tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull TPM updates from James Morris:

- Migrate away from PM runtime as explicit cmdReady/goIdle transactions
for every command is a spec requirement. PM runtime adds only a layer
of complexity on our case.

- tpm_tis drivers can now specify the hwrng quality.

- TPM 2.0 code uses now tpm_buf for constructing messages. Jarkko
thinks Tomas Winkler has done the same for TPM 1.2, and will start
digging those changes from the patchwork in the near future.

- Bug fixes and clean ups

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead
ima: Use tpm_default_chip() and call TPM functions with a tpm_chip
tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED
tpm: Convert tpm_find_get_ops() to use tpm_default_chip()
tpm: Implement tpm_default_chip() to find a TPM chip
tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
tpm: Allow tpm_tis drivers to set hwrng quality.
tpm: Return the actual size when receiving an unsupported command
tpm: separate cmd_ready/go_idle from runtime_pm
tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
tpm_tis_spi: Pass the SPI IRQ down to the driver
tpm: migrate tpm2_get_random() to use struct tpm_buf
tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf
tpm: migrate tpm2_probe() to use struct tpm_buf
tpm: migrate tpm2_shutdown() to use struct tpm_buf

Linus Torvalds c715ebeb 04743f89

+289 -308
+46 -22
drivers/char/tpm/tpm-chip.c
··· 81 81 EXPORT_SYMBOL_GPL(tpm_put_ops); 82 82 83 83 /** 84 - * tpm_chip_find_get() - find and reserve a TPM chip 84 + * tpm_default_chip() - find a TPM chip and get a reference to it 85 + */ 86 + struct tpm_chip *tpm_default_chip(void) 87 + { 88 + struct tpm_chip *chip, *res = NULL; 89 + int chip_num = 0; 90 + int chip_prev; 91 + 92 + mutex_lock(&idr_lock); 93 + 94 + do { 95 + chip_prev = chip_num; 96 + chip = idr_get_next(&dev_nums_idr, &chip_num); 97 + if (chip) { 98 + get_device(&chip->dev); 99 + res = chip; 100 + break; 101 + } 102 + } while (chip_prev != chip_num); 103 + 104 + mutex_unlock(&idr_lock); 105 + 106 + return res; 107 + } 108 + EXPORT_SYMBOL_GPL(tpm_default_chip); 109 + 110 + /** 111 + * tpm_find_get_ops() - find and reserve a TPM chip 85 112 * @chip: a &struct tpm_chip instance, %NULL for the default chip 86 113 * 87 114 * Finds a TPM chip and reserves its class device and operations. The chip must 88 - * be released with tpm_chip_put_ops() after use. 115 + * be released with tpm_put_ops() after use. 116 + * This function is for internal use only. It supports existing TPM callers 117 + * by accepting NULL, but those callers should be converted to pass in a chip 118 + * directly. 89 119 * 90 120 * Return: 91 121 * A reserved &struct tpm_chip instance. 92 122 * %NULL if a chip is not found. 93 123 * %NULL if the chip is not available. 94 124 */ 95 - struct tpm_chip *tpm_chip_find_get(struct tpm_chip *chip) 125 + struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip) 96 126 { 97 - struct tpm_chip *res = NULL; 98 - int chip_num = 0; 99 - int chip_prev; 127 + int rc; 100 128 101 - mutex_lock(&idr_lock); 102 - 103 - if (!chip) { 104 - do { 105 - chip_prev = chip_num; 106 - chip = idr_get_next(&dev_nums_idr, &chip_num); 107 - if (chip && !tpm_try_get_ops(chip)) { 108 - res = chip; 109 - break; 110 - } 111 - } while (chip_prev != chip_num); 112 - } else { 129 + if (chip) { 113 130 if (!tpm_try_get_ops(chip)) 114 - res = chip; 131 + return chip; 132 + return NULL; 115 133 } 116 134 117 - mutex_unlock(&idr_lock); 118 - 119 - return res; 135 + chip = tpm_default_chip(); 136 + if (!chip) 137 + return NULL; 138 + rc = tpm_try_get_ops(chip); 139 + /* release additional reference we got from tpm_default_chip() */ 140 + put_device(&chip->dev); 141 + if (rc) 142 + return NULL; 143 + return chip; 120 144 } 121 145 122 146 /**
+51 -21
drivers/char/tpm/tpm-interface.c
