From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
dhowells@redhat.com, James.Bottomley@HansenPartnership.com
Cc: zohar@linux.ibm.com, david.safford@ge.com, monty.wiseman@ge.com,
matthewgarrett@google.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
silviu.vlasceanu@huawei.com
Subject: Re: [PATCH v8 6/7] KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()
Date: Tue, 29 Jan 2019 22:43:07 +0200 [thread overview]
Message-ID: <20190129204307.GE11615@linux.intel.com> (raw)
In-Reply-To: <20190124154910.29948-7-roberto.sassu@huawei.com>
On Thu, Jan 24, 2019 at 04:49:09PM +0100, Roberto Sassu wrote:
> When crypto agility support will be added to the TPM driver, users of the
> driver have to retrieve the allocated banks from chip->allocated_banks and
> use this information to prepare the array of tpm_digest structures to be
> passed to tpm_pcr_extend().
>
> This patch retrieves a tpm_chip pointer from tpm_default_chip() so that the
> pointer can be used to prepare the array of tpm_digest structures.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> security/keys/trusted.c | 38 ++++++++++++++++++++++++--------------
> 1 file changed, 24 insertions(+), 14 deletions(-)
>
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 4d98f4f87236..1a20a9692fef 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -34,6 +34,7 @@
>
> static const char hmac_alg[] = "hmac(sha1)";
> static const char hash_alg[] = "sha1";
> +static struct tpm_chip *chip;
>
> struct sdesc {
> struct shash_desc shash;
> @@ -362,7 +363,7 @@ int trusted_tpm_send(unsigned char *cmd, size_t buflen)
> int rc;
>
> dump_tpm_buf(cmd);
> - rc = tpm_send(NULL, cmd, buflen);
> + rc = tpm_send(chip, cmd, buflen);
> dump_tpm_buf(cmd);
> if (rc > 0)
> /* Can't return positive return codes values to keyctl */
> @@ -384,10 +385,10 @@ static int pcrlock(const int pcrnum)
>
> if (!capable(CAP_SYS_ADMIN))
> return -EPERM;
> - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
> + ret = tpm_get_random(chip, hash, SHA1_DIGEST_SIZE);
> if (ret != SHA1_DIGEST_SIZE)
> return ret;
> - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
> + return tpm_pcr_extend(chip, pcrnum, hash) ? -EINVAL : 0;
> }
>
> /*
> @@ -400,7 +401,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
> unsigned char ononce[TPM_NONCE_SIZE];
> int ret;
>
> - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
> + ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE)
> return ret;
>
> @@ -496,7 +497,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
> if (ret < 0)
> goto out;
>
> - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
> + ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE)
> goto out;
> ordinal = htonl(TPM_ORD_SEAL);
> @@ -606,7 +607,7 @@ static int tpm_unseal(struct tpm_buf *tb,
>
> ordinal = htonl(TPM_ORD_UNSEAL);
> keyhndl = htonl(SRKHANDLE);
> - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
> + ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE) {
> pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
> return ret;
> @@ -751,7 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
> int i;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(chip);
> if (tpm2 < 0)
> return tpm2;
>
> @@ -920,7 +921,7 @@ static struct trusted_key_options *trusted_options_alloc(void)
> struct trusted_key_options *options;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(chip);
> if (tpm2 < 0)
> return NULL;
>
> @@ -970,7 +971,7 @@ static int trusted_instantiate(struct key *key,
> size_t key_len;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(chip);
> if (tpm2 < 0)
> return tpm2;
>
> @@ -1011,7 +1012,7 @@ static int trusted_instantiate(struct key *key,
> switch (key_cmd) {
> case Opt_load:
> if (tpm2)
> - ret = tpm_unseal_trusted(NULL, payload, options);
> + ret = tpm_unseal_trusted(chip, payload, options);
> else
> ret = key_unseal(payload, options);
> dump_payload(payload);
> @@ -1021,13 +1022,13 @@ static int trusted_instantiate(struct key *key,
> break;
> case Opt_new:
> key_len = payload->key_len;
> - ret = tpm_get_random(NULL, payload->key, key_len);
> + ret = tpm_get_random(chip, payload->key, key_len);
> if (ret != key_len) {
> pr_info("trusted_key: key_create failed (%d)\n", ret);
> goto out;
> }
> if (tpm2)
> - ret = tpm_seal_trusted(NULL, payload, options);
> + ret = tpm_seal_trusted(chip, payload, options);
> else
> ret = key_seal(payload, options);
> if (ret < 0)
> @@ -1225,17 +1226,26 @@ static int __init init_trusted(void)
> {
> int ret;
>
> + chip = tpm_default_chip();
> + if (!chip)
> + return -ENOENT;
> ret = trusted_shash_alloc();
> if (ret < 0)
> - return ret;
> + goto out_put;
> ret = register_key_type(&key_type_trusted);
> if (ret < 0)
> - trusted_shash_release();
> + goto out_release;
> + return 0;
> +out_release:
> + trusted_shash_release();
> +out_put:
> + put_device(&chip->dev);
> return ret;
> }
Since the labels are *only* used for exception fallbacks, I'd prefer
err_release and err_put.
Other than that, LGTM.
Unrelated side-note: I think the TPM subsystem starts to be soon in a
shape that TPM 2.0 trusted keys code could be eventually moved to
security/keys/trusted2.c, and TPM 1.2 trusted keys code could start to
use tpm_buf to build its commands.
/Jarkko
next prev parent reply other threads:[~2019-01-29 20:43 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-24 15:49 [PATCH v8 0/7] tpm: retrieve digest size of unknown algorithms from TPM Roberto Sassu
2019-01-24 15:49 ` [PATCH v8 1/7] tpm: dynamically allocate the allocated_banks array Roberto Sassu
2019-01-29 19:29 ` Jarkko Sakkinen
2019-01-30 7:52 ` Roberto Sassu
2019-01-30 12:01 ` Jarkko Sakkinen
2019-01-24 15:49 ` [PATCH v8 2/7] tpm: add _head suffix to tcg_efi_specid_event and tcg_pcr_event2 Roberto Sassu
2019-01-29 19:37 ` Jarkko Sakkinen
2019-01-24 15:49 ` [PATCH v8 3/7] tpm: rename and export tpm2_digest and tpm2_algorithms Roberto Sassu
2019-01-24 15:49 ` [PATCH v8 4/7] tpm: retrieve digest size of unknown algorithms with PCR read Roberto Sassu
2019-01-29 20:14 ` Jarkko Sakkinen
2019-01-24 15:49 ` [PATCH v8 5/7] tpm: move tpm_chip definition to include/linux/tpm.h Roberto Sassu
2019-01-29 20:34 ` Jarkko Sakkinen
2019-01-31 7:54 ` Roberto Sassu
2019-01-31 16:05 ` Jarkko Sakkinen
2019-01-24 15:49 ` [PATCH v8 6/7] KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip() Roberto Sassu
2019-01-29 20:43 ` Jarkko Sakkinen [this message]
2019-01-24 15:49 ` [PATCH v8 7/7] tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend() Roberto Sassu
2019-01-29 21:02 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190129204307.GE11615@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=david.safford@ge.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=monty.wiseman@ge.com \
--cc=roberto.sassu@huawei.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).