tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'tpmdd-next-v5.17-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
Pull TPM updates from Jarkko Sakkinen:
"Other than bug fixes for TPM, this includes a patch for asymmetric
keys to allow to look up and verify with self-signed certificates
(keys without so called AKID - Authority Key Identifier) using a new
"dn:" prefix in the query"
* tag 'tpmdd-next-v5.17-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
lib: remove redundant assignment to variable ret
tpm: fix NPE on probe for missing device
tpm: fix potential NULL pointer access in tpm_del_char_device
tpm: Add Upgrade/Reduced mode support for TPM2 modules
char: tpm: cr50: Set TPM_FIRMWARE_POWER_MANAGED based on device property
keys: X.509 public key issuer lookup without AKID
tpm_tis: Fix an error handling path in 'tpm_tis_core_init()'
tpm: tpm_tis_spi_cr50: Add default RNG quality
tpm/st33zp24: drop unneeded over-commenting
tpm: add request_locality before write TPM_INT_ENABLE
+205
-161
+44
-13
crypto/asymmetric_keys/asymmetric_type.c
+44
-13
crypto/asymmetric_keys/asymmetric_type.c
···
36
36
* find_asymmetric_key - Find a key by ID.
37
37
* @keyring: The keys to search.
38
38
* @id_0: The first ID to look for or NULL.
39
-
* @id_1: The second ID to look for or NULL.
40
-
* @partial: Use partial match if true, exact if false.
39
+
* @id_1: The second ID to look for or NULL, matched together with @id_0
40
+
* against @keyring keys' id[0] and id[1].
41
+
* @id_2: The fallback ID to match against @keyring keys' id[2] if both of the
42
+
* other IDs are NULL.
43
+
* @partial: Use partial match for @id_0 and @id_1 if true, exact if false.
41
44
*
42
45
* Find a key in the given keyring by identifier. The preferred identifier is
43
46
* the id_0 and the fallback identifier is the id_1. If both are given, the
44
-
* lookup is by the former, but the latter must also match.
47
+
* former is matched (exactly or partially) against either of the sought key's
48
+
* identifiers and the latter must match the found key's second identifier
49
+
* exactly. If both are missing, id_2 must match the sought key's third
50
+
* identifier exactly.
45
51
*/
46
52
struct key *find_asymmetric_key(struct key *keyring,
47
53
const struct asymmetric_key_id *id_0,
48
54
const struct asymmetric_key_id *id_1,
55
+
const struct asymmetric_key_id *id_2,
49
56
bool partial)
50
57
{
51
58
struct key *key;
···
61
54
char *req, *p;
62
55
int len;
63
56
64
-
BUG_ON(!id_0 && !id_1);
57
+
WARN_ON(!id_0 && !id_1 && !id_2);
65
58
66
59
if (id_0) {
67
60
lookup = id_0->data;
68
61
len = id_0->len;
69
-
} else {
62
+
} else if (id_1) {
70
63
lookup = id_1->data;
71
64
len = id_1->len;
65
+
} else {
66
+
lookup = id_2->data;
67
+
len = id_2->len;
72
68
}
73
69
74
70
/* Construct an identifier "id:<keyid>". */
···
79
69
if (!req)
80
70
return ERR_PTR(-ENOMEM);
81
71
82
-
if (partial) {
72
+
if (!id_0 && !id_1) {
73
+
*p++ = 'd';
74
+
*p++ = 'n';
75
+
} else if (partial) {
83
76
*p++ = 'i';
84
77
*p++ = 'd';
85
78
} else {
···
198
185
EXPORT_SYMBOL_GPL(asymmetric_key_id_partial);
199
186
200
187
/**
201
-
* asymmetric_match_key_ids - Search asymmetric key IDs
202
-
* @kids: The list of key IDs to check
188
+
* asymmetric_match_key_ids - Search asymmetric key IDs 1 & 2
189
+
* @kids: The pair of key IDs to check
203
190
* @match_id: The key ID we're looking for
204
191
* @match: The match function to use
205
192
*/
···
213
200
214
201
if (!kids || !match_id)
215
202
return false;
216
-
for (i = 0; i < ARRAY_SIZE(kids->id); i++)
203
+
for (i = 0; i < 2; i++)
217
204
if (match(kids->id[i], match_id))
218
205
return true;
219
206
return false;
···
257
244
}
258
245
259
246
/*
260
-
* Match asymmetric keys by an exact match on an ID.
247
+
* Match asymmetric keys by an exact match on one of the first two IDs.
