM2_CAP_COMMANDS = 0x00000002
58
+
TPM2_CAP_TPM_PROPERTIES = 0x00000006
59
+
60
+
TPM2_PT_FIXED = 0x100
61
+
TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41
62
+
63
+
HR_SHIFT = 24
64
+
HR_LOADED_SESSION = 0x02000000
65
+
HR_TRANSIENT = 0x80000000
66
+
67
+
SHA1_DIGEST_SIZE = 20
68
+
SHA256_DIGEST_SIZE = 32
69
+
70
+
TPM2_VER0_ERRORS = {
71
+
0x000: "TPM_RC_SUCCESS",
72
+
0x030: "TPM_RC_BAD_TAG",
73
+
}
74
+
75
+
TPM2_VER1_ERRORS = {
76
+
0x000: "TPM_RC_FAILURE",
77
+
0x001: "TPM_RC_FAILURE",
78
+
0x003: "TPM_RC_SEQUENCE",
79
+
0x00B: "TPM_RC_PRIVATE",
80
+
0x019: "TPM_RC_HMAC",
81
+
0x020: "TPM_RC_DISABLED",
82
+
0x021: "TPM_RC_EXCLUSIVE",
83
+
0x024: "TPM_RC_AUTH_TYPE",
84
+
0x025: "TPM_RC_AUTH_MISSING",
85
+
0x026: "TPM_RC_POLICY",
86
+
0x027: "TPM_RC_PCR",
87
+
0x028: "TPM_RC_PCR_CHANGED",
88
+
0x02D: "TPM_RC_UPGRADE",
89
+
0x02E: "TPM_RC_TOO_MANY_CONTEXTS",
90
+
0x02F: "TPM_RC_AUTH_UNAVAILABLE",
91
+
0x030: "TPM_RC_REBOOT",
92
+
0x031: "TPM_RC_UNBALANCED",
93
+
0x042: "TPM_RC_COMMAND_SIZE",
94
+
0x043: "TPM_RC_COMMAND_CODE",
95
+
0x044: "TPM_RC_AUTHSIZE",
96
+
0x045: "TPM_RC_AUTH_CONTEXT",
97
+
0x046: "TPM_RC_NV_RANGE",
98
+
0x047: "TPM_RC_NV_SIZE",
99
+
0x048: "TPM_RC_NV_LOCKED",
100
+
0x049: "TPM_RC_NV_AUTHORIZATION",
101
+
0x04A: "TPM_RC_NV_UNINITIALIZED",
102
+
0x04B: "TPM_RC_NV_SPACE",
103
+
0x04C: "TPM_RC_NV_DEFINED",
104
+
0x050: "TPM_RC_BAD_CONTEXT",
105
+
0x051: "TPM_RC_CPHASH",
106
+
0x052: "TPM_RC_PARENT",
107
+
0x053: "TPM_RC_NEEDS_TEST",
108
+
0x054: "TPM_RC_NO_RESULT",
109
+
0x055: "TPM_RC_SENSITIVE",
110
+
0x07F: "RC_MAX_FM0",
111
+
}
112
+
113
+
TPM2_FMT1_ERRORS = {
114
+
0x001: "TPM_RC_ASYMMETRIC",
115
+
0x002: "TPM_RC_ATTRIBUTES",
116
+
0x003: "TPM_RC_HASH",
117
+
0x004: "TPM_RC_VALUE",
118
+
0x005: "TPM_RC_HIERARCHY",
119
+
0x007: "TPM_RC_KEY_SIZE",
120
+
0x008: "TPM_RC_MGF",
121
+
0x009: "TPM_RC_MODE",
122
+
0x00A: "TPM_RC_TYPE",
123
+
0x00B: "TPM_RC_HANDLE",
124
+
0x00C: "TPM_RC_KDF",
125
+
0x00D: "TPM_RC_RANGE",
126
+
0x00E: "TPM_RC_AUTH_FAIL",
127
+
0x00F: "TPM_RC_NONCE",
128
+
0x010: "TPM_RC_PP",
129
+
0x012: "TPM_RC_SCHEME",
130
+
0x015: "TPM_RC_SIZE",
131
+
0x016: "TPM_RC_SYMMETRIC",
132
+
0x017: "TPM_RC_TAG",
133
+
0x018: "TPM_RC_SELECTOR",
134
+
0x01A: "TPM_RC_INSUFFICIENT",
135
+
0x01B: "TPM_RC_SIGNATURE",
136
+
0x01C: "TPM_RC_KEY",
137
+
0x01D: "TPM_RC_POLICY_FAIL",
138
+
0x01F: "TPM_RC_INTEGRITY",
139
+
0x020: "TPM_RC_TICKET",
140
+
0x021: "TPM_RC_RESERVED_BITS",
141
+
0x022: "TPM_RC_BAD_AUTH",
142
+
0x023: "TPM_RC_EXPIRED",
143
+
0x024: "TPM_RC_POLICY_CC",
144
+
0x025: "TPM_RC_BINDING",
145
+
0x026: "TPM_RC_CURVE",
146
+
0x027: "TPM_RC_ECC_POINT",
147
+
}
148
+
149
+
TPM2_WARN_ERRORS = {
150
+
0x001: "TPM_RC_CONTEXT_GAP",
151
+
0x002: "TPM_RC_OBJECT_MEMORY",
152
+
0x003: "TPM_RC_SESSION_MEMORY",
153
+
0x004: "TPM_RC_MEMORY",
154
+
0x005: "TPM_RC_SESSION_HANDLES",
155
+
0x006: "TPM_RC_OBJECT_HANDLES",
156
