kernel/drivers/char/tpm, branch linux-5.1.y

tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations

2019-07-14T06:09:47Z

commit db4d8cb9c9f2af71c4d087817160d866ed572cc9 upstream. TPM 2.0 Shutdown involve sending TPM2_Shutdown to TPM chip and disabling future TPM operations. TPM 1.2 behavior was different, future TPM operations weren't disabled, causing rare issues. This patch ensures that future TPM operations are disabled. Fixes: d1bd4a792d39 ("tpm: Issue a TPM2_Shutdown for TPM2 devices.") Cc: stable@vger.kernel.org Signed-off-by: Vadim Sukhomlinov [dianders: resolved merge conflicts with mainline] Signed-off-by: Douglas Anderson Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman

tpm: Actually fail on TPM errors during "get random"

2019-07-14T06:09:47Z

commit 782779b60faa2fc7ff609ac8ef938260fd792c0f upstream. A "get random" may fail with a TPM error, but those codes were returned as-is to the caller, which assumed the result was the number of bytes that had been written to the target buffer, which could lead to a kernel heap memory exposure and over-read. This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as before. [ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get random [ 18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)! Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989 Reported-by: Phil Baker Reported-by: Craig Robson Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure") Cc: Laura Abbott Cc: Tomas Winkler Cc: Jarkko Sakkinen Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Tomas Winkler Tested-by: Bartosz Szczepanek Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman

tpm: Fix the type of the return value in calc_tpm2_event_size()

2019-04-08T22:58:54Z

calc_tpm2_event_size() has an invalid signature because it returns a 'size_t' where as its signature says that it returns 'int'. Cc: Fixes: 4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log") Suggested-by: Jarkko Sakkinen Signed-off-by: Yue Haibing Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris

tpm: fix an invalid condition in tpm_common_poll

2019-04-08T22:58:53Z

The poll condition should only check response_length, because reads should only be issued if there is data to read. The response_read flag only prevents double writes. The problem was that the write set the response_read to false, enqued a tpm job, and returned. Then application called poll which checked the response_read flag and returned EPOLLIN. Then the application called read, but got nothing. After all that the async_work kicked in. Added also mutex_lock around the poll check to prevent other possible race conditions. Fixes: 9488585b21bef0df12 ("tpm: add support for partial reads") Reported-by: Mantas Mikulėnas Tested-by: Mantas Mikulėnas Signed-off-by: Tadeusz Struk Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris

tpm: turn on TPM on suspend for TPM 1.x

2019-04-08T22:58:52Z

tpm_chip_start/stop() should be also called for TPM 1.x devices on suspend. Add that functionality back. Do not lock the chip because it is unnecessary as there are no multiple threads using it when doing the suspend. Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") Reported-by: Paul Zimmerman Signed-off-by: Jarkko Sakkinen Tested-by: Domenico Andreoli Signed-off-by: James Morris

tpm/ppi: Enable submission of optional command parameter for PPI 1.3

2019-02-13T07:48:53Z

This patch enables a user to specify the additional optional command parameter by writing it into the request file: # echo "23 16" > request # cat request 23 16 For backwards compatibility: If only 1 parameter is given then we assume this is the operation request number. # echo "5" > request # cat request 5 Signed-off-by: Stefan Berger Tested-by: David Safford Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

tpm/ppi: Possibly show command parameter if TPM PPI 1.3 is used

2019-02-13T07:48:53Z

TPM PPI 1.3 introduces an additional optional command parameter that may be needed for some commands. Display the parameter if the command requires such a parameter. Only command 23 needs one. The PPI request file will show output like this then: # echo "23 16" > request # cat request 23 16 # echo "5" > request # cat request 5 Signed-off-by: Stefan Berger Tested-by: David Safford Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

tpm/ppi: Display up to 101 operations as define for version 1.3

2019-02-13T07:48:53Z

TPM PPI 1.3 defines operations up to number 101. We need to query up to this number to show the user what the firmware implements. Signed-off-by: Stefan Berger Tested-by: David Safford Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

tpm/ppi: rename TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1

2019-02-13T07:48:52Z

TPM PPI 1.3 introduces a function revision 2 for some functions. So, rename the existing TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1. Signed-off-by: Stefan Berger Tested-by: David Safford Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

tpm/ppi: pass function revision ID to tpm_eval_dsm()

2019-02-13T07:48:52Z

Since we will need to pass different function revision numbers to tpm_eval_dsm, convert this function now to take the function revision as an additional parameter. Signed-off-by: Stefan Berger Tested-by: David Safford Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen