* [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel Cc: peterhuewe, tpmdd, jarkko.sakkinen, jgunthorpe, linux-security-module, linux-kernel, Nayna Jain IMA extends its hash measurements in the TPM PCRs, based on policy. The existing in-kernel TPM extend function extends only the SHA1 PCR bank. TPM 2.0 defines multiple PCR banks, to support different hash algorithms. The TCG TPM 2.0 Specification[1] recommends extending all active PCR banks to prevent malicious users from setting unused PCR banks with fake measurements and quoting them. This patch set adds support for extending all active PCR banks, as recommended. The first patch implements the TPM 2.0 capability to retrieve the list of active PCR banks. The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() interface to support extending multiple PCR banks. The existing tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to extend all active PCR banks with differing digest sizes for TPM 2.0, the SHA1 digest is padded with 0's as needed. [1] TPM 2.0 Specification referred here is "TCG PC Client Specific Platform Firmware Profile for TPM 2.0" Changelog v6: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Fixed the regression - missing tpm_buf_destroy() in in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. Changelog v5: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Moved variable declaration to start of function in tpm_pcr_extend() Changelog v4: - Updated cover letter as per Mimi's feedback. - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use default timeout value if chip reports it as zero) - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Moved call to tpm2_get_pcr_allocation to Patch 2 - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection and moved the struct to before tpm2_get_pcr_allocation() - Fixed code formatting - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" - Included Jarkkos' feedbacks - Updated commit msg to mention dependency on CRYPTO_HASH_INFO - Renamed struct tpmt_hash to struct tpm2_digest - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts count and digests list as two separate arguments. Added check for count of hashes passed. - Cleaned up struct tpm2_pcr_extend_in as not required anymore with use of tpm_buf - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as it is the only function using it for now. - Fixed code formatting Changelog v3: - Rebased to the Jarkko's latest master branch (8e25809 tpm: Do not print an error message when doing TPM auto startup) - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Removed getcap_in, getcap_out and used tpm_buf for getting capability. - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included other feedbacks. - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" - Fixed kbuild errors - Fixed buf.data uninitialized warning. - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. Changelog v2: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - defined structs definition in tpm2-cmd.c. - no_of_active_banks field is removed. Instead, constant TPM2_MAX_PCR_BANKS is defined. - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() - removed generic function tpm2_get_capability(). - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" - Removed tpm2.h, and defined structs common for extend and event log in tpm_eventlog.h - uses tpm_buf in tpm2_pcr_extend(). Nayna Jain (2): tpm: implement TPM 2.0 capability to get active PCR banks tpm: enhance TPM 2.0 PCR extend to support multiple banks drivers/char/tpm/Kconfig | 1 + drivers/char/tpm/tpm-interface.c | 15 +++- drivers/char/tpm/tpm.h | 8 ++- drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- drivers/char/tpm/tpm_eventlog.h | 7 ++ 5 files changed, 137 insertions(+), 44 deletions(-) -- 2.5.0 ^ permalink raw reply [flat|nested] 32+ messages in thread
* [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA IMA extends its hash measurements in the TPM PCRs, based on policy. The existing in-kernel TPM extend function extends only the SHA1 PCR bank. TPM 2.0 defines multiple PCR banks, to support different hash algorithms. The TCG TPM 2.0 Specification[1] recommends extending all active PCR banks to prevent malicious users from setting unused PCR banks with fake measurements and quoting them. This patch set adds support for extending all active PCR banks, as recommended. The first patch implements the TPM 2.0 capability to retrieve the list of active PCR banks. The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() interface to support extending multiple PCR banks. The existing tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to extend all active PCR banks with differing digest sizes for TPM 2.0, the SHA1 digest is padded with 0's as needed. [1] TPM 2.0 Specification referred here is "TCG PC Client Specific Platform Firmware Profile for TPM 2.0" Changelog v6: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Fixed the regression - missing tpm_buf_destroy() in in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. Changelog v5: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Moved variable declaration to start of function in tpm_pcr_extend() Changelog v4: - Updated cover letter as per Mimi's feedback. - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use default timeout value if chip reports it as zero) - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Moved call to tpm2_get_pcr_allocation to Patch 2 - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection and moved the struct to before tpm2_get_pcr_allocation() - Fixed code formatting - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" - Included Jarkkos' feedbacks - Updated commit msg to mention dependency on CRYPTO_HASH_INFO - Renamed struct tpmt_hash to struct tpm2_digest - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts count and digests list as two separate arguments. Added check for count of hashes passed. - Cleaned up struct tpm2_pcr_extend_in as not required anymore with use of tpm_buf - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as it is the only function using it for now. - Fixed code formatting Changelog v3: - Rebased to the Jarkko's latest master branch (8e25809 tpm: Do not print an error message when doing TPM auto startup) - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - Included Jarkko's feedbacks - Removed getcap_in, getcap_out and used tpm_buf for getting capability. - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included other feedbacks. - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" - Fixed kbuild errors - Fixed buf.data uninitialized warning. - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. Changelog v2: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - defined structs definition in tpm2-cmd.c. - no_of_active_banks field is removed. Instead, constant TPM2_MAX_PCR_BANKS is defined. - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() - removed generic function tpm2_get_capability(). - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" - Removed tpm2.h, and defined structs common for extend and event log in tpm_eventlog.h - uses tpm_buf in tpm2_pcr_extend(). Nayna Jain (2): tpm: implement TPM 2.0 capability to get active PCR banks tpm: enhance TPM 2.0 PCR extend to support multiple banks drivers/char/tpm/Kconfig | 1 + drivers/char/tpm/tpm-interface.c | 15 +++- drivers/char/tpm/tpm.h | 8 ++- drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- drivers/char/tpm/tpm_eventlog.h | 7 ++ 5 files changed, 137 insertions(+), 44 deletions(-) -- 2.5.0 ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active PCR banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel Cc: peterhuewe, tpmdd, jarkko.sakkinen, jgunthorpe, linux-security-module, linux-kernel, Nayna Jain This patch implements the TPM 2.0 capability TPM_CAP_PCRS to retrieve the active PCR banks from the TPM. This is needed to enable extending all active banks as recommended by TPM 2.0 TCG Specification. Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- drivers/char/tpm/tpm.h | 5 ++++ drivers/char/tpm/tpm2-cmd.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 1ae9768..c291f19 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -97,6 +97,7 @@ enum tpm2_return_codes { }; enum tpm2_algorithms { + TPM2_ALG_ERROR = 0x0000, TPM2_ALG_SHA1 = 0x0004, TPM2_ALG_KEYEDHASH = 0x0008, TPM2_ALG_SHA256 = 0x000B, @@ -127,6 +128,7 @@ enum tpm2_permanent_handles { }; enum tpm2_capabilities { + TPM2_CAP_PCRS = 5, TPM2_CAP_TPM_PROPERTIES = 6, }; @@ -187,6 +189,8 @@ struct tpm_chip { const struct attribute_group *groups[3]; unsigned int groups_cnt; + + u16 active_banks[7]; #ifdef CONFIG_ACPI acpi_handle acpi_dev_handle; char ppi_version[TPM_PPI_VERSION_LEN + 1]; @@ -545,4 +549,5 @@ int tpm2_auto_startup(struct tpm_chip *chip); void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); int tpm2_probe(struct tpm_chip *chip); +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); #endif diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 6eda239..0e000a3 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -998,3 +998,62 @@ int tpm2_auto_startup(struct tpm_chip *chip) rc = -ENODEV; return rc; } + +struct tpm2_pcr_selection { + __be16 hash_alg; + u8 size_of_select; + u8 pcr_select[3]; +} __packed; + +/** + * tpm2_get_pcr_allocation() - get TPM active PCR banks. + * + * @chip: TPM chip to use. + * + * Return: Same as with tpm_transmit_cmd. + */ +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) +{ + struct tpm2_pcr_selection pcr_selection; + struct tpm_buf buf; + void *marker; + unsigned int count = 0; + int rc; + int i; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); + if (rc) + return rc; + + tpm_buf_append_u32(&buf, TPM2_CAP_PCRS); + tpm_buf_append_u32(&buf, 0); + tpm_buf_append_u32(&buf, 1); + + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, + "get tpm pcr allocation"); + if (rc < 0) + goto out; + + count = be32_to_cpup( + (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); + + if (count > ARRAY_SIZE(chip->active_banks)) { + rc = -ENODEV; + goto out; + } + + marker = &buf.data[TPM_HEADER_SIZE + 9]; + for (i = 0; i < count; i++) { + memcpy(&pcr_selection, marker, sizeof(pcr_selection)); + chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg); + marker = marker + sizeof(struct tpm2_pcr_selection); + } + +out: + if (count < ARRAY_SIZE(chip->active_banks)) + chip->active_banks[count] = TPM2_ALG_ERROR; + + tpm_buf_destroy(&buf); + + return rc; +} -- 2.5.0 ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active PCR banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA This patch implements the TPM 2.0 capability TPM_CAP_PCRS to retrieve the active PCR banks from the TPM. This is needed to enable extending all active banks as recommended by TPM 2.0 TCG Specification. Signed-off-by: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org> --- drivers/char/tpm/tpm.h | 5 ++++ drivers/char/tpm/tpm2-cmd.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 1ae9768..c291f19 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -97,6 +97,7 @@ enum tpm2_return_codes { }; enum tpm2_algorithms { + TPM2_ALG_ERROR = 0x0000, TPM2_ALG_SHA1 = 0x0004, TPM2_ALG_KEYEDHASH = 0x0008, TPM2_ALG_SHA256 = 0x000B, @@ -127,6 +128,7 @@ enum tpm2_permanent_handles { }; enum tpm2_capabilities { + TPM2_CAP_PCRS = 5, TPM2_CAP_TPM_PROPERTIES = 6, }; @@ -187,6 +189,8 @@ struct tpm_chip { const struct attribute_group *groups[3]; unsigned int groups_cnt; + + u16 active_banks[7]; #ifdef CONFIG_ACPI acpi_handle acpi_dev_handle; char ppi_version[TPM_PPI_VERSION_LEN + 1]; @@ -545,4 +549,5 @@ int tpm2_auto_startup(struct tpm_chip *chip); void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); int tpm2_probe(struct tpm_chip *chip); +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); #endif diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 6eda239..0e000a3 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -998,3 +998,62 @@ int tpm2_auto_startup(struct tpm_chip *chip) rc = -ENODEV; return rc; } + +struct tpm2_pcr_selection { + __be16 hash_alg; + u8 size_of_select; + u8 pcr_select[3]; +} __packed; + +/** + * tpm2_get_pcr_allocation() - get TPM active PCR banks. + * + * @chip: TPM chip to use. + * + * Return: Same as with tpm_transmit_cmd. + */ +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) +{ + struct tpm2_pcr_selection pcr_selection; + struct tpm_buf buf; + void *marker; + unsigned int count = 0; + int rc; + int i; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); + if (rc) + return rc; + + tpm_buf_append_u32(&buf, TPM2_CAP_PCRS); + tpm_buf_append_u32(&buf, 0); + tpm_buf_append_u32(&buf, 1); + + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, + "get tpm pcr allocation"); + if (rc < 0) + goto out; + + count = be32_to_cpup( + (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); + + if (count > ARRAY_SIZE(chip->active_banks)) { + rc = -ENODEV; + goto out; + } + + marker = &buf.data[TPM_HEADER_SIZE + 9]; + for (i = 0; i < count; i++) { + memcpy(&pcr_selection, marker, sizeof(pcr_selection)); + chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg); + marker = marker + sizeof(struct tpm2_pcr_selection); + } + +out: + if (count < ARRAY_SIZE(chip->active_banks)) + chip->active_banks[count] = TPM2_ALG_ERROR; + + tpm_buf_destroy(&buf); + + return rc; +} -- 2.5.0 ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply related [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active PCR banks 2017-01-20 17:05 ` Nayna Jain (?) @ 2017-01-26 12:23 ` Stefan Berger 2017-01-27 6:30 ` Jarkko Sakkinen -1 siblings, 1 reply; 32+ messages in thread From: Stefan Berger @ 2017-01-26 12:23 UTC (permalink / raw) To: Nayna Jain, tpmdd-devel; +Cc: linux-kernel, linux-security-module On 01/20/2017 12:05 PM, Nayna Jain wrote: > This patch implements the TPM 2.0 capability TPM_CAP_PCRS to > retrieve the active PCR banks from the TPM. This is needed > to enable extending all active banks as recommended by TPM 2.0 > TCG Specification. > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > drivers/char/tpm/tpm.h | 5 ++++ > drivers/char/tpm/tpm2-cmd.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 64 insertions(+) > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index 1ae9768..c291f19 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -97,6 +97,7 @@ enum tpm2_return_codes { > }; > > enum tpm2_algorithms { > + TPM2_ALG_ERROR = 0x0000, > TPM2_ALG_SHA1 = 0x0004, > TPM2_ALG_KEYEDHASH = 0x0008, > TPM2_ALG_SHA256 = 0x000B, > @@ -127,6 +128,7 @@ enum tpm2_permanent_handles { > }; > > enum tpm2_capabilities { > + TPM2_CAP_PCRS = 5, > TPM2_CAP_TPM_PROPERTIES = 6, > }; > > @@ -187,6 +189,8 @@ struct tpm_chip { > > const struct attribute_group *groups[3]; > unsigned int groups_cnt; > + > + u16 active_banks[7]; > #ifdef CONFIG_ACPI > acpi_handle acpi_dev_handle; > char ppi_version[TPM_PPI_VERSION_LEN + 1]; > @@ -545,4 +549,5 @@ int tpm2_auto_startup(struct tpm_chip *chip); > void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); > unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); > int tpm2_probe(struct tpm_chip *chip); > +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); > #endif > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 6eda239..0e000a3 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -998,3 +998,62 @@ int tpm2_auto_startup(struct tpm_chip *chip) > rc = -ENODEV; > return rc; > } > + > +struct tpm2_pcr_selection { > + __be16 hash_alg; > + u8 size_of_select; > + u8 pcr_select[3]; > +} __packed; > + > +/** > + * tpm2_get_pcr_allocation() - get TPM active PCR banks. > + * > + * @chip: TPM chip to use. > + * > + * Return: Same as with tpm_transmit_cmd. > + */ > +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) > +{ > + struct tpm2_pcr_selection pcr_selection; > + struct tpm_buf buf; > + void *marker; > + unsigned int count = 0; > + int rc; > + int i; > + > + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); > + if (rc) > + return rc; > + > + tpm_buf_append_u32(&buf, TPM2_CAP_PCRS); > + tpm_buf_append_u32(&buf, 0); > + tpm_buf_append_u32(&buf, 1); > + > + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, > + "get tpm pcr allocation"); > + if (rc < 0) > + goto out; > + > + count = be32_to_cpup( > + (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); > + > + if (count > ARRAY_SIZE(chip->active_banks)) { > + rc = -ENODEV; > + goto out; > + } > + > + marker = &buf.data[TPM_HEADER_SIZE + 9]; Now that we are checking access to the returned buffer, we should do an additional check here: end = &buf.data[TPM_HEADER_SIZE + rc]; > + for (i = 0; i < count; i++) { if (marker + sizeof(pcr_selection) >= end) { rc = -EFAULT; goto out; } > + memcpy(&pcr_selection, marker, sizeof(pcr_selection)); > + chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg); > + marker = marker + sizeof(struct tpm2_pcr_selection); > + } > + > +out: > + if (count < ARRAY_SIZE(chip->active_banks)) if (rc < 0 || count < ARRAY_SIZE(...)) I can send a separate patch for this. Let me know. > + chip->active_banks[count] = TPM2_ALG_ERROR; > + > + tpm_buf_destroy(&buf); > + > + return rc; > +} ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active PCR banks 2017-01-26 12:23 ` [tpmdd-devel] " Stefan Berger @ 2017-01-27 6:30 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-27 6:30 UTC (permalink / raw) To: Stefan Berger Cc: Nayna Jain, tpmdd-devel, linux-security-module, linux-kernel On Thu, Jan 26, 2017 at 07:23:15AM -0500, Stefan Berger wrote: > On 01/20/2017 12:05 PM, Nayna Jain wrote: > > This patch implements the TPM 2.0 capability TPM_CAP_PCRS to > > retrieve the active PCR banks from the TPM. This is needed > > to enable extending all active banks as recommended by TPM 2.0 > > TCG Specification. > > > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > --- > > drivers/char/tpm/tpm.h | 5 ++++ > > drivers/char/tpm/tpm2-cmd.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 64 insertions(+) > > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > > index 1ae9768..c291f19 100644 > > --- a/drivers/char/tpm/tpm.h > > +++ b/drivers/char/tpm/tpm.h > > @@ -97,6 +97,7 @@ enum tpm2_return_codes { > > }; > > > > enum tpm2_algorithms { > > + TPM2_ALG_ERROR = 0x0000, > > TPM2_ALG_SHA1 = 0x0004, > > TPM2_ALG_KEYEDHASH = 0x0008, > > TPM2_ALG_SHA256 = 0x000B, > > @@ -127,6 +128,7 @@ enum tpm2_permanent_handles { > > }; > > > > enum tpm2_capabilities { > > + TPM2_CAP_PCRS = 5, > > TPM2_CAP_TPM_PROPERTIES = 6, > > }; > > > > @@ -187,6 +189,8 @@ struct tpm_chip { > > > > const struct attribute_group *groups[3]; > > unsigned int groups_cnt; > > + > > + u16 active_banks[7]; > > #ifdef CONFIG_ACPI > > acpi_handle acpi_dev_handle; > > char ppi_version[TPM_PPI_VERSION_LEN + 1]; > > @@ -545,4 +549,5 @@ int tpm2_auto_startup(struct tpm_chip *chip); > > void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); > > unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); > > int tpm2_probe(struct tpm_chip *chip); > > +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); > > #endif > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > > index 6eda239..0e000a3 100644 > > --- a/drivers/char/tpm/tpm2-cmd.c > > +++ b/drivers/char/tpm/tpm2-cmd.c > > @@ -998,3 +998,62 @@ int tpm2_auto_startup(struct tpm_chip *chip) > > rc = -ENODEV; > > return rc; > > } > > + > > +struct tpm2_pcr_selection { > > + __be16 hash_alg; > > + u8 size_of_select; > > + u8 pcr_select[3]; > > +} __packed; > > + > > +/** > > + * tpm2_get_pcr_allocation() - get TPM active PCR banks. > > + * > > + * @chip: TPM chip to use. > > + * > > + * Return: Same as with tpm_transmit_cmd. > > + */ > > +ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) > > +{ > > + struct tpm2_pcr_selection pcr_selection; > > + struct tpm_buf buf; > > + void *marker; > > + unsigned int count = 0; > > + int rc; > > + int i; > > + > > + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); > > + if (rc) > > + return rc; > > + > > + tpm_buf_append_u32(&buf, TPM2_CAP_PCRS); > > + tpm_buf_append_u32(&buf, 0); > > + tpm_buf_append_u32(&buf, 1); > > + > > + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, > > + "get tpm pcr allocation"); > > + if (rc < 0) > > + goto out; > > + > > + count = be32_to_cpup( > > + (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); > > + > > + if (count > ARRAY_SIZE(chip->active_banks)) { > > + rc = -ENODEV; > > + goto out; > > + } > > + > > + marker = &buf.data[TPM_HEADER_SIZE + 9]; > > Now that we are checking access to the returned buffer, we should do an > additional check here: > > end = &buf.data[TPM_HEADER_SIZE + rc]; > > > > + for (i = 0; i < count; i++) { > > if (marker + sizeof(pcr_selection) >= end) { > rc = -EFAULT; > goto out; > } > > > > + memcpy(&pcr_selection, marker, sizeof(pcr_selection)); > > + chip->active_banks[i] = be16_to_cpu(pcr_selection.hash_alg); > > + marker = marker + sizeof(struct tpm2_pcr_selection); > > + } > > + > > +out: > > + if (count < ARRAY_SIZE(chip->active_banks)) > > if (rc < 0 || count < ARRAY_SIZE(...)) > > > I can send a separate patch for this. Let me know. > > > + chip->active_banks[count] = TPM2_ALG_ERROR; > > + > > + tpm_buf_destroy(&buf); > > + > > + return rc; > > +} Can you submit a fixup that I could squash into existing patch? Thanks. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel Cc: peterhuewe, tpmdd, jarkko.sakkinen, jgunthorpe, linux-security-module, linux-kernel, Nayna Jain The current TPM 2.0 device driver extends only the SHA1 PCR bank but the TCG Specification[1] recommends extending all active PCR banks, to prevent malicious users from setting unused PCR banks with fake measurements and quoting them. The existing in-kernel interface(tpm_pcr_extend()) expects only a SHA1 digest. To extend all active PCR banks with differing digest sizes, the SHA1 digest is padded with trailing 0's as needed. This patch reuses the defined digest sizes from the crypto subsystem, adding a dependency on CRYPTO_HASH_INFO module. [1] TPM 2.0 Specification referred here is "TCG PC Client Specific Platform Firmware Profile for TPM 2.0" Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- drivers/char/tpm/Kconfig | 1 + drivers/char/tpm/tpm-interface.c | 15 ++++++- drivers/char/tpm/tpm.h | 3 +- drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- drivers/char/tpm/tpm_eventlog.h | 7 ++++ 5 files changed, 73 insertions(+), 44 deletions(-) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 277186d..af985cc 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -6,6 +6,7 @@ menuconfig TCG_TPM tristate "TPM Hardware Support" depends on HAS_IOMEM select SECURITYFS + select CRYPTO_HASH_INFO ---help--- If you have a TPM security chip in your system, which implements the Trusted Computing Group's specification, diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index a3461cb..cf959c3 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) struct tpm_cmd_t cmd; int rc; struct tpm_chip *chip; + int max_active_banks = ARRAY_SIZE(chip->active_banks); + struct tpm2_digest digest_list[max_active_banks]; + u32 count = 0; + int i; chip = tpm_chip_find_get(chip_num); if (chip == NULL) return -ENODEV; if (chip->flags & TPM_CHIP_FLAG_TPM2) { - rc = tpm2_pcr_extend(chip, pcr_idx, hash); + memset(digest_list, 0, sizeof(digest_list)); + + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && + (i < max_active_banks); i++) { + digest_list[i].alg_id = chip->active_banks[i]; + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); + count++; + } + + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); tpm_put_ops(chip); return rc; } diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index c291f19..07a0677 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) #endif int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, + struct tpm2_digest *digests); int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); int tpm2_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 0e000a3..d78adb8 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { u8 digest[TPM_DIGEST_SIZE]; } __packed; -struct tpm2_null_auth_area { - __be32 handle; - __be16 nonce_size; - u8 attributes; - __be16 auth_size; -} __packed; - -struct tpm2_pcr_extend_in { - __be32 pcr_idx; - __be32 auth_area_size; - struct tpm2_null_auth_area auth_area; - __be32 digest_cnt; - __be16 hash_alg; - u8 digest[TPM_DIGEST_SIZE]; -} __packed; - struct tpm2_get_tpm_pt_in { __be32 cap_id; __be32 property_id; @@ -97,7 +81,6 @@ union tpm2_cmd_params { struct tpm2_self_test_in selftest_in; struct tpm2_pcr_read_in pcrread_in; struct tpm2_pcr_read_out pcrread_out; - struct tpm2_pcr_extend_in pcrextend_in; struct tpm2_get_tpm_pt_in get_tpm_pt_in; struct tpm2_get_tpm_pt_out get_tpm_pt_out; struct tpm2_get_random_in getrandom_in; @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) return rc; } -#define TPM2_GET_PCREXTEND_IN_SIZE \ - (sizeof(struct tpm_input_header) + \ - sizeof(struct tpm2_pcr_extend_in)) - -static const struct tpm_input_header tpm2_pcrextend_header = { - .tag = cpu_to_be16(TPM2_ST_SESSIONS), - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) -}; +struct tpm2_null_auth_area { + __be32 handle; + __be16 nonce_size; + u8 attributes; + __be16 auth_size; +} __packed; /** * tpm2_pcr_extend() - extend a PCR value * * @chip: TPM chip to use. * @pcr_idx: index of the PCR. - * @hash: hash value to use for the extend operation. + * @count: number of digests passed. + * @digests: list of pcr banks and corresponding digest values to extend. * * Return: Same as with tpm_transmit_cmd. */ -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, + struct tpm2_digest *digests) { - struct tpm2_cmd cmd; + struct tpm_buf buf; + struct tpm2_null_auth_area auth_area; int rc; + int i; + int j; + + if (count > ARRAY_SIZE(chip->active_banks)) + return -EINVAL; - cmd.header.in = tpm2_pcrextend_header; - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); - cmd.params.pcrextend_in.auth_area_size = - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); - cmd.params.pcrextend_in.auth_area.handle = - cpu_to_be32(TPM2_RS_PW); - cmd.params.pcrextend_in.auth_area.nonce_size = 0; - cmd.params.pcrextend_in.auth_area.attributes = 0; - cmd.params.pcrextend_in.auth_area.auth_size = 0; - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); + if (rc) + return rc; - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, + tpm_buf_append_u32(&buf, pcr_idx); + + auth_area.handle = cpu_to_be32(TPM2_RS_PW); + auth_area.nonce_size = 0; + auth_area.attributes = 0; + auth_area.auth_size = 0; + + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); + tpm_buf_append(&buf, (const unsigned char *)&auth_area, + sizeof(auth_area)); + tpm_buf_append_u32(&buf, count); + + for (i = 0; i < count; i++) { + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) + continue; + + tpm_buf_append_u16(&buf, digests[i].alg_id); + tpm_buf_append(&buf, (const unsigned char + *)&digests[i].digest, + hash_digest_size[tpm2_hash_map[j].crypto_id]); + } + } + + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, "attempting extend a PCR value"); + tpm_buf_destroy(&buf); + return rc; } @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) } } + rc = tpm2_get_pcr_allocation(chip); + out: if (rc > 0) rc = -ENODEV; diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h index 1660d74..b5ae372 100644 --- a/drivers/char/tpm/tpm_eventlog.h +++ b/drivers/char/tpm/tpm_eventlog.h @@ -2,6 +2,8 @@ #ifndef __TPM_EVENTLOG_H__ #define __TPM_EVENTLOG_H__ +#include <crypto/hash_info.h> + #define TCG_EVENT_NAME_LEN_MAX 255 #define MAX_TEXT_EVENT 1000 /* Max event string length */ #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { HOST_TABLE_OF_DEVICES, }; +struct tpm2_digest { + u16 alg_id; + u8 digest[SHA512_DIGEST_SIZE]; +} __packed; + #if defined(CONFIG_ACPI) int tpm_read_log_acpi(struct tpm_chip *chip); #else -- 2.5.0 ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-20 17:05 ` Nayna Jain 0 siblings, 0 replies; 32+ messages in thread From: Nayna Jain @ 2017-01-20 17:05 UTC (permalink / raw) To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA The current TPM 2.0 device driver extends only the SHA1 PCR bank but the TCG Specification[1] recommends extending all active PCR banks, to prevent malicious users from setting unused PCR banks with fake measurements and quoting them. The existing in-kernel interface(tpm_pcr_extend()) expects only a SHA1 digest. To extend all active PCR banks with differing digest sizes, the SHA1 digest is padded with trailing 0's as needed. This patch reuses the defined digest sizes from the crypto subsystem, adding a dependency on CRYPTO_HASH_INFO module. [1] TPM 2.0 Specification referred here is "TCG PC Client Specific Platform Firmware Profile for TPM 2.0" Signed-off-by: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org> --- drivers/char/tpm/Kconfig | 1 + drivers/char/tpm/tpm-interface.c | 15 ++++++- drivers/char/tpm/tpm.h | 3 +- drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- drivers/char/tpm/tpm_eventlog.h | 7 ++++ 5 files changed, 73 insertions(+), 44 deletions(-) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 277186d..af985cc 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -6,6 +6,7 @@ menuconfig TCG_TPM tristate "TPM Hardware Support" depends on HAS_IOMEM select SECURITYFS + select CRYPTO_HASH_INFO ---help--- If you have a TPM security chip in your system, which implements the Trusted Computing Group's specification, diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index a3461cb..cf959c3 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) struct tpm_cmd_t cmd; int rc; struct tpm_chip *chip; + int max_active_banks = ARRAY_SIZE(chip->active_banks); + struct tpm2_digest digest_list[max_active_banks]; + u32 count = 0; + int i; chip = tpm_chip_find_get(chip_num); if (chip == NULL) return -ENODEV; if (chip->flags & TPM_CHIP_FLAG_TPM2) { - rc = tpm2_pcr_extend(chip, pcr_idx, hash); + memset(digest_list, 0, sizeof(digest_list)); + + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && + (i < max_active_banks); i++) { + digest_list[i].alg_id = chip->active_banks[i]; + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); + count++; + } + + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); tpm_put_ops(chip); return rc; } diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index c291f19..07a0677 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) #endif int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, + struct tpm2_digest *digests); int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); int tpm2_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 0e000a3..d78adb8 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { u8 digest[TPM_DIGEST_SIZE]; } __packed; -struct tpm2_null_auth_area { - __be32 handle; - __be16 nonce_size; - u8 attributes; - __be16 auth_size; -} __packed; - -struct tpm2_pcr_extend_in { - __be32 pcr_idx; - __be32 auth_area_size; - struct tpm2_null_auth_area auth_area; - __be32 digest_cnt; - __be16 hash_alg; - u8 digest[TPM_DIGEST_SIZE]; -} __packed; - struct tpm2_get_tpm_pt_in { __be32 cap_id; __be32 property_id; @@ -97,7 +81,6 @@ union tpm2_cmd_params { struct tpm2_self_test_in selftest_in; struct tpm2_pcr_read_in pcrread_in; struct tpm2_pcr_read_out pcrread_out; - struct tpm2_pcr_extend_in pcrextend_in; struct tpm2_get_tpm_pt_in get_tpm_pt_in; struct tpm2_get_tpm_pt_out get_tpm_pt_out; struct tpm2_get_random_in getrandom_in; @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) return rc; } -#define TPM2_GET_PCREXTEND_IN_SIZE \ - (sizeof(struct tpm_input_header) + \ - sizeof(struct tpm2_pcr_extend_in)) - -static const struct tpm_input_header tpm2_pcrextend_header = { - .tag = cpu_to_be16(TPM2_ST_SESSIONS), - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) -}; +struct tpm2_null_auth_area { + __be32 handle; + __be16 nonce_size; + u8 attributes; + __be16 auth_size; +} __packed; /** * tpm2_pcr_extend() - extend a PCR value * * @chip: TPM chip to use. * @pcr_idx: index of the PCR. - * @hash: hash value to use for the extend operation. + * @count: number of digests passed. + * @digests: list of pcr banks and corresponding digest values to extend. * * Return: Same as with tpm_transmit_cmd. */ -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, + struct tpm2_digest *digests) { - struct tpm2_cmd cmd; + struct tpm_buf buf; + struct tpm2_null_auth_area auth_area; int rc; + int i; + int j; + + if (count > ARRAY_SIZE(chip->active_banks)) + return -EINVAL; - cmd.header.in = tpm2_pcrextend_header; - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); - cmd.params.pcrextend_in.auth_area_size = - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); - cmd.params.pcrextend_in.auth_area.handle = - cpu_to_be32(TPM2_RS_PW); - cmd.params.pcrextend_in.auth_area.nonce_size = 0; - cmd.params.pcrextend_in.auth_area.attributes = 0; - cmd.params.pcrextend_in.auth_area.auth_size = 0; - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); + if (rc) + return rc; - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, + tpm_buf_append_u32(&buf, pcr_idx); + + auth_area.handle = cpu_to_be32(TPM2_RS_PW); + auth_area.nonce_size = 0; + auth_area.attributes = 0; + auth_area.auth_size = 0; + + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); + tpm_buf_append(&buf, (const unsigned char *)&auth_area, + sizeof(auth_area)); + tpm_buf_append_u32(&buf, count); + + for (i = 0; i < count; i++) { + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) + continue; + + tpm_buf_append_u16(&buf, digests[i].alg_id); + tpm_buf_append(&buf, (const unsigned char + *)&digests[i].digest, + hash_digest_size[tpm2_hash_map[j].crypto_id]); + } + } + + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, "attempting extend a PCR value"); + tpm_buf_destroy(&buf); + return rc; } @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) } } + rc = tpm2_get_pcr_allocation(chip); + out: if (rc > 0) rc = -ENODEV; diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h index 1660d74..b5ae372 100644 --- a/drivers/char/tpm/tpm_eventlog.h +++ b/drivers/char/tpm/tpm_eventlog.h @@ -2,6 +2,8 @@ #ifndef __TPM_EVENTLOG_H__ #define __TPM_EVENTLOG_H__ +#include <crypto/hash_info.h> + #define TCG_EVENT_NAME_LEN_MAX 255 #define MAX_TEXT_EVENT 1000 /* Max event string length */ #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { HOST_TABLE_OF_DEVICES, }; +struct tpm2_digest { + u16 alg_id; + u8 digest[SHA512_DIGEST_SIZE]; +} __packed; + #if defined(CONFIG_ACPI) int tpm_read_log_acpi(struct tpm_chip *chip); #else -- 2.5.0 ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply related [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-23 15:19 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-23 15:19 UTC (permalink / raw) To: Nayna Jain Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: > The current TPM 2.0 device driver extends only the SHA1 PCR bank > but the TCG Specification[1] recommends extending all active PCR > banks, to prevent malicious users from setting unused PCR banks with > fake measurements and quoting them. > > The existing in-kernel interface(tpm_pcr_extend()) expects only a > SHA1 digest. To extend all active PCR banks with differing > digest sizes, the SHA1 digest is padded with trailing 0's as needed. > > This patch reuses the defined digest sizes from the crypto subsystem, > adding a dependency on CRYPTO_HASH_INFO module. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 ++++++- > drivers/char/tpm/tpm.h | 3 +- > drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- > drivers/char/tpm/tpm_eventlog.h | 7 ++++ > 5 files changed, 73 insertions(+), 44 deletions(-) > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > index 277186d..af985cc 100644 > --- a/drivers/char/tpm/Kconfig > +++ b/drivers/char/tpm/Kconfig > @@ -6,6 +6,7 @@ menuconfig TCG_TPM > tristate "TPM Hardware Support" > depends on HAS_IOMEM > select SECURITYFS > + select CRYPTO_HASH_INFO > ---help--- > If you have a TPM security chip in your system, which > implements the Trusted Computing Group's specification, > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > index a3461cb..cf959c3 100644 > --- a/drivers/char/tpm/tpm-interface.c > +++ b/drivers/char/tpm/tpm-interface.c > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) > struct tpm_cmd_t cmd; > int rc; > struct tpm_chip *chip; > + int max_active_banks = ARRAY_SIZE(chip->active_banks); > + struct tpm2_digest digest_list[max_active_banks]; > + u32 count = 0; > + int i; > > chip = tpm_chip_find_get(chip_num); > if (chip == NULL) > return -ENODEV; > > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > - rc = tpm2_pcr_extend(chip, pcr_idx, hash); > + memset(digest_list, 0, sizeof(digest_list)); > + > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && > + (i < max_active_banks); i++) { > + digest_list[i].alg_id = chip->active_banks[i]; > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); > + count++; > + } > + > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); > tpm_put_ops(chip); > return rc; > } > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index c291f19..07a0677 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) > #endif > > int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > + struct tpm2_digest *digests); > int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); > int tpm2_seal_trusted(struct tpm_chip *chip, > struct trusted_key_payload *payload, > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 0e000a3..d78adb8 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { > u8 digest[TPM_DIGEST_SIZE]; > } __packed; > > -struct tpm2_null_auth_area { > - __be32 handle; > - __be16 nonce_size; > - u8 attributes; > - __be16 auth_size; > -} __packed; > - > -struct tpm2_pcr_extend_in { > - __be32 pcr_idx; > - __be32 auth_area_size; > - struct tpm2_null_auth_area auth_area; > - __be32 digest_cnt; > - __be16 hash_alg; > - u8 digest[TPM_DIGEST_SIZE]; > -} __packed; > - > struct tpm2_get_tpm_pt_in { > __be32 cap_id; > __be32 property_id; > @@ -97,7 +81,6 @@ union tpm2_cmd_params { > struct tpm2_self_test_in selftest_in; > struct tpm2_pcr_read_in pcrread_in; > struct tpm2_pcr_read_out pcrread_out; > - struct tpm2_pcr_extend_in pcrextend_in; > struct tpm2_get_tpm_pt_in get_tpm_pt_in; > struct tpm2_get_tpm_pt_out get_tpm_pt_out; > struct tpm2_get_random_in getrandom_in; > @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) > return rc; > } > > -#define TPM2_GET_PCREXTEND_IN_SIZE \ > - (sizeof(struct tpm_input_header) + \ > - sizeof(struct tpm2_pcr_extend_in)) > - > -static const struct tpm_input_header tpm2_pcrextend_header = { > - .tag = cpu_to_be16(TPM2_ST_SESSIONS), > - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), > - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) > -}; > +struct tpm2_null_auth_area { > + __be32 handle; > + __be16 nonce_size; > + u8 attributes; > + __be16 auth_size; > +} __packed; > > /** > * tpm2_pcr_extend() - extend a PCR value > * > * @chip: TPM chip to use. > * @pcr_idx: index of the PCR. > - * @hash: hash value to use for the extend operation. > + * @count: number of digests passed. > + * @digests: list of pcr banks and corresponding digest values to extend. > * > * Return: Same as with tpm_transmit_cmd. > */ > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > + struct tpm2_digest *digests) > { > - struct tpm2_cmd cmd; > + struct tpm_buf buf; > + struct tpm2_null_auth_area auth_area; > int rc; > + int i; > + int j; > + > + if (count > ARRAY_SIZE(chip->active_banks)) > + return -EINVAL; > > - cmd.header.in = tpm2_pcrextend_header; > - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); > - cmd.params.pcrextend_in.auth_area_size = > - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); > - cmd.params.pcrextend_in.auth_area.handle = > - cpu_to_be32(TPM2_RS_PW); > - cmd.params.pcrextend_in.auth_area.nonce_size = 0; > - cmd.params.pcrextend_in.auth_area.attributes = 0; > - cmd.params.pcrextend_in.auth_area.auth_size = 0; > - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); > - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); > - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > + if (rc) > + return rc; > > - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > + tpm_buf_append_u32(&buf, pcr_idx); > + > + auth_area.handle = cpu_to_be32(TPM2_RS_PW); > + auth_area.nonce_size = 0; > + auth_area.attributes = 0; > + auth_area.auth_size = 0; > + > + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > + tpm_buf_append(&buf, (const unsigned char *)&auth_area, > + sizeof(auth_area)); > + tpm_buf_append_u32(&buf, count); > + > + for (i = 0; i < count; i++) { > + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { > + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) > + continue; > + > + tpm_buf_append_u16(&buf, digests[i].alg_id); > + tpm_buf_append(&buf, (const unsigned char > + *)&digests[i].digest, > + hash_digest_size[tpm2_hash_map[j].crypto_id]); > + } > + } > + > + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, > "attempting extend a PCR value"); > > + tpm_buf_destroy(&buf); > + > return rc; > } > > @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) > } > } > > + rc = tpm2_get_pcr_allocation(chip); > + > out: > if (rc > 0) > rc = -ENODEV; > diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h > index 1660d74..b5ae372 100644 > --- a/drivers/char/tpm/tpm_eventlog.h > +++ b/drivers/char/tpm/tpm_eventlog.h > @@ -2,6 +2,8 @@ > #ifndef __TPM_EVENTLOG_H__ > #define __TPM_EVENTLOG_H__ > > +#include <crypto/hash_info.h> > + > #define TCG_EVENT_NAME_LEN_MAX 255 > #define MAX_TEXT_EVENT 1000 /* Max event string length */ > #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ > @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { > HOST_TABLE_OF_DEVICES, > }; > > +struct tpm2_digest { > + u16 alg_id; > + u8 digest[SHA512_DIGEST_SIZE]; > +} __packed; Shouldn't this be in tpm.h? /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-23 15:19 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-23 15:19 UTC (permalink / raw) To: Nayna Jain Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: > The current TPM 2.0 device driver extends only the SHA1 PCR bank > but the TCG Specification[1] recommends extending all active PCR > banks, to prevent malicious users from setting unused PCR banks with > fake measurements and quoting them. > > The existing in-kernel interface(tpm_pcr_extend()) expects only a > SHA1 digest. To extend all active PCR banks with differing > digest sizes, the SHA1 digest is padded with trailing 0's as needed. > > This patch reuses the defined digest sizes from the crypto subsystem, > adding a dependency on CRYPTO_HASH_INFO module. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" > > Signed-off-by: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org> > --- > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 ++++++- > drivers/char/tpm/tpm.h | 3 +- > drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- > drivers/char/tpm/tpm_eventlog.h | 7 ++++ > 5 files changed, 73 insertions(+), 44 deletions(-) > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > index 277186d..af985cc 100644 > --- a/drivers/char/tpm/Kconfig > +++ b/drivers/char/tpm/Kconfig > @@ -6,6 +6,7 @@ menuconfig TCG_TPM > tristate "TPM Hardware Support" > depends on HAS_IOMEM > select SECURITYFS > + select CRYPTO_HASH_INFO > ---help--- > If you have a TPM security chip in your system, which > implements the Trusted Computing Group's specification, > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > index a3461cb..cf959c3 100644 > --- a/drivers/char/tpm/tpm-interface.c > +++ b/drivers/char/tpm/tpm-interface.c > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) > struct tpm_cmd_t cmd; > int rc; > struct tpm_chip *chip; > + int max_active_banks = ARRAY_SIZE(chip->active_banks); > + struct tpm2_digest digest_list[max_active_banks]; > + u32 count = 0; > + int i; > > chip = tpm_chip_find_get(chip_num); > if (chip == NULL) > return -ENODEV; > > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > - rc = tpm2_pcr_extend(chip, pcr_idx, hash); > + memset(digest_list, 0, sizeof(digest_list)); > + > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && > + (i < max_active_banks); i++) { > + digest_list[i].alg_id = chip->active_banks[i]; > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); > + count++; > + } > + > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); > tpm_put_ops(chip); > return rc; > } > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index c291f19..07a0677 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) > #endif > > int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > + struct tpm2_digest *digests); > int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); > int tpm2_seal_trusted(struct tpm_chip *chip, > struct trusted_key_payload *payload, > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 0e000a3..d78adb8 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { > u8 digest[TPM_DIGEST_SIZE]; > } __packed; > > -struct tpm2_null_auth_area { > - __be32 handle; > - __be16 nonce_size; > - u8 attributes; > - __be16 auth_size; > -} __packed; > - > -struct tpm2_pcr_extend_in { > - __be32 pcr_idx; > - __be32 auth_area_size; > - struct tpm2_null_auth_area auth_area; > - __be32 digest_cnt; > - __be16 hash_alg; > - u8 digest[TPM_DIGEST_SIZE]; > -} __packed; > - > struct tpm2_get_tpm_pt_in { > __be32 cap_id; > __be32 property_id; > @@ -97,7 +81,6 @@ union tpm2_cmd_params { > struct tpm2_self_test_in selftest_in; > struct tpm2_pcr_read_in pcrread_in; > struct tpm2_pcr_read_out pcrread_out; > - struct tpm2_pcr_extend_in pcrextend_in; > struct tpm2_get_tpm_pt_in get_tpm_pt_in; > struct tpm2_get_tpm_pt_out get_tpm_pt_out; > struct tpm2_get_random_in getrandom_in; > @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) > return rc; > } > > -#define TPM2_GET_PCREXTEND_IN_SIZE \ > - (sizeof(struct tpm_input_header) + \ > - sizeof(struct tpm2_pcr_extend_in)) > - > -static const struct tpm_input_header tpm2_pcrextend_header = { > - .tag = cpu_to_be16(TPM2_ST_SESSIONS), > - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), > - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) > -}; > +struct tpm2_null_auth_area { > + __be32 handle; > + __be16 nonce_size; > + u8 attributes; > + __be16 auth_size; > +} __packed; > > /** > * tpm2_pcr_extend() - extend a PCR value > * > * @chip: TPM chip to use. > * @pcr_idx: index of the PCR. > - * @hash: hash value to use for the extend operation. > + * @count: number of digests passed. > + * @digests: list of pcr banks and corresponding digest values to extend. > * > * Return: Same as with tpm_transmit_cmd. > */ > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > + struct tpm2_digest *digests) > { > - struct tpm2_cmd cmd; > + struct tpm_buf buf; > + struct tpm2_null_auth_area auth_area; > int rc; > + int i; > + int j; > + > + if (count > ARRAY_SIZE(chip->active_banks)) > + return -EINVAL; > > - cmd.header.in = tpm2_pcrextend_header; > - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); > - cmd.params.pcrextend_in.auth_area_size = > - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); > - cmd.params.pcrextend_in.auth_area.handle = > - cpu_to_be32(TPM2_RS_PW); > - cmd.params.pcrextend_in.auth_area.nonce_size = 0; > - cmd.params.pcrextend_in.auth_area.attributes = 0; > - cmd.params.pcrextend_in.auth_area.auth_size = 0; > - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); > - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); > - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > + if (rc) > + return rc; > > - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > + tpm_buf_append_u32(&buf, pcr_idx); > + > + auth_area.handle = cpu_to_be32(TPM2_RS_PW); > + auth_area.nonce_size = 0; > + auth_area.attributes = 0; > + auth_area.auth_size = 0; > + > + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > + tpm_buf_append(&buf, (const unsigned char *)&auth_area, > + sizeof(auth_area)); > + tpm_buf_append_u32(&buf, count); > + > + for (i = 0; i < count; i++) { > + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { > + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) > + continue; > + > + tpm_buf_append_u16(&buf, digests[i].alg_id); > + tpm_buf_append(&buf, (const unsigned char > + *)&digests[i].digest, > + hash_digest_size[tpm2_hash_map[j].crypto_id]); > + } > + } > + > + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, > "attempting extend a PCR value"); > > + tpm_buf_destroy(&buf); > + > return rc; > } > > @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) > } > } > > + rc = tpm2_get_pcr_allocation(chip); > + > out: > if (rc > 0) > rc = -ENODEV; > diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h > index 1660d74..b5ae372 100644 > --- a/drivers/char/tpm/tpm_eventlog.h > +++ b/drivers/char/tpm/tpm_eventlog.h > @@ -2,6 +2,8 @@ > #ifndef __TPM_EVENTLOG_H__ > #define __TPM_EVENTLOG_H__ > > +#include <crypto/hash_info.h> > + > #define TCG_EVENT_NAME_LEN_MAX 255 > #define MAX_TEXT_EVENT 1000 /* Max event string length */ > #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ > @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { > HOST_TABLE_OF_DEVICES, > }; > > +struct tpm2_digest { > + u16 alg_id; > + u8 digest[SHA512_DIGEST_SIZE]; > +} __packed; Shouldn't this be in tpm.h? /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks 2017-01-23 15:19 ` Jarkko Sakkinen (?) @ 2017-01-23 16:41 ` Nayna 2017-01-24 11:59 ` Jarkko Sakkinen -1 siblings, 1 reply; 32+ messages in thread From: Nayna @ 2017-01-23 16:41 UTC (permalink / raw) To: Jarkko Sakkinen Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: >> The current TPM 2.0 device driver extends only the SHA1 PCR bank >> but the TCG Specification[1] recommends extending all active PCR >> banks, to prevent malicious users from setting unused PCR banks with >> fake measurements and quoting them. >> >> The existing in-kernel interface(tpm_pcr_extend()) expects only a >> SHA1 digest. To extend all active PCR banks with differing >> digest sizes, the SHA1 digest is padded with trailing 0's as needed. >> >> This patch reuses the defined digest sizes from the crypto subsystem, >> adding a dependency on CRYPTO_HASH_INFO module. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" >> >> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> >> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> >> --- >> drivers/char/tpm/Kconfig | 1 + >> drivers/char/tpm/tpm-interface.c | 15 ++++++- >> drivers/char/tpm/tpm.h | 3 +- >> drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- >> drivers/char/tpm/tpm_eventlog.h | 7 ++++ >> 5 files changed, 73 insertions(+), 44 deletions(-) >> >> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig >> index 277186d..af985cc 100644 >> --- a/drivers/char/tpm/Kconfig >> +++ b/drivers/char/tpm/Kconfig >> @@ -6,6 +6,7 @@ menuconfig TCG_TPM >> tristate "TPM Hardware Support" >> depends on HAS_IOMEM >> select SECURITYFS >> + select CRYPTO_HASH_INFO >> ---help--- >> If you have a TPM security chip in your system, which >> implements the Trusted Computing Group's specification, >> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c >> index a3461cb..cf959c3 100644 >> --- a/drivers/char/tpm/tpm-interface.c >> +++ b/drivers/char/tpm/tpm-interface.c >> @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) >> struct tpm_cmd_t cmd; >> int rc; >> struct tpm_chip *chip; >> + int max_active_banks = ARRAY_SIZE(chip->active_banks); >> + struct tpm2_digest digest_list[max_active_banks]; >> + u32 count = 0; >> + int i; >> >> chip = tpm_chip_find_get(chip_num); >> if (chip == NULL) >> return -ENODEV; >> >> if (chip->flags & TPM_CHIP_FLAG_TPM2) { >> - rc = tpm2_pcr_extend(chip, pcr_idx, hash); >> + memset(digest_list, 0, sizeof(digest_list)); >> + >> + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && >> + (i < max_active_banks); i++) { >> + digest_list[i].alg_id = chip->active_banks[i]; >> + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); >> + count++; >> + } >> + >> + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); >> tpm_put_ops(chip); >> return rc; >> } >> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h >> index c291f19..07a0677 100644 >> --- a/drivers/char/tpm/tpm.h >> +++ b/drivers/char/tpm/tpm.h >> @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) >> #endif >> >> int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); >> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); >> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >> + struct tpm2_digest *digests); >> int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); >> int tpm2_seal_trusted(struct tpm_chip *chip, >> struct trusted_key_payload *payload, >> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c >> index 0e000a3..d78adb8 100644 >> --- a/drivers/char/tpm/tpm2-cmd.c >> +++ b/drivers/char/tpm/tpm2-cmd.c >> @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { >> u8 digest[TPM_DIGEST_SIZE]; >> } __packed; >> >> -struct tpm2_null_auth_area { >> - __be32 handle; >> - __be16 nonce_size; >> - u8 attributes; >> - __be16 auth_size; >> -} __packed; >> - >> -struct tpm2_pcr_extend_in { >> - __be32 pcr_idx; >> - __be32 auth_area_size; >> - struct tpm2_null_auth_area auth_area; >> - __be32 digest_cnt; >> - __be16 hash_alg; >> - u8 digest[TPM_DIGEST_SIZE]; >> -} __packed; >> - >> struct tpm2_get_tpm_pt_in { >> __be32 cap_id; >> __be32 property_id; >> @@ -97,7 +81,6 @@ union tpm2_cmd_params { >> struct tpm2_self_test_in selftest_in; >> struct tpm2_pcr_read_in pcrread_in; >> struct tpm2_pcr_read_out pcrread_out; >> - struct tpm2_pcr_extend_in pcrextend_in; >> struct tpm2_get_tpm_pt_in get_tpm_pt_in; >> struct tpm2_get_tpm_pt_out get_tpm_pt_out; >> struct tpm2_get_random_in getrandom_in; >> @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) >> return rc; >> } >> >> -#define TPM2_GET_PCREXTEND_IN_SIZE \ >> - (sizeof(struct tpm_input_header) + \ >> - sizeof(struct tpm2_pcr_extend_in)) >> - >> -static const struct tpm_input_header tpm2_pcrextend_header = { >> - .tag = cpu_to_be16(TPM2_ST_SESSIONS), >> - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), >> - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) >> -}; >> +struct tpm2_null_auth_area { >> + __be32 handle; >> + __be16 nonce_size; >> + u8 attributes; >> + __be16 auth_size; >> +} __packed; >> >> /** >> * tpm2_pcr_extend() - extend a PCR value >> * >> * @chip: TPM chip to use. >> * @pcr_idx: index of the PCR. >> - * @hash: hash value to use for the extend operation. >> + * @count: number of digests passed. >> + * @digests: list of pcr banks and corresponding digest values to extend. >> * >> * Return: Same as with tpm_transmit_cmd. >> */ >> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) >> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >> + struct tpm2_digest *digests) >> { >> - struct tpm2_cmd cmd; >> + struct tpm_buf buf; >> + struct tpm2_null_auth_area auth_area; >> int rc; >> + int i; >> + int j; >> + >> + if (count > ARRAY_SIZE(chip->active_banks)) >> + return -EINVAL; >> >> - cmd.header.in = tpm2_pcrextend_header; >> - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); >> - cmd.params.pcrextend_in.auth_area_size = >> - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); >> - cmd.params.pcrextend_in.auth_area.handle = >> - cpu_to_be32(TPM2_RS_PW); >> - cmd.params.pcrextend_in.auth_area.nonce_size = 0; >> - cmd.params.pcrextend_in.auth_area.attributes = 0; >> - cmd.params.pcrextend_in.auth_area.auth_size = 0; >> - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); >> - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); >> - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); >> + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); >> + if (rc) >> + return rc; >> >> - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, >> + tpm_buf_append_u32(&buf, pcr_idx); >> + >> + auth_area.handle = cpu_to_be32(TPM2_RS_PW); >> + auth_area.nonce_size = 0; >> + auth_area.attributes = 0; >> + auth_area.auth_size = 0; >> + >> + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); >> + tpm_buf_append(&buf, (const unsigned char *)&auth_area, >> + sizeof(auth_area)); >> + tpm_buf_append_u32(&buf, count); >> + >> + for (i = 0; i < count; i++) { >> + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { >> + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) >> + continue; >> + >> + tpm_buf_append_u16(&buf, digests[i].alg_id); >> + tpm_buf_append(&buf, (const unsigned char >> + *)&digests[i].digest, >> + hash_digest_size[tpm2_hash_map[j].crypto_id]); >> + } >> + } >> + >> + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, >> "attempting extend a PCR value"); >> >> + tpm_buf_destroy(&buf); >> + >> return rc; >> } >> >> @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) >> } >> } >> >> + rc = tpm2_get_pcr_allocation(chip); >> + >> out: >> if (rc > 0) >> rc = -ENODEV; >> diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h >> index 1660d74..b5ae372 100644 >> --- a/drivers/char/tpm/tpm_eventlog.h >> +++ b/drivers/char/tpm/tpm_eventlog.h >> @@ -2,6 +2,8 @@ >> #ifndef __TPM_EVENTLOG_H__ >> #define __TPM_EVENTLOG_H__ >> >> +#include <crypto/hash_info.h> >> + >> #define TCG_EVENT_NAME_LEN_MAX 255 >> #define MAX_TEXT_EVENT 1000 /* Max event string length */ >> #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ >> @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { >> HOST_TABLE_OF_DEVICES, >> }; >> >> +struct tpm2_digest { >> + u16 alg_id; >> + u8 digest[SHA512_DIGEST_SIZE]; >> +} __packed; > > Shouldn't this be in tpm.h? This is a struct common for TPM 2.0 extend and eventlog structure i.e struct tcg_pcr_event2. And so I preferred to place it here. Thanks & Regards, - Nayna > > /Jarkko > ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks 2017-01-23 16:41 ` Nayna @ 2017-01-24 11:59 ` Jarkko Sakkinen 2017-01-24 13:04 ` Nayna 0 siblings, 1 reply; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-24 11:59 UTC (permalink / raw) To: Nayna Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote: > > > On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: > > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: > > > The current TPM 2.0 device driver extends only the SHA1 PCR bank > > > but the TCG Specification[1] recommends extending all active PCR > > > banks, to prevent malicious users from setting unused PCR banks with > > > fake measurements and quoting them. > > > > > > The existing in-kernel interface(tpm_pcr_extend()) expects only a > > > SHA1 digest. To extend all active PCR banks with differing > > > digest sizes, the SHA1 digest is padded with trailing 0's as needed. > > > > > > This patch reuses the defined digest sizes from the crypto subsystem, > > > adding a dependency on CRYPTO_HASH_INFO module. > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > Platform Firmware Profile for TPM 2.0" > > > > > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> > > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > > --- > > > drivers/char/tpm/Kconfig | 1 + > > > drivers/char/tpm/tpm-interface.c | 15 ++++++- > > > drivers/char/tpm/tpm.h | 3 +- > > > drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- > > > drivers/char/tpm/tpm_eventlog.h | 7 ++++ > > > 5 files changed, 73 insertions(+), 44 deletions(-) > > > > > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > > > index 277186d..af985cc 100644 > > > --- a/drivers/char/tpm/Kconfig > > > +++ b/drivers/char/tpm/Kconfig > > > @@ -6,6 +6,7 @@ menuconfig TCG_TPM > > > tristate "TPM Hardware Support" > > > depends on HAS_IOMEM > > > select SECURITYFS > > > + select CRYPTO_HASH_INFO > > > ---help--- > > > If you have a TPM security chip in your system, which > > > implements the Trusted Computing Group's specification, > > > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > > > index a3461cb..cf959c3 100644 > > > --- a/drivers/char/tpm/tpm-interface.c > > > +++ b/drivers/char/tpm/tpm-interface.c > > > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) > > > struct tpm_cmd_t cmd; > > > int rc; > > > struct tpm_chip *chip; > > > + int max_active_banks = ARRAY_SIZE(chip->active_banks); > > > + struct tpm2_digest digest_list[max_active_banks]; > > > + u32 count = 0; > > > + int i; > > > > > > chip = tpm_chip_find_get(chip_num); > > > if (chip == NULL) > > > return -ENODEV; > > > > > > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > > > - rc = tpm2_pcr_extend(chip, pcr_idx, hash); > > > + memset(digest_list, 0, sizeof(digest_list)); > > > + > > > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && > > > + (i < max_active_banks); i++) { > > > + digest_list[i].alg_id = chip->active_banks[i]; > > > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); > > > + count++; > > > + } > > > + > > > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); > > > tpm_put_ops(chip); > > > return rc; > > > } > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > > > index c291f19..07a0677 100644 > > > --- a/drivers/char/tpm/tpm.h > > > +++ b/drivers/char/tpm/tpm.h > > > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) > > > #endif > > > > > > int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > + struct tpm2_digest *digests); > > > int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); > > > int tpm2_seal_trusted(struct tpm_chip *chip, > > > struct trusted_key_payload *payload, > > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > > > index 0e000a3..d78adb8 100644 > > > --- a/drivers/char/tpm/tpm2-cmd.c > > > +++ b/drivers/char/tpm/tpm2-cmd.c > > > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { > > > u8 digest[TPM_DIGEST_SIZE]; > > > } __packed; > > > > > > -struct tpm2_null_auth_area { > > > - __be32 handle; > > > - __be16 nonce_size; > > > - u8 attributes; > > > - __be16 auth_size; > > > -} __packed; > > > - > > > -struct tpm2_pcr_extend_in { > > > - __be32 pcr_idx; > > > - __be32 auth_area_size; > > > - struct tpm2_null_auth_area auth_area; > > > - __be32 digest_cnt; > > > - __be16 hash_alg; > > > - u8 digest[TPM_DIGEST_SIZE]; > > > -} __packed; > > > - > > > struct tpm2_get_tpm_pt_in { > > > __be32 cap_id; > > > __be32 property_id; > > > @@ -97,7 +81,6 @@ union tpm2_cmd_params { > > > struct tpm2_self_test_in selftest_in; > > > struct tpm2_pcr_read_in pcrread_in; > > > struct tpm2_pcr_read_out pcrread_out; > > > - struct tpm2_pcr_extend_in pcrextend_in; > > > struct tpm2_get_tpm_pt_in get_tpm_pt_in; > > > struct tpm2_get_tpm_pt_out get_tpm_pt_out; > > > struct tpm2_get_random_in getrandom_in; > > > @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) > > > return rc; > > > } > > > > > > -#define TPM2_GET_PCREXTEND_IN_SIZE \ > > > - (sizeof(struct tpm_input_header) + \ > > > - sizeof(struct tpm2_pcr_extend_in)) > > > - > > > -static const struct tpm_input_header tpm2_pcrextend_header = { > > > - .tag = cpu_to_be16(TPM2_ST_SESSIONS), > > > - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), > > > - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) > > > -}; > > > +struct tpm2_null_auth_area { > > > + __be32 handle; > > > + __be16 nonce_size; > > > + u8 attributes; > > > + __be16 auth_size; > > > +} __packed; > > > > > > /** > > > * tpm2_pcr_extend() - extend a PCR value > > > * > > > * @chip: TPM chip to use. > > > * @pcr_idx: index of the PCR. > > > - * @hash: hash value to use for the extend operation. > > > + * @count: number of digests passed. > > > + * @digests: list of pcr banks and corresponding digest values to extend. > > > * > > > * Return: Same as with tpm_transmit_cmd. > > > */ > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > + struct tpm2_digest *digests) > > > { > > > - struct tpm2_cmd cmd; > > > + struct tpm_buf buf; > > > + struct tpm2_null_auth_area auth_area; > > > int rc; > > > + int i; > > > + int j; > > > + > > > + if (count > ARRAY_SIZE(chip->active_banks)) > > > + return -EINVAL; > > > > > > - cmd.header.in = tpm2_pcrextend_header; > > > - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); > > > - cmd.params.pcrextend_in.auth_area_size = > > > - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); > > > - cmd.params.pcrextend_in.auth_area.handle = > > > - cpu_to_be32(TPM2_RS_PW); > > > - cmd.params.pcrextend_in.auth_area.nonce_size = 0; > > > - cmd.params.pcrextend_in.auth_area.attributes = 0; > > > - cmd.params.pcrextend_in.auth_area.auth_size = 0; > > > - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); > > > - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); > > > - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); > > > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > > > + if (rc) > > > + return rc; > > > > > > - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > > > + tpm_buf_append_u32(&buf, pcr_idx); > > > + > > > + auth_area.handle = cpu_to_be32(TPM2_RS_PW); > > > + auth_area.nonce_size = 0; > > > + auth_area.attributes = 0; > > > + auth_area.auth_size = 0; > > > + > > > + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > > > + tpm_buf_append(&buf, (const unsigned char *)&auth_area, > > > + sizeof(auth_area)); > > > + tpm_buf_append_u32(&buf, count); > > > + > > > + for (i = 0; i < count; i++) { > > > + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { > > > + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) > > > + continue; > > > + > > > + tpm_buf_append_u16(&buf, digests[i].alg_id); > > > + tpm_buf_append(&buf, (const unsigned char > > > + *)&digests[i].digest, > > > + hash_digest_size[tpm2_hash_map[j].crypto_id]); > > > + } > > > + } > > > + > > > + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, > > > "attempting extend a PCR value"); > > > > > > + tpm_buf_destroy(&buf); > > > + > > > return rc; > > > } > > > > > > @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) > > > } > > > } > > > > > > + rc = tpm2_get_pcr_allocation(chip); > > > + > > > out: > > > if (rc > 0) > > > rc = -ENODEV; > > > diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h > > > index 1660d74..b5ae372 100644 > > > --- a/drivers/char/tpm/tpm_eventlog.h > > > +++ b/drivers/char/tpm/tpm_eventlog.h > > > @@ -2,6 +2,8 @@ > > > #ifndef __TPM_EVENTLOG_H__ > > > #define __TPM_EVENTLOG_H__ > > > > > > +#include <crypto/hash_info.h> > > > + > > > #define TCG_EVENT_NAME_LEN_MAX 255 > > > #define MAX_TEXT_EVENT 1000 /* Max event string length */ > > > #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ > > > @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { > > > HOST_TABLE_OF_DEVICES, > > > }; > > > > > > +struct tpm2_digest { > > > + u16 alg_id; > > > + u8 digest[SHA512_DIGEST_SIZE]; > > > +} __packed; > > > > Shouldn't this be in tpm.h? > > This is a struct common for TPM 2.0 extend and eventlog structure i.e > struct tcg_pcr_event2. > And so I preferred to place it here. > If it is common, why is it in tpm_eventlog.h and not in tpm.h? > Thanks & Regards, > - Nayna /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-24 13:04 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-24 13:04 UTC (permalink / raw) To: Jarkko Sakkinen Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote: > On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote: >> >> >> On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: >>> On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: >>>> The current TPM 2.0 device driver extends only the SHA1 PCR bank >>>> but the TCG Specification[1] recommends extending all active PCR >>>> banks, to prevent malicious users from setting unused PCR banks with >>>> fake measurements and quoting them. >>>> >>>> The existing in-kernel interface(tpm_pcr_extend()) expects only a >>>> SHA1 digest. To extend all active PCR banks with differing >>>> digest sizes, the SHA1 digest is padded with trailing 0's as needed. >>>> >>>> This patch reuses the defined digest sizes from the crypto subsystem, >>>> adding a dependency on CRYPTO_HASH_INFO module. >>>> >>>> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >>>> Platform Firmware Profile for TPM 2.0" >>>> >>>> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> >>>> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> >>>> --- >>>> drivers/char/tpm/Kconfig | 1 + >>>> drivers/char/tpm/tpm-interface.c | 15 ++++++- >>>> drivers/char/tpm/tpm.h | 3 +- >>>> drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- >>>> drivers/char/tpm/tpm_eventlog.h | 7 ++++ >>>> 5 files changed, 73 insertions(+), 44 deletions(-) >>>> >>>> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig >>>> index 277186d..af985cc 100644 >>>> --- a/drivers/char/tpm/Kconfig >>>> +++ b/drivers/char/tpm/Kconfig >>>> @@ -6,6 +6,7 @@ menuconfig TCG_TPM >>>> tristate "TPM Hardware Support" >>>> depends on HAS_IOMEM >>>> select SECURITYFS >>>> + select CRYPTO_HASH_INFO >>>> ---help--- >>>> If you have a TPM security chip in your system, which >>>> implements the Trusted Computing Group's specification, >>>> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c >>>> index a3461cb..cf959c3 100644 >>>> --- a/drivers/char/tpm/tpm-interface.c >>>> +++ b/drivers/char/tpm/tpm-interface.c >>>> @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) >>>> struct tpm_cmd_t cmd; >>>> int rc; >>>> struct tpm_chip *chip; >>>> + int max_active_banks = ARRAY_SIZE(chip->active_banks); >>>> + struct tpm2_digest digest_list[max_active_banks]; >>>> + u32 count = 0; >>>> + int i; >>>> >>>> chip = tpm_chip_find_get(chip_num); >>>> if (chip == NULL) >>>> return -ENODEV; >>>> >>>> if (chip->flags & TPM_CHIP_FLAG_TPM2) { >>>> - rc = tpm2_pcr_extend(chip, pcr_idx, hash); >>>> + memset(digest_list, 0, sizeof(digest_list)); >>>> + >>>> + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && >>>> + (i < max_active_banks); i++) { >>>> + digest_list[i].alg_id = chip->active_banks[i]; >>>> + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); >>>> + count++; >>>> + } >>>> + >>>> + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); >>>> tpm_put_ops(chip); >>>> return rc; >>>> } >>>> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h >>>> index c291f19..07a0677 100644 >>>> --- a/drivers/char/tpm/tpm.h >>>> +++ b/drivers/char/tpm/tpm.h >>>> @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) >>>> #endif >>>> >>>> int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); >>>> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); >>>> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >>>> + struct tpm2_digest *digests); >>>> int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); >>>> int tpm2_seal_trusted(struct tpm_chip *chip, >>>> struct trusted_key_payload *payload, >>>> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c >>>> index 0e000a3..d78adb8 100644 >>>> --- a/drivers/char/tpm/tpm2-cmd.c >>>> +++ b/drivers/char/tpm/tpm2-cmd.c >>>> @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { >>>> u8 digest[TPM_DIGEST_SIZE]; >>>> } __packed; >>>> >>>> -struct tpm2_null_auth_area { >>>> - __be32 handle; >>>> - __be16 nonce_size; >>>> - u8 attributes; >>>> - __be16 auth_size; >>>> -} __packed; >>>> - >>>> -struct tpm2_pcr_extend_in { >>>> - __be32 pcr_idx; >>>> - __be32 auth_area_size; >>>> - struct tpm2_null_auth_area auth_area; >>>> - __be32 digest_cnt; >>>> - __be16 hash_alg; >>>> - u8 digest[TPM_DIGEST_SIZE]; >>>> -} __packed; >>>> - >>>> struct tpm2_get_tpm_pt_in { >>>> __be32 cap_id; >>>> __be32 property_id; >>>> @@ -97,7 +81,6 @@ union tpm2_cmd_params { >>>> struct tpm2_self_test_in selftest_in; >>>> struct tpm2_pcr_read_in pcrread_in; >>>> struct tpm2_pcr_read_out pcrread_out; >>>> - struct tpm2_pcr_extend_in pcrextend_in; >>>> struct tpm2_get_tpm_pt_in get_tpm_pt_in; >>>> struct tpm2_get_tpm_pt_out get_tpm_pt_out; >>>> struct tpm2_get_random_in getrandom_in; >>>> @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) >>>> return rc; >>>> } >>>> >>>> -#define TPM2_GET_PCREXTEND_IN_SIZE \ >>>> - (sizeof(struct tpm_input_header) + \ >>>> - sizeof(struct tpm2_pcr_extend_in)) >>>> - >>>> -static const struct tpm_input_header tpm2_pcrextend_header = { >>>> - .tag = cpu_to_be16(TPM2_ST_SESSIONS), >>>> - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), >>>> - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) >>>> -}; >>>> +struct tpm2_null_auth_area { >>>> + __be32 handle; >>>> + __be16 nonce_size; >>>> + u8 attributes; >>>> + __be16 auth_size; >>>> +} __packed; >>>> >>>> /** >>>> * tpm2_pcr_extend() - extend a PCR value >>>> * >>>> * @chip: TPM chip to use. >>>> * @pcr_idx: index of the PCR. >>>> - * @hash: hash value to use for the extend operation. >>>> + * @count: number of digests passed. >>>> + * @digests: list of pcr banks and corresponding digest values to extend. >>>> * >>>> * Return: Same as with tpm_transmit_cmd. >>>> */ >>>> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) >>>> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >>>> + struct tpm2_digest *digests) >>>> { >>>> - struct tpm2_cmd cmd; >>>> + struct tpm_buf buf; >>>> + struct tpm2_null_auth_area auth_area; >>>> int rc; >>>> + int i; >>>> + int j; >>>> + >>>> + if (count > ARRAY_SIZE(chip->active_banks)) >>>> + return -EINVAL; >>>> >>>> - cmd.header.in = tpm2_pcrextend_header; >>>> - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); >>>> - cmd.params.pcrextend_in.auth_area_size = >>>> - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); >>>> - cmd.params.pcrextend_in.auth_area.handle = >>>> - cpu_to_be32(TPM2_RS_PW); >>>> - cmd.params.pcrextend_in.auth_area.nonce_size = 0; >>>> - cmd.params.pcrextend_in.auth_area.attributes = 0; >>>> - cmd.params.pcrextend_in.auth_area.auth_size = 0; >>>> - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); >>>> - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); >>>> - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); >>>> + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); >>>> + if (rc) >>>> + return rc; >>>> >>>> - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, >>>> + tpm_buf_append_u32(&buf, pcr_idx); >>>> + >>>> + auth_area.handle = cpu_to_be32(TPM2_RS_PW); >>>> + auth_area.nonce_size = 0; >>>> + auth_area.attributes = 0; >>>> + auth_area.auth_size = 0; >>>> + >>>> + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); >>>> + tpm_buf_append(&buf, (const unsigned char *)&auth_area, >>>> + sizeof(auth_area)); >>>> + tpm_buf_append_u32(&buf, count); >>>> + >>>> + for (i = 0; i < count; i++) { >>>> + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { >>>> + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) >>>> + continue; >>>> + >>>> + tpm_buf_append_u16(&buf, digests[i].alg_id); >>>> + tpm_buf_append(&buf, (const unsigned char >>>> + *)&digests[i].digest, >>>> + hash_digest_size[tpm2_hash_map[j].crypto_id]); >>>> + } >>>> + } >>>> + >>>> + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, >>>> "attempting extend a PCR value"); >>>> >>>> + tpm_buf_destroy(&buf); >>>> + >>>> return rc; >>>> } >>>> >>>> @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) >>>> } >>>> } >>>> >>>> + rc = tpm2_get_pcr_allocation(chip); >>>> + >>>> out: >>>> if (rc > 0) >>>> rc = -ENODEV; >>>> diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h >>>> index 1660d74..b5ae372 100644 >>>> --- a/drivers/char/tpm/tpm_eventlog.h >>>> +++ b/drivers/char/tpm/tpm_eventlog.h >>>> @@ -2,6 +2,8 @@ >>>> #ifndef __TPM_EVENTLOG_H__ >>>> #define __TPM_EVENTLOG_H__ >>>> >>>> +#include <crypto/hash_info.h> >>>> + >>>> #define TCG_EVENT_NAME_LEN_MAX 255 >>>> #define MAX_TEXT_EVENT 1000 /* Max event string length */ >>>> #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ >>>> @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { >>>> HOST_TABLE_OF_DEVICES, >>>> }; >>>> >>>> +struct tpm2_digest { >>>> + u16 alg_id; >>>> + u8 digest[SHA512_DIGEST_SIZE]; >>>> +} __packed; >>> >>> Shouldn't this be in tpm.h? >> >> This is a struct common for TPM 2.0 extend and eventlog structure i.e >> struct tcg_pcr_event2. >> And so I preferred to place it here. >> > > If it is common, why is it in tpm_eventlog.h and not in tpm.h? Hmm, the way I took it was that all event log structs are in tpm_eventlog.h. So, I have defined all structs related to event log into tpm_eventlog.h, including this one. Also, currently, tpm_eventlog.h has no dependency on tpm.h, but tpm.h does include tpm_eventlog.h. Hmm.. is it an issue to have it in tpm_eventlog.h ? Thanks & Regards, - Nayna > >> Thanks & Regards, >> - Nayna > > /Jarkko > ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-24 13:04 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-24 13:04 UTC (permalink / raw) To: Jarkko Sakkinen Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote: > On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote: >> >> >> On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: >>> On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: >>>> The current TPM 2.0 device driver extends only the SHA1 PCR bank >>>> but the TCG Specification[1] recommends extending all active PCR >>>> banks, to prevent malicious users from setting unused PCR banks with >>>> fake measurements and quoting them. >>>> >>>> The existing in-kernel interface(tpm_pcr_extend()) expects only a >>>> SHA1 digest. To extend all active PCR banks with differing >>>> digest sizes, the SHA1 digest is padded with trailing 0's as needed. >>>> >>>> This patch reuses the defined digest sizes from the crypto subsystem, >>>> adding a dependency on CRYPTO_HASH_INFO module. >>>> >>>> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >>>> Platform Firmware Profile for TPM 2.0" >>>> >>>> Signed-off-by: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> >>>> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org> >>>> --- >>>> drivers/char/tpm/Kconfig | 1 + >>>> drivers/char/tpm/tpm-interface.c | 15 ++++++- >>>> drivers/char/tpm/tpm.h | 3 +- >>>> drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- >>>> drivers/char/tpm/tpm_eventlog.h | 7 ++++ >>>> 5 files changed, 73 insertions(+), 44 deletions(-) >>>> >>>> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig >>>> index 277186d..af985cc 100644 >>>> --- a/drivers/char/tpm/Kconfig >>>> +++ b/drivers/char/tpm/Kconfig >>>> @@ -6,6 +6,7 @@ menuconfig TCG_TPM >>>> tristate "TPM Hardware Support" >>>> depends on HAS_IOMEM >>>> select SECURITYFS >>>> + select CRYPTO_HASH_INFO >>>> ---help--- >>>> If you have a TPM security chip in your system, which >>>> implements the Trusted Computing Group's specification, >>>> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c >>>> index a3461cb..cf959c3 100644 >>>> --- a/drivers/char/tpm/tpm-interface.c >>>> +++ b/drivers/char/tpm/tpm-interface.c >>>> @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) >>>> struct tpm_cmd_t cmd; >>>> int rc; >>>> struct tpm_chip *chip; >>>> + int max_active_banks = ARRAY_SIZE(chip->active_banks); >>>> + struct tpm2_digest digest_list[max_active_banks]; >>>> + u32 count = 0; >>>> + int i; >>>> >>>> chip = tpm_chip_find_get(chip_num); >>>> if (chip == NULL) >>>> return -ENODEV; >>>> >>>> if (chip->flags & TPM_CHIP_FLAG_TPM2) { >>>> - rc = tpm2_pcr_extend(chip, pcr_idx, hash); >>>> + memset(digest_list, 0, sizeof(digest_list)); >>>> + >>>> + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && >>>> + (i < max_active_banks); i++) { >>>> + digest_list[i].alg_id = chip->active_banks[i]; >>>> + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); >>>> + count++; >>>> + } >>>> + >>>> + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); >>>> tpm_put_ops(chip); >>>> return rc; >>>> } >>>> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h >>>> index c291f19..07a0677 100644 >>>> --- a/drivers/char/tpm/tpm.h >>>> +++ b/drivers/char/tpm/tpm.h >>>> @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) >>>> #endif >>>> >>>> int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); >>>> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); >>>> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >>>> + struct tpm2_digest *digests); >>>> int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); >>>> int tpm2_seal_trusted(struct tpm_chip *chip, >>>> struct trusted_key_payload *payload, >>>> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c >>>> index 0e000a3..d78adb8 100644 >>>> --- a/drivers/char/tpm/tpm2-cmd.c >>>> +++ b/drivers/char/tpm/tpm2-cmd.c >>>> @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { >>>> u8 digest[TPM_DIGEST_SIZE]; >>>> } __packed; >>>> >>>> -struct tpm2_null_auth_area { >>>> - __be32 handle; >>>> - __be16 nonce_size; >>>> - u8 attributes; >>>> - __be16 auth_size; >>>> -} __packed; >>>> - >>>> -struct tpm2_pcr_extend_in { >>>> - __be32 pcr_idx; >>>> - __be32 auth_area_size; >>>> - struct tpm2_null_auth_area auth_area; >>>> - __be32 digest_cnt; >>>> - __be16 hash_alg; >>>> - u8 digest[TPM_DIGEST_SIZE]; >>>> -} __packed; >>>> - >>>> struct tpm2_get_tpm_pt_in { >>>> __be32 cap_id; >>>> __be32 property_id; >>>> @@ -97,7 +81,6 @@ union tpm2_cmd_params { >>>> struct tpm2_self_test_in selftest_in; >>>> struct tpm2_pcr_read_in pcrread_in; >>>> struct tpm2_pcr_read_out pcrread_out; >>>> - struct tpm2_pcr_extend_in pcrextend_in; >>>> struct tpm2_get_tpm_pt_in get_tpm_pt_in; >>>> struct tpm2_get_tpm_pt_out get_tpm_pt_out; >>>> struct tpm2_get_random_in getrandom_in; >>>> @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) >>>> return rc; >>>> } >>>> >>>> -#define TPM2_GET_PCREXTEND_IN_SIZE \ >>>> - (sizeof(struct tpm_input_header) + \ >>>> - sizeof(struct tpm2_pcr_extend_in)) >>>> - >>>> -static const struct tpm_input_header tpm2_pcrextend_header = { >>>> - .tag = cpu_to_be16(TPM2_ST_SESSIONS), >>>> - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), >>>> - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) >>>> -}; >>>> +struct tpm2_null_auth_area { >>>> + __be32 handle; >>>> + __be16 nonce_size; >>>> + u8 attributes; >>>> + __be16 auth_size; >>>> +} __packed; >>>> >>>> /** >>>> * tpm2_pcr_extend() - extend a PCR value >>>> * >>>> * @chip: TPM chip to use. >>>> * @pcr_idx: index of the PCR. >>>> - * @hash: hash value to use for the extend operation. >>>> + * @count: number of digests passed. >>>> + * @digests: list of pcr banks and corresponding digest values to extend. >>>> * >>>> * Return: Same as with tpm_transmit_cmd. >>>> */ >>>> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) >>>> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, >>>> + struct tpm2_digest *digests) >>>> { >>>> - struct tpm2_cmd cmd; >>>> + struct tpm_buf buf; >>>> + struct tpm2_null_auth_area auth_area; >>>> int rc; >>>> + int i; >>>> + int j; >>>> + >>>> + if (count > ARRAY_SIZE(chip->active_banks)) >>>> + return -EINVAL; >>>> >>>> - cmd.header.in = tpm2_pcrextend_header; >>>> - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); >>>> - cmd.params.pcrextend_in.auth_area_size = >>>> - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); >>>> - cmd.params.pcrextend_in.auth_area.handle = >>>> - cpu_to_be32(TPM2_RS_PW); >>>> - cmd.params.pcrextend_in.auth_area.nonce_size = 0; >>>> - cmd.params.pcrextend_in.auth_area.attributes = 0; >>>> - cmd.params.pcrextend_in.auth_area.auth_size = 0; >>>> - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); >>>> - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); >>>> - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); >>>> + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); >>>> + if (rc) >>>> + return rc; >>>> >>>> - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, >>>> + tpm_buf_append_u32(&buf, pcr_idx); >>>> + >>>> + auth_area.handle = cpu_to_be32(TPM2_RS_PW); >>>> + auth_area.nonce_size = 0; >>>> + auth_area.attributes = 0; >>>> + auth_area.auth_size = 0; >>>> + >>>> + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); >>>> + tpm_buf_append(&buf, (const unsigned char *)&auth_area, >>>> + sizeof(auth_area)); >>>> + tpm_buf_append_u32(&buf, count); >>>> + >>>> + for (i = 0; i < count; i++) { >>>> + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { >>>> + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) >>>> + continue; >>>> + >>>> + tpm_buf_append_u16(&buf, digests[i].alg_id); >>>> + tpm_buf_append(&buf, (const unsigned char >>>> + *)&digests[i].digest, >>>> + hash_digest_size[tpm2_hash_map[j].crypto_id]); >>>> + } >>>> + } >>>> + >>>> + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, >>>> "attempting extend a PCR value"); >>>> >>>> + tpm_buf_destroy(&buf); >>>> + >>>> return rc; >>>> } >>>> >>>> @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) >>>> } >>>> } >>>> >>>> + rc = tpm2_get_pcr_allocation(chip); >>>> + >>>> out: >>>> if (rc > 0) >>>> rc = -ENODEV; >>>> diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h >>>> index 1660d74..b5ae372 100644 >>>> --- a/drivers/char/tpm/tpm_eventlog.h >>>> +++ b/drivers/char/tpm/tpm_eventlog.h >>>> @@ -2,6 +2,8 @@ >>>> #ifndef __TPM_EVENTLOG_H__ >>>> #define __TPM_EVENTLOG_H__ >>>> >>>> +#include <crypto/hash_info.h> >>>> + >>>> #define TCG_EVENT_NAME_LEN_MAX 255 >>>> #define MAX_TEXT_EVENT 1000 /* Max event string length */ >>>> #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ >>>> @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { >>>> HOST_TABLE_OF_DEVICES, >>>> }; >>>> >>>> +struct tpm2_digest { >>>> + u16 alg_id; >>>> + u8 digest[SHA512_DIGEST_SIZE]; >>>> +} __packed; >>> >>> Shouldn't this be in tpm.h? >> >> This is a struct common for TPM 2.0 extend and eventlog structure i.e >> struct tcg_pcr_event2. >> And so I preferred to place it here. >> > > If it is common, why is it in tpm_eventlog.h and not in tpm.h? Hmm, the way I took it was that all event log structs are in tpm_eventlog.h. So, I have defined all structs related to event log into tpm_eventlog.h, including this one. Also, currently, tpm_eventlog.h has no dependency on tpm.h, but tpm.h does include tpm_eventlog.h. Hmm.. is it an issue to have it in tpm_eventlog.h ? Thanks & Regards, - Nayna > >> Thanks & Regards, >> - Nayna > > /Jarkko > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-25 19:49 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 19:49 UTC (permalink / raw) To: Nayna Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Tue, Jan 24, 2017 at 06:34:54PM +0530, Nayna wrote: > > > On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote: > > On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote: > > > > > > > > > On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: > > > > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: > > > > > The current TPM 2.0 device driver extends only the SHA1 PCR bank > > > > > but the TCG Specification[1] recommends extending all active PCR > > > > > banks, to prevent malicious users from setting unused PCR banks with > > > > > fake measurements and quoting them. > > > > > > > > > > The existing in-kernel interface(tpm_pcr_extend()) expects only a > > > > > SHA1 digest. To extend all active PCR banks with differing > > > > > digest sizes, the SHA1 digest is padded with trailing 0's as needed. > > > > > > > > > > This patch reuses the defined digest sizes from the crypto subsystem, > > > > > adding a dependency on CRYPTO_HASH_INFO module. > > > > > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > > > Platform Firmware Profile for TPM 2.0" > > > > > > > > > > Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> > > > > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > > > > --- > > > > > drivers/char/tpm/Kconfig | 1 + > > > > > drivers/char/tpm/tpm-interface.c | 15 ++++++- > > > > > drivers/char/tpm/tpm.h | 3 +- > > > > > drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- > > > > > drivers/char/tpm/tpm_eventlog.h | 7 ++++ > > > > > 5 files changed, 73 insertions(+), 44 deletions(-) > > > > > > > > > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > > > > > index 277186d..af985cc 100644 > > > > > --- a/drivers/char/tpm/Kconfig > > > > > +++ b/drivers/char/tpm/Kconfig > > > > > @@ -6,6 +6,7 @@ menuconfig TCG_TPM > > > > > tristate "TPM Hardware Support" > > > > > depends on HAS_IOMEM > > > > > select SECURITYFS > > > > > + select CRYPTO_HASH_INFO > > > > > ---help--- > > > > > If you have a TPM security chip in your system, which > > > > > implements the Trusted Computing Group's specification, > > > > > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > > > > > index a3461cb..cf959c3 100644 > > > > > --- a/drivers/char/tpm/tpm-interface.c > > > > > +++ b/drivers/char/tpm/tpm-interface.c > > > > > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) > > > > > struct tpm_cmd_t cmd; > > > > > int rc; > > > > > struct tpm_chip *chip; > > > > > + int max_active_banks = ARRAY_SIZE(chip->active_banks); > > > > > + struct tpm2_digest digest_list[max_active_banks]; > > > > > + u32 count = 0; > > > > > + int i; > > > > > > > > > > chip = tpm_chip_find_get(chip_num); > > > > > if (chip == NULL) > > > > > return -ENODEV; > > > > > > > > > > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > > > > > - rc = tpm2_pcr_extend(chip, pcr_idx, hash); > > > > > + memset(digest_list, 0, sizeof(digest_list)); > > > > > + > > > > > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && > > > > > + (i < max_active_banks); i++) { > > > > > + digest_list[i].alg_id = chip->active_banks[i]; > > > > > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); > > > > > + count++; > > > > > + } > > > > > + > > > > > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); > > > > > tpm_put_ops(chip); > > > > > return rc; > > > > > } > > > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > > > > > index c291f19..07a0677 100644 > > > > > --- a/drivers/char/tpm/tpm.h > > > > > +++ b/drivers/char/tpm/tpm.h > > > > > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) > > > > > #endif > > > > > > > > > > int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); > > > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); > > > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > > > + struct tpm2_digest *digests); > > > > > int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); > > > > > int tpm2_seal_trusted(struct tpm_chip *chip, > > > > > struct trusted_key_payload *payload, > > > > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > > > > > index 0e000a3..d78adb8 100644 > > > > > --- a/drivers/char/tpm/tpm2-cmd.c > > > > > +++ b/drivers/char/tpm/tpm2-cmd.c > > > > > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { > > > > > u8 digest[TPM_DIGEST_SIZE]; > > > > > } __packed; > > > > > > > > > > -struct tpm2_null_auth_area { > > > > > - __be32 handle; > > > > > - __be16 nonce_size; > > > > > - u8 attributes; > > > > > - __be16 auth_size; > > > > > -} __packed; > > > > > - > > > > > -struct tpm2_pcr_extend_in { > > > > > - __be32 pcr_idx; > > > > > - __be32 auth_area_size; > > > > > - struct tpm2_null_auth_area auth_area; > > > > > - __be32 digest_cnt; > > > > > - __be16 hash_alg; > > > > > - u8 digest[TPM_DIGEST_SIZE]; > > > > > -} __packed; > > > > > - > > > > > struct tpm2_get_tpm_pt_in { > > > > > __be32 cap_id; > > > > > __be32 property_id; > > > > > @@ -97,7 +81,6 @@ union tpm2_cmd_params { > > > > > struct tpm2_self_test_in selftest_in; > > > > > struct tpm2_pcr_read_in pcrread_in; > > > > > struct tpm2_pcr_read_out pcrread_out; > > > > > - struct tpm2_pcr_extend_in pcrextend_in; > > > > > struct tpm2_get_tpm_pt_in get_tpm_pt_in; > > > > > struct tpm2_get_tpm_pt_out get_tpm_pt_out; > > > > > struct tpm2_get_random_in getrandom_in; > > > > > @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) > > > > > return rc; > > > > > } > > > > > > > > > > -#define TPM2_GET_PCREXTEND_IN_SIZE \ > > > > > - (sizeof(struct tpm_input_header) + \ > > > > > - sizeof(struct tpm2_pcr_extend_in)) > > > > > - > > > > > -static const struct tpm_input_header tpm2_pcrextend_header = { > > > > > - .tag = cpu_to_be16(TPM2_ST_SESSIONS), > > > > > - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), > > > > > - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) > > > > > -}; > > > > > +struct tpm2_null_auth_area { > > > > > + __be32 handle; > > > > > + __be16 nonce_size; > > > > > + u8 attributes; > > > > > + __be16 auth_size; > > > > > +} __packed; > > > > > > > > > > /** > > > > > * tpm2_pcr_extend() - extend a PCR value > > > > > * > > > > > * @chip: TPM chip to use. > > > > > * @pcr_idx: index of the PCR. > > > > > - * @hash: hash value to use for the extend operation. > > > > > + * @count: number of digests passed. > > > > > + * @digests: list of pcr banks and corresponding digest values to extend. > > > > > * > > > > > * Return: Same as with tpm_transmit_cmd. > > > > > */ > > > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) > > > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > > > + struct tpm2_digest *digests) > > > > > { > > > > > - struct tpm2_cmd cmd; > > > > > + struct tpm_buf buf; > > > > > + struct tpm2_null_auth_area auth_area; > > > > > int rc; > > > > > + int i; > > > > > + int j; > > > > > + > > > > > + if (count > ARRAY_SIZE(chip->active_banks)) > > > > > + return -EINVAL; > > > > > > > > > > - cmd.header.in = tpm2_pcrextend_header; > > > > > - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); > > > > > - cmd.params.pcrextend_in.auth_area_size = > > > > > - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); > > > > > - cmd.params.pcrextend_in.auth_area.handle = > > > > > - cpu_to_be32(TPM2_RS_PW); > > > > > - cmd.params.pcrextend_in.auth_area.nonce_size = 0; > > > > > - cmd.params.pcrextend_in.auth_area.attributes = 0; > > > > > - cmd.params.pcrextend_in.auth_area.auth_size = 0; > > > > > - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); > > > > > - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); > > > > > - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); > > > > > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > > > > > + if (rc) > > > > > + return rc; > > > > > > > > > > - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > > > > > + tpm_buf_append_u32(&buf, pcr_idx); > > > > > + > > > > > + auth_area.handle = cpu_to_be32(TPM2_RS_PW); > > > > > + auth_area.nonce_size = 0; > > > > > + auth_area.attributes = 0; > > > > > + auth_area.auth_size = 0; > > > > > + > > > > > + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > > > > > + tpm_buf_append(&buf, (const unsigned char *)&auth_area, > > > > > + sizeof(auth_area)); > > > > > + tpm_buf_append_u32(&buf, count); > > > > > + > > > > > + for (i = 0; i < count; i++) { > > > > > + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { > > > > > + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) > > > > > + continue; > > > > > + > > > > > + tpm_buf_append_u16(&buf, digests[i].alg_id); > > > > > + tpm_buf_append(&buf, (const unsigned char > > > > > + *)&digests[i].digest, > > > > > + hash_digest_size[tpm2_hash_map[j].crypto_id]); > > > > > + } > > > > > + } > > > > > + > > > > > + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, > > > > > "attempting extend a PCR value"); > > > > > > > > > > + tpm_buf_destroy(&buf); > > > > > + > > > > > return rc; > > > > > } > > > > > > > > > > @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) > > > > > } > > > > > } > > > > > > > > > > + rc = tpm2_get_pcr_allocation(chip); > > > > > + > > > > > out: > > > > > if (rc > 0) > > > > > rc = -ENODEV; > > > > > diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h > > > > > index 1660d74..b5ae372 100644 > > > > > --- a/drivers/char/tpm/tpm_eventlog.h > > > > > +++ b/drivers/char/tpm/tpm_eventlog.h > > > > > @@ -2,6 +2,8 @@ > > > > > #ifndef __TPM_EVENTLOG_H__ > > > > > #define __TPM_EVENTLOG_H__ > > > > > > > > > > +#include <crypto/hash_info.h> > > > > > + > > > > > #define TCG_EVENT_NAME_LEN_MAX 255 > > > > > #define MAX_TEXT_EVENT 1000 /* Max event string length */ > > > > > #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ > > > > > @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { > > > > > HOST_TABLE_OF_DEVICES, > > > > > }; > > > > > > > > > > +struct tpm2_digest { > > > > > + u16 alg_id; > > > > > + u8 digest[SHA512_DIGEST_SIZE]; > > > > > +} __packed; > > > > > > > > Shouldn't this be in tpm.h? > > > > > > This is a struct common for TPM 2.0 extend and eventlog structure i.e > > > struct tcg_pcr_event2. > > > And so I preferred to place it here. > > > > > > > If it is common, why is it in tpm_eventlog.h and not in tpm.h? > > Hmm, the way I took it was that all event log structs are in tpm_eventlog.h. > So, I have defined all structs related to event log into tpm_eventlog.h, > including this one. > > Also, currently, tpm_eventlog.h has no dependency on tpm.h, but tpm.h does > include tpm_eventlog.h. > > Hmm.. is it an issue to have it in tpm_eventlog.h ? > > Thanks & Regards, > - Nayna I'm not sure why tpm.h should include tpm_eventlog.h. The struct tpm2_digest is part of the internal API. Other structs are not. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks @ 2017-01-25 19:49 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 19:49 UTC (permalink / raw) To: Nayna Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On Tue, Jan 24, 2017 at 06:34:54PM +0530, Nayna wrote: > > > On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote: > > On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote: > > > > > > > > > On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote: > > > > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote: > > > > > The current TPM 2.0 device driver extends only the SHA1 PCR bank > > > > > but the TCG Specification[1] recommends extending all active PCR > > > > > banks, to prevent malicious users from setting unused PCR banks with > > > > > fake measurements and quoting them. > > > > > > > > > > The existing in-kernel interface(tpm_pcr_extend()) expects only a > > > > > SHA1 digest. To extend all active PCR banks with differing > > > > > digest sizes, the SHA1 digest is padded with trailing 0's as needed. > > > > > > > > > > This patch reuses the defined digest sizes from the crypto subsystem, > > > > > adding a dependency on CRYPTO_HASH_INFO module. > > > > > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > > > Platform Firmware Profile for TPM 2.0" > > > > > > > > > > Signed-off-by: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> > > > > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org> > > > > > --- > > > > > drivers/char/tpm/Kconfig | 1 + > > > > > drivers/char/tpm/tpm-interface.c | 15 ++++++- > > > > > drivers/char/tpm/tpm.h | 3 +- > > > > > drivers/char/tpm/tpm2-cmd.c | 91 +++++++++++++++++++++------------------- > > > > > drivers/char/tpm/tpm_eventlog.h | 7 ++++ > > > > > 5 files changed, 73 insertions(+), 44 deletions(-) > > > > > > > > > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > > > > > index 277186d..af985cc 100644 > > > > > --- a/drivers/char/tpm/Kconfig > > > > > +++ b/drivers/char/tpm/Kconfig > > > > > @@ -6,6 +6,7 @@ menuconfig TCG_TPM > > > > > tristate "TPM Hardware Support" > > > > > depends on HAS_IOMEM > > > > > select SECURITYFS > > > > > + select CRYPTO_HASH_INFO > > > > > ---help--- > > > > > If you have a TPM security chip in your system, which > > > > > implements the Trusted Computing Group's specification, > > > > > diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c > > > > > index a3461cb..cf959c3 100644 > > > > > --- a/drivers/char/tpm/tpm-interface.c > > > > > +++ b/drivers/char/tpm/tpm-interface.c > > > > > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) > > > > > struct tpm_cmd_t cmd; > > > > > int rc; > > > > > struct tpm_chip *chip; > > > > > + int max_active_banks = ARRAY_SIZE(chip->active_banks); > > > > > + struct tpm2_digest digest_list[max_active_banks]; > > > > > + u32 count = 0; > > > > > + int i; > > > > > > > > > > chip = tpm_chip_find_get(chip_num); > > > > > if (chip == NULL) > > > > > return -ENODEV; > > > > > > > > > > if (chip->flags & TPM_CHIP_FLAG_TPM2) { > > > > > - rc = tpm2_pcr_extend(chip, pcr_idx, hash); > > > > > + memset(digest_list, 0, sizeof(digest_list)); > > > > > + > > > > > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) && > > > > > + (i < max_active_banks); i++) { > > > > > + digest_list[i].alg_id = chip->active_banks[i]; > > > > > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE); > > > > > + count++; > > > > > + } > > > > > + > > > > > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list); > > > > > tpm_put_ops(chip); > > > > > return rc; > > > > > } > > > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > > > > > index c291f19..07a0677 100644 > > > > > --- a/drivers/char/tpm/tpm.h > > > > > +++ b/drivers/char/tpm/tpm.h > > > > > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip) > > > > > #endif > > > > > > > > > > int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); > > > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); > > > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > > > + struct tpm2_digest *digests); > > > > > int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); > > > > > int tpm2_seal_trusted(struct tpm_chip *chip, > > > > > struct trusted_key_payload *payload, > > > > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > > > > > index 0e000a3..d78adb8 100644 > > > > > --- a/drivers/char/tpm/tpm2-cmd.c > > > > > +++ b/drivers/char/tpm/tpm2-cmd.c > > > > > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out { > > > > > u8 digest[TPM_DIGEST_SIZE]; > > > > > } __packed; > > > > > > > > > > -struct tpm2_null_auth_area { > > > > > - __be32 handle; > > > > > - __be16 nonce_size; > > > > > - u8 attributes; > > > > > - __be16 auth_size; > > > > > -} __packed; > > > > > - > > > > > -struct tpm2_pcr_extend_in { > > > > > - __be32 pcr_idx; > > > > > - __be32 auth_area_size; > > > > > - struct tpm2_null_auth_area auth_area; > > > > > - __be32 digest_cnt; > > > > > - __be16 hash_alg; > > > > > - u8 digest[TPM_DIGEST_SIZE]; > > > > > -} __packed; > > > > > - > > > > > struct tpm2_get_tpm_pt_in { > > > > > __be32 cap_id; > > > > > __be32 property_id; > > > > > @@ -97,7 +81,6 @@ union tpm2_cmd_params { > > > > > struct tpm2_self_test_in selftest_in; > > > > > struct tpm2_pcr_read_in pcrread_in; > > > > > struct tpm2_pcr_read_out pcrread_out; > > > > > - struct tpm2_pcr_extend_in pcrextend_in; > > > > > struct tpm2_get_tpm_pt_in get_tpm_pt_in; > > > > > struct tpm2_get_tpm_pt_out get_tpm_pt_out; > > > > > struct tpm2_get_random_in getrandom_in; > > > > > @@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) > > > > > return rc; > > > > > } > > > > > > > > > > -#define TPM2_GET_PCREXTEND_IN_SIZE \ > > > > > - (sizeof(struct tpm_input_header) + \ > > > > > - sizeof(struct tpm2_pcr_extend_in)) > > > > > - > > > > > -static const struct tpm_input_header tpm2_pcrextend_header = { > > > > > - .tag = cpu_to_be16(TPM2_ST_SESSIONS), > > > > > - .length = cpu_to_be32(TPM2_GET_PCREXTEND_IN_SIZE), > > > > > - .ordinal = cpu_to_be32(TPM2_CC_PCR_EXTEND) > > > > > -}; > > > > > +struct tpm2_null_auth_area { > > > > > + __be32 handle; > > > > > + __be16 nonce_size; > > > > > + u8 attributes; > > > > > + __be16 auth_size; > > > > > +} __packed; > > > > > > > > > > /** > > > > > * tpm2_pcr_extend() - extend a PCR value > > > > > * > > > > > * @chip: TPM chip to use. > > > > > * @pcr_idx: index of the PCR. > > > > > - * @hash: hash value to use for the extend operation. > > > > > + * @count: number of digests passed. > > > > > + * @digests: list of pcr banks and corresponding digest values to extend. > > > > > * > > > > > * Return: Same as with tpm_transmit_cmd. > > > > > */ > > > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) > > > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > > > > > + struct tpm2_digest *digests) > > > > > { > > > > > - struct tpm2_cmd cmd; > > > > > + struct tpm_buf buf; > > > > > + struct tpm2_null_auth_area auth_area; > > > > > int rc; > > > > > + int i; > > > > > + int j; > > > > > + > > > > > + if (count > ARRAY_SIZE(chip->active_banks)) > > > > > + return -EINVAL; > > > > > > > > > > - cmd.header.in = tpm2_pcrextend_header; > > > > > - cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); > > > > > - cmd.params.pcrextend_in.auth_area_size = > > > > > - cpu_to_be32(sizeof(struct tpm2_null_auth_area)); > > > > > - cmd.params.pcrextend_in.auth_area.handle = > > > > > - cpu_to_be32(TPM2_RS_PW); > > > > > - cmd.params.pcrextend_in.auth_area.nonce_size = 0; > > > > > - cmd.params.pcrextend_in.auth_area.attributes = 0; > > > > > - cmd.params.pcrextend_in.auth_area.auth_size = 0; > > > > > - cmd.params.pcrextend_in.digest_cnt = cpu_to_be32(1); > > > > > - cmd.params.pcrextend_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); > > > > > - memcpy(cmd.params.pcrextend_in.digest, hash, TPM_DIGEST_SIZE); > > > > > + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > > > > > + if (rc) > > > > > + return rc; > > > > > > > > > > - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > > > > > + tpm_buf_append_u32(&buf, pcr_idx); > > > > > + > > > > > + auth_area.handle = cpu_to_be32(TPM2_RS_PW); > > > > > + auth_area.nonce_size = 0; > > > > > + auth_area.attributes = 0; > > > > > + auth_area.auth_size = 0; > > > > > + > > > > > + tpm_buf_append_u32(&buf, sizeof(struct tpm2_null_auth_area)); > > > > > + tpm_buf_append(&buf, (const unsigned char *)&auth_area, > > > > > + sizeof(auth_area)); > > > > > + tpm_buf_append_u32(&buf, count); > > > > > + > > > > > + for (i = 0; i < count; i++) { > > > > > + for (j = 0; j < ARRAY_SIZE(tpm2_hash_map); j++) { > > > > > + if (digests[i].alg_id != tpm2_hash_map[j].tpm_id) > > > > > + continue; > > > > > + > > > > > + tpm_buf_append_u16(&buf, digests[i].alg_id); > > > > > + tpm_buf_append(&buf, (const unsigned char > > > > > + *)&digests[i].digest, > > > > > + hash_digest_size[tpm2_hash_map[j].crypto_id]); > > > > > + } > > > > > + } > > > > > + > > > > > + rc = tpm_transmit_cmd(chip, buf.data, tpm_buf_length(&buf), 0, > > > > > "attempting extend a PCR value"); > > > > > > > > > > + tpm_buf_destroy(&buf); > > > > > + > > > > > return rc; > > > > > } > > > > > > > > > > @@ -993,6 +998,8 @@ int tpm2_auto_startup(struct tpm_chip *chip) > > > > > } > > > > > } > > > > > > > > > > + rc = tpm2_get_pcr_allocation(chip); > > > > > + > > > > > out: > > > > > if (rc > 0) > > > > > rc = -ENODEV; > > > > > diff --git a/drivers/char/tpm/tpm_eventlog.h b/drivers/char/tpm/tpm_eventlog.h > > > > > index 1660d74..b5ae372 100644 > > > > > --- a/drivers/char/tpm/tpm_eventlog.h > > > > > +++ b/drivers/char/tpm/tpm_eventlog.h > > > > > @@ -2,6 +2,8 @@ > > > > > #ifndef __TPM_EVENTLOG_H__ > > > > > #define __TPM_EVENTLOG_H__ > > > > > > > > > > +#include <crypto/hash_info.h> > > > > > + > > > > > #define TCG_EVENT_NAME_LEN_MAX 255 > > > > > #define MAX_TEXT_EVENT 1000 /* Max event string length */ > > > > > #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ > > > > > @@ -73,6 +75,11 @@ enum tcpa_pc_event_ids { > > > > > HOST_TABLE_OF_DEVICES, > > > > > }; > > > > > > > > > > +struct tpm2_digest { > > > > > + u16 alg_id; > > > > > + u8 digest[SHA512_DIGEST_SIZE]; > > > > > +} __packed; > > > > > > > > Shouldn't this be in tpm.h? > > > > > > This is a struct common for TPM 2.0 extend and eventlog structure i.e > > > struct tcg_pcr_event2. > > > And so I preferred to place it here. > > > > > > > If it is common, why is it in tpm_eventlog.h and not in tpm.h? > > Hmm, the way I took it was that all event log structs are in tpm_eventlog.h. > So, I have defined all structs related to event log into tpm_eventlog.h, > including this one. > > Also, currently, tpm_eventlog.h has no dependency on tpm.h, but tpm.h does > include tpm_eventlog.h. > > Hmm.. is it an issue to have it in tpm_eventlog.h ? > > Thanks & Regards, > - Nayna I'm not sure why tpm.h should include tpm_eventlog.h. The struct tpm2_digest is part of the internal API. Other structs are not. /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-20 20:51 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-20 20:51 UTC (permalink / raw) To: Nayna Jain Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > IMA extends its hash measurements in the TPM PCRs, based on policy. > The existing in-kernel TPM extend function extends only the SHA1 > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > extending all active PCR banks to prevent malicious users from > setting unused PCR banks with fake measurements and quoting them. > This patch set adds support for extending all active PCR banks, > as recommended. > > The first patch implements the TPM 2.0 capability to retrieve > the list of active PCR banks. > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > interface to support extending multiple PCR banks. The existing > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > extend all active PCR banks with differing digest sizes for TPM 2.0, > the SHA1 digest is padded with 0's as needed. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" > > Changelog v6: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Fixed the regression - missing tpm_buf_destroy() in > in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. > - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. > > Changelog v5: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved variable declaration to start of function in > tpm_pcr_extend() > > > Changelog v4: > - Updated cover letter as per Mimi's feedback. > - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use > default timeout value if chip reports it as zero) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved call to tpm2_get_pcr_allocation to Patch 2 > - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection > and moved the struct to before tpm2_get_pcr_allocation() > - Fixed code formatting > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Included Jarkkos' feedbacks > - Updated commit msg to mention dependency on CRYPTO_HASH_INFO > - Renamed struct tpmt_hash to struct tpm2_digest > - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts > count and digests list as two separate arguments. Added check for > count of hashes passed. > - Cleaned up struct tpm2_pcr_extend_in as not required anymore with > use of tpm_buf > - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as > it is the only function using it for now. > - Fixed code formatting > > Changelog v3: > - Rebased to the Jarkko's latest master branch (8e25809 tpm: > Do not print an error message when doing TPM auto startup) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Removed getcap_in, getcap_out and used tpm_buf for getting > capability. > - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included > other feedbacks. > - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" > - Fixed kbuild errors > - Fixed buf.data uninitialized warning. > - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. > > Changelog v2: > > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - defined structs definition in tpm2-cmd.c. > - no_of_active_banks field is removed. Instead, constant > TPM2_MAX_PCR_BANKS is defined. > - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() > - removed generic function tpm2_get_capability(). > > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Removed tpm2.h, and defined structs common for extend and event log > in tpm_eventlog.h > - uses tpm_buf in tpm2_pcr_extend(). > > Nayna Jain (2): > tpm: implement TPM 2.0 capability to get active PCR banks > tpm: enhance TPM 2.0 PCR extend to support multiple banks > > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 +++- > drivers/char/tpm/tpm.h | 8 ++- > drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- > drivers/char/tpm/tpm_eventlog.h | 7 ++ > 5 files changed, 137 insertions(+), 44 deletions(-) > > -- > 2.5.0 > I need to test these patches but otherwise they're fine... /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-20 20:51 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-20 20:51 UTC (permalink / raw) To: Nayna Jain Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > IMA extends its hash measurements in the TPM PCRs, based on policy. > The existing in-kernel TPM extend function extends only the SHA1 > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > extending all active PCR banks to prevent malicious users from > setting unused PCR banks with fake measurements and quoting them. > This patch set adds support for extending all active PCR banks, > as recommended. > > The first patch implements the TPM 2.0 capability to retrieve > the list of active PCR banks. > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > interface to support extending multiple PCR banks. The existing > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > extend all active PCR banks with differing digest sizes for TPM 2.0, > the SHA1 digest is padded with 0's as needed. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" > > Changelog v6: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Fixed the regression - missing tpm_buf_destroy() in > in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. > - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. > > Changelog v5: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved variable declaration to start of function in > tpm_pcr_extend() > > > Changelog v4: > - Updated cover letter as per Mimi's feedback. > - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use > default timeout value if chip reports it as zero) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved call to tpm2_get_pcr_allocation to Patch 2 > - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection > and moved the struct to before tpm2_get_pcr_allocation() > - Fixed code formatting > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Included Jarkkos' feedbacks > - Updated commit msg to mention dependency on CRYPTO_HASH_INFO > - Renamed struct tpmt_hash to struct tpm2_digest > - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts > count and digests list as two separate arguments. Added check for > count of hashes passed. > - Cleaned up struct tpm2_pcr_extend_in as not required anymore with > use of tpm_buf > - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as > it is the only function using it for now. > - Fixed code formatting > > Changelog v3: > - Rebased to the Jarkko's latest master branch (8e25809 tpm: > Do not print an error message when doing TPM auto startup) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Removed getcap_in, getcap_out and used tpm_buf for getting > capability. > - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included > other feedbacks. > - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" > - Fixed kbuild errors > - Fixed buf.data uninitialized warning. > - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. > > Changelog v2: > > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - defined structs definition in tpm2-cmd.c. > - no_of_active_banks field is removed. Instead, constant > TPM2_MAX_PCR_BANKS is defined. > - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() > - removed generic function tpm2_get_capability(). > > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Removed tpm2.h, and defined structs common for extend and event log > in tpm_eventlog.h > - uses tpm_buf in tpm2_pcr_extend(). > > Nayna Jain (2): > tpm: implement TPM 2.0 capability to get active PCR banks > tpm: enhance TPM 2.0 PCR extend to support multiple banks > > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 +++- > drivers/char/tpm/tpm.h | 8 ++- > drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- > drivers/char/tpm/tpm_eventlog.h | 7 ++ > 5 files changed, 137 insertions(+), 44 deletions(-) > > -- > 2.5.0 > I need to test these patches but otherwise they're fine... /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-25 20:45 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 20:45 UTC (permalink / raw) To: Nayna Jain Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > IMA extends its hash measurements in the TPM PCRs, based on policy. > The existing in-kernel TPM extend function extends only the SHA1 > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > extending all active PCR banks to prevent malicious users from > setting unused PCR banks with fake measurements and quoting them. > This patch set adds support for extending all active PCR banks, > as recommended. > > The first patch implements the TPM 2.0 capability to retrieve > the list of active PCR banks. > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > interface to support extending multiple PCR banks. The existing > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > extend all active PCR banks with differing digest sizes for TPM 2.0, > the SHA1 digest is padded with 0's as needed. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" I pushed these patches. I had to resolve merge conflicts caused by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you verify that I didn't break anything? /Jarkko > > Changelog v6: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Fixed the regression - missing tpm_buf_destroy() in > in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. > - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. > > Changelog v5: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved variable declaration to start of function in > tpm_pcr_extend() > > > Changelog v4: > - Updated cover letter as per Mimi's feedback. > - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use > default timeout value if chip reports it as zero) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved call to tpm2_get_pcr_allocation to Patch 2 > - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection > and moved the struct to before tpm2_get_pcr_allocation() > - Fixed code formatting > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Included Jarkkos' feedbacks > - Updated commit msg to mention dependency on CRYPTO_HASH_INFO > - Renamed struct tpmt_hash to struct tpm2_digest > - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts > count and digests list as two separate arguments. Added check for > count of hashes passed. > - Cleaned up struct tpm2_pcr_extend_in as not required anymore with > use of tpm_buf > - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as > it is the only function using it for now. > - Fixed code formatting > > Changelog v3: > - Rebased to the Jarkko's latest master branch (8e25809 tpm: > Do not print an error message when doing TPM auto startup) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Removed getcap_in, getcap_out and used tpm_buf for getting > capability. > - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included > other feedbacks. > - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" > - Fixed kbuild errors > - Fixed buf.data uninitialized warning. > - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. > > Changelog v2: > > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - defined structs definition in tpm2-cmd.c. > - no_of_active_banks field is removed. Instead, constant > TPM2_MAX_PCR_BANKS is defined. > - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() > - removed generic function tpm2_get_capability(). > > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Removed tpm2.h, and defined structs common for extend and event log > in tpm_eventlog.h > - uses tpm_buf in tpm2_pcr_extend(). > > Nayna Jain (2): > tpm: implement TPM 2.0 capability to get active PCR banks > tpm: enhance TPM 2.0 PCR extend to support multiple banks > > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 +++- > drivers/char/tpm/tpm.h | 8 ++- > drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- > drivers/char/tpm/tpm_eventlog.h | 7 ++ > 5 files changed, 137 insertions(+), 44 deletions(-) > > -- > 2.5.0 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-25 20:45 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 20:45 UTC (permalink / raw) To: Nayna Jain Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > IMA extends its hash measurements in the TPM PCRs, based on policy. > The existing in-kernel TPM extend function extends only the SHA1 > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > extending all active PCR banks to prevent malicious users from > setting unused PCR banks with fake measurements and quoting them. > This patch set adds support for extending all active PCR banks, > as recommended. > > The first patch implements the TPM 2.0 capability to retrieve > the list of active PCR banks. > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > interface to support extending multiple PCR banks. The existing > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > extend all active PCR banks with differing digest sizes for TPM 2.0, > the SHA1 digest is padded with 0's as needed. > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > Platform Firmware Profile for TPM 2.0" I pushed these patches. I had to resolve merge conflicts caused by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you verify that I didn't break anything? /Jarkko > > Changelog v6: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Fixed the regression - missing tpm_buf_destroy() in > in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. > - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. > > Changelog v5: > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved variable declaration to start of function in > tpm_pcr_extend() > > > Changelog v4: > - Updated cover letter as per Mimi's feedback. > - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use > default timeout value if chip reports it as zero) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Moved call to tpm2_get_pcr_allocation to Patch 2 > - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection > and moved the struct to before tpm2_get_pcr_allocation() > - Fixed code formatting > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Included Jarkkos' feedbacks > - Updated commit msg to mention dependency on CRYPTO_HASH_INFO > - Renamed struct tpmt_hash to struct tpm2_digest > - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts > count and digests list as two separate arguments. Added check for > count of hashes passed. > - Cleaned up struct tpm2_pcr_extend_in as not required anymore with > use of tpm_buf > - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as > it is the only function using it for now. > - Fixed code formatting > > Changelog v3: > - Rebased to the Jarkko's latest master branch (8e25809 tpm: > Do not print an error message when doing TPM auto startup) > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - Included Jarkko's feedbacks > - Removed getcap_in, getcap_out and used tpm_buf for getting > capability. > - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included > other feedbacks. > - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" > - Fixed kbuild errors > - Fixed buf.data uninitialized warning. > - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. > > Changelog v2: > > - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" > - defined structs definition in tpm2-cmd.c. > - no_of_active_banks field is removed. Instead, constant > TPM2_MAX_PCR_BANKS is defined. > - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() > - removed generic function tpm2_get_capability(). > > - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" > - Removed tpm2.h, and defined structs common for extend and event log > in tpm_eventlog.h > - uses tpm_buf in tpm2_pcr_extend(). > > Nayna Jain (2): > tpm: implement TPM 2.0 capability to get active PCR banks > tpm: enhance TPM 2.0 PCR extend to support multiple banks > > drivers/char/tpm/Kconfig | 1 + > drivers/char/tpm/tpm-interface.c | 15 +++- > drivers/char/tpm/tpm.h | 8 ++- > drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- > drivers/char/tpm/tpm_eventlog.h | 7 ++ > 5 files changed, 137 insertions(+), 44 deletions(-) > > -- > 2.5.0 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 20:45 ` Jarkko Sakkinen (?) @ 2017-01-25 21:08 ` Stefan Berger 2017-01-25 22:04 ` Jarkko Sakkinen -1 siblings, 1 reply; 32+ messages in thread From: Stefan Berger @ 2017-01-25 21:08 UTC (permalink / raw) To: Jarkko Sakkinen, Nayna Jain Cc: linux-kernel, linux-security-module, tpmdd-devel On 01/25/2017 03:45 PM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >> IMA extends its hash measurements in the TPM PCRs, based on policy. >> The existing in-kernel TPM extend function extends only the SHA1 >> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >> extending all active PCR banks to prevent malicious users from >> setting unused PCR banks with fake measurements and quoting them. >> This patch set adds support for extending all active PCR banks, >> as recommended. >> >> The first patch implements the TPM 2.0 capability to retrieve >> the list of active PCR banks. >> >> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >> interface to support extending multiple PCR banks. The existing >> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >> extend all active PCR banks with differing digest sizes for TPM 2.0, >> the SHA1 digest is padded with 0's as needed. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? It looks like this hunk here got into the wrong patch: @@ -1061,7 +1068,7 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) tpm_buf_append_u32(&buf, 0); tpm_buf_append_u32(&buf, 1); - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, "get tpm pcr allocation"); if (rc < 0) goto out; ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 21:08 ` [tpmdd-devel] " Stefan Berger @ 2017-01-25 22:04 ` Jarkko Sakkinen 2017-01-25 22:52 ` Jarkko Sakkinen 0 siblings, 1 reply; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 22:04 UTC (permalink / raw) To: Stefan Berger Cc: Nayna Jain, linux-kernel, linux-security-module, tpmdd-devel On Wed, Jan 25, 2017 at 04:08:55PM -0500, Stefan Berger wrote: > On 01/25/2017 03:45 PM, Jarkko Sakkinen wrote: > > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > > The existing in-kernel TPM extend function extends only the SHA1 > > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > > extending all active PCR banks to prevent malicious users from > > > setting unused PCR banks with fake measurements and quoting them. > > > This patch set adds support for extending all active PCR banks, > > > as recommended. > > > > > > The first patch implements the TPM 2.0 capability to retrieve > > > the list of active PCR banks. > > > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > > interface to support extending multiple PCR banks. The existing > > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > > the SHA1 digest is padded with 0's as needed. > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > > verify that I didn't break anything? > > It looks like this hunk here got into the wrong patch: > > @@ -1061,7 +1068,7 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) > tpm_buf_append_u32(&buf, 0); > tpm_buf_append_u32(&buf, 1); > > - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, > + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, > "get tpm pcr allocation"); > if (rc < 0) > goto out; Thanks. I'll eventually fix this before sending the next pull request. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 22:04 ` Jarkko Sakkinen @ 2017-01-25 22:52 ` Jarkko Sakkinen 2017-01-25 22:57 ` Jarkko Sakkinen 0 siblings, 1 reply; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 22:52 UTC (permalink / raw) To: Stefan Berger Cc: Nayna Jain, linux-kernel, linux-security-module, tpmdd-devel On Thu, Jan 26, 2017 at 12:04:01AM +0200, Jarkko Sakkinen wrote: > On Wed, Jan 25, 2017 at 04:08:55PM -0500, Stefan Berger wrote: > > On 01/25/2017 03:45 PM, Jarkko Sakkinen wrote: > > > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > > > The existing in-kernel TPM extend function extends only the SHA1 > > > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > > > extending all active PCR banks to prevent malicious users from > > > > setting unused PCR banks with fake measurements and quoting them. > > > > This patch set adds support for extending all active PCR banks, > > > > as recommended. > > > > > > > > The first patch implements the TPM 2.0 capability to retrieve > > > > the list of active PCR banks. > > > > > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > > > interface to support extending multiple PCR banks. The existing > > > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > > > the SHA1 digest is padded with 0's as needed. > > > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > > Platform Firmware Profile for TPM 2.0" > > > I pushed these patches. I had to resolve merge conflicts caused > > > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > > > verify that I didn't break anything? > > > > It looks like this hunk here got into the wrong patch: > > > > @@ -1061,7 +1068,7 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) > > tpm_buf_append_u32(&buf, 0); > > tpm_buf_append_u32(&buf, 1); > > > > - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, > > + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, > > "get tpm pcr allocation"); > > if (rc < 0) > > goto out; > > Thanks. I'll eventually fix this before sending the next pull request. I'll actually squash the patches and make it a static function. Its only call site is tpm2_auto_startup and remove the declaration from tpm.h. There's no point to have it there. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [tpmdd-devel] [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 22:52 ` Jarkko Sakkinen @ 2017-01-25 22:57 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 22:57 UTC (permalink / raw) To: Stefan Berger Cc: Nayna Jain, linux-kernel, linux-security-module, tpmdd-devel On Thu, Jan 26, 2017 at 12:52:52AM +0200, Jarkko Sakkinen wrote: > On Thu, Jan 26, 2017 at 12:04:01AM +0200, Jarkko Sakkinen wrote: > > On Wed, Jan 25, 2017 at 04:08:55PM -0500, Stefan Berger wrote: > > > On 01/25/2017 03:45 PM, Jarkko Sakkinen wrote: > > > > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > > > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > > > > The existing in-kernel TPM extend function extends only the SHA1 > > > > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > > > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > > > > extending all active PCR banks to prevent malicious users from > > > > > setting unused PCR banks with fake measurements and quoting them. > > > > > This patch set adds support for extending all active PCR banks, > > > > > as recommended. > > > > > > > > > > The first patch implements the TPM 2.0 capability to retrieve > > > > > the list of active PCR banks. > > > > > > > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > > > > interface to support extending multiple PCR banks. The existing > > > > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > > > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > > > > the SHA1 digest is padded with 0's as needed. > > > > > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > > > Platform Firmware Profile for TPM 2.0" > > > > I pushed these patches. I had to resolve merge conflicts caused > > > > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > > > > verify that I didn't break anything? > > > > > > It looks like this hunk here got into the wrong patch: > > > > > > @@ -1061,7 +1068,7 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) > > > tpm_buf_append_u32(&buf, 0); > > > tpm_buf_append_u32(&buf, 1); > > > > > > - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, > > > + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, > > > "get tpm pcr allocation"); > > > if (rc < 0) > > > goto out; > > > > Thanks. I'll eventually fix this before sending the next pull request. > > I'll actually squash the patches and make it a static function. Its > only call site is tpm2_auto_startup and remove the declaration from > tpm.h. There's no point to have it there. OK, now it should be better. I also moved tpm2_digest to tpm.h as it is part of the API. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 20:45 ` Jarkko Sakkinen (?) (?) @ 2017-01-25 23:33 ` Jarkko Sakkinen 2017-01-26 14:34 ` Nayna -1 siblings, 1 reply; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-25 23:33 UTC (permalink / raw) To: Nayna Jain Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Wed, Jan 25, 2017 at 10:45:35PM +0200, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > The existing in-kernel TPM extend function extends only the SHA1 > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > extending all active PCR banks to prevent malicious users from > > setting unused PCR banks with fake measurements and quoting them. > > This patch set adds support for extending all active PCR banks, > > as recommended. > > > > The first patch implements the TPM 2.0 capability to retrieve > > the list of active PCR banks. > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > interface to support extending multiple PCR banks. The existing > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > the SHA1 digest is padded with 0's as needed. > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? You have a bug in tpm2_get_pcr_allocation: rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, "get tpm pcr allocation"); if (rc < 0) goto out; You do not handle TPM error. Can you send a fix for this ASAP? /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks 2017-01-25 23:33 ` Jarkko Sakkinen @ 2017-01-26 14:34 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-26 14:34 UTC (permalink / raw) To: Jarkko Sakkinen Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On 01/26/2017 05:03 AM, Jarkko Sakkinen wrote: > On Wed, Jan 25, 2017 at 10:45:35PM +0200, Jarkko Sakkinen wrote: >> On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >>> IMA extends its hash measurements in the TPM PCRs, based on policy. >>> The existing in-kernel TPM extend function extends only the SHA1 >>> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >>> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >>> extending all active PCR banks to prevent malicious users from >>> setting unused PCR banks with fake measurements and quoting them. >>> This patch set adds support for extending all active PCR banks, >>> as recommended. >>> >>> The first patch implements the TPM 2.0 capability to retrieve >>> the list of active PCR banks. >>> >>> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >>> interface to support extending multiple PCR banks. The existing >>> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >>> extend all active PCR banks with differing digest sizes for TPM 2.0, >>> the SHA1 digest is padded with 0's as needed. >>> >>> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >>> Platform Firmware Profile for TPM 2.0" >> >> I pushed these patches. I had to resolve merge conflicts caused >> by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you >> verify that I didn't break anything? > > You have a bug in tpm2_get_pcr_allocation: > > rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, > "get tpm pcr allocation"); > if (rc < 0) > goto out; > > You do not handle TPM error. Can you send a fix for this ASAP? Oh!! Sure.. I see below fix should handle it. if (rc) goto out: Sending the patch... Thanks & Regards, - Nayna > > /Jarkko > ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-27 17:23 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-27 17:23 UTC (permalink / raw) To: Jarkko Sakkinen Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >> IMA extends its hash measurements in the TPM PCRs, based on policy. >> The existing in-kernel TPM extend function extends only the SHA1 >> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >> extending all active PCR banks to prevent malicious users from >> setting unused PCR banks with fake measurements and quoting them. >> This patch set adds support for extending all active PCR banks, >> as recommended. >> >> The first patch implements the TPM 2.0 capability to retrieve >> the list of active PCR banks. >> >> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >> interface to support extending multiple PCR banks. The existing >> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >> extend all active PCR banks with differing digest sizes for TPM 2.0, >> the SHA1 digest is padded with 0's as needed. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? > Yes, it looks fine, also tested with it. Just to understand.. how did you decide min_rsp_body_length to be 9. If I understood correctly, I think it is the size after header, till last fixed parameter i.e. till count. Is the assumption is that count can be zero, such that there is no active bank for PCR and so no struct tpm2_pcr_selection ? Thanks & Regards, - Nayna > /Jarkko > >> >> Changelog v6: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Fixed the regression - missing tpm_buf_destroy() in >> in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. >> - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. >> >> Changelog v5: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved variable declaration to start of function in >> tpm_pcr_extend() >> >> >> Changelog v4: >> - Updated cover letter as per Mimi's feedback. >> - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use >> default timeout value if chip reports it as zero) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved call to tpm2_get_pcr_allocation to Patch 2 >> - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection >> and moved the struct to before tpm2_get_pcr_allocation() >> - Fixed code formatting >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Included Jarkkos' feedbacks >> - Updated commit msg to mention dependency on CRYPTO_HASH_INFO >> - Renamed struct tpmt_hash to struct tpm2_digest >> - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts >> count and digests list as two separate arguments. Added check for >> count of hashes passed. >> - Cleaned up struct tpm2_pcr_extend_in as not required anymore with >> use of tpm_buf >> - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as >> it is the only function using it for now. >> - Fixed code formatting >> >> Changelog v3: >> - Rebased to the Jarkko's latest master branch (8e25809 tpm: >> Do not print an error message when doing TPM auto startup) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Removed getcap_in, getcap_out and used tpm_buf for getting >> capability. >> - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included >> other feedbacks. >> - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" >> - Fixed kbuild errors >> - Fixed buf.data uninitialized warning. >> - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. >> >> Changelog v2: >> >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - defined structs definition in tpm2-cmd.c. >> - no_of_active_banks field is removed. Instead, constant >> TPM2_MAX_PCR_BANKS is defined. >> - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() >> - removed generic function tpm2_get_capability(). >> >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Removed tpm2.h, and defined structs common for extend and event log >> in tpm_eventlog.h >> - uses tpm_buf in tpm2_pcr_extend(). >> >> Nayna Jain (2): >> tpm: implement TPM 2.0 capability to get active PCR banks >> tpm: enhance TPM 2.0 PCR extend to support multiple banks >> >> drivers/char/tpm/Kconfig | 1 + >> drivers/char/tpm/tpm-interface.c | 15 +++- >> drivers/char/tpm/tpm.h | 8 ++- >> drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- >> drivers/char/tpm/tpm_eventlog.h | 7 ++ >> 5 files changed, 137 insertions(+), 44 deletions(-) >> >> -- >> 2.5.0 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html > ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-27 17:23 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-27 17:23 UTC (permalink / raw) To: Jarkko Sakkinen Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >> IMA extends its hash measurements in the TPM PCRs, based on policy. >> The existing in-kernel TPM extend function extends only the SHA1 >> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >> extending all active PCR banks to prevent malicious users from >> setting unused PCR banks with fake measurements and quoting them. >> This patch set adds support for extending all active PCR banks, >> as recommended. >> >> The first patch implements the TPM 2.0 capability to retrieve >> the list of active PCR banks. >> >> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >> interface to support extending multiple PCR banks. The existing >> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >> extend all active PCR banks with differing digest sizes for TPM 2.0, >> the SHA1 digest is padded with 0's as needed. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? > Yes, it looks fine, also tested with it. Just to understand.. how did you decide min_rsp_body_length to be 9. If I understood correctly, I think it is the size after header, till last fixed parameter i.e. till count. Is the assumption is that count can be zero, such that there is no active bank for PCR and so no struct tpm2_pcr_selection ? Thanks & Regards, - Nayna > /Jarkko > >> >> Changelog v6: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Fixed the regression - missing tpm_buf_destroy() in >> in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. >> - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. >> >> Changelog v5: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved variable declaration to start of function in >> tpm_pcr_extend() >> >> >> Changelog v4: >> - Updated cover letter as per Mimi's feedback. >> - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use >> default timeout value if chip reports it as zero) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved call to tpm2_get_pcr_allocation to Patch 2 >> - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection >> and moved the struct to before tpm2_get_pcr_allocation() >> - Fixed code formatting >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Included Jarkkos' feedbacks >> - Updated commit msg to mention dependency on CRYPTO_HASH_INFO >> - Renamed struct tpmt_hash to struct tpm2_digest >> - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts >> count and digests list as two separate arguments. Added check for >> count of hashes passed. >> - Cleaned up struct tpm2_pcr_extend_in as not required anymore with >> use of tpm_buf >> - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as >> it is the only function using it for now. >> - Fixed code formatting >> >> Changelog v3: >> - Rebased to the Jarkko's latest master branch (8e25809 tpm: >> Do not print an error message when doing TPM auto startup) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Removed getcap_in, getcap_out and used tpm_buf for getting >> capability. >> - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included >> other feedbacks. >> - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" >> - Fixed kbuild errors >> - Fixed buf.data uninitialized warning. >> - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. >> >> Changelog v2: >> >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - defined structs definition in tpm2-cmd.c. >> - no_of_active_banks field is removed. Instead, constant >> TPM2_MAX_PCR_BANKS is defined. >> - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() >> - removed generic function tpm2_get_capability(). >> >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Removed tpm2.h, and defined structs common for extend and event log >> in tpm_eventlog.h >> - uses tpm_buf in tpm2_pcr_extend(). >> >> Nayna Jain (2): >> tpm: implement TPM 2.0 capability to get active PCR banks >> tpm: enhance TPM 2.0 PCR extend to support multiple banks >> >> drivers/char/tpm/Kconfig | 1 + >> drivers/char/tpm/tpm-interface.c | 15 +++- >> drivers/char/tpm/tpm.h | 8 ++- >> drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- >> drivers/char/tpm/tpm_eventlog.h | 7 ++ >> 5 files changed, 137 insertions(+), 44 deletions(-) >> >> -- >> 2.5.0 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in >> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-29 15:19 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-29 15:19 UTC (permalink / raw) To: Nayna Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On Fri, Jan 27, 2017 at 10:53:11PM +0530, Nayna wrote: > > > On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > > The existing in-kernel TPM extend function extends only the SHA1 > > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > > extending all active PCR banks to prevent malicious users from > > > setting unused PCR banks with fake measurements and quoting them. > > > This patch set adds support for extending all active PCR banks, > > > as recommended. > > > > > > The first patch implements the TPM 2.0 capability to retrieve > > > the list of active PCR banks. > > > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > > interface to support extending multiple PCR banks. The existing > > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > > the SHA1 digest is padded with 0's as needed. > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > Platform Firmware Profile for TPM 2.0" > > > > I pushed these patches. I had to resolve merge conflicts caused > > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > > verify that I didn't break anything? > > > > Yes, it looks fine, also tested with it. > > Just to understand.. how did you decide min_rsp_body_length to be 9. > If I understood correctly, I think it is the size after header, till last > fixed parameter i.e. till count. > Is the assumption is that count can be zero, such that there is no active > bank for PCR and so no struct tpm2_pcr_selection ? > > Thanks & Regards, > - Nayna Hmm.. I got it from "marker = &buf.data[TPM_HEADER_SIZE + 9];" i.e. must have at last 9 bytes after the header. /Jarkko ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-29 15:19 ` Jarkko Sakkinen 0 siblings, 0 replies; 32+ messages in thread From: Jarkko Sakkinen @ 2017-01-29 15:19 UTC (permalink / raw) To: Nayna Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On Fri, Jan 27, 2017 at 10:53:11PM +0530, Nayna wrote: > > > On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: > > > IMA extends its hash measurements in the TPM PCRs, based on policy. > > > The existing in-kernel TPM extend function extends only the SHA1 > > > PCR bank. TPM 2.0 defines multiple PCR banks, to support different > > > hash algorithms. The TCG TPM 2.0 Specification[1] recommends > > > extending all active PCR banks to prevent malicious users from > > > setting unused PCR banks with fake measurements and quoting them. > > > This patch set adds support for extending all active PCR banks, > > > as recommended. > > > > > > The first patch implements the TPM 2.0 capability to retrieve > > > the list of active PCR banks. > > > > > > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() > > > interface to support extending multiple PCR banks. The existing > > > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to > > > extend all active PCR banks with differing digest sizes for TPM 2.0, > > > the SHA1 digest is padded with 0's as needed. > > > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific > > > Platform Firmware Profile for TPM 2.0" > > > > I pushed these patches. I had to resolve merge conflicts caused > > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > > verify that I didn't break anything? > > > > Yes, it looks fine, also tested with it. > > Just to understand.. how did you decide min_rsp_body_length to be 9. > If I understood correctly, I think it is the size after header, till last > fixed parameter i.e. till count. > Is the assumption is that count can be zero, such that there is no active > bank for PCR and so no struct tpm2_pcr_selection ? > > Thanks & Regards, > - Nayna Hmm.. I got it from "marker = &buf.data[TPM_HEADER_SIZE + 9];" i.e. must have at last 9 bytes after the header. /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-27 17:24 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-27 17:24 UTC (permalink / raw) To: Jarkko Sakkinen Cc: tpmdd-devel, peterhuewe, tpmdd, jgunthorpe, linux-security-module, linux-kernel On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >> IMA extends its hash measurements in the TPM PCRs, based on policy. >> The existing in-kernel TPM extend function extends only the SHA1 >> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >> extending all active PCR banks to prevent malicious users from >> setting unused PCR banks with fake measurements and quoting them. >> This patch set adds support for extending all active PCR banks, >> as recommended. >> >> The first patch implements the TPM 2.0 capability to retrieve >> the list of active PCR banks. >> >> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >> interface to support extending multiple PCR banks. The existing >> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >> extend all active PCR banks with differing digest sizes for TPM 2.0, >> the SHA1 digest is padded with 0's as needed. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? > Thanks Jarkko !! Yes, it looks fine, also tested with it. Just to understand..in tpm2_get_pcr_allocation(), how did you decide min_rsp_body_length to be 9. If I understood correctly, I think it is the size after header, till last fixed parameter i.e. till count. Is the assumption is that count can be zero, such that there is no active bank for PCR and so no struct tpm2_pcr_selection ? Thanks & Regards, - Nayna > /Jarkko > >> >> Changelog v6: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Fixed the regression - missing tpm_buf_destroy() in >> in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. >> - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. >> >> Changelog v5: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved variable declaration to start of function in >> tpm_pcr_extend() >> >> >> Changelog v4: >> - Updated cover letter as per Mimi's feedback. >> - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use >> default timeout value if chip reports it as zero) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved call to tpm2_get_pcr_allocation to Patch 2 >> - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection >> and moved the struct to before tpm2_get_pcr_allocation() >> - Fixed code formatting >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Included Jarkkos' feedbacks >> - Updated commit msg to mention dependency on CRYPTO_HASH_INFO >> - Renamed struct tpmt_hash to struct tpm2_digest >> - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts >> count and digests list as two separate arguments. Added check for >> count of hashes passed. >> - Cleaned up struct tpm2_pcr_extend_in as not required anymore with >> use of tpm_buf >> - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as >> it is the only function using it for now. >> - Fixed code formatting >> >> Changelog v3: >> - Rebased to the Jarkko's latest master branch (8e25809 tpm: >> Do not print an error message when doing TPM auto startup) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Removed getcap_in, getcap_out and used tpm_buf for getting >> capability. >> - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included >> other feedbacks. >> - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" >> - Fixed kbuild errors >> - Fixed buf.data uninitialized warning. >> - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. >> >> Changelog v2: >> >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - defined structs definition in tpm2-cmd.c. >> - no_of_active_banks field is removed. Instead, constant >> TPM2_MAX_PCR_BANKS is defined. >> - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() >> - removed generic function tpm2_get_capability(). >> >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Removed tpm2.h, and defined structs common for extend and event log >> in tpm_eventlog.h >> - uses tpm_buf in tpm2_pcr_extend(). >> >> Nayna Jain (2): >> tpm: implement TPM 2.0 capability to get active PCR banks >> tpm: enhance TPM 2.0 PCR extend to support multiple banks >> >> drivers/char/tpm/Kconfig | 1 + >> drivers/char/tpm/tpm-interface.c | 15 +++- >> drivers/char/tpm/tpm.h | 8 ++- >> drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- >> drivers/char/tpm/tpm_eventlog.h | 7 ++ >> 5 files changed, 137 insertions(+), 44 deletions(-) >> >> -- >> 2.5.0 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html > ^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks @ 2017-01-27 17:24 ` Nayna 0 siblings, 0 replies; 32+ messages in thread From: Nayna @ 2017-01-27 17:24 UTC (permalink / raw) To: Jarkko Sakkinen Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, linux-security-module-u79uwXL29TY76Z2rM5mHXA, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote: >> IMA extends its hash measurements in the TPM PCRs, based on policy. >> The existing in-kernel TPM extend function extends only the SHA1 >> PCR bank. TPM 2.0 defines multiple PCR banks, to support different >> hash algorithms. The TCG TPM 2.0 Specification[1] recommends >> extending all active PCR banks to prevent malicious users from >> setting unused PCR banks with fake measurements and quoting them. >> This patch set adds support for extending all active PCR banks, >> as recommended. >> >> The first patch implements the TPM 2.0 capability to retrieve >> the list of active PCR banks. >> >> The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() >> interface to support extending multiple PCR banks. The existing >> tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to >> extend all active PCR banks with differing digest sizes for TPM 2.0, >> the SHA1 digest is padded with 0's as needed. >> >> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific >> Platform Firmware Profile for TPM 2.0" > > I pushed these patches. I had to resolve merge conflicts caused > by the min_rsp_body_length parameter in tpm_transmit_cmd. Can you > verify that I didn't break anything? > Thanks Jarkko !! Yes, it looks fine, also tested with it. Just to understand..in tpm2_get_pcr_allocation(), how did you decide min_rsp_body_length to be 9. If I understood correctly, I think it is the size after header, till last fixed parameter i.e. till count. Is the assumption is that count can be zero, such that there is no active bank for PCR and so no struct tpm2_pcr_selection ? Thanks & Regards, - Nayna > /Jarkko > >> >> Changelog v6: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Fixed the regression - missing tpm_buf_destroy() in >> in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing. >> - Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm. >> >> Changelog v5: >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved variable declaration to start of function in >> tpm_pcr_extend() >> >> >> Changelog v4: >> - Updated cover letter as per Mimi's feedback. >> - Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use >> default timeout value if chip reports it as zero) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Moved call to tpm2_get_pcr_allocation to Patch 2 >> - Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection >> and moved the struct to before tpm2_get_pcr_allocation() >> - Fixed code formatting >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Included Jarkkos' feedbacks >> - Updated commit msg to mention dependency on CRYPTO_HASH_INFO >> - Renamed struct tpmt_hash to struct tpm2_digest >> - Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts >> count and digests list as two separate arguments. Added check for >> count of hashes passed. >> - Cleaned up struct tpm2_pcr_extend_in as not required anymore with >> use of tpm_buf >> - Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as >> it is the only function using it for now. >> - Fixed code formatting >> >> Changelog v3: >> - Rebased to the Jarkko's latest master branch (8e25809 tpm: >> Do not print an error message when doing TPM auto startup) >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - Included Jarkko's feedbacks >> - Removed getcap_in, getcap_out and used tpm_buf for getting >> capability. >> - Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included >> other feedbacks. >> - Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks" >> - Fixed kbuild errors >> - Fixed buf.data uninitialized warning. >> - Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig. >> >> Changelog v2: >> >> - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" >> - defined structs definition in tpm2-cmd.c. >> - no_of_active_banks field is removed. Instead, constant >> TPM2_MAX_PCR_BANKS is defined. >> - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() >> - removed generic function tpm2_get_capability(). >> >> - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" >> - Removed tpm2.h, and defined structs common for extend and event log >> in tpm_eventlog.h >> - uses tpm_buf in tpm2_pcr_extend(). >> >> Nayna Jain (2): >> tpm: implement TPM 2.0 capability to get active PCR banks >> tpm: enhance TPM 2.0 PCR extend to support multiple banks >> >> drivers/char/tpm/Kconfig | 1 + >> drivers/char/tpm/tpm-interface.c | 15 +++- >> drivers/char/tpm/tpm.h | 8 ++- >> drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++----------- >> drivers/char/tpm/tpm_eventlog.h | 7 ++ >> 5 files changed, 137 insertions(+), 44 deletions(-) >> >> -- >> 2.5.0 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in >> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ^ permalink raw reply [flat|nested] 32+ messages in thread
end of thread, other threads:[~2017-01-29 15:19 UTC | newest] Thread overview: 32+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-01-20 17:05 [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks Nayna Jain 2017-01-20 17:05 ` Nayna Jain 2017-01-20 17:05 ` [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active " Nayna Jain 2017-01-20 17:05 ` Nayna Jain 2017-01-26 12:23 ` [tpmdd-devel] " Stefan Berger 2017-01-27 6:30 ` Jarkko Sakkinen 2017-01-20 17:05 ` [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks Nayna Jain 2017-01-20 17:05 ` Nayna Jain 2017-01-23 15:19 ` Jarkko Sakkinen 2017-01-23 15:19 ` Jarkko Sakkinen 2017-01-23 16:41 ` Nayna 2017-01-24 11:59 ` Jarkko Sakkinen 2017-01-24 13:04 ` Nayna 2017-01-24 13:04 ` Nayna 2017-01-25 19:49 ` Jarkko Sakkinen 2017-01-25 19:49 ` Jarkko Sakkinen 2017-01-20 20:51 ` [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks Jarkko Sakkinen 2017-01-20 20:51 ` Jarkko Sakkinen 2017-01-25 20:45 ` Jarkko Sakkinen 2017-01-25 20:45 ` Jarkko Sakkinen 2017-01-25 21:08 ` [tpmdd-devel] " Stefan Berger 2017-01-25 22:04 ` Jarkko Sakkinen 2017-01-25 22:52 ` Jarkko Sakkinen 2017-01-25 22:57 ` Jarkko Sakkinen 2017-01-25 23:33 ` Jarkko Sakkinen 2017-01-26 14:34 ` Nayna 2017-01-27 17:23 ` Nayna 2017-01-27 17:23 ` Nayna 2017-01-29 15:19 ` Jarkko Sakkinen 2017-01-29 15:19 ` Jarkko Sakkinen 2017-01-27 17:24 ` Nayna 2017-01-27 17:24 ` Nayna
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.