tpm: fix a race condition in tpm2_unseal_trusted()

+1 -1

drivers/char/tpm/tpm-dev.c

··· 145 145 return -EPIPE; 146 146 } 147 147 out_size = tpm_transmit(priv->chip, priv->data_buffer, 148 - sizeof(priv->data_buffer)); 148 + sizeof(priv->data_buffer), 0); 149 149 150 150 tpm_put_ops(priv->chip); 151 151 if (out_size < 0) {

+28 -23

drivers/char/tpm/tpm-interface.c

··· 330 330 /* 331 331 * Internal kernel interface to transmit TPM commands 332 332 */ 333 - ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, 334 - size_t bufsiz) 333 + ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, 334 + unsigned int flags) 335 335 { 336 336 ssize_t rc; 337 337 u32 count, ordinal; ··· 350 350 return -E2BIG; 351 351 } 352 352 353 - mutex_lock(&chip->tpm_mutex); 353 + if (!(flags & TPM_TRANSMIT_UNLOCKED)) 354 + mutex_lock(&chip->tpm_mutex); 354 355 355 356 rc = chip->ops->send(chip, (u8 *) buf, count); 356 357 if (rc < 0) { ··· 394 393 dev_err(&chip->dev, 395 394 "tpm_transmit: tpm_recv: error %zd\n", rc); 396 395 out: 397 - mutex_unlock(&chip->tpm_mutex); 396 + if (!(flags & TPM_TRANSMIT_UNLOCKED)) 397 + mutex_unlock(&chip->tpm_mutex); 398 398 return rc; 399 399 } 400 400 401 401 #define TPM_DIGEST_SIZE 20 402 402 #define TPM_RET_CODE_IDX 6 403 403 404 - ssize_t tpm_transmit_cmd(struct tpm_chip *chip, void *cmd, 405 - int len, const char *desc) 404 + ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd, 405 + int len, unsigned int flags, const char *desc) 406 406 { 407 - struct tpm_output_header *header; 407 + const struct tpm_output_header *header; 408 408 int err; 409 409 410 - len = tpm_transmit(chip, (u8 *) cmd, len); 410 + len = tpm_transmit(chip, (const u8 *)cmd, len, flags); 411 411 if (len < 0) 412 412 return len; 413 413 else if (len < TPM_HEADER_SIZE) ··· 455 453 tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); 456 454 tpm_cmd.params.getcap_in.subcap = subcap_id; 457 455 } 458 - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, desc); 456 + rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, 457 + desc); 459 458 if (!rc) 460 459 *cap = tpm_cmd.params.getcap_out.cap; 461 460 return rc; ··· 472 469 tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); 473 470 tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_TIMEOUT; 474 471 475 - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 472 + rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, 476 473 "attempting to determine the timeouts"); 477 474 } 478 475 EXPORT_SYMBOL_GPL(tpm_gen_interrupt); ··· 493 490 start_cmd.header.in = tpm_startup_header; 494 491 495 492 start_cmd.params.startup_in.startup_type = startup_type; 496 - return tpm_transmit_cmd(chip, &start_cmd, TPM_INTERNAL_RESULT_SIZE, 493 + return tpm_transmit_cmd(chip, &start_cmd, TPM_INTERNAL_RESULT_SIZE, 0, 497 494 "attempting to start the TPM"); 498 495 } 499 496 ··· 524 521 tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; 525 522 tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); 526 523 tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_TIMEOUT; 527 - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, NULL); 524 + rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, 525 + NULL); 528 526 529 527 if (rc == TPM_ERR_INVALID_POSTINIT) { 530 528 /* The TPM is not started, we are the first to talk to it. ··· 539 535 tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); 540 536 tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_TIMEOUT; 541 537 rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 542 - NULL); 538 + 0, NULL); 543 539 } 544 540 if (rc) { 545 541 dev_err(&chip->dev, ··· 600 596 tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); 601 597 tpm_cmd.params.getcap_in.subcap = TPM_CAP_PROP_TIS_DURATION; 602 598 603 - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 599 + rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, 0, 604 600 "attempting to determine the durations"); 605 601 if (rc) 606 602 return rc; ··· 656 652 struct tpm_cmd_t cmd; 657 653 658 654 cmd.header.in = continue_selftest_header; 659 - rc = tpm_transmit_cmd(chip, &cmd, CONTINUE_SELFTEST_RESULT_SIZE, 655 + rc = tpm_transmit_cmd(chip, &cmd, CONTINUE_SELFTEST_RESULT_SIZE, 0, 660 656 "continue selftest"); 661 657 return rc; 662 658 } ··· 676 672 677 673 cmd.header.in = pcrread_header; 678 674 cmd.params.pcrread_in.pcr_idx = cpu_to_be32(pcr_idx); 679 - rc = tpm_transmit_cmd(chip, &cmd, READ_PCR_RESULT_SIZE, 675 + rc = tpm_transmit_cmd(chip, &cmd, READ_PCR_RESULT_SIZE, 0, 680 676 "attempting to read a pcr value"); 681 677 682 678 if (rc == 0) ··· 774 770 cmd.header.in = pcrextend_header; 775 771 cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); 776 772 memcpy(cmd.params.pcrextend_in.hash, hash, TPM_DIGEST_SIZE); 777 - rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, 773 + rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, 0, 778 774 "attempting extend a PCR value"); 779 775 780 776 tpm_put_ops(chip); ··· 813 809 /* Attempt to read a PCR value */ 814 810 cmd.header.in = pcrread_header; 815 811 cmd.params.pcrread_in.pcr_idx = cpu_to_be32(0); 816 - rc = tpm_transmit(chip, (u8 *) &cmd, READ_PCR_RESULT_SIZE); 812 + rc = tpm_transmit(chip, (u8 *) &cmd, READ_PCR_RESULT_SIZE, 0); 817 813 /* Some buggy TPMs will not respond to tpm_tis_ready() for 818 814 * around 300ms while the self test is ongoing, keep trying 819 815 * until the self test duration expires. */ ··· 883 879 if (chip == NULL) 884 880 return -ENODEV; 885 881 886 - rc = tpm_transmit_cmd(chip, cmd, buflen, "attempting tpm_cmd"); 882 + rc = tpm_transmit_cmd(chip, cmd, buflen, 0, "attempting tpm_cmd"); 887 883 888 884 tpm_put_ops(chip); 889 885 return rc; ··· 985 981 cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(tpm_suspend_pcr); 986 982 memcpy(cmd.params.pcrextend_in.hash, dummy_hash, 987 983 TPM_DIGEST_SIZE); 988 - rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, 984 + rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, 0, 989 985 "extending dummy pcr before suspend"); 990 986 } 991 987 992 988 /* now do the actual savestate */ 993 989 for (try = 0; try < TPM_RETRY; try++) { 994 990 cmd.header.in = savestate_header; 995 - rc = tpm_transmit_cmd(chip, &cmd, SAVESTATE_RESULT_SIZE, NULL); 991 + rc = tpm_transmit_cmd(chip, &cmd, SAVESTATE_RESULT_SIZE, 0, 992 + NULL); 996 993 997 994 /* 998 995 * If the TPM indicates that it is too busy to respond to ··· 1077 1072 tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); 1078 1073 1079 1074 err = tpm_transmit_cmd(chip, &tpm_cmd, 1080 - TPM_GETRANDOM_RESULT_SIZE + num_bytes, 1081 - "attempting get random"); 1075 + TPM_GETRANDOM_RESULT_SIZE + num_bytes, 1076 + 0, "attempting get random"); 1082 1077 if (err) 1083 1078 break; 1084 1079