261
248
*/
262
249
static bool asymmetric_key_cmp(const struct key *key,
263
250
const struct key_match_data *match_data)
···
270
257
}
271
258
272
259
/*
273
-
* Match asymmetric keys by a partial match on an IDs.
260
+
* Match asymmetric keys by a partial match on one of the first two IDs.
274
261
*/
275
262
static bool asymmetric_key_cmp_partial(const struct key *key,
276
263
const struct key_match_data *match_data)
···
283
270
}
284
271
285
272
/*
273
+
* Match asymmetric keys by an exact match on the third IDs.
274
+
*/
275
+
static bool asymmetric_key_cmp_name(const struct key *key,
276
+
const struct key_match_data *match_data)
277
+
{
278
+
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
279
+
const struct asymmetric_key_id *match_id = match_data->preparsed;
280
+
281
+
return kids && asymmetric_key_id_same(kids->id[2], match_id);
282
+
}
283
+
284
+
/*
286
285
* Preparse the match criterion. If we don't set lookup_type and cmp,
287
286
* the default will be an exact match on the key description.
288
287
*
289
288
* There are some specifiers for matching key IDs rather than by the key
290
289
* description:
291
290
*
292
-
* "id:<id>" - find a key by partial match on any available ID
293
-
* "ex:<id>" - find a key by exact match on any available ID
291
+
* "id:<id>" - find a key by partial match on one of the first two IDs
292
+
* "ex:<id>" - find a key by exact match on one of the first two IDs
293
+
* "dn:<id>" - find a key by exact match on the third ID
294
294
*
295
295
* These have to be searched by iteration rather than by direct lookup because
296
296
* the key is hashed according to its description.
···
327
301
spec[1] == 'x' &&
328
302
spec[2] == ':') {
329
303
id = spec + 3;
304
+
} else if (spec[0] == 'd' &&
305
+
spec[1] == 'n' &&
306
+
spec[2] == ':') {
307
+
id = spec + 3;
308
+
cmp = asymmetric_key_cmp_name;
330
309
} else {
331
310
goto default_match;
332
311
}
+3
-3
crypto/asymmetric_keys/pkcs7_trust.c
+3
-3
crypto/asymmetric_keys/pkcs7_trust.c
···
48
48
* keys.
49
49
*/
50
50
key = find_asymmetric_key(trust_keyring,
51
-
x509->id, x509->skid, false);
51
+
x509->id, x509->skid, NULL, false);
52
52
if (!IS_ERR(key)) {
53
53
/* One of the X.509 certificates in the PKCS#7 message
54
54
* is apparently the same as one we already trust.
···
82
82
key = find_asymmetric_key(trust_keyring,
83
83
last->sig->auth_ids[0],
84
84
last->sig->auth_ids[1],
85
-
false);
85
+
NULL, false);
86
86
if (!IS_ERR(key)) {
87
87
x509 = last;
88
88
pr_devel("sinfo %u: Root cert %u signer is key %x\n",
···
97
97
* the signed info directly.
98
98
*/
99
99
key = find_asymmetric_key(trust_keyring,
100
-
sinfo->sig->auth_ids[0], NULL, false);
100
+
sinfo->sig->auth_ids[0], NULL, NULL, false);
101
101
if (!IS_ERR(key)) {
102
102
pr_devel("sinfo %u: Direct signer is key %x\n",
103
103
sinfo->index, key_serial(key));
+29
-19
crypto/asymmetric_keys/restrict.c
+29
-19
crypto/asymmetric_keys/restrict.c
···
87
87
sig = payload->data[asym_auth];
88
88
if (!sig)
89
89
return -ENOPKG;
90
-
if (!sig->auth_ids[0] && !sig->auth_ids[1])
90
+
if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
91
91
return -ENOKEY;
92
92
93
93
if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
···
96
96
/* See if we have a key that signed this one. */
97
97
key = find_asymmetric_key(trust_keyring,
98
98
sig->auth_ids[0], sig->auth_ids[1],
99
-
false);
99
+
sig->auth_ids[2], false);
100
100
if (IS_ERR(key))
101
101
return -ENOKEY;
102
102
···
108
108
return ret;
109
109
}
110
110
111
-
static bool match_either_id(const struct asymmetric_key_ids *pair,
111
+
static bool match_either_id(const struct asymmetric_key_id **pair,
112
112
const struct asymmetric_key_id *single)
113
113
{
114
-
return (asymmetric_key_id_same(pair->id[0], single) ||
115
-
asymmetric_key_id_same(pair->id[1], single));
114
+
return (asymmetric_key_id_same(pair[0], single) ||
115
+
asymmetric_key_id_same(pair[1], single));
116
116
}
117
117
118
118
static int key_or_keyring_common(struct key *dest_keyring,
···
140
140
sig = payload->data[asym_auth];
141
141
if (!sig)
142
142
return -ENOPKG;
143
-
if (!sig->auth_ids[0] && !sig->auth_ids[1])
143
+
if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