+
0x007: "TPM_RC_LOCALITY",
157
+
0x008: "TPM_RC_YIELDED",
158
+
0x009: "TPM_RC_CANCELED",
159
+
0x00A: "TPM_RC_TESTING",
160
+
0x010: "TPM_RC_REFERENCE_H0",
161
+
0x011: "TPM_RC_REFERENCE_H1",
162
+
0x012: "TPM_RC_REFERENCE_H2",
163
+
0x013: "TPM_RC_REFERENCE_H3",
164
+
0x014: "TPM_RC_REFERENCE_H4",
165
+
0x015: "TPM_RC_REFERENCE_H5",
166
+
0x016: "TPM_RC_REFERENCE_H6",
167
+
0x018: "TPM_RC_REFERENCE_S0",
168
+
0x019: "TPM_RC_REFERENCE_S1",
169
+
0x01A: "TPM_RC_REFERENCE_S2",
170
+
0x01B: "TPM_RC_REFERENCE_S3",
171
+
0x01C: "TPM_RC_REFERENCE_S4",
172
+
0x01D: "TPM_RC_REFERENCE_S5",
173
+
0x01E: "TPM_RC_REFERENCE_S6",
174
+
0x020: "TPM_RC_NV_RATE",
175
+
0x021: "TPM_RC_LOCKOUT",
176
+
0x022: "TPM_RC_RETRY",
177
+
0x023: "TPM_RC_NV_UNAVAILABLE",
178
+
0x7F: "TPM_RC_NOT_USED",
179
+
}
180
+
181
+
RC_VER1 = 0x100
182
+
RC_FMT1 = 0x080
183
+
RC_WARN = 0x900
184
+
185
+
ALG_DIGEST_SIZE_MAP = {
186
+
TPM2_ALG_SHA1: SHA1_DIGEST_SIZE,
187
+
TPM2_ALG_SHA256: SHA256_DIGEST_SIZE,
188
+
}
189
+
190
+
ALG_HASH_FUNCTION_MAP = {
191
+
TPM2_ALG_SHA1: hashlib.sha1,
192
+
TPM2_ALG_SHA256: hashlib.sha256
193
+
}
194
+
195
+
NAME_ALG_MAP = {
196
+
"sha1": TPM2_ALG_SHA1,
197
+
"sha256": TPM2_ALG_SHA256,
198
+
}
199
+
200
+
201
+
class UnknownAlgorithmIdError(Exception):
202
+
def __init__(self, alg):
203
+
self.alg = alg
204
+
205
+
def __str__(self):
206
+
return '0x%0x' % (alg)
207
+
208
+
209
+
class UnknownAlgorithmNameError(Exception):
210
+
def __init__(self, name):
211
+
self.name = name
212
+
213
+
def __str__(self):
214
+
return name
215
+
216
+
217
+
class UnknownPCRBankError(Exception):
218
+
def __init__(self, alg):
219
+
self.alg = alg
220
+
221
+
def __str__(self):
222
+
return '0x%0x' % (alg)
223
+
224
+
225
+
class ProtocolError(Exception):
226
+
def __init__(self, cc, rc):
227
+
self.cc = cc
228
+
self.rc = rc
229
+
230
+
if (rc & RC_FMT1) == RC_FMT1:
231
+
self.name = TPM2_FMT1_ERRORS.get(rc & 0x3f, "TPM_RC_UNKNOWN")
232
+
elif (rc & RC_WARN) == RC_WARN:
233
+
self.name = TPM2_WARN_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
234
+
elif (rc & RC_VER1) == RC_VER1:
235
+
self.name = TPM2_VER1_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
236
+
else:
237
+
self.name = TPM2_VER0_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
238
+
239
+
def __str__(self):
240
+
if self.cc:
241
+
return '%s: cc=0x%08x, rc=0x%08x' % (self.name, self.cc, self.rc)
242
+
else:
243
+
return '%s: rc=0x%08x' % (self.name, self.rc)
244
+
245
+
246
+
class AuthCommand(object):
247
+
"""TPMS_AUTH_COMMAND"""
248
+
249
+
def __init__(self, session_handle=TPM2_RS_PW, nonce='', session_attributes=0,
250
+
hmac=''):
251
+
self.session_handle = session_handle
252
+
self.nonce = nonce
253
+
self.session_attributes = session_attributes
254
+
self.hmac = hmac
255
+
256
+
def __str__(self):
257
+
fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
258
+
return struct.pack(fmt, self.session_handle, len(self.nonce),
259
+
self.nonce, self.session_attributes, len(self.hmac),
260
+
self.hmac)
261
+
262
+
def __len__(self):
263
+
fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
264
+
return struct.calcsize(fmt)
265
+
266
+
267
+
class SensitiveCreate(object):
268
+
"""TPMS_SENSITIVE_CREATE"""
269
+
270
+
def __init__(self, user_auth='', data=''):
271
+
self.user_auth = user_auth
272
+
self.data = data
273
+
274
+
def __str__(self):
275
+
fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
276
+
return struct.pack(fmt, len(self.user_auth), self.user_auth,
277
+
len(self.data), self.data)
278
+
279
+
def __len__(self):
280
+
fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
281
+
return struct.calcsize(fmt)
282
+
283
+
284
+
class Public(object):
285
+
"""TPMT_PUBLIC"""
286
+
287
+
FIXED_TPM = (1 << 1)
288
+
FIXED_PARENT = (1 << 4)
289
+
SENSITIVE_DATA_ORIGIN = (1 << 5)
290
+
USER_WITH_AUTH = (1 << 6)
291
+
RESTRICTED = (1 << 16)
292
+
DECRYPT = (1 << 17)
293
+
294
+
def __fmt(self):
295
+
return '>HHIH%us%usH%us' % \
296
+
(len(self.auth_policy), len(self.parameters), len(self.unique))
297
+
298
+
def __init__(self, object_type, name_alg, object_attributes, auth_policy='',
299
+
parameters='', unique=''):
300
+
self.object_type = object_type
301
+
self.name_alg = name_alg
302
+
self.object_attributes = object_attributes
303
+
self.auth_policy = auth_policy
304
+
self.parameters = parameters
305
+
self.unique = unique
306
+
307
+
def __str__(self):
308
+
return struct.pack(self.__fmt(),
309
+
self.object_type,
310
+
self.name_alg,
311
+
self.object_attributes,
312
+
len(self.auth_policy),
313
+
self.auth_policy,
314
+
self.parameters,
315
+
len(self.unique),
316
+
self.unique)
317
+
318
+
def __len__(self):
319
+
return struct.calcsize(self.__fmt())
320
+
321
+
322
+
def get_digest_size(alg):
323
+
ds = ALG_DIGEST_SIZE_MAP.get(alg)
324
+
if not ds:
325
+
raise UnknownAlgorithmIdError(alg)
326
+
return ds
327
+
328
+
329
+
def get_hash_function(alg):
330
+
f = ALG_HASH_FUNCTION_MAP.get(alg)
331
+
if not f:
332
+
raise UnknownAlgorithmIdError(alg)
333
+
return f
334
+
335
+
336
+
def get_algorithm(name):
337
+
alg = NAME_ALG_MAP.get(name)
338
+
if not alg:
339
+
raise UnknownAlgorithmNameError(name)
340
+
return alg
341
+
342
+
343
+
def hex_dump(d):
344
+
d = [format(ord(x), '02x') for x in d]
345
+
d = [d[i: i + 16] for i in xrange(0, len(d), 16)]
346
+
d = [' '.join(x) for x in d]
347
+
d = os.linesep.join(d)
348
+
349
+
return d
350
+
351
+
class Client:
352
+
FLAG_DEBUG = 0x01
353
+
FLAG_SPACE = 0x02
354
+
TPM_IOC_NEW_SPACE = 0xa200
355
+
356
+
def __init__(self, flags = 0):
357
+
self.flags = flags
358
+
359
+
if (self.flags & Client.FLAG_SPACE) == 0:
360
+
self.tpm = open('/dev/tpm0', 'r+b')
361
+
else:
362
+
self.tpm = open('/dev/tpmrm0', 'r+b')
363
+
364
+
def close(self):
365
+
self.tpm.close()
366
+
367
+
def send_cmd(self, cmd):
368
+
self.tpm.write(cmd)
369
+
rsp = self.tpm.read()
370
+
371
+
if (self.flags & Client.FLAG_DEBUG) != 0:
372
+
sys.stderr.write('cmd' + os.linesep)
373
+
sys.stderr.write(hex_dump(cmd) + os.linesep)
374
+
sys.stderr.write('rsp' + os.linesep)
375
+
sys.stderr.write(hex_dump(rsp) + os.linesep)
376
+
377
+
rc = struct.unpack('>I', rsp[6:10])[0]
378
+
if rc != 0:
379
+
cc = struct.unpack('>I', cmd[6:10])[0]
380
+
raise ProtocolError(cc, rc)
381
+
382
+
return rsp
383
+
384
+
def read_pcr(self, i, bank_alg = TPM2_ALG_SHA1):
385
+
pcrsel_len = max((i >> 3) + 1, 3)
386
+
pcrsel = [0] * pcrsel_len
387
+
pcrsel[i >> 3] = 1 << (i & 7)
388
+
pcrsel = ''.join(map(chr, pcrsel))
389
+
390
+
fmt = '>HII IHB%us' % (pcrsel_len)
391
+
cmd = struct.pack(fmt,
392
+
TPM2_ST_NO_SESSIONS,
393
+
struct.calcsize(fmt),
394
+
TPM2_CC_PCR_READ,
395
+
1,
396
+
bank_alg,
397
+
pcrsel_len, pcrsel)
398
+
399
+
rsp = self.send_cmd(cmd)
400
+
401
+
pcr_update_cnt, pcr_select_cnt = struct.unpack('>II', rsp[10:18])
402
+
assert pcr_select_cnt == 1
403
+
rsp = rsp[18:]
404
+
405
+
alg2, pcrsel_len2 = struct.unpack('>HB', rsp[:3])
406
+
assert bank_alg == alg2 and pcrsel_len == pcrsel_len2
407
+
rsp = rsp[3 + pcrsel_len:]
408
+
409
+
digest_cnt = struct.unpack('>I', rsp[:4])[0]
410
+
if digest_cnt == 0:
411
+
return None
412
+
rsp = rsp[6:]
413
+
414
+
return rsp
415
+
416
+
def extend_pcr(self, i, dig, bank_alg = TPM2_ALG_SHA1):
417
+
ds = get_digest_size(bank_alg)
418
+
assert(ds == len(dig))
419
+
420
+
auth_cmd = AuthCommand()
421
+
422
+
fmt = '>HII I I%us IH%us' % (len(auth_cmd), ds)
423
+
cmd = struct.pack(
424
+
fmt,
425
+
TPM2_ST_SESSIONS,
426
+
struct.calcsize(fmt),
427
+
TPM2_CC_PCR_EXTEND,
428
+
i,
429
+
len(auth_cmd),
430
+
str(auth_cmd),
431
+
1, bank_alg, dig)
432
+
433
+
self.send_cmd(cmd)
434
+
435
+
def start_auth_session(self, session_type, name_alg = TPM2_ALG_SHA1):
436
+
fmt = '>HII IIH16sHBHH'
437
+
cmd = struct.pack(fmt,
438
+
TPM2_ST_NO_SESSIONS,
439
+
struct.calcsize(fmt),
440
+
TPM2_CC_START_AUTH_SESSION,
441
+
TPM2_RH_NULL,
442
+
TPM2_RH_NULL,
443
+
16,
444
+
'\0' * 16,
445
+
0,
446
+
session_type,
447
+
TPM2_ALG_NULL,
448
+
name_alg)
449
+
450
+
return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
451
+
452
+
def __calc_pcr_digest(self, pcrs, bank_alg = TPM2_ALG_SHA1,
453
+
digest_alg = TPM2_ALG_SHA1):
454
+
x = []
455
+
f = get_hash_function(digest_alg)
456
+
457
+
for i in pcrs:
458
+
pcr = self.read_pcr(i, bank_alg)
459
+
if pcr == None:
460
+
return None
461
+
x += pcr
462
+
463
+
return f(bytearray(x)).digest()
464
+
465
+
def policy_pcr(self, handle, pcrs, bank_alg = TPM2_ALG_SHA1,
466
+
name_alg = TPM2_ALG_SHA1):
467
+
ds = get_digest_size(name_alg)
468
+
dig = self.__calc_pcr_digest(pcrs, bank_alg, name_alg)
469
+
if not dig:
470
+
raise UnknownPCRBankError(bank_alg)
471
+
472
+
pcrsel_len = max((max(pcrs) >> 3) + 1, 3)
473
+
pcrsel = [0] * pcrsel_len
474
+
for i in pcrs:
475
+
pcrsel[i >> 3] |= 1 << (i & 7)
476
+
pcrsel = ''.join(map(chr, pcrsel))
477
+
478
+
fmt = '>HII IH%usIHB3s' % ds
479
+
cmd = struct.pack(fmt,
480
+
TPM2_ST_NO_SESSIONS,
481
+
struct.calcsize(fmt),
482
+
TPM2_CC_POLICY_PCR,
483
+
handle,
484
+
len(dig), str(dig),
485
+
1,
486
+
bank_alg,
487
+
pcrsel_len, pcrsel)
488
+
489
+
self.send_cmd(cmd)
490
+
491
+
def policy_password(self, handle):
492
+
fmt = '>HII I'
493
+
cmd = struct.pack(fmt,
494
+
TPM2_ST_NO_SESSIONS,
495
+
struct.calcsize(fmt),
496
+
TPM2_CC_POLICY_PASSWORD,
497
+
handle)
498
+
499
+
self.send_cmd(cmd)
500
+
501
+
def get_policy_digest(self, handle):
502
+
fmt = '>HII I'
503
+
cmd = struct.pack(fmt,
504
+
TPM2_ST_NO_SESSIONS,
505
+
struct.calcsize(fmt),
506
+
TPM2_CC_POLICY_GET_DIGEST,
507
+
handle)
508
+
509
+
return self.send_cmd(cmd)[12:]
510
+
511
+
def flush_context(self, handle):
512
+
fmt = '>HIII'
513
+
cmd = struct.pack(fmt,
514
+
TPM2_ST_NO_SESSIONS,
515
+
struct.calcsize(fmt),
516
+
TPM2_CC_FLUSH_CONTEXT,
517
+
handle)
518
+
519
+
self.send_cmd(cmd)
520
+
521
+
def create_root_key(self, auth_value = ''):
522
+
attributes = \
523
+
Public.FIXED_TPM | \
524
+
Public.FIXED_PARENT | \
525
+
Public.SENSITIVE_DATA_ORIGIN | \
526
+
Public.USER_WITH_AUTH | \
527
+
Public.RESTRICTED | \
528
+
Public.DECRYPT
529
+
530
+
auth_cmd = AuthCommand()
531
+
sensitive = SensitiveCreate(user_auth=auth_value)
532
+
533
+
public_parms = struct.pack(
534
+
'>HHHHHI',
535
+
TPM2_ALG_AES,
536
+
128,
537
+
TPM2_ALG_CFB,
538
+
TPM2_ALG_NULL,
539
+
2048,
540
+
0)
541
+
542
+
public = Public(
543
+
object_type=TPM2_ALG_RSA,
544
+
name_alg=TPM2_ALG_SHA1,
545
+
object_attributes=attributes,
546
+
parameters=public_parms)
547
+
548
+
fmt = '>HIII I%us H%us H%us HI' % \
549
+
(len(auth_cmd), len(sensitive), len(public))
550
+
cmd = struct.pack(
551
+
fmt,
552
+
TPM2_ST_SESSIONS,
553
+
struct.calcsize(fmt),
554
+
TPM2_CC_CREATE_PRIMARY,
555
+
TPM2_RH_OWNER,
556
+
len(auth_cmd),
557
+
str(auth_cmd),
558
+
len(sensitive),
559
+
str(sensitive),
560
+
len(public),
561
+
str(public),
562
+
0, 0)
563
+
564
+
return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
565
+
566
+
def seal(self, parent_key, data, auth_value, policy_dig,
567
+
name_alg = TPM2_ALG_SHA1):
568
+
ds = get_digest_size(name_alg)
569
+
assert(not policy_dig or ds == len(policy_dig))
570
+
571
+
attributes = 0
572
+
if not policy_dig:
573
+
attributes |= Public.USER_WITH_AUTH
574
+
policy_dig = ''
575
+
576
+
auth_cmd = AuthCommand()
577
+
sensitive = SensitiveCreate(user_auth=auth_value, data=data)
578
+
579
+
public = Public(
580
+
object_type=TPM2_ALG_KEYEDHASH,
581
+
name_alg=name_alg,
582
+
object_attributes=attributes,
583
+
auth_policy=policy_dig,
584
+
parameters=struct.pack('>H', TPM2_ALG_NULL))
585
+
586
+
fmt = '>HIII I%us H%us H%us HI' % \
587
+