+1 -1

drivers/char/tpm/tpm-sysfs.c

··· 39 39 struct tpm_chip *chip = to_tpm_chip(dev); 40 40 41 41 tpm_cmd.header.in = tpm_readpubek_header; 42 - err = tpm_transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE, 42 + err = tpm_transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE, 0, 43 43 "attempting to read the PUBEK"); 44 44 if (err) 45 45 goto out;

+8 -4

drivers/char/tpm/tpm.h

··· 476 476 extern const struct file_operations tpm_fops; 477 477 extern struct idr dev_nums_idr; 478 478 479 + enum tpm_transmit_flags { 480 + TPM_TRANSMIT_UNLOCKED = BIT(0), 481 + }; 482 + 483 + ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, 484 + unsigned int flags); 485 + ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd, int len, 486 + unsigned int flags, const char *desc); 479 487 ssize_t tpm_getcap(struct tpm_chip *chip, __be32 subcap_id, cap_t *cap, 480 488 const char *desc); 481 - ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, 482 - size_t bufsiz); 483 - ssize_t tpm_transmit_cmd(struct tpm_chip *chip, void *cmd, int len, 484 - const char *desc); 485 489 extern int tpm_get_timeouts(struct tpm_chip *); 486 490 extern void tpm_gen_interrupt(struct tpm_chip *); 487 491 int tpm1_auto_startup(struct tpm_chip *chip);