144
144
return -ENOKEY;
145
145
146
146
if (trusted) {
147
147
if (trusted->type == &key_type_keyring) {
148
148
/* See if we have a key that signed this one. */
149
149
key = find_asymmetric_key(trusted, sig->auth_ids[0],
150
-
sig->auth_ids[1], false);
150
+
sig->auth_ids[1],
151
+
sig->auth_ids[2], false);
151
152
if (IS_ERR(key))
152
153
key = NULL;
153
154
} else if (trusted->type == &key_type_asymmetric) {
154
-
const struct asymmetric_key_ids *signer_ids;
155
+
const struct asymmetric_key_id **signer_ids;
155
156
156
-
signer_ids = asymmetric_key_ids(trusted);
157
+
signer_ids = (const struct asymmetric_key_id **)
158
+
asymmetric_key_ids(trusted)->id;
157
159
158
160
/*
159
161
* The auth_ids come from the candidate key (the
···
166
164
* The signer_ids are identifiers for the
167
165
* signing key specified for dest_keyring.
168
166
*
169
-
* The first auth_id is the preferred id, and
170
-
* the second is the fallback. If only one
171
-
* auth_id is present, it may match against
172
-
* either signer_id. If two auth_ids are
173
-
* present, the first auth_id must match one
174
-
* signer_id and the second auth_id must match
175
-
* the second signer_id.
167
+
* The first auth_id is the preferred id, 2nd and
168
+
* 3rd are the fallbacks. If exactly one of
169
+
* auth_ids[0] and auth_ids[1] is present, it may
170
+
* match either signer_ids[0] or signed_ids[1].
171
+
* If both are present the first one may match
172
+
* either signed_id but the second one must match
173
+
* the second signer_id. If neither of them is
174
+
* available, auth_ids[2] is matched against
175
+
* signer_ids[2] as a fallback.
176
176
*/
177
-
if (!sig->auth_ids[0] || !sig->auth_ids[1]) {
177
+
if (!sig->auth_ids[0] && !sig->auth_ids[1]) {
178
+
if (asymmetric_key_id_same(signer_ids[2],
179
+
sig->auth_ids[2]))
180
+
key = __key_get(trusted);
181
+
182
+
} else if (!sig->auth_ids[0] || !sig->auth_ids[1]) {
178
183
const struct asymmetric_key_id *auth_id;
179
184
180
185
auth_id = sig->auth_ids[0] ?: sig->auth_ids[1];
181
186
if (match_either_id(signer_ids, auth_id))
182
187
key = __key_get(trusted);
183
188
184
-
} else if (asymmetric_key_id_same(signer_ids->id[1],
189
+
} else if (asymmetric_key_id_same(signer_ids[1],
185
190
sig->auth_ids[1]) &&
186
191
match_either_id(signer_ids,
187
192
sig->auth_ids[0])) {
···
202
193
if (check_dest && !key) {
203
194
/* See if the destination has a key that signed this one. */
204
195
key = find_asymmetric_key(dest_keyring, sig->auth_ids[0],
205
-
sig->auth_ids[1], false);
196
+
sig->auth_ids[1], sig->auth_ids[2],
197
+
false);
206
198
if (IS_ERR(key))
207
199
key = NULL;
208
200
}
+10
crypto/asymmetric_keys/x509_cert_parser.c
+10
crypto/asymmetric_keys/x509_cert_parser.c
···
441
441
const void *value, size_t vlen)
442
442
{
443
443
struct x509_parse_context *ctx = context;
444
+
struct asymmetric_key_id *kid;
445
+
444
446
ctx->cert->raw_issuer = value;
445
447
ctx->cert->raw_issuer_size = vlen;
448
+
449
+
if (!ctx->cert->sig->auth_ids[2]) {
450
+
kid = asymmetric_key_generate_id(value, vlen, "", 0);
451
+
if (IS_ERR(kid))
452
+
return PTR_ERR(kid);
453
+
ctx->cert->sig->auth_ids[2] = kid;
454
+
}
455
+
446
456
return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
447
457
}
448
458
+10
crypto/asymmetric_keys/x509_public_key.c
+10
crypto/asymmetric_keys/x509_public_key.c
···
223
223
goto error_free_desc;
224
224
kids->id[0] = cert->id;
225
225
kids->id[1] = cert->skid;
226
+
kids->id[2] = asymmetric_key_generate_id(cert->raw_subject,
227
+
cert->raw_subject_size,
228
+
"", 0);
229
+
if (IS_ERR(kids->id[2])) {
230
+
ret = PTR_ERR(kids->id[2]);
231
+
goto error_free_kids;
232
+
}
226
233
227
234
/* We're pinning the module by being linked against it */
228
235
__module_get(public_key_subtype.owner);
···
246
239
cert->skid = NULL;
247
240
cert->sig = NULL;
248
241
desc = NULL;
242
+
kids = NULL;
249
243
ret = 0;
250
244
245
+
error_free_kids:
246
+
kfree(kids);
251
247
error_free_desc:
252
248
kfree(desc);
253
249
error_free_cert:
+17
-105
drivers/char/tpm/st33zp24/st33zp24.c
+17
-105
drivers/char/tpm/st33zp24/st33zp24.c
···
61
61
};
62
62
63
63
/*
64
-
* clear_interruption clear the pending interrupt.