··· 29 29 #include <linux/mutex.h> 30 30 #include <linux/spinlock.h> 31 31 #include <linux/freezer.h> 32 - #include <linux/pm_runtime.h> 33 32 #include <linux/tpm_eventlog.h> 34 33 35 34 #include "tpm.h" ··· 368 369 return -EINVAL; 369 370 } 370 371 371 - static int tpm_request_locality(struct tpm_chip *chip) 372 + static int tpm_request_locality(struct tpm_chip *chip, unsigned int flags) 372 373 { 373 374 int rc; 375 + 376 + if (flags & TPM_TRANSMIT_NESTED) 377 + return 0; 374 378 375 379 if (!chip->ops->request_locality) 376 380 return 0; ··· 387 385 return 0; 388 386 } 389 387 390 - static void tpm_relinquish_locality(struct tpm_chip *chip) 388 + static void tpm_relinquish_locality(struct tpm_chip *chip, unsigned int flags) 391 389 { 392 390 int rc; 391 + 392 + if (flags & TPM_TRANSMIT_NESTED) 393 + return; 393 394 394 395 if (!chip->ops->relinquish_locality) 395 396 return; ··· 402 397 dev_err(&chip->dev, "%s: : error %d\n", __func__, rc); 403 398 404 399 chip->locality = -1; 400 + } 401 + 402 + static int tpm_cmd_ready(struct tpm_chip *chip, unsigned int flags) 403 + { 404 + if (flags & TPM_TRANSMIT_NESTED) 405 + return 0; 406 + 407 + if (!chip->ops->cmd_ready) 408 + return 0; 409 + 410 + return chip->ops->cmd_ready(chip); 411 + } 412 + 413 + static int tpm_go_idle(struct tpm_chip *chip, unsigned int flags) 414 + { 415 + if (flags & TPM_TRANSMIT_NESTED) 416 + return 0; 417 + 418 + if (!chip->ops->go_idle) 419 + return 0; 420 + 421 + return chip->ops->go_idle(chip); 405 422 } 406 423 407 424 static ssize_t tpm_try_transmit(struct tpm_chip *chip, ··· 450 423 header->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); 451 424 header->return_code = cpu_to_be32(TPM2_RC_COMMAND_CODE | 452 425 TSS2_RESMGR_TPM_RC_LAYER); 453 - return bufsiz; 426 + return sizeof(*header); 454 427 } 455 428 456 429 if (bufsiz > TPM_BUFSIZE) ··· 466 439 return -E2BIG; 467 440 } 468 441 469 - if (!(flags & TPM_TRANSMIT_UNLOCKED)) 442 + if (!(flags & TPM_TRANSMIT_UNLOCKED) && !(flags & TPM_TRANSMIT_NESTED)) 470 443 mutex_lock(&chip->tpm_mutex); 471 - 472 444 473 445 if (chip->ops->clk_enable != NULL) 474 446 chip->ops->clk_enable(chip, true); ··· 475 449 /* Store the decision as chip->locality will be changed. */ 476 450 need_locality = chip->locality == -1; 477 451 478 - if (!(flags & TPM_TRANSMIT_RAW) && need_locality) { 479 - rc = tpm_request_locality(chip); 452 + if (need_locality) { 453 + rc = tpm_request_locality(chip, flags); 480 454 if (rc < 0) 481 455 goto out_no_locality; 482 456 } 483 457 484 - if (chip->dev.parent) 485 - pm_runtime_get_sync(chip->dev.parent); 458 + rc = tpm_cmd_ready(chip, flags); 459 + if (rc) 460 + goto out; 486 461 487 462 rc = tpm2_prepare_space(chip, space, ordinal, buf); 488 463 if (rc) ··· 543 516 } 544 517 545 518 rc = tpm2_commit_space(chip, space, ordinal, buf, &len); 519 + if (rc) 520 + dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc); 546 521 547 522 out: 548 - if (chip->dev.parent) 549 - pm_runtime_put_sync(chip->dev.parent); 523 + rc = tpm_go_idle(chip, flags); 524 + if (rc) 525 + goto out; 550 526 551 527 if (need_locality) 552 - tpm_relinquish_locality(chip); 528 + tpm_relinquish_locality(chip, flags); 553 529 554 530 out_no_locality: 555 531 if (chip->ops->clk_enable != NULL) 556 532 chip->ops->clk_enable(chip, false); 557 533 558 - if (!(flags & TPM_TRANSMIT_UNLOCKED)) 534 + if (!(flags & TPM_TRANSMIT_UNLOCKED) && !(flags & TPM_TRANSMIT_NESTED)) 559 535 mutex_unlock(&chip->tpm_mutex); 560 536 return rc ? rc : len; 561 537 } ··· 960 930 { 961 931 int rc; 962 932 963 - chip = tpm_chip_find_get(chip); 933 + chip = tpm_find_get_ops(chip); 964 934 if (!chip) 965 935 return -ENODEV; 966 936 ··· 984 954 { 985 955 int rc; 986 956 987 - chip = tpm_chip_find_get(chip); 957 + chip = tpm_find_get_ops(chip); 988 958 if (!chip) 989 959 return -ENODEV; 990 960 if (chip->flags & TPM_CHIP_FLAG_TPM2) ··· 1043 1013 u32 count = 0; 1044 1014 int i; 1045 1015 1046 - chip = tpm_chip_find_get(chip); 1016 + chip = tpm_find_get_ops(chip); 1047 1017 if (!chip) 1048 1018 return -ENODEV; 1049 1019 ··· 1172 1142 { 1173 1143 int rc; 1174 1144 1175 - chip = tpm_chip_find_get(chip); 1145 + chip = tpm_find_get_ops(chip); 1176 1146 if (!chip) 1177 1147 return -ENODEV; 1178 1148 ··· 1292 1262 if (!out || !num_bytes || max > TPM_MAX_RNG_DATA) 1293 1263 return -EINVAL; 1294 1264 1295 - chip = tpm_chip_find_get(chip); 1265 + chip = tpm_find_get_ops(chip); 1296 1266 if (!chip) 1297 1267 return -ENODEV; 1298 1268 ··· 1354 1324 { 1355 1325 int rc; 1356 1326 1357 - chip = tpm_chip_find_get(chip); 1327 + chip = tpm_find_get_ops(chip); 1358 1328 if (!chip || !(chip->flags & TPM_CHIP_FLAG_TPM2)) 1359 1329 return -ENODEV; 1360 1330 ··· 1382 1352 { 1383 1353 int rc; 1384 1354 1385 - chip = tpm_chip_find_get(chip); 1355 + chip = tpm_find_get_ops(chip); 1386 1356 if (!chip || !(chip->flags & TPM_CHIP_FLAG_TPM2)) 1387 1357 return -ENODEV; 1388 1358
+20 -11