+65 -36

drivers/char/tpm/tpm2-cmd.c

··· 282 282 sizeof(cmd.params.pcrread_in.pcr_select)); 283 283 cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7); 284 284 285 - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 285 + rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 286 286 "attempting to read a pcr value"); 287 287 if (rc == 0) { 288 288 buf = cmd.params.pcrread_out.digest; ··· 330 330 cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); 331 331 memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); 332 332 333 - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 333 + rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 334 334 "attempting extend a PCR value"); 335 335 336 336 return rc; ··· 376 376 cmd.header.in = tpm2_getrandom_header; 377 377 cmd.params.getrandom_in.size = cpu_to_be16(num_bytes); 378 378 379 - err = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 379 + err = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 380 380 "attempting get random"); 381 381 if (err) 382 382 break; ··· 434 434 } 435 435 436 436 /** 437 - * tpm2_seal_trusted() - seal a trusted key 438 - * @chip_num: A specific chip number for the request or TPM_ANY_NUM 439 - * @options: authentication values and other options 437 + * tpm2_seal_trusted() - seal the payload of a trusted key 438 + * @chip_num: TPM chip to use 440 439 * @payload: the key data in clear and encrypted form 440 + * @options: authentication values and other options 441 441 * 442 - * Returns < 0 on error and 0 on success. 442 + * Return: < 0 on error and 0 on success. 443 443 */ 444 444 int tpm2_seal_trusted(struct tpm_chip *chip, 445 445 struct trusted_key_payload *payload, ··· 512 512 goto out; 513 513 } 514 514 515 - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "sealing data"); 515 + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, "sealing data"); 516 516 if (rc) 517 517 goto out; 518 518 ··· 538 538 return rc; 539 539 } 540 540 541 - static int tpm2_load(struct tpm_chip *chip, 542 - struct trusted_key_payload *payload, 543 - struct trusted_key_options *options, 544 - u32 *blob_handle) 541 + /** 542 + * tpm2_load_cmd() - execute a TPM2_Load command 543 + * @chip_num: TPM chip to use 544 + * @payload: the key data in clear and encrypted form 545 + * @options: authentication values and other options 546 + * 547 + * Return: same as with tpm_transmit_cmd 548 + */ 549 + static int tpm2_load_cmd(struct tpm_chip *chip, 550 + struct trusted_key_payload *payload, 551 + struct trusted_key_options *options, 552 + u32 *blob_handle, unsigned int flags) 545 553 { 546 554 struct tpm_buf buf; 547 555 unsigned int private_len; ··· 584 576 goto out; 585 577 } 586 578 587 - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "loading blob"); 579 + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, "loading blob"); 588 580 if (!rc) 589 581 *blob_handle = be32_to_cpup( 590 582 (__be32 *) &buf.data[TPM_HEADER_SIZE]); ··· 598 590 return rc; 599 591 } 600 592 601 - static void tpm2_flush_context(struct tpm_chip *chip, u32 handle) 593 + /** 594 + * tpm2_flush_context_cmd() - execute a TPM2_FlushContext command 595 + * @chip_num: TPM chip to use 596 + * @payload: the key data in clear and encrypted form 597 + * @options: authentication values and other options 598 + * 599 + * Return: same as with tpm_transmit_cmd 600 + */ 601 + static void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, 602 + unsigned int flags) 602 603 { 603 604 struct tpm_buf buf; 604 605 int rc; ··· 621 604 622 605 tpm_buf_append_u32(&buf, handle); 623 606 624 - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "flushing context"); 607 + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, 608 + "flushing context"); 625 609 if (rc) 626 610 dev_warn(&chip->dev, "0x%08x was not flushed, rc=%d\n", handle, 627 611 rc); ··· 630 612 tpm_buf_destroy(&buf); 631 613 } 632 614 633 - static int tpm2_unseal(struct tpm_chip *chip, 634 - struct trusted_key_payload *payload, 635 - struct trusted_key_options *options, 636 - u32 blob_handle) 615 + /** 616 + * tpm2_unseal_cmd() - execute a TPM2_Unload command 617 + * @chip_num: TPM chip to use 618 + * @payload: the key data in clear and encrypted form 619 + * @options: authentication values and other options 620 + * 621 + * Return: same as with tpm_transmit_cmd 622 + */ 623 + static int tpm2_unseal_cmd(struct tpm_chip *chip, 624 + struct trusted_key_payload *payload, 625 + struct trusted_key_options *options, 626 + u32 blob_handle, unsigned int flags) 637 627 { 638 628 struct tpm_buf buf; 639 629 u16 data_len; ··· 661 635 options->blobauth /* hmac */, 662 636 TPM_DIGEST_SIZE); 663 637 664 - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "unsealing"); 638 + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, "unsealing"); 665 639 if (rc > 0) 666 640 rc = -EPERM; 667 641 ··· 680 654 } 681 655 682 656 /** 683 - * tpm_unseal_trusted() - unseal a trusted key 684 - * @chip_num: A specific chip number for the request or TPM_ANY_NUM 685 - * @options: authentication values and other options 657 + * tpm_unseal_trusted() - unseal the payload of a trusted key 658 + * @chip_num: TPM chip to use 686 659 * @payload: the key data in clear and encrypted form 660 + * @options: authentication values and other options 687 661 * 688 - * Returns < 0 on error and 0 on success. 662 + * Return: < 0 on error and 0 on success. 689 663 */ 690 664 int tpm2_unseal_trusted(struct tpm_chip *chip, 691 665 struct trusted_key_payload *payload, ··· 694 668 u32 blob_handle; 695 669 int rc; 696 670 697 - rc = tpm2_load(chip, payload, options, &blob_handle); 671 + mutex_lock(&chip->tpm_mutex); 672 + rc = tpm2_load_cmd(chip, payload, options, &blob_handle, 673 + TPM_TRANSMIT_UNLOCKED); 698 674 if (rc) 699 - return rc; 675 + goto out; 700 676 701 - rc = tpm2_unseal(chip, payload, options, blob_handle); 702 - 703 - tpm2_flush_context(chip, blob_handle); 704 - 677 + rc = tpm2_unseal_cmd(chip, payload, options, blob_handle, 678 + TPM_TRANSMIT_UNLOCKED); 679 + tpm2_flush_context_cmd(chip, blob_handle, TPM_TRANSMIT_UNLOCKED); 680 + out: 681 + mutex_unlock(&chip->tpm_mutex); 705 682 return rc; 706 683 } 707 684 ··· 730 701 cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(property_id); 731 702 cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 732 703 733 - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), desc); 704 + rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, desc); 734 705 if (!rc) 735 706 *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value); 736 707 ··· 764 735 cmd.header.in = tpm2_startup_header; 765 736 766 737 cmd.params.startup_in.startup_type = cpu_to_be16(startup_type); 767 - return tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 738 + return tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 768 739 "attempting to start the TPM"); 769 740 } 770 741 ··· 792 763 cmd.header.in = tpm2_shutdown_header; 793 764 cmd.params.startup_in.startup_type = cpu_to_be16(shutdown_type); 794 765 795 - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), "stopping the TPM"); 766 + rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, "stopping the TPM"); 796 767 797 768 /* In places where shutdown command is sent there's no much we can do 798 769 * except print the error code on a system failure. ··· 857 828 cmd.header.in = tpm2_selftest_header; 858 829 cmd.params.selftest_in.full_test = full; 859 830 860 - rc = tpm_transmit_cmd(chip, &cmd, TPM2_SELF_TEST_IN_SIZE, 831 + rc = tpm_transmit_cmd(chip, &cmd, TPM2_SELF_TEST_IN_SIZE, 0, 861 832 "continue selftest"); 862 833 863 834 /* At least some prototype chips seem to give RC_TESTING error ··· 909 880 cmd.params.pcrread_in.pcr_select[1] = 0x00; 910 881 cmd.params.pcrread_in.pcr_select[2] = 0x00; 911 882 912 - rc = tpm_transmit_cmd(chip, (u8 *) &cmd, sizeof(cmd), NULL); 883 + rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, NULL); 913 884 if (rc < 0) 914 885 break; 915 886 ··· 957 928 cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(0x100); 958 929 cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); 959 930 960 - rc = tpm_transmit(chip, (const char *) &cmd, sizeof(cmd)); 931 + rc = tpm_transmit(chip, (const u8 *)&cmd, sizeof(cmd), 0); 961 932 if (rc < 0) 962 933 return rc; 963 934 else if (rc < TPM_HEADER_SIZE)