65
-
* @param: tpm_dev, the tpm device device.
66
-
* @return: the interrupt status value.
64
+
* clear the pending interrupt.
67
65
*/
68
66
static u8 clear_interruption(struct st33zp24_dev *tpm_dev)
69
67
{
···
70
72
tpm_dev->ops->recv(tpm_dev->phy_id, TPM_INT_STATUS, &interrupt, 1);
71
73
tpm_dev->ops->send(tpm_dev->phy_id, TPM_INT_STATUS, &interrupt, 1);
72
74
return interrupt;
73
-
} /* clear_interruption() */
75
+
}
74
76
75
77
/*
76
-
* st33zp24_cancel, cancel the current command execution or
77
-
* set STS to COMMAND READY.
78
-
* @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h
78
+
* cancel the current command execution or set STS to COMMAND READY.
79
79
*/
80
80
static void st33zp24_cancel(struct tpm_chip *chip)
81
81
{
···
82
86
83
87
data = TPM_STS_COMMAND_READY;
84
88
tpm_dev->ops->send(tpm_dev->phy_id, TPM_STS, &data, 1);
85
-
} /* st33zp24_cancel() */
89
+
}
86
90
87
91
/*
88
-
* st33zp24_status return the TPM_STS register
89
-
* @param: chip, the tpm chip description
90
-
* @return: the TPM_STS register value.
92
+
* return the TPM_STS register
91
93
*/
92
94
static u8 st33zp24_status(struct tpm_chip *chip)
93
95
{
···
94
100
95
101
tpm_dev->ops->recv(tpm_dev->phy_id, TPM_STS, &data, 1);
96
102
return data;
97
-
} /* st33zp24_status() */
103
+
}
98
104
99
105
/*
100
-
* check_locality if the locality is active
101
-
* @param: chip, the tpm chip description
102
-
* @return: true if LOCALITY0 is active, otherwise false
106
+
* if the locality is active
103
107
*/
104
108
static bool check_locality(struct tpm_chip *chip)
105
109
{
···
112
120
return true;
113
121
114
122
return false;
115
-
} /* check_locality() */
123
+
}
116
124
117
-
/*
118
-
* request_locality request the TPM locality
119
-
* @param: chip, the chip description
120
-
* @return: the active locality or negative value.
121
-
*/
122
125
static int request_locality(struct tpm_chip *chip)
123
126
{
124
127
struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
···
140
153
141
154
/* could not get locality */
142
155
return -EACCES;
143
-
} /* request_locality() */
156
+
}
144
157
145
-
/*
146
-
* release_locality release the active locality
147
-
* @param: chip, the tpm chip description.
148
-
*/
149
158
static void release_locality(struct tpm_chip *chip)
150
159
{
151
160
struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
···
154
171
155
172
/*
156
173
* get_burstcount return the burstcount value
157
-
* @param: chip, the chip description
158
-
* return: the burstcount or negative value.
159
174
*/
160
175
static int get_burstcount(struct tpm_chip *chip)
161
176
{
···
181
200
msleep(TPM_TIMEOUT);
182
201
} while (time_before(jiffies, stop));
183
202
return -EBUSY;
184
-
} /* get_burstcount() */
203
+
}
185
204
186
-
187
-
/*
188
-
* wait_for_tpm_stat_cond
189
-
* @param: chip, chip description
190
-
* @param: mask, expected mask value
191
-
* @param: check_cancel, does the command expected to be canceled ?
192
-
* @param: canceled, did we received a cancel request ?
193
-
* @return: true if status == mask or if the command is canceled.
194
-
* false in other cases.
195
-
*/
196
205
static bool wait_for_tpm_stat_cond(struct tpm_chip *chip, u8 mask,
197
206
bool check_cancel, bool *canceled)
198
207
{
···
199
228
}
200
229
201
230
/*
202
-
* wait_for_stat wait for a TPM_STS value
203
-
* @param: chip, the tpm chip description
204
-
* @param: mask, the value mask to wait
205
-
* @param: timeout, the timeout
206
-
* @param: queue, the wait queue.
207
-
* @param: check_cancel, does the command can be cancelled ?
208
-
* @return: the tpm status, 0 if success, -ETIME if timeout is reached.
231
+
* wait for a TPM_STS value
209
232
*/
210
233
static int wait_for_stat(struct tpm_chip *chip, u8 mask, unsigned long timeout,
211
234
wait_queue_head_t *queue, bool check_cancel)
···
257
292
}
258
293
259
294
return -ETIME;
260
-
} /* wait_for_stat() */
295
+
}
261
296
262
-
/*
263
-
* recv_data receive data
264
-
* @param: chip, the tpm chip description
265
-
* @param: buf, the buffer where the data are received
266
-
* @param: count, the number of data to receive
267
-
* @return: the number of bytes read from TPM FIFO.
268
-
*/
269
297
static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
270
298
{
271
299
struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
···
283
325
return size;
284
326
}
285
327
286
-
/*
287
-
* tpm_ioserirq_handler the serirq irq handler
288
-
* @param: irq, the tpm chip description
289
-
* @param: dev_id, the description of the chip
290
-
* @return: the status of the handler.
291
-
*/
292
328
static irqreturn_t tpm_ioserirq_handler(int irq, void *dev_id)
293
329
{
294
330
struct tpm_chip *chip = dev_id;
···
293
341
disable_irq_nosync(tpm_dev->irq);
294
342
295
343
return IRQ_HANDLED;
296
-
} /* tpm_ioserirq_handler() */
344
+
}
297
345
298
346
/*
299
-
* st33zp24_send send TPM commands through the I2C bus.
300
-
*
301
-
* @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h
302
-
* @param: buf, the buffer to send.
303
-
* @param: count, the number of bytes to send.
304
-
* @return: In case of success the number of bytes sent.
305
-
* In other case, a < 0 value describing the issue.
347
+
* send TPM commands through the I2C bus.
306
348
*/
307
349
static int st33zp24_send(struct tpm_chip *chip, unsigned char *buf,
308
350
size_t len)
···
377
431
return ret;
378
432
}
379
433
380
-
/*
381
-
* st33zp24_recv received TPM response through TPM phy.
382
-
* @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h.
383
-
* @param: buf, the buffer to store datas.
384
-
* @param: count, the number of bytes to send.
385
-
* @return: In case of success the number of bytes received.
386
-
* In other case, a < 0 value describing the issue.
387
-
*/
388
434
static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
389
435
size_t count)
390
436
{
···
416
478
return size;
417
479
}
418
480
419
-
/*
420
-
* st33zp24_req_canceled
421
-
* @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h.
422
-
* @param: status, the TPM status.
423
-
* @return: Does TPM ready to compute a new command ? true.
424
-
*/
425
481
static bool st33zp24_req_canceled(struct tpm_chip *chip, u8 status)
426
482
{
427
483
return (status == TPM_STS_COMMAND_READY);
···
433
501
};
434
502
435
503
/*
436
-
* st33zp24_probe initialize the TPM device
437
-
* @param: client, the i2c_client description (TPM I2C description).
438
-
* @param: id, the i2c_device_id struct.
439
-
* @return: 0 in case of success.
440
-
* -1 in other case.
504
+
* initialize the TPM device
441
505
*/
442
506
int st33zp24_probe(void *phy_id, const struct st33zp24_phy_ops *ops,
443
507
struct device *dev, int irq, int io_lpcpd)
···
511
583
}
512
584
EXPORT_SYMBOL(st33zp24_probe);
513
585
514
-
/*
515
-
* st33zp24_remove remove the TPM device
516
-
* @param: tpm_data, the tpm phy.
517
-
* @return: 0 in case of success.
