* [PATCH v2] tpm: add longer timeouts for creation commands.
@ 2018-01-28 8:17 Tomas Winkler
2018-02-06 20:06 ` Jarkko Sakkinen
0 siblings, 1 reply; 3+ messages in thread
From: Tomas Winkler @ 2018-01-28 8:17 UTC (permalink / raw)
To: Jarkko Sakkinen, Jason Gunthorpe
Cc: Alexander Usyskin, linux-integrity, linux-security-module,
linux-kernel, Tomas Winkler
TPM2_CC_Create(0x153) and TPM2_CC_CreatePrimary (0x131) involve generation
of crypto keys which can be a computationally intensive task.
The timeout is set to 3min.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
---
V2: resent
drivers/char/tpm/tpm-interface.c | 4 ++++
drivers/char/tpm/tpm.h | 27 ++++++++++++++++-----------
drivers/char/tpm/tpm2-cmd.c | 8 +++++---
3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 0c493f885a9e..e9488aa43959 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -673,6 +673,10 @@ int tpm_get_timeouts(struct tpm_chip *chip)
msecs_to_jiffies(TPM2_DURATION_MEDIUM);
chip->duration[TPM_LONG] =
msecs_to_jiffies(TPM2_DURATION_LONG);
+ chip->duration[TPM_LONG_LONG] =
+ msecs_to_jiffies(TPM2_DURATION_LONG_LONG);
+ chip->duration[TPM_UNDEFINED] =
+ msecs_to_jiffies(TPM2_DURATION_DEFAULT);
chip->flags |= TPM_CHIP_FLAG_HAVE_TIMEOUTS;
return 0;
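Review bot: the two new slots, duration[TPM_LONG_LONG] and duration[TPM_UNDEFINED], are filled here only from TPM2_ constants, just before this branch of tpm_get_timeouts() returns, and the patch shows no other writer. Any path that populates chip->duration[] differently would leave both at 0, so please confirm every such path sets them, or state in the commit message that the new durations are TPM 2.0 only.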
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index f895fba4e20d..192ba68b39c2 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -67,7 +67,9 @@ enum tpm_duration {
TPM_SHORT = 0,
TPM_MEDIUM = 1,
TPM_LONG = 2,
- TPM_UNDEFINED,
+ TPM_LONG_LONG = 3,
+ TPM_UNDEFINED = 4,
+ TPM_DURATION_MAX,
};
#define TPM_WARN_RETRY 0x800
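Review bot: TPM_UNDEFINED changes value from 3 to 4 in this enum and, with the tpm-interface.c hunk, becomes a real index into chip->duration[] that holds the default duration. The name still reads as a sentinel, so any existing comparison against TPM_UNDEFINED, or any loop that assumed three duration slots, needs an audit. Consider a comment that TPM_DURATION_MAX must stay last and that the slot at TPM_UNDEFINED carries the default.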
@@ -79,15 +81,17 @@ enum tpm_duration {
#define TPM_HEADER_SIZE 10
enum tpm2_const {
- TPM2_PLATFORM_PCR = 24,
- TPM2_PCR_SELECT_MIN = ((TPM2_PLATFORM_PCR + 7) / 8),
- TPM2_TIMEOUT_A = 750,
- TPM2_TIMEOUT_B = 2000,
- TPM2_TIMEOUT_C = 200,
- TPM2_TIMEOUT_D = 30,
- TPM2_DURATION_SHORT = 20,
- TPM2_DURATION_MEDIUM = 750,
- TPM2_DURATION_LONG = 2000,
+ TPM2_PLATFORM_PCR = 24,
+ TPM2_PCR_SELECT_MIN = ((TPM2_PLATFORM_PCR + 7) / 8),
+ TPM2_TIMEOUT_A = 750,
+ TPM2_TIMEOUT_B = 2000,
+ TPM2_TIMEOUT_C = 200,
+ TPM2_TIMEOUT_D = 30,
+ TPM2_DURATION_SHORT = 20,
+ TPM2_DURATION_MEDIUM = 750,
+ TPM2_DURATION_LONG = 2000,
+ TPM2_DURATION_LONG_LONG = 300000,
+ TPM2_DURATION_DEFAULT = 120000,
};
enum tpm2_structures {
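Review bot: TPM2_DURATION_LONG_LONG = 300000 is in milliseconds (it is passed to msecs_to_jiffies() in tpm-interface.c), which is 5 minutes, while the commit message says "The timeout is set to 3min." One of the two needs correcting, and the chosen value needs a cited source or measurement next to it. Separately, re-indenting the nine existing constants hides the two real additions; drop the whitespace change or split it into its own patch.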
@@ -123,6 +127,7 @@ enum tpm2_algorithms {
enum tpm2_command_codes {
TPM2_CC_FIRST = 0x011F,
+ TPM2_CC_CREATE_PRIMARY = 0x0131,
TPM2_CC_SELF_TEST = 0x0143,
TPM2_CC_STARTUP = 0x0144,
TPM2_CC_SHUTDOWN = 0x0145,
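Review bot: TPM2_CC_CREATE_PRIMARY = 0x0131 is added here but none of the hunks in this patch reference it. The tpm2_ordinal_duration[] entries are selected by position and labelled only with the "/* 131 */" and "/* 153 */" comments. Either use the constant (for example in those table comments) or leave it out until something needs it.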
@@ -227,7 +232,7 @@ struct tpm_chip {
unsigned long timeout_c; /* jiffies */
unsigned long timeout_d; /* jiffies */
bool timeout_adjusted;
- unsigned long duration[3]; /* jiffies */
+ unsigned long duration[TPM_DURATION_MAX]; /* jiffies */
bool duration_adjusted;
struct dentry *bios_dir[TPM_NUM_EVENT_LOG_FILES];
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index c17e75348a99..aaa17e982b37 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -90,6 +90,8 @@ static struct tpm2_hash tpm2_hash_map[] = {
* of time the chip could take to return the result. The values
* of the SHORT, MEDIUM, and LONG durations are taken from the
* PC Client Profile (PTP) specification.
+ * LONG_LONG is for commands that generates keys which empirically
+ * takes longer time on some systems.
*/
static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = {
TPM_UNDEFINED, /* 11F */
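Review bot: the added comment lines need a grammar fix ("commands that generate keys, which empirically take longer on some systems") and, more importantly, they give no basis for the number. SHORT, MEDIUM and LONG are attributed to the PTP specification in the lines just above; LONG_LONG should say where its value comes from, such as which devices were measured, so a later reader can judge whether it still applies.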
@@ -110,7 +112,7 @@ static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = {
TPM_UNDEFINED, /* 12e */
TPM_UNDEFINED, /* 12f */
TPM_UNDEFINED, /* 130 */
- TPM_UNDEFINED, /* 131 */
+ TPM_LONG_LONG, /* 131 */
TPM_UNDEFINED, /* 132 */
TPM_UNDEFINED, /* 133 */
TPM_UNDEFINED, /* 134 */
@@ -144,7 +146,7 @@ static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = {
TPM_UNDEFINED, /* 150 */
TPM_UNDEFINED, /* 151 */
TPM_UNDEFINED, /* 152 */
- TPM_UNDEFINED, /* 153 */
+ TPM_LONG_LONG, /* 153 */
TPM_UNDEFINED, /* 154 */
TPM_UNDEFINED, /* 155 */
TPM_UNDEFINED, /* 156 */
@@ -817,7 +819,7 @@ unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal)
duration = chip->duration[index];
if (duration <= 0)
- duration = 2 * 60 * HZ;
+ duration = msecs_to_jiffies(TPM2_DURATION_DEFAULT);
return duration;
}
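Review bot: chip->duration[] is declared unsigned long in tpm.h, so the "duration <= 0" test here can only ever mean "== 0". With duration[TPM_UNDEFINED] now preloaded with TPM2_DURATION_DEFAULT in tpm_get_timeouts(), the default is encoded in two places and this fallback is reached only when a slot was never filled. Write the test as "if (!duration)" and add a short comment saying when that can happen, or remove the fallback if it cannot.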
--
2.14.3
* Re: [PATCH v2] tpm: add longer timeouts for creation commands.
From: Jarkko Sakkinen @ 2018-02-06 20:06 UTC (permalink / raw)
To: Tomas Winkler
Cc: Jason Gunthorpe, Alexander Usyskin, linux-integrity,
linux-security-module, linux-kernel
On Sun, Jan 28, 2018 at 10:17:39AM +0200, Tomas Winkler wrote:
> TPM2_CC_Create(0x153) and TPM2_CC_CreatePrimary (0x131) involve generation
> of crypto keys which can be a computationally intensive task.
> The timeout is set to 3min.
>
> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
This is still NAK because we need some kind of reference for the new
value. Is that also the right value for ARM64/TrustZone based TPMs?
/Jarkko
* RE: [PATCH v2] tpm: add longer timeouts for creation commands.
From: Winkler, Tomas @ 2018-02-06 20:51 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Jason Gunthorpe, Usyskin, Alexander, linux-integrity,
linux-security-module, linux-kernel
>
> On Sun, Jan 28, 2018 at 10:17:39AM +0200, Tomas Winkler wrote:
> > TPM2_CC_Create(0x153) and TPM2_CC_CreatePrimary (0x131) involve
> > generation of crypto keys which can be a computationally intensive task.
> > The timeout is set to 3min.
> >
> > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
>
> This is still NAK because we need some kind of reference for the new value.
> Is that also the right value for ARM64/TrustZone based TPMs?
The SPEC itself doesn't define the timeout, except for specific commands;
also the current 'undefined' number is born in air. I wonder if you can provide the reference as well.
If I suggested shortening the number, that would maybe be a problem for other implementations,
but I don't see how the increase in timeout is adverse to other implementations.
Key generation is a computationally intensive task because of the generation of a prime number, so this is really
dependent on device capabilities, so there is no better source of definition than the HW itself.
Thanks
Tomas