From: "Serge E. Hallyn" <serge@hallyn.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: linux-integrity@vger.kernel.org,
James Bottomley <jejb@linux.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v5 8/8] KEYS: trusted: tpm2: Use struct tpm_buf for sized buffers
Date: Mon, 27 Nov 2023 21:48:02 -0600 [thread overview]
Message-ID: <20231128034802.GA33794@mail.hallyn.com> (raw)
In-Reply-To: <20231121223130.30824-9-jarkko@kernel.org>
On Wed, Nov 22, 2023 at 12:31:20AM +0200, Jarkko Sakkinen wrote:
> Take advantage of the new sized buffer (TPM2B) mode of struct tpm_buf in
> tpm2_seal_trusted(). This allows to add robustness to the command
> construction without requiring to calculate buffer sizes manually.
>
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> ---
> v3 [2023-11-21]: A boundary error check as response for the feeedback
> from Mario Limenciello:
> https://lore.kernel.org/linux-integrity/3f9086f6-935f-48a7-889b-c71398422fa1@amd.com/
> v2: Use tpm_buf_read_*
> ---
> security/keys/trusted-keys/trusted_tpm2.c | 54 +++++++++++++----------
> 1 file changed, 31 insertions(+), 23 deletions(-)
>
> diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
> index bc700f85f80b..97b1dfca2dba 100644
> --- a/security/keys/trusted-keys/trusted_tpm2.c
> +++ b/security/keys/trusted-keys/trusted_tpm2.c
> @@ -228,8 +228,9 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> struct trusted_key_payload *payload,
> struct trusted_key_options *options)
> {
> + off_t offset = TPM_HEADER_SIZE;
> + struct tpm_buf buf, sized;
> int blob_len = 0;
> - struct tpm_buf buf;
> u32 hash;
> u32 flags;
> int i;
> @@ -258,6 +259,14 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> return rc;
> }
>
> + rc = tpm_buf_init_sized(&sized);
> + if (rc) {
> + tpm_buf_destroy(&buf);
It won't really hurt, but at the moment if tpm_buf_init_sized() returns
non-zero, then it must be returning -ENOMEM, and tpm_buf_destroy(&buf)
is not needed, right?
> + tpm_put_ops(chip);
> + return rc;
> + }
> +
> + tpm_buf_reset(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
> tpm_buf_append_u32(&buf, options->keyhandle);
> tpm2_buf_append_auth(&buf, TPM2_RS_PW,
> NULL /* nonce */, 0,
> @@ -266,36 +275,36 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> TPM_DIGEST_SIZE);
>
> /* sensitive */
> - tpm_buf_append_u16(&buf, 4 + options->blobauth_len + payload->key_len);
> + tpm_buf_append_u16(&sized, options->blobauth_len);
>
> - tpm_buf_append_u16(&buf, options->blobauth_len);
> if (options->blobauth_len)
> - tpm_buf_append(&buf, options->blobauth, options->blobauth_len);
> + tpm_buf_append(&sized, options->blobauth, options->blobauth_len);
>
> - tpm_buf_append_u16(&buf, payload->key_len);
> - tpm_buf_append(&buf, payload->key, payload->key_len);
> + tpm_buf_append_u16(&sized, payload->key_len);
> + tpm_buf_append(&sized, payload->key, payload->key_len);
> + tpm_buf_append(&buf, sized.data, sized.length);
>
> /* public */
> - tpm_buf_append_u16(&buf, 14 + options->policydigest_len);
> - tpm_buf_append_u16(&buf, TPM_ALG_KEYEDHASH);
> - tpm_buf_append_u16(&buf, hash);
> + tpm_buf_reset_sized(&sized);
> + tpm_buf_append_u16(&sized, TPM_ALG_KEYEDHASH);
> + tpm_buf_append_u16(&sized, hash);
>
> /* key properties */
> flags = 0;
> flags |= options->policydigest_len ? 0 : TPM2_OA_USER_WITH_AUTH;
> - flags |= payload->migratable ? 0 : (TPM2_OA_FIXED_TPM |
> - TPM2_OA_FIXED_PARENT);
> - tpm_buf_append_u32(&buf, flags);
> + flags |= payload->migratable ? 0 : (TPM2_OA_FIXED_TPM | TPM2_OA_FIXED_PARENT);
> + tpm_buf_append_u32(&sized, flags);
>
> /* policy */
> - tpm_buf_append_u16(&buf, options->policydigest_len);
> + tpm_buf_append_u16(&sized, options->policydigest_len);
> if (options->policydigest_len)
> - tpm_buf_append(&buf, options->policydigest,
> - options->policydigest_len);
> + tpm_buf_append(&sized, options->policydigest, options->policydigest_len);
>
> /* public parameters */
> - tpm_buf_append_u16(&buf, TPM_ALG_NULL);
> - tpm_buf_append_u16(&buf, 0);
> + tpm_buf_append_u16(&sized, TPM_ALG_NULL);
> + tpm_buf_append_u16(&sized, 0);
> +
> + tpm_buf_append(&buf, sized.data, sized.length);
>
> /* outside info */
> tpm_buf_append_u16(&buf, 0);
> @@ -312,21 +321,20 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> if (rc)
> goto out;
>
> - blob_len = be32_to_cpup((__be32 *) &buf.data[TPM_HEADER_SIZE]);
> - if (blob_len > MAX_BLOB_SIZE) {
> + blob_len = tpm_buf_read_u32(&buf, &offset);
> + if (blob_len > MAX_BLOB_SIZE || buf.flags & TPM_BUF_BOUNDARY_ERROR) {
> rc = -E2BIG;
> goto out;
> }
> - if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 4 + blob_len) {
> + if (buf.length - offset < blob_len) {
> rc = -EFAULT;
> goto out;
> }
>
> - blob_len = tpm2_key_encode(payload, options,
> - &buf.data[TPM_HEADER_SIZE + 4],
> - blob_len);
> + blob_len = tpm2_key_encode(payload, options, &buf.data[offset], blob_len);
>
> out:
> + tpm_buf_destroy(&sized);
> tpm_buf_destroy(&buf);
>
> if (rc > 0) {
> --
> 2.42.1
next prev parent reply other threads:[~2023-11-28 3:48 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-21 22:31 [PATCH v5 0/8] Extend struct tpm_buf to support sized buffers (TPM2B) Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 1/8] tpm: Remove unused tpm_buf_tag() Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 2/8] tpm: Remove tpm_send() Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 3/8] tpm: Move buffer handling from static inlines to real functions Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 4/8] tpm: Update &tpm_buf documentation Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 5/8] tpm: Store the length of the tpm_buf data separately Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 6/8] tpm: TPM2B formatted buffers Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 7/8] tpm: Add tpm_buf_read_{u8,u16,u32} Jarkko Sakkinen
2023-11-21 22:31 ` [PATCH v5 8/8] KEYS: trusted: tpm2: Use struct tpm_buf for sized buffers Jarkko Sakkinen
2023-11-28 3:48 ` Serge E. Hallyn [this message]
2023-11-28 12:24 ` James Bottomley
2023-11-28 14:34 ` Serge E. Hallyn
2023-11-28 14:37 ` James Bottomley
2023-12-04 4:03 ` Jarkko Sakkinen
2023-11-28 14:42 ` [PATCH v5 0/8] Extend struct tpm_buf to support sized buffers (TPM2B) Serge E. Hallyn
2023-12-04 4:06 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231128034802.GA33794@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.