drivers/char/tpm/tpm.h
··· 424 424 u8 *data; 425 425 }; 426 426 427 - static inline int tpm_buf_init(struct tpm_buf *buf, u16 tag, u32 ordinal) 427 + static inline void tpm_buf_reset(struct tpm_buf *buf, u16 tag, u32 ordinal) 428 428 { 429 429 struct tpm_input_header *head; 430 + head = (struct tpm_input_header *)buf->data; 431 + head->tag = cpu_to_be16(tag); 432 + head->length = cpu_to_be32(sizeof(*head)); 433 + head->ordinal = cpu_to_be32(ordinal); 434 + } 430 435 436 + static inline int tpm_buf_init(struct tpm_buf *buf, u16 tag, u32 ordinal) 437 + { 431 438 buf->data_page = alloc_page(GFP_HIGHUSER); 432 439 if (!buf->data_page) 433 440 return -ENOMEM; 434 441 435 442 buf->flags = 0; 436 443 buf->data = kmap(buf->data_page); 437 - 438 - head = (struct tpm_input_header *) buf->data; 439 - 440 - head->tag = cpu_to_be16(tag); 441 - head->length = cpu_to_be32(sizeof(*head)); 442 - head->ordinal = cpu_to_be32(ordinal); 443 - 444 + tpm_buf_reset(buf, tag, ordinal); 444 445 return 0; 445 446 } 446 447 ··· 512 511 extern const struct file_operations tpmrm_fops; 513 512 extern struct idr dev_nums_idr; 514 513 514 + /** 515 + * enum tpm_transmit_flags - flags for tpm_transmit() 516 + * 517 + * @TPM_TRANSMIT_UNLOCKED: do not lock the chip 518 + * @TPM_TRANSMIT_NESTED: discard setup steps (power management, 519 + * locality) including locking (i.e. implicit 520 + * UNLOCKED) 521 + */ 515 522 enum tpm_transmit_flags { 516 523 TPM_TRANSMIT_UNLOCKED = BIT(0), 517 - TPM_TRANSMIT_RAW = BIT(1), 524 + TPM_TRANSMIT_NESTED = BIT(1), 518 525 }; 519 526 520 527 ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, ··· 547 538 delay_msec * 1000); 548 539 }; 549 540 550 - struct tpm_chip *tpm_chip_find_get(struct tpm_chip *chip); 541 + struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip); 551 542 __must_check int tpm_try_get_ops(struct tpm_chip *chip); 552 543 void tpm_put_ops(struct tpm_chip *chip); 553 544 ··· 578 569 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); 579 570 int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, 580 571 struct tpm2_digest *digests); 581 - int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); 572 + int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max); 582 573 void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, 583 574 unsigned int flags); 584 575 int tpm2_seal_trusted(struct tpm_chip *chip,
+106 -152
drivers/char/tpm/tpm2-cmd.c
··· 27 27 TPM2_SA_CONTINUE_SESSION = BIT(0), 28 28 }; 29 29 30 - struct tpm2_startup_in { 31 - __be16 startup_type; 32 - } __packed; 33 - 34 - struct tpm2_get_tpm_pt_in { 35 - __be32 cap_id; 36 - __be32 property_id; 37 - __be32 property_cnt; 38 - } __packed; 39 - 40 - struct tpm2_get_tpm_pt_out { 41 - u8 more_data; 42 - __be32 subcap_id; 43 - __be32 property_cnt; 44 - __be32 property_id; 45 - __be32 value; 46 - } __packed; 47 - 48 - struct tpm2_get_random_in { 49 - __be16 size; 50 - } __packed; 51 - 52 - struct tpm2_get_random_out { 53 - __be16 size; 54 - u8 buffer[TPM_MAX_RNG_DATA]; 55 - } __packed; 56 - 57 - union tpm2_cmd_params { 58 - struct tpm2_startup_in startup_in; 59 - struct tpm2_get_tpm_pt_in get_tpm_pt_in; 60 - struct tpm2_get_tpm_pt_out get_tpm_pt_out; 61 - struct tpm2_get_random_in getrandom_in; 62 - struct tpm2_get_random_out getrandom_out; 63 - }; 64 - 65 - struct tpm2_cmd { 66 - tpm_cmd_header header; 67 - union tpm2_cmd_params params; 68 - } __packed; 69 - 70 30 struct tpm2_hash { 71 31 unsigned int crypto_id; 72 32 unsigned int tpm_id; ··· 281 321 } 282 322 283 323 284 - #define TPM2_GETRANDOM_IN_SIZE \ 285 - (sizeof(struct tpm_input_header) + \ 286 - sizeof(struct tpm2_get_random_in)) 287 - 288 - static const struct tpm_input_header tpm2_getrandom_header = { 289 - .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 290 - .length = cpu_to_be32(TPM2_GETRANDOM_IN_SIZE), 291 - .ordinal = cpu_to_be32(TPM2_CC_GET_RANDOM) 292 - }; 324 + struct tpm2_get_random_out { 325 + __be16 size; 326 + u8 buffer[TPM_MAX_RNG_DATA]; 327 + } __packed; 293 328 294 329 /** 295 330 * tpm2_get_random() - get random bytes from the TPM RNG 296 331 * 297 - * @chip: TPM chip to use 298 - * @out: destination buffer for the random bytes 299 - * @max: the max number of bytes to write to @out 332 + * @chip: a &tpm_chip instance 333 + * @dest: destination buffer 334 + * @max: the max number of random bytes to pull 300 335 * 301 336 * Return: 302 - * Size of the output buffer, or -EIO on error. 337 + * size of the buffer on success, 338 + * -errno otherwise 303 339 */ 304 - int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) 340 + int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) 305 341 { 306 - struct tpm2_cmd cmd; 307 - u32 recd, rlength; 308 - u32 num_bytes; 342 + struct tpm2_get_random_out *out; 343 + struct tpm_buf buf; 344 + u32 recd; 345 + u32 num_bytes = max; 309 346 int err; 310 347 int total = 0; 311 348 int retries = 5; 312 - u8 *dest = out; 349 + u8 *dest_ptr = dest; 313 350 314 - num_bytes = min_t(u32, max, sizeof(cmd.params.getrandom_out.buffer)); 315 - 316 - if (!out || !num_bytes || 317 - max > sizeof(cmd.params.getrandom_out.buffer)) 351 + if (!num_bytes || max > TPM_MAX_RNG_DATA) 318 352 return -EINVAL; 319 353 320 - do { 321 - cmd.header.in = tpm2_getrandom_header; 322 - cmd.params.getrandom_in.size = cpu_to_be16(num_bytes); 354 + err = tpm_buf_init(&buf, 0, 0); 355 + if (err) 356 + return err; 323 357 324 - err = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 358 + do { 359 + tpm_buf_reset(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_RANDOM); 360 + tpm_buf_append_u16(&buf, num_bytes); 361 + err = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 325 362 offsetof(struct tpm2_get_random_out, 326 363 buffer), 327 364 0, "attempting get random"); 328 365 if (err) 329 - break; 366 + goto out; 330 367 331 - recd = min_t(u32, be16_to_cpu(cmd.params.getrandom_out.size), 332 - num_bytes); 333 - rlength = be32_to_cpu(cmd.header.out.length); 334 - if (rlength < offsetof(struct tpm2_get_random_out, buffer) + 335 - recd) 336 - return -EFAULT; 337 - memcpy(dest, cmd.params.getrandom_out.buffer, recd); 368 + out = (struct tpm2_get_random_out *) 369 + &buf.data[TPM_HEADER_SIZE]; 370 + recd = min_t(u32, be16_to_cpu(out->size), num_bytes); 371 + if (tpm_buf_length(&buf) < 372 + offsetof(struct tpm2_get_random_out, buffer) + recd) { 373 + err = -EFAULT; 374 + goto out; 375 + } 376 + memcpy(dest_ptr, out->buffer, recd); 338 377 339 - dest += recd; 378 + dest_ptr += recd; 340 379 total += recd; 341 380 num_bytes -= recd; 342 381 } while (retries-- && total < max); 343 382 383 + tpm_buf_destroy(&buf); 344 384 return total ? total : -EIO; 385 + out: 386 + tpm_buf_destroy(&buf); 387 + return err; 345 388 } 346 - 347 - #define TPM2_GET_TPM_PT_IN_SIZE \ 348 - (sizeof(struct tpm_input_header) + \ 349 - sizeof(struct tpm2_get_tpm_pt_in)) 350 - 351 - #define TPM2_GET_TPM_PT_OUT_BODY_SIZE \ 352 - sizeof(struct tpm2_get_tpm_pt_out) 353 - 354 - static const struct tpm_input_header tpm2_get_tpm_pt_header = { 355 - .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 356 - .length = cpu_to_be32(TPM2_GET_TPM_PT_IN_SIZE), 357 - .ordinal = cpu_to_be32(TPM2_CC_GET_CAPABILITY) 358 - }; 359 389 360 390 /** 361 391 * tpm2_flush_context_cmd() - execute a TPM2_FlushContext command ··· 421 471 { 422 472 unsigned int blob_len; 423 473 struct tpm_buf buf; 424 - u32 hash, rlength; 474 + u32 hash; 425 475 int i; 426 476 int rc; 427 477 ··· 496 546 rc = -E2BIG; 497 547 goto out; 498 548 } 499 - rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)->header.out.length); 500 - if (rlength < TPM_HEADER_SIZE + 4 + blob_len) { 549 + if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 4 + blob_len) { 501 550 rc = -EFAULT; 502 551 goto out; 503 552 } ··· 606 657 u16 data_len; 607 658 u8 *data; 608 659 int rc; 609 - u32 rlength; 610 660 611 661 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL); 612 662 if (rc) ··· 633 685 goto out; 634 686 } 635 687 636 - rlength = be32_to_cpu(((struct tpm2_cmd *)&buf) 637 - ->header.out.length); 638 - if (rlength < TPM_HEADER_SIZE + 6 + data_len) { 688 + if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 6 + data_len) { 639 689 rc = -EFAULT; 640 690 goto out; 641 691 } ··· 679 733 return rc; 680 734 } 681 735 736 + struct tpm2_get_cap_out { 737 + u8 more_data; 738 + __be32 subcap_id; 739 + __be32 property_cnt; 740 + __be32 property_id; 741 + __be32 value; 742 + } __packed; 743 + 682 744 /** 683 745 * tpm2_get_tpm_pt() - get value of a TPM_CAP_TPM_PROPERTIES type property 684 - * @chip: TPM chip to use. 746 + * @chip: a &tpm_chip instance 685 747 * @property_id: property ID. 686 748 * @value: output variable. 687 749 * @desc: passed to tpm_transmit_cmd() 688 750 * 689 - * Return: Same as with tpm_transmit_cmd. 751 + * Return: 752 + * 0 on success, 753 + * -errno or a TPM return code otherwise 690 754 */ 691 755 ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id, u32 *value, 692 756 const char *desc) 693 757 { 694 - struct tpm2_cmd cmd; 758 + struct tpm2_get_cap_out *out; 759 + struct tpm_buf buf; 695 760 int rc; 696 761 697 - cmd.header.in = tpm2_get_tpm_pt_header; 698 - cmd.params.get_tpm_pt_in.cap_id = cpu_to_be32(TPM2_CAP_TPM_PROPERTIES); 699 - cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(property_id); 700 - cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 701 - 702 - rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 703 - TPM2_GET_TPM_PT_OUT_BODY_SIZE, 0, desc); 704 - if (!rc) 705 - *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value); 706 - 762 + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); 763 + if (rc) 764 + return rc; 765 + tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES); 766 + tpm_buf_append_u32(&buf, property_id); 767 + tpm_buf_append_u32(&buf, 1); 768 + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, NULL); 769 + if (!rc) { 770 + out = (struct tpm2_get_cap_out *) 771 + &buf.data[TPM_HEADER_SIZE]; 772 + *value = be32_to_cpu(out->value); 773 + } 774 + tpm_buf_destroy(&buf); 707 775 return rc; 708 776 } 709 777 EXPORT_SYMBOL_GPL(tpm2_get_tpm_pt); 710 778 711 - #define TPM2_SHUTDOWN_IN_SIZE \ 712 - (sizeof(struct tpm_input_header) + \ 713 - sizeof(struct tpm2_startup_in)) 714 - 715 - static const struct tpm_input_header tpm2_shutdown_header = { 716 - .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 717 - .length = cpu_to_be32(TPM2_SHUTDOWN_IN_SIZE), 718 - .ordinal = cpu_to_be32(TPM2_CC_SHUTDOWN) 719 - }; 720 - 721 779 /** 722 - * tpm2_shutdown() - send shutdown command to the TPM chip 780 + * tpm2_shutdown() - send a TPM shutdown command 723 781 * 724 - * @chip: TPM chip to use. 725 - * @shutdown_type: shutdown type. The value is either 726 - * TPM_SU_CLEAR or TPM_SU_STATE. 782 + * Sends a TPM shutdown command. The shutdown command is used in call 783 + * sites where the system is going down. If it fails, there is not much 784 + * that can be done except print an error message. 785 + * 786 + * @chip: a &tpm_chip instance 787 + * @shutdown_type: TPM_SU_CLEAR or TPM_SU_STATE. 727 788 */ 728 789 void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type) 729 790 { 730 - struct tpm2_cmd cmd; 791 + struct tpm_buf buf; 731 792 int rc; 732 793 733 - cmd.header.in = tpm2_shutdown_header; 734 - cmd.params.startup_in.startup_type = cpu_to_be16(shutdown_type); 735 - 736 - rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, 737 - "stopping the TPM"); 738 - 739 - /* In places where shutdown command is sent there's no much we can do 740 - * except print the error code on a system failure. 741 - */ 742 - if (rc < 0 && rc != -EPIPE) 743 - dev_warn(&chip->dev, "transmit returned %d while stopping the TPM", 744 - rc); 794 + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SHUTDOWN); 795 + if (rc) 796 + return; 797 + tpm_buf_append_u16(&buf, shutdown_type); 798 + tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, 799 + "stopping the TPM"); 800 + tpm_buf_destroy(&buf); 745 801 } 746 802 747 803 /* ··· 811 863 } 812 864 813 865 /** 814 - * tpm2_probe() - probe TPM 2.0 815 - * @chip: TPM chip to use 866 + * tpm2_probe() - probe for the TPM 2.0 protocol 867 + * @chip: a &tpm_chip instance 816 868 * 817 - * Return: < 0 error and 0 on success. 869 + * Send an idempotent TPM 2.0 command and see whether there is TPM2 chip in the 870 + * other end based on the response tag. The flag TPM_CHIP_FLAG_TPM2 is set by 871 + * this function if this is the case. 818 872 * 819 - * Send idempotent TPM 2.0 command and see whether TPM 2.0 chip replied based on 820 - * the reply tag. 873 + * Return: 874 + * 0 on success, 875 + * -errno otherwise 821 876 */ 822 877 int tpm2_probe(struct tpm_chip *chip) 823 878 { 824 - struct tpm2_cmd cmd; 879 + struct tpm_output_header *out; 880 + struct tpm_buf buf; 825 881 int rc; 826 882 827 - cmd.header.in = tpm2_get_tpm_pt_header; 828 - cmd.params.get_tpm_pt_in.cap_id = cpu_to_be32(TPM2_CAP_TPM_PROPERTIES); 829 - cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(0x100); 830 - cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 831 - 832 - rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, NULL); 833 - if (rc < 0) 883 + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); 884 + if (rc) 834 885 return rc; 835 - 836 - if (be16_to_cpu(cmd.header.out.tag) == TPM2_ST_NO_SESSIONS) 837 - chip->flags |= TPM_CHIP_FLAG_TPM2; 838 - 886 + tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES); 887 + tpm_buf_append_u32(&buf, TPM_PT_TOTAL_COMMANDS); 888 + tpm_buf_append_u32(&buf, 1); 889 + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, NULL); 890 + /* We ignore TPM return codes on purpose. */ 891 + if (rc >= 0) { 892 + out = (struct tpm_output_header *)buf.data; 893 + if (be16_to_cpu(out->tag) == TPM2_ST_NO_SESSIONS) 894 + chip->flags |= TPM_CHIP_FLAG_TPM2; 895 + } 896 + tpm_buf_destroy(&buf); 839 897 return 0; 840 898 } 841 899 EXPORT_SYMBOL_GPL(tpm2_probe);
+6 -6
drivers/char/tpm/tpm2-space.c
··· 39 39 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) { 40 40 if (space->session_tbl[i]) 41 41 tpm2_flush_context_cmd(chip, space->session_tbl[i], 42 - TPM_TRANSMIT_UNLOCKED); 42 + TPM_TRANSMIT_NESTED); 43 43 } 44 44 } 45 45 ··· 84 84 tpm_buf_append(&tbuf, &buf[*offset], body_size); 85 85 86 86 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4, 87 - TPM_TRANSMIT_UNLOCKED, NULL); 87 + TPM_TRANSMIT_NESTED, NULL); 88 88 if (rc < 0) { 89 89 dev_warn(&chip->dev, "%s: failed with a system error %d\n", 90 90 __func__, rc); ··· 133 133 tpm_buf_append_u32(&tbuf, handle); 134 134 135 135 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0, 136 - TPM_TRANSMIT_UNLOCKED, NULL); 136 + TPM_TRANSMIT_NESTED, NULL); 137 137 if (rc < 0) { 138 138 dev_warn(&chip->dev, "%s: failed with a system error %d\n", 139 139 __func__, rc); ··· 170 170 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) 171 171 if (space->context_tbl[i] && ~space->context_tbl[i]) 172 172 tpm2_flush_context_cmd(chip, space->context_tbl[i], 173 - TPM_TRANSMIT_UNLOCKED); 173 + TPM_TRANSMIT_NESTED); 174 174 175 175 tpm2_flush_sessions(chip, space); 176 176 } ··· 377 377 378 378 return 0; 379 379 out_no_slots: 380 - tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_UNLOCKED); 380 + tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_NESTED); 381 381 dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__, 382 382 phandle); 383 383 return -ENOMEM; ··· 465 465 return rc; 466 466 467 467 tpm2_flush_context_cmd(chip, space->context_tbl[i], 468 - TPM_TRANSMIT_UNLOCKED); 468 + TPM_TRANSMIT_NESTED); 469 469 space->context_tbl[i] = ~0; 470 470 } 471 471
+27 -74
drivers/char/tpm/tpm_crb.c
··· 132 132 } 133 133 134 134 /** 135 - * crb_go_idle - request tpm crb device to go the idle state 135 + * __crb_go_idle - request tpm crb device to go the idle state 136 136 * 137 137 * @dev: crb device 138 138 * @priv: crb private data ··· 147 147 * 148 148 * Return: 0 always 149 149 */ 150 - static int crb_go_idle(struct device *dev, struct crb_priv *priv) 150 + static int __crb_go_idle(struct device *dev, struct crb_priv *priv) 151 151 { 152 152 if ((priv->sm == ACPI_TPM2_START_METHOD) || 153 153 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) || ··· 163 163 dev_warn(dev, "goIdle timed out\n"); 164 164 return -ETIME; 165 165 } 166 + 166 167 return 0; 167 168 } 168 169 170 + static int crb_go_idle(struct tpm_chip *chip) 171 + { 172 + struct device *dev = &chip->dev; 173 + struct crb_priv *priv = dev_get_drvdata(dev); 174 + 175 + return __crb_go_idle(dev, priv); 176 + } 177 + 169 178 /** 170 - * crb_cmd_ready - request tpm crb device to enter ready state 179 + * __crb_cmd_ready - request tpm crb device to enter ready state 171 180 * 172 181 * @dev: crb device 173 182 * @priv: crb private data ··· 190 181 * 191 182 * Return: 0 on success -ETIME on timeout; 192 183 */ 193 - static int crb_cmd_ready(struct device *dev, struct crb_priv *priv) 184 + static int __crb_cmd_ready(struct device *dev, struct crb_priv *priv) 194 185 { 195 186 if ((priv->sm == ACPI_TPM2_START_METHOD) || 196 187 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) || ··· 207 198 } 208 199 209 200 return 0; 201 + } 202 + 203 + static int crb_cmd_ready(struct tpm_chip *chip) 204 + { 205 + struct device *dev = &chip->dev; 206 + struct crb_priv *priv = dev_get_drvdata(dev); 207 + 208 + return __crb_cmd_ready(dev, priv); 210 209 } 211 210 212 211 static int __crb_request_locality(struct device *dev, ··· 418 401 .send = crb_send, 419 402 .cancel = crb_cancel, 420 403 .req_canceled = crb_req_canceled, 404 + .go_idle = crb_go_idle, 405 + .cmd_ready = crb_cmd_ready, 421 406 .request_locality = crb_request_locality, 422 407 .relinquish_locality = crb_relinquish_locality, 423 408 .req_complete_mask = CRB_DRV_STS_COMPLETE, ··· 539 520 * PTT HW bug w/a: wake up the device to access 540 521 * possibly not retained registers. 541 522 */ 542 - ret = crb_cmd_ready(dev, priv); 523 + ret = __crb_cmd_ready(dev, priv); 543 524 if (ret) 544 525 goto out_relinquish_locality; 545 526 ··· 584 565 if (!ret) 585 566 priv->cmd_size = cmd_size; 586 567 587 - crb_go_idle(dev, priv); 568 + __crb_go_idle(dev, priv); 588 569 589 570 out_relinquish_locality: 590 571 ··· 647 628 chip->acpi_dev_handle = device->handle; 648 629 chip->flags = TPM_CHIP_FLAG_TPM2; 649 630 650 - rc = __crb_request_locality(dev, priv, 0); 651 - if (rc) 652 - return rc; 653 - 654 - rc = crb_cmd_ready(dev, priv); 655 - if (rc) 656 - goto out; 657 - 658 - pm_runtime_get_noresume(dev); 659 - pm_runtime_set_active(dev); 660 - pm_runtime_enable(dev); 661 - 662 - rc = tpm_chip_register(chip); 663 - if (rc) { 664 - crb_go_idle(dev, priv); 665 - pm_runtime_put_noidle(dev); 666 - pm_runtime_disable(dev); 667 - goto out; 668 - } 669 - 670 - pm_runtime_put_sync(dev); 671 - 672 - out: 673 - __crb_relinquish_locality(dev, priv, 0); 674 - 675 - return rc; 631 + return tpm_chip_register(chip); 676 632 } 677 633 678 634 static int crb_acpi_remove(struct acpi_device *device) ··· 657 663 658 664 tpm_chip_unregister(chip); 659 665 660 - pm_runtime_disable(dev); 661 - 662 666 return 0; 663 667 } 664 668 665 - static int __maybe_unused crb_pm_runtime_suspend(struct device *dev) 666 - { 667 - struct tpm_chip *chip = dev_get_drvdata(dev); 668 - struct crb_priv *priv = dev_get_drvdata(&chip->dev); 669 - 670 - return crb_go_idle(dev, priv); 671 - } 672 - 673 - static int __maybe_unused crb_pm_runtime_resume(struct device *dev) 674 - { 675 - struct tpm_chip *chip = dev_get_drvdata(dev); 676 - struct crb_priv *priv = dev_get_drvdata(&chip->dev); 677 - 678 - return crb_cmd_ready(dev, priv); 679 - } 680 - 681 - static int __maybe_unused crb_pm_suspend(struct device *dev) 682 - { 683 - int ret; 684 - 685 - ret = tpm_pm_suspend(dev); 686 - if (ret) 687 - return ret; 688 - 689 - return crb_pm_runtime_suspend(dev); 690 - } 691 - 692 - static int __maybe_unused crb_pm_resume(struct device *dev) 693 - { 694 - int ret; 695 - 696 - ret = crb_pm_runtime_resume(dev); 697 - if (ret) 698 - return ret; 699 - 700 - return tpm_pm_resume(dev); 701 - } 702 - 703 669 static const struct dev_pm_ops crb_pm = { 704 - SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume) 705 - SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) 670 + SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume) 706 671 }; 707 672 708 673 static const struct acpi_device_id crb_device_ids[] = {
+4 -4
drivers/char/tpm/tpm_i2c_infineon.c
··· 117 117 /* Lock the adapter for the duration of the whole sequence. */ 118 118 if (!tpm_dev.client->adapter->algo->master_xfer) 119 119 return -EOPNOTSUPP; 120 - i2c_lock_adapter(tpm_dev.client->adapter); 120 + i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); 121 121 122 122 if (tpm_dev.chip_type == SLB9645) { 123 123 /* use a combined read for newer chips ··· 192 192 } 193 193 194 194 out: 195 - i2c_unlock_adapter(tpm_dev.client->adapter); 195 + i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); 196 196 /* take care of 'guard time' */ 197 197 usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); 198 198 ··· 224 224 225 225 if (!tpm_dev.client->adapter->algo->master_xfer) 226 226 return -EOPNOTSUPP; 227 - i2c_lock_adapter(tpm_dev.client->adapter); 227 + i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); 228 228 229 229 /* prepend the 'register address' to the buffer */ 230 230 tpm_dev.buf[0] = addr; ··· 243 243 usleep_range(sleep_low, sleep_hi); 244 244 } 245 245 246 - i2c_unlock_adapter(tpm_dev.client->adapter); 246 + i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); 247 247 /* take care of 'guard time' */ 248 248 usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); 249 249
+2
drivers/char/tpm/tpm_tis_core.c
··· 875 875 chip->acpi_dev_handle = acpi_dev_handle; 876 876 #endif 877 877 878 + chip->hwrng.quality = priv->rng_quality; 879 + 878 880 /* Maximum timeouts */ 879 881 chip->timeout_a = msecs_to_jiffies(TIS_TIMEOUT_A_MAX); 880 882 chip->timeout_b = msecs_to_jiffies(TIS_TIMEOUT_B_MAX);
+1
drivers/char/tpm/tpm_tis_core.h
··· 99 99 wait_queue_head_t int_queue; 100 100 wait_queue_head_t read_queue; 101 101 const struct tpm_tis_phy_ops *phy_ops; 102 + unsigned short rng_quality; 102 103 }; 103 104 104 105 struct tpm_tis_phy_ops {
+8 -1
drivers/char/tpm/tpm_tis_spi.c
··· 199 199 static int tpm_tis_spi_probe(struct spi_device *dev) 200 200 { 201 201 struct tpm_tis_spi_phy *phy; 202 + int irq; 202 203 203 204 phy = devm_kzalloc(&dev->dev, sizeof(struct tpm_tis_spi_phy), 204 205 GFP_KERNEL); ··· 212 211 if (!phy->iobuf) 213 212 return -ENOMEM; 214 213 215 - return tpm_tis_core_init(&dev->dev, &phy->priv, -1, &tpm_spi_phy_ops, 214 + /* If the SPI device has an IRQ then use that */ 215 + if (dev->irq > 0) 216 + irq = dev->irq; 217 + else 218 + irq = -1; 219 + 220 + return tpm_tis_core_init(&dev->dev, &phy->priv, irq, &tpm_spi_phy_ops, 216 221 NULL); 217 222 } 218 223
+1 -1
drivers/char/tpm/tpm_vtpm_proxy.c
··· 418 418 proxy_dev->state |= STATE_DRIVER_COMMAND; 419 419 420 420 rc = tpm_transmit_cmd(chip, NULL, buf.data, tpm_buf_length(&buf), 0, 421 - TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, 421 + TPM_TRANSMIT_NESTED, 422 422 "attempting to set locality"); 423 423 424 424 proxy_dev->state &= ~STATE_DRIVER_COMMAND;
+7
include/linux/tpm.h
··· 43 43 u8 (*status) (struct tpm_chip *chip); 44 44 bool (*update_timeouts)(struct tpm_chip *chip, 45 45 unsigned long *timeout_cap); 46 + int (*go_idle)(struct tpm_chip *chip); 47 + int (*cmd_ready)(struct tpm_chip *chip); 46 48 int (*request_locality)(struct tpm_chip *chip, int loc); 47 49 int (*relinquish_locality)(struct tpm_chip *chip, int loc); 48 50 void (*clk_enable)(struct tpm_chip *chip, bool value); ··· 63 61 extern int tpm_unseal_trusted(struct tpm_chip *chip, 64 62 struct trusted_key_payload *payload, 65 63 struct trusted_key_options *options); 64 + extern struct tpm_chip *tpm_default_chip(void); 66 65 #else 67 66 static inline int tpm_is_tpm2(struct tpm_chip *chip) 68 67 { ··· 98 95 struct trusted_key_options *options) 99 96 { 100 97 return -ENODEV; 98 + } 99 + static inline struct tpm_chip *tpm_default_chip(void) 100 + { 101 + return NULL; 101 102 } 102 103 #endif 103 104 #endif
+1 -1
security/integrity/ima/ima.h
··· 53 53 extern int ima_policy_flag; 54 54 55 55 /* set during initialization */ 56 - extern int ima_used_chip; 57 56 extern int ima_hash_algo; 58 57 extern int ima_appraise; 58 + extern struct tpm_chip *ima_tpm_chip; 59 59 60 60 /* IMA event related data */ 61 61 struct ima_event_data {
+2 -2
security/integrity/ima/ima_crypto.c
··· 631 631 632 632 static void __init ima_pcrread(int idx, u8 *pcr) 633 633 { 634 - if (!ima_used_chip) 634 + if (!ima_tpm_chip) 635 635 return; 636 636 637 - if (tpm_pcr_read(NULL, idx, pcr) != 0) 637 + if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0) 638 638 pr_err("Error Communicating to TPM chip\n"); 639 639 } 640 640
+5 -11
security/integrity/ima/ima_init.c
··· 26 26 27 27 /* name for boot aggregate entry */ 28 28 static const char *boot_aggregate_name = "boot_aggregate"; 29 - int ima_used_chip; 29 + struct tpm_chip *ima_tpm_chip; 30 30 31 31 /* Add the boot aggregate to the IMA measurement list and extend 32 32 * the PCR register. ··· 64 64 iint->ima_hash->algo = HASH_ALGO_SHA1; 65 65 iint->ima_hash->length = SHA1_DIGEST_SIZE; 66 66 67 - if (ima_used_chip) { 67 + if (ima_tpm_chip) { 68 68 result = ima_calc_boot_aggregate(&hash.hdr); 69 69 if (result < 0) { 70 70 audit_cause = "hashing_error"; ··· 106 106 107 107 int __init ima_init(void) 108 108 { 109 - u8 pcr_i[TPM_DIGEST_SIZE]; 110 109 int rc; 111 110 112 - ima_used_chip = 0; 113 - rc = tpm_pcr_read(NULL, 0, pcr_i); 114 - if (rc == 0) 115 - ima_used_chip = 1; 116 - 117 - if (!ima_used_chip) 118 - pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n", 119 - rc); 111 + ima_tpm_chip = tpm_default_chip(); 112 + if (!ima_tpm_chip) 113 + pr_info("No TPM chip found, activating TPM-bypass!\n"); 120 114 121 115 rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); 122 116 if (rc)
+2 -2
security/integrity/ima/ima_queue.c
··· 142 142 { 143 143 int result = 0; 144 144 145 - if (!ima_used_chip) 145 + if (!ima_tpm_chip) 146 146 return result; 147 147 148 - result = tpm_pcr_extend(NULL, pcr, hash); 148 + result = tpm_pcr_extend(ima_tpm_chip, pcr, hash); 149 149 if (result != 0) 150 150 pr_err("Error Communicating to TPM chip, result: %d\n", result); 151 151 return result;