* [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM is inactive or deactivated
       [not found] <cover.1608019826.git.chenshan@hygon.cn>
@ 2020-12-15  8:29 ` Shan
  2020-12-15  9:24   ` Greg KH
  2020-12-15  8:29 ` [PATCH AliOS 4.19 v3 12/15] KEYS: trusted: correctly initialize digests and fix locking issue Shan
  1 sibling, 1 reply; 4+ messages in thread
From: Shan @ 2020-12-15  8:29 UTC
  To: alikernel-developer
  Cc: Roberto Sassu, mayuanchen, fenghao, yingzhiwei, stable, Jarkko Sakkinen, Shan

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 2d6c25215ab26bb009de3575faab7b685f138e92 upstream.

Commit c78719203fc6 ("KEYS: trusted: allow trusted.ko to initialize w/o a
TPM") allows the trusted module to be loaded even if a TPM is not found, to
avoid module dependency problems.

However, trusted module initialization can still fail if the TPM is
inactive or deactivated. tpm_get_random() returns an error.

This patch removes the call to tpm_get_random() and instead extends the PCR
specified by the user with zeros. The security of this alternative is
equivalent to the previous one, as either option prevents with a PCR update
unsealing and misuse of sealed data by a user space process.

Even if a PCR is extended with zeros, instead of random data, it is still
computationally infeasible to find a value as input for a new PCR extend
operation, to obtain again the PCR value that would allow unsealing.

Cc: stable@vger.kernel.org
Fixes: 240730437deb ("KEYS: trusted: explicitly use tpm_chip structure...")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Signed-off-by: mayuanchen <mayuanchen@hygon.cn>
Change-Id: Iada0e052c2ab4a0fbc2db4ac2690da3115d985c6
Signed-off-by: Shan <chenshan@hygon.cn> --- security/keys/trusted.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 5e983eb9a..b03525d0f 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -1216,24 +1216,11 @@ static int __init trusted_shash_alloc(void) static int __init init_digests(void) { - u8 digest[TPM_MAX_DIGEST_SIZE]; - int ret; - int i; - - ret = tpm_get_random(chip, digest, TPM_MAX_DIGEST_SIZE); - if (ret < 0) - return ret; - if (ret < TPM_MAX_DIGEST_SIZE) - return -EFAULT; - digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), GFP_KERNEL); if (!digests) return -ENOMEM; - for (i = 0; i < chip->nr_allocated_banks; i++) - memcpy(digests[i].digest, digest, TPM_MAX_DIGEST_SIZE); - return 0; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
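Review bot: in init_digests() the digest bytes that are later extended into the PCR are now simply what kcalloc() leaves behind, i.e. zeros, and nothing in the remaining function body says that this is deliberate. A short comment above the kcalloc() call stating that the all-zero digest is intended (the commit message carries the reasoning) would keep a later reader from treating it as a missing initialization.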
* Re: [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM is inactive or deactivated
  2020-12-15  8:29 ` [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM is inactive or deactivated Shan
@ 2020-12-15  9:24   ` Greg KH
  2020-12-15  9:35     ` Re: " Shan Chen
  0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2020-12-15  9:24 UTC
  To: Shan
  Cc: alikernel-developer, Roberto Sassu, mayuanchen, fenghao, yingzhiwei, stable, Jarkko Sakkinen

On Tue, Dec 15, 2020 at 04:29:18PM +0800, Shan wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> commit 2d6c25215ab26bb009de3575faab7b685f138e92 upstream.
>
> Commit c78719203fc6 ("KEYS: trusted: allow trusted.ko to initialize w/o a
> TPM") allows the trusted module to be loaded even if a TPM is not found, to
> avoid module dependency problems.
>
> However, trusted module initialization can still fail if the TPM is
> inactive or deactivated. tpm_get_random() returns an error.
>
> This patch removes the call to tpm_get_random() and instead extends the PCR
> specified by the user with zeros. The security of this alternative is
> equivalent to the previous one, as either option prevents with a PCR update
> unsealing and misuse of sealed data by a user space process.
>
> Even if a PCR is extended with zeros, instead of random data, it is still
> computationally infeasible to find a value as input for a new PCR extend
> operation, to obtain again the PCR value that would allow unsealing.
>
> Cc: stable@vger.kernel.org
> Fixes: 240730437deb ("KEYS: trusted: explicitly use tpm_chip structure...")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
>
> Signed-off-by: mayuanchen <mayuanchen@hygon.cn>
> Change-Id: Iada0e052c2ab4a0fbc2db4ac2690da3115d985c6
> Signed-off-by: Shan <chenshan@hygon.cn>
> ---
>  security/keys/trusted.c | 13 -------------
>  1 file changed, 13 deletions(-)

Why is this being sent to the stable list? Do you want this backported to
4.19.y? If so, why, and what is the change-id stuff in there for?

confused,

greg k-h
* Re: [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM is inactive or deactivated
  2020-12-15  9:24   ` Greg KH
@ 2020-12-15  9:35     ` Shan Chen
  0 siblings, 0 replies; 4+ messages in thread
From: Shan Chen @ 2020-12-15  9:35 UTC
  To: Greg KH
  Cc: alikernel-developer, Roberto Sassu, Yuanchen Ma, Hao Feng, Zhiwei Ying, stable, Jarkko Sakkinen, Shan Chen

-Shan

> -----Original Message-----
> From: Greg KH [mailto:gregkh@linuxfoundation.org]
> Sent: December 15, 2020 17:24
> To: Shan Chen <chenshan@hygon.cn>
> Cc: alikernel-developer@linux.alibaba.com; Roberto Sassu
> <roberto.sassu@huawei.com>; Yuanchen Ma <mayuanchen@hygon.cn>; Hao
> Feng <fenghao@hygon.cn>; Zhiwei Ying <yingzhiwei@hygon.cn>;
> stable@vger.kernel.org; Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Subject: Re: [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM
> is inactive or deactivated
>
> On Tue, Dec 15, 2020 at 04:29:18PM +0800, Shan wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > commit 2d6c25215ab26bb009de3575faab7b685f138e92 upstream.
> >
> > Commit c78719203fc6 ("KEYS: trusted: allow trusted.ko to initialize
> > w/o a
> > TPM") allows the trusted module to be loaded even if a TPM is not
> > found, to avoid module dependency problems.
> >
> > However, trusted module initialization can still fail if the TPM is
> > inactive or deactivated. tpm_get_random() returns an error.
> >
> > This patch removes the call to tpm_get_random() and instead extends
> > the PCR specified by the user with zeros. The security of this
> > alternative is equivalent to the previous one, as either option
> > prevents with a PCR update unsealing and misuse of sealed data by a user
> space process.
> >
> > Even if a PCR is extended with zeros, instead of random data, it is
> > still computationally infeasible to find a value as input for a new
> > PCR extend operation, to obtain again the PCR value that would allow
> unsealing.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 240730437deb ("KEYS: trusted: explicitly use tpm_chip
> > structure...")
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> >
> > Signed-off-by: mayuanchen <mayuanchen@hygon.cn>
> > Change-Id: Iada0e052c2ab4a0fbc2db4ac2690da3115d985c6
> > Signed-off-by: Shan <chenshan@hygon.cn>
> > ---
> >  security/keys/trusted.c | 13 -------------
> >  1 file changed, 13 deletions(-)
>
> Why is this being sent to the stable list? Do you want this backported to
> 4.19.y? If so, why, and what is the change-id stuff in there for?
>
> confused,
>
> greg k-h

Sorry for the disturbance, it's not meant for the kernel community.
We're backporting this commit for some private usage, and carelessly sent out
this mail as git send-email automatically cc'ed the sob listed addresses.
Have had the cc suppressed. pls ignore.

Thanks!
Shan
* [PATCH AliOS 4.19 v3 12/15] KEYS: trusted: correctly initialize digests and fix locking issue
       [not found] <cover.1608019826.git.chenshan@hygon.cn>
  2020-12-15  8:29 ` [PATCH AliOS 4.19 v3 11/15] KEYS: trusted: allow module init if TPM is inactive or deactivated Shan
@ 2020-12-15  8:29 ` Shan
  1 sibling, 0 replies; 4+ messages in thread
From: Shan @ 2020-12-15  8:29 UTC
  To: alikernel-developer
  Cc: Roberto Sassu, mayuanchen, fenghao, yingzhiwei, stable, Jarkko Sakkinen, Shan

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 9f75c82246313d4c2a6bc77e947b45655b3b5ad5 upstream.

Commit 0b6cf6b97b7e ("tpm: pass an array of tpm_extend_digest structures to
tpm_pcr_extend()") modifies tpm_pcr_extend() to accept a digest for each
PCR bank. After modification, tpm_pcr_extend() expects that digests are
passed in the same order as the algorithms set in chip->allocated_banks.

This patch fixes two issues introduced in the last iterations of the patch
set: missing initialization of the TPM algorithm ID in the tpm_digest
structures passed to tpm_pcr_extend() by the trusted key module, and
unreleased locks in the TPM driver due to returning from tpm_pcr_extend()
without calling tpm_put_ops().

Cc: stable@vger.kernel.org
Fixes: 0b6cf6b97b7e ("tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Suggested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Signed-off-by: mayuanchen <mayuanchen@hygon.cn>
Change-Id: If1f7d414bcf2d8189d07623fea04d0b5db7060d8
Signed-off-by: Shan <chenshan@hygon.cn>
---
 drivers/char/tpm/tpm-interface.c | 14 +++++++++-----
 security/keys/trusted.c          |  5 +++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 46e0882d6..d0303d298 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -1057,18 +1057,22 @@ int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, if (!chip) return -ENODEV; - for (i = 0; i < chip->nr_allocated_banks; i++) - if (digests[i].alg_id != chip->allocated_banks[i].alg_id) - return -EINVAL; + for (i = 0; i < chip->nr_allocated_banks; i++) { + if (digests[i].alg_id != chip->allocated_banks[i].alg_id) { + rc = EINVAL; + goto out; + } + } if (chip->flags & TPM_CHIP_FLAG_TPM2) { rc = tpm2_pcr_extend(chip, pcr_idx, digests); - tpm_put_ops(chip); - return rc; + goto out; } rc = tpm1_pcr_extend(chip, pcr_idx, digests[0].digest, "attempting extend a PCR value"); + +out: tpm_put_ops(chip); return rc; } diff --git a/security/keys/trusted.c b/security/keys/trusted.c index b03525d0f..536970168 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -1216,11 +1216,16 @@ static int __init trusted_shash_alloc(void) static int __init init_digests(void) { + int i; + digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests), GFP_KERNEL); if (!digests) return -ENOMEM; + for (i = 0; i < chip->nr_allocated_banks; i++) + digests[i].alg_id = chip->allocated_banks[i].alg_id; + return 0; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
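Review bot: in the tpm_pcr_extend() hunk the algorithm-mismatch branch sets `rc = EINVAL;`, a positive value, where the line it replaces returned `-EINVAL`. Through the shared `out:` label the function then returns 22 after tpm_put_ops(), which a caller testing for a negative return would take as success. Suggest `rc = -EINVAL;`.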
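Review bot: in the init_digests() hunk the new loop fills only `digests[i].alg_id`, in the order of `chip->allocated_banks`, which is the order the tpm_pcr_extend() check in this same patch compares index by index. A one-line comment above the loop naming that ordering requirement would make the dependency between the two files visible to whoever next touches either side.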
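The PCR argument in the 11/15 commit message and the bank-order check touched in 12/15, as an added Python model that is not part of the thread or of the kernel source. `Chip`, `init_digests()`, `pcr_extend()` and `demo()` are constructed stand-ins (kernel function names are reused only for orientation), and the boot measurement is made-up sample data.

```python
import hashlib

EINVAL = 22  # errno value, returned negated as kernel code does


class Chip:
    """Constructed model of one PCR index across several banks (not a kernel API)."""
    def __init__(self, algs):
        self.allocated_banks = list(algs)  # bank order is significant
        # A PCR starts as all zeros, one value per bank.
        self.pcr = {a: bytes(hashlib.new(a).digest_size) for a in algs}


def init_digests(chip):
    """One all-zero digest per bank, tagged with that bank's algorithm."""
    return [(a, bytes(hashlib.new(a).digest_size)) for a in chip.allocated_banks]


def pcr_extend(chip, digests):
    """Per bank: PCR_new = H(PCR_old || digest). Digests must follow bank order."""
    if [a for a, _ in digests] != chip.allocated_banks:
        return -EINVAL
    for alg, value in digests:
        chip.pcr[alg] = hashlib.new(alg, chip.pcr[alg] + value).digest()
    return 0


def demo():
    chip = Chip(["sha1", "sha256"])
    # Constructed measurement that brings the PCR to the state data is sealed to.
    boot = [(a, hashlib.new(a, b"constructed boot measurement").digest())
            for a in chip.allocated_banks]
    assert pcr_extend(chip, boot) == 0
    sealed_to = dict(chip.pcr)        # PCR value required for unsealing
    zeros = init_digests(chip)
    rc = pcr_extend(chip, zeros)      # the zero extend described in 11/15
    locked = chip.pcr != sealed_to    # the PCR no longer matches, unsealing is refused
    # Spot check, not a proof: 10,000 further zero extends do not bring the
    # PCR back to the sealed value.
    returned = False
    for _ in range(10000):
        pcr_extend(chip, zeros)
        returned = returned or chip.pcr == sealed_to
    wrong_order = pcr_extend(chip, list(reversed(zeros)))  # bank order violated
    return rc, locked, returned, wrong_order


if __name__ == "__main__":
    print(demo())
```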