(len(auth_cmd), len(sensitive), len(public))
588
+
cmd = struct.pack(
589
+
fmt,
590
+
TPM2_ST_SESSIONS,
591
+
struct.calcsize(fmt),
592
+
TPM2_CC_CREATE,
593
+
parent_key,
594
+
len(auth_cmd),
595
+
str(auth_cmd),
596
+
len(sensitive),
597
+
str(sensitive),
598
+
len(public),
599
+
str(public),
600
+
0, 0)
601
+
602
+
rsp = self.send_cmd(cmd)
603
+
604
+
return rsp[14:]
605
+
606
+
def unseal(self, parent_key, blob, auth_value, policy_handle):
607
+
private_len = struct.unpack('>H', blob[0:2])[0]
608
+
public_start = private_len + 2
609
+
public_len = struct.unpack('>H', blob[public_start:public_start + 2])[0]
610
+
blob = blob[:private_len + public_len + 4]
611
+
612
+
auth_cmd = AuthCommand()
613
+
614
+
fmt = '>HII I I%us %us' % (len(auth_cmd), len(blob))
615
+
cmd = struct.pack(
616
+
fmt,
617
+
TPM2_ST_SESSIONS,
618
+
struct.calcsize(fmt),
619
+
TPM2_CC_LOAD,
620
+
parent_key,
621
+
len(auth_cmd),
622
+
str(auth_cmd),
623
+
blob)
624
+
625
+
data_handle = struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
626
+
627
+
if policy_handle:
628
+
auth_cmd = AuthCommand(session_handle=policy_handle, hmac=auth_value)
629
+
else:
630
+
auth_cmd = AuthCommand(hmac=auth_value)
631
+
632
+
fmt = '>HII I I%us' % (len(auth_cmd))
633
+
cmd = struct.pack(
634
+
fmt,
635
+
TPM2_ST_SESSIONS,
636
+
struct.calcsize(fmt),
637
+
TPM2_CC_UNSEAL,
638
+
data_handle,
639
+
len(auth_cmd),
640
+
str(auth_cmd))
641
+
642
+
try:
643
+
rsp = self.send_cmd(cmd)
644
+
finally:
645
+
self.flush_context(data_handle)
646
+
647
+
data_len = struct.unpack('>I', rsp[10:14])[0] - 2
648
+
649
+
return rsp[16:16 + data_len]
650
+
651
+
def reset_da_lock(self):
652
+
auth_cmd = AuthCommand()
653
+
654
+
fmt = '>HII I I%us' % (len(auth_cmd))
655
+
cmd = struct.pack(
656
+
fmt,
657
+
TPM2_ST_SESSIONS,
658
+
struct.calcsize(fmt),
659
+
TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET,
660
+
TPM2_RH_LOCKOUT,
661
+
len(auth_cmd),
662
+
str(auth_cmd))
663
+
664
+
self.send_cmd(cmd)
665
+
666
+
def __get_cap_cnt(self, cap, pt, cnt):
667
+
handles = []
668
+
fmt = '>HII III'
669
+
670
+
cmd = struct.pack(fmt,
671
+
TPM2_ST_NO_SESSIONS,
672
+
struct.calcsize(fmt),
673
+
TPM2_CC_GET_CAPABILITY,
674
+
cap, pt, cnt)
675
+
676
+
rsp = self.send_cmd(cmd)[10:]
677
+
more_data, cap, cnt = struct.unpack('>BII', rsp[:9])
678
+
rsp = rsp[9:]
679
+
680
+
for i in xrange(0, cnt):
681
+
handle = struct.unpack('>I', rsp[:4])[0]
682
+
handles.append(handle)
683
+
rsp = rsp[4:]
684
+
685
+
return handles, more_data
686
+
687
+
def get_cap(self, cap, pt):
688
+
handles = []
689
+
690
+
more_data = True
691
+
while more_data:
692
+
next_handles, more_data = self.__get_cap_cnt(cap, pt, 1)
693
+
handles += next_handles
694
+
pt += 1
695
+
696
+
return handles
+227
tools/testing/selftests/tpm2/tpm2_tests.py
+227
tools/testing/selftests/tpm2/tpm2_tests.py
···
1
+
# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
+
3
+
from argparse import ArgumentParser
4
+
from argparse import FileType
5
+
import os
6
+
import sys
7
+
import tpm2
8
+
from tpm2 import ProtocolError
9
+
import unittest
10
+
import logging
11
+
import struct
12
+
13
+
class SmokeTest(unittest.TestCase):
14
+
def setUp(self):
15
+
self.client = tpm2.Client()
16
+
self.root_key = self.client.create_root_key()
17
+
18
+
def tearDown(self):
19
+
self.client.flush_context(self.root_key)
20
+
self.client.close()
21
+
22
+
def test_seal_with_auth(self):
23
+
data = 'X' * 64
24
+
auth = 'A' * 15
25
+
26
+
blob = self.client.seal(self.root_key, data, auth, None)
27
+
result = self.client.unseal(self.root_key, blob, auth, None)
28
+
self.assertEqual(data, result)
29
+
30
+
def test_seal_with_policy(self):
31
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
32
+
33
+
data = 'X' * 64
34
+
auth = 'A' * 15
35
+
pcrs = [16]
36
+
37
+
try:
38
+
self.client.policy_pcr(handle, pcrs)
39
+
self.client.policy_password(handle)
40
+
41
+
policy_dig = self.client.get_policy_digest(handle)
42
+
finally:
43
+
self.client.flush_context(handle)
44
+
45
+
blob = self.client.seal(self.root_key, data, auth, policy_dig)
46
+
47
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
48
+
49
+
try:
50
+
self.client.policy_pcr(handle, pcrs)
51
+
self.client.policy_password(handle)
52
+
53
+
result = self.client.unseal(self.root_key, blob, auth, handle)
54
+
except:
55
+
self.client.flush_context(handle)
56
+
raise
57
+
58
+
self.assertEqual(data, result)
59
+
60
+
def test_unseal_with_wrong_auth(self):
61
+
data = 'X' * 64
62
+
auth = 'A' * 20
63
+
rc = 0
64
+
65
+
blob = self.client.seal(self.root_key, data, auth, None)
66
+
try:
67
+
result = self.client.unseal(self.root_key, blob, auth[:-1] + 'B', None)
68
+
except ProtocolError, e:
69
+
rc = e.rc
70
+
71
+
self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
72
+
73
+
def test_unseal_with_wrong_policy(self):
74
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
75
+
76
+
data = 'X' * 64
77
+
auth = 'A' * 17
78
+
pcrs = [16]
79
+
80
+
try:
81
+
self.client.policy_pcr(handle, pcrs)
82
+
self.client.policy_password(handle)
83
+
84
+
policy_dig = self.client.get_policy_digest(handle)
85
+
finally:
86
+
self.client.flush_context(handle)
87
+
88
+
blob = self.client.seal(self.root_key, data, auth, policy_dig)
89
+
90
+
# Extend first a PCR that is not part of the policy and try to unseal.
91
+
# This should succeed.
92
+
93
+
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
94
+
self.client.extend_pcr(1, 'X' * ds)
95
+
96
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
97
+
98
+
try:
99
+
self.client.policy_pcr(handle, pcrs)
100
+
self.client.policy_password(handle)
101
+
102
+
result = self.client.unseal(self.root_key, blob, auth, handle)
103
+
except:
104
+
self.client.flush_context(handle)
105
+
raise
106
+
107
+
self.assertEqual(data, result)