518
-
*/
519
586
int st33zp24_remove(struct tpm_chip *chip)
520
587
{
521
588
tpm_chip_unregister(chip);
···
519
596
EXPORT_SYMBOL(st33zp24_remove);
520
597
521
598
#ifdef CONFIG_PM_SLEEP
522
-
/*
523
-
* st33zp24_pm_suspend suspend the TPM device
524
-
* @param: tpm_data, the tpm phy.
525
-
* @param: mesg, the power management message.
526
-
* @return: 0 in case of success.
527
-
*/
528
599
int st33zp24_pm_suspend(struct device *dev)
529
600
{
530
601
struct tpm_chip *chip = dev_get_drvdata(dev);
···
532
615
ret = tpm_pm_suspend(dev);
533
616
534
617
return ret;
535
-
} /* st33zp24_pm_suspend() */
618
+
}
536
619
EXPORT_SYMBOL(st33zp24_pm_suspend);
537
620
538
-
/*
539
-
* st33zp24_pm_resume resume the TPM device
540
-
* @param: tpm_data, the tpm phy.
541
-
* @return: 0 in case of success.
542
-
*/
543
621
int st33zp24_pm_resume(struct device *dev)
544
622
{
545
623
struct tpm_chip *chip = dev_get_drvdata(dev);
···
552
640
tpm1_do_selftest(chip);
553
641
}
554
642
return ret;
555
-
} /* st33zp24_pm_resume() */
643
+
}
556
644
EXPORT_SYMBOL(st33zp24_pm_resume);
557
645
#endif
558
646
+25
-12
drivers/char/tpm/tpm-chip.c
+25
-12
drivers/char/tpm/tpm-chip.c
···
444
444
return rc;
445
445
}
446
446
447
-
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
447
+
if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_firmware_upgrade(chip)) {
448
448
rc = cdev_device_add(&chip->cdevs, &chip->devs);
449
449
if (rc) {
450
450
dev_err(&chip->devs,
···
474
474
475
475
/* Make the driver uncallable. */
476
476
down_write(&chip->ops_sem);
477
-
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
478
-
if (!tpm_chip_start(chip)) {
479
-
tpm2_shutdown(chip, TPM2_SU_CLEAR);
480
-
tpm_chip_stop(chip);
477
+
478
+
/*
479
+
* Check if chip->ops is still valid: In case that the controller
480
+
* drivers shutdown handler unregisters the controller in its
481
+
* shutdown handler we are called twice and chip->ops to NULL.
482
+
*/
483
+
if (chip->ops) {
484
+
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
485
+
if (!tpm_chip_start(chip)) {
486
+
tpm2_shutdown(chip, TPM2_SU_CLEAR);
487
+
tpm_chip_stop(chip);
488
+
}
481
489
}
490
+
chip->ops = NULL;
482
491
}
483
-
chip->ops = NULL;
484
492
up_write(&chip->ops_sem);
485
493
}
486
494
···
496
488
{
497
489
struct attribute **i;
498
490
499
-
if (chip->flags & (TPM_CHIP_FLAG_TPM2 | TPM_CHIP_FLAG_VIRTUAL))
491
+
if (chip->flags & (TPM_CHIP_FLAG_TPM2 | TPM_CHIP_FLAG_VIRTUAL) ||
492
+
tpm_is_firmware_upgrade(chip))
500
493
return;
501
494
502
495
sysfs_remove_link(&chip->dev.parent->kobj, "ppi");
···
515
506
struct attribute **i;
516
507
int rc;
517
508
518
-
if (chip->flags & (TPM_CHIP_FLAG_TPM2 | TPM_CHIP_FLAG_VIRTUAL))
509
+
if (chip->flags & (TPM_CHIP_FLAG_TPM2 | TPM_CHIP_FLAG_VIRTUAL) ||
510
+
tpm_is_firmware_upgrade(chip))
519
511
return 0;
520
512
521
513
rc = compat_only_sysfs_link_entry_to_kobj(
···
546
536
547
537
static int tpm_add_hwrng(struct tpm_chip *chip)
548
538
{
549
-
if (!IS_ENABLED(CONFIG_HW_RANDOM_TPM))
539
+
if (!IS_ENABLED(CONFIG_HW_RANDOM_TPM) || tpm_is_firmware_upgrade(chip))
550
540
return 0;
551
541
552
542
snprintf(chip->hwrng_name, sizeof(chip->hwrng_name),
···
559
549
static int tpm_get_pcr_allocation(struct tpm_chip *chip)
560
550
{
561
551
int rc;
552
+
553
+
if (tpm_is_firmware_upgrade(chip))
554
+
return 0;
562
555
563
556
rc = (chip->flags & TPM_CHIP_FLAG_TPM2) ?