108
+
109
+
# Then, extend a PCR that is part of the policy and try to unseal.
110
+
# This should fail.
111
+
self.client.extend_pcr(16, 'X' * ds)
112
+
113
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
114
+
115
+
rc = 0
116
+
117
+
try:
118
+
self.client.policy_pcr(handle, pcrs)
119
+
self.client.policy_password(handle)
120
+
121
+
result = self.client.unseal(self.root_key, blob, auth, handle)
122
+
except ProtocolError, e:
123
+
rc = e.rc
124
+
self.client.flush_context(handle)
125
+
except:
126
+
self.client.flush_context(handle)
127
+
raise
128
+
129
+
self.assertEqual(rc, tpm2.TPM2_RC_POLICY_FAIL)
130
+
131
+
def test_seal_with_too_long_auth(self):
132
+
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
133
+
data = 'X' * 64
134
+
auth = 'A' * (ds + 1)
135
+
136
+
rc = 0
137
+
try:
138
+
blob = self.client.seal(self.root_key, data, auth, None)
139
+
except ProtocolError, e:
140
+
rc = e.rc
141
+
142
+
self.assertEqual(rc, tpm2.TPM2_RC_SIZE)
143
+
144
+
def test_too_short_cmd(self):
145
+
rejected = False
146
+
try:
147
+
fmt = '>HIII'
148
+
cmd = struct.pack(fmt,
149
+
tpm2.TPM2_ST_NO_SESSIONS,
150
+
struct.calcsize(fmt) + 1,
151
+
tpm2.TPM2_CC_FLUSH_CONTEXT,
152
+
0xDEADBEEF)
153
+
154
+
self.client.send_cmd(cmd)
155
+
except IOError, e:
156
+
rejected = True
157
+
except:
158
+
pass
159
+
self.assertEqual(rejected, True)
160
+
161
+
class SpaceTest(unittest.TestCase):
162
+
def setUp(self):
163
+
logging.basicConfig(filename='SpaceTest.log', level=logging.DEBUG)
164
+
165
+
def test_make_two_spaces(self):
166
+
log = logging.getLogger(__name__)
167
+
log.debug("test_make_two_spaces")
168
+
169
+
space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
170
+
root1 = space1.create_root_key()
171
+
space2 = tpm2.Client(tpm2.Client.FLAG_SPACE)
172
+
root2 = space2.create_root_key()
173
+
root3 = space2.create_root_key()
174
+
175
+
log.debug("%08x" % (root1))
176
+
log.debug("%08x" % (root2))
177
+
log.debug("%08x" % (root3))
178
+
179
+
def test_flush_context(self):
180
+
log = logging.getLogger(__name__)
181
+
log.debug("test_flush_context")
182
+
183
+
space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
184
+
root1 = space1.create_root_key()
185
+
log.debug("%08x" % (root1))
186
+
187
+
space1.flush_context(root1)
188
+
189
+
def test_get_handles(self):
190
+
log = logging.getLogger(__name__)
191
+
log.debug("test_get_handles")
192
+
193
+
space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
194
+
space1.create_root_key()
195
+
space2 = tpm2.Client(tpm2.Client.FLAG_SPACE)
196
+
space2.create_root_key()
197
+
space2.create_root_key()
198
+
199
+
handles = space2.get_cap(tpm2.TPM2_CAP_HANDLES, tpm2.HR_TRANSIENT)
200
+
201
+
self.assertEqual(len(handles), 2)
202
+
203
+
log.debug("%08x" % (handles[0]))
204
+
log.debug("%08x" % (handles[1]))
205
+
206
+
def test_invalid_cc(self):
207
+
log = logging.getLogger(__name__)
208
+
log.debug(sys._getframe().f_code.co_name)
209
+
210
+
TPM2_CC_INVALID = tpm2.TPM2_CC_FIRST - 1
211
+
212
+
space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
213
+
root1 = space1.create_root_key()
214
+
log.debug("%08x" % (root1))
215
+
216
+
fmt = '>HII'
217
+
cmd = struct.pack(fmt, tpm2.TPM2_ST_NO_SESSIONS, struct.calcsize(fmt),
218
+
TPM2_CC_INVALID)
219
+
220
+
rc = 0
221
+
try:
222
+
space1.send_cmd(cmd)
223
+
except ProtocolError, e:
224
+
rc = e.rc
225
+
226
+
self.assertEqual(rc, tpm2.TPM2_RC_COMMAND_CODE |
227
+
tpm2.TSS2_RESMGR_TPM_RC_LAYER)