564
557
tpm2_get_pcr_allocation(chip) :
···
625
612
return 0;
626
613
627
614
out_hwrng:
628
-
if (IS_ENABLED(CONFIG_HW_RANDOM_TPM))
615
+
if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip))
629
616
hwrng_unregister(&chip->hwrng);
630
617
out_ppi:
631
618
tpm_bios_log_teardown(chip);
···
650
637
void tpm_chip_unregister(struct tpm_chip *chip)
651
638
{
652
639
tpm_del_legacy_sysfs(chip);
653
-
if (IS_ENABLED(CONFIG_HW_RANDOM_TPM))
640
+
if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip))
654
641
hwrng_unregister(&chip->hwrng);
655
642
tpm_bios_log_teardown(chip);
656
-
if (chip->flags & TPM_CHIP_FLAG_TPM2)
643
+
if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_firmware_upgrade(chip))
657
644
cdev_device_del(&chip->cdevs, &chip->devs);
658
645
tpm_del_char_device(chip);
659
646
}
+3
drivers/char/tpm/tpm-sysfs.c
+3
drivers/char/tpm/tpm-sysfs.c
+6
drivers/char/tpm/tpm2-cmd.c
+6
drivers/char/tpm/tpm2-cmd.c
···
745
745
rc = tpm2_get_cc_attrs_tbl(chip);
746
746
747
747
out:
748
+
if (rc == TPM2_RC_UPGRADE) {
749
+
dev_info(&chip->dev, "TPM in field upgrade mode, requires firmware upgrade\n");
750
+
chip->flags |= TPM_CHIP_FLAG_FIRMWARE_UPGRADE;
751
+
rc = 0;
752
+
}
753
+
748
754
if (rc > 0)
749
755
rc = -ENODEV;
750
756
return rc;
+11
-3
drivers/char/tpm/tpm_tis_core.c
+11
-3
drivers/char/tpm/tpm_tis_core.c
···
950
950
priv->timeout_max = TPM_TIMEOUT_USECS_MAX;
951
951
priv->phy_ops = phy_ops;
952
952
953
+
dev_set_drvdata(&chip->dev, priv);
954
+
953
955
rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor);
954
956
if (rc < 0)
955
-
goto out_err;
957
+
return rc;
956
958
957
959
priv->manufacturer_id = vendor;
958
960
···
963
961
priv->timeout_min = TIS_TIMEOUT_MIN_ATML;
964
962
priv->timeout_max = TIS_TIMEOUT_MAX_ATML;
965
963
}
966
-
967
-
dev_set_drvdata(&chip->dev, priv);
968
964
969
965
if (is_bsw()) {
970
966
priv->ilb_base_addr = ioremap(INTEL_LEGACY_BLK_BASE_ADDR,
···
994
994
intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT |
995
995
TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT;
996
996
intmask &= ~TPM_GLOBAL_INT_ENABLE;
997
+
998
+
rc = request_locality(chip, 0);
999
+
if (rc < 0) {
1000
+
rc = -ENODEV;
1001
+
goto out_err;
1002
+
}
1003
+
997
1004
tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask);
1005
+
release_locality(chip, 0);
998
1006
999
1007
rc = tpm_chip_start(chip);
1000
1008
if (rc)
+15
-1
drivers/char/tpm/tpm_tis_i2c_cr50.c
+15
-1
drivers/char/tpm/tpm_tis_i2c_cr50.c
···
628
628
return status == TPM_STS_COMMAND_READY;
629
629
}
630
630
631
+
static bool tpm_cr50_i2c_is_firmware_power_managed(struct device *dev)
632
+
{
633
+
u8 val;
634
+
int ret;
635
+
636
+
/* This flag should default true when the device property is not present */
637
+
ret = device_property_read_u8(dev, "firmware-power-managed", &val);
638
+
if (ret)
639
+
return true;
640
+
641
+
return val;
642
+
}
643
+
631
644
static const struct tpm_class_ops cr50_i2c = {
632
645
.flags = TPM_OPS_AUTO_STARTUP,
633
646
.status = &tpm_cr50_i2c_tis_status,
···
699
686
700
687
/* cr50 is a TPM 2.0 chip */
701
688
chip->flags |= TPM_CHIP_FLAG_TPM2;
702
-
chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED;
689
+
if (tpm_cr50_i2c_is_firmware_power_managed(dev))
690
+
chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED;
703
691
704
692
/* Default timeouts */
705
693
chip->timeout_a = msecs_to_jiffies(TIS_SHORT_TIMEOUT);
+19
-1
drivers/char/tpm/tpm_tis_spi_cr50.c
+19
-1
drivers/char/tpm/tpm_tis_spi_cr50.c
···
36
36
#define TPM_CR50_FW_VER(l) (0x0f90 | ((l) << 12))
37
37
#define TPM_CR50_MAX_FW_VER_LEN 64
38
38
39
+
/* Default quality for hwrng. */
40
+
#define TPM_CR50_DEFAULT_RNG_QUALITY 700
41
+
39
42
struct cr50_spi_phy {
40
43
struct tpm_tis_spi_phy spi_phy;
41
44
···
185
182
return 0;
186
183
}
187
184
185
+
static bool tpm_cr50_spi_is_firmware_power_managed(struct device *dev)
186
+
{
187
+
u8 val;
188
+
int ret;
189
+
190
+
/* This flag should default true when the device property is not present */
191
+
ret = device_property_read_u8(dev, "firmware-power-managed", &val);
192
+
if (ret)
193
+
return true;
194
+
195
+
return val;
196
+
}
197
+
188
198
static int tpm_tis_spi_cr50_transfer(struct tpm_tis_data *data, u32 addr, u16 len,
189
199
u8 *in, const u8 *out)
190
200
{
···
280
264
phy = &cr50_phy->spi_phy;
281
265
phy->flow_control = cr50_spi_flow_control;
282
266
phy->wake_after = jiffies;
267
+
phy->priv.rng_quality = TPM_CR50_DEFAULT_RNG_QUALITY;
283
268
init_completion(&phy->ready);
284
269
285
270
cr50_phy->access_delay = CR50_NOIRQ_ACCESS_DELAY;
···
322
305
cr50_print_fw_version(&phy->priv);
323
306
324
307
chip = dev_get_drvdata(&spi->dev);
325
-
chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED;
308
+
if (tpm_cr50_spi_is_firmware_power_managed(&spi->dev))
309
+
chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED;
326
310
327
311
return 0;
328
312
}
+1
-1
include/crypto/public_key.h
+1
-1
include/crypto/public_key.h
+2
-1
include/keys/asymmetric-type.h
+2
-1
include/keys/asymmetric-type.h
···
53
53
};
54
54
55
55
struct asymmetric_key_ids {
56
-
void *id[2];
56
+
void *id[3];
57
57
};
58
58
59
59
extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
···
81
81
extern struct key *find_asymmetric_key(struct key *keyring,
82
82
const struct asymmetric_key_id *id_0,
83
83
const struct asymmetric_key_id *id_1,
84
+
const struct asymmetric_key_id *id_2,
84
85
bool partial);
85
86
86
87
/*
+10
include/linux/tpm.h
+10
include/linux/tpm.h
···
207
207
TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */
208
208
TPM2_RC_FAILURE = 0x0101,
209
209
TPM2_RC_DISABLED = 0x0120,
210
+
TPM2_RC_UPGRADE = 0x012D,
210
211
TPM2_RC_COMMAND_CODE = 0x0143,
211
212
TPM2_RC_TESTING = 0x090A, /* RC_WARN */
212
213
TPM2_RC_REFERENCE_H0 = 0x0910,
···
279
278
TPM_CHIP_FLAG_HAVE_TIMEOUTS = BIT(4),
280
279
TPM_CHIP_FLAG_ALWAYS_POWERED = BIT(5),
281
280
TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED = BIT(6),
281
+
TPM_CHIP_FLAG_FIRMWARE_UPGRADE = BIT(7),
282
282
};
283
283
284
284
#define to_tpm_chip(d) container_of(d, struct tpm_chip, dev)
···
399
397
__be32 value2 = cpu_to_be32(value);
400
398
401
399
tpm_buf_append(buf, (u8 *) &value2, 4);
400
+
}
401
+
402
+
/*
403
+
* Check if TPM device is in the firmware upgrade mode.
404
+
*/
405
+
static inline bool tpm_is_firmware_upgrade(struct tpm_chip *chip)
406
+
{
407
+
return chip->flags & TPM_CHIP_FLAG_FIRMWARE_UPGRADE;
402
408
}
403
409
404
410
static inline u32 tpm2_rc_value(u32 rc)