From: Nayna <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [PATCH v3 3/7] tpm: Validate the eventlog access before tpm_bios_log_setup
Date: Fri, 9 Sep 2016 22:54:25 +0530
Message-ID: <57D2F049.4040707@linux.vnet.ibm.com>
In-Reply-To: <20160830175213.GC6373-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
On 08/30/2016 11:22 PM, Jason Gunthorpe wrote:
> On Tue, Aug 30, 2016 at 12:50:15AM -0400, Nayna Jain wrote:
>> @@ -382,6 +370,8 @@ int tpm_chip_register(struct tpm_chip *chip)
>> return rc;
>> }
>>
>> + tpm_bios_log_setup(chip);
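Review bot: the status of `tpm_bios_log_setup(chip)` is discarded here, and the function is declared `void` in the later hunk, so a failed securityfs_create_dir() or an -ENOMEM from read_log() is invisible to tpm_chip_register() and its caller, unlike the `return rc;` path just above it. Make tpm_bios_log_setup() return int and propagate the error, or, if a missing platform log is to be tolerated, have it return 0 for "no log present" and an error only for genuine failures so the caller can tell the two apart.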
>
> Surely this can fail, right? At least if the security fs setup fails
> this should propagate that error.
What action do we want to take if it fails to do bios_log_setup?
I have done all other fixes; I am just not sure that if we propagate this
error, will it mean that tpm_chip_register (where this function is
called) should fail? Or is it just error logging on failure of
bios_log_setup?
>
> That is a mistake in an earlier patch now that I think about it..
>>
>> /* malloc EventLog space */
>> - log->bios_event_log = kmalloc(len, GFP_KERNEL);
>> - if (!log->bios_event_log) {
>> + chip->log.bios_event_log = kmalloc(len, GFP_KERNEL);
>> + if (!chip->log.bios_event_log) {
>> printk("%s: ERROR - Not enough Memory for BIOS measurements\n",
>> __func__);
>
> Please delete all prints on kmalloc failure, maybe as another patch.
>
>> return -ENOMEM;
>> }
>>
>> - log->bios_event_log_end = log->bios_event_log + len;
>> + chip->log.bios_event_log_end = chip->log.bios_event_log + len;
>>
>> virt = acpi_os_map_iomem(start, len);
>> if (!virt) {
>> - kfree(log->bios_event_log);
>> + kfree(chip->log.bios_event_log);
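Review bot: the acpi_os_map_iomem() failure path frees `chip->log.bios_event_log` but leaves that pointer and `chip->log.bios_event_log_end` set in `chip->log`, which, now that the log has moved from the local `log` into the chip, outlives this function; anything that later looks at chip->log (teardown included) sees a freed pointer. Set the pointer to NULL after the kfree, or better, restructure the function as a `goto out_free` unwind with one cleanup block at the end so every error path clears the same state. The printk on kmalloc failure has no KERN_ level and the allocator already warns on failure, so it can be dropped.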
>
> It would also be nice to see this written in the standard
> goto-unwind idiom.
>
>> static const struct file_operations tpm_bios_measurements_ops = {
>> @@ -372,12 +352,18 @@ static int is_bad(void *p)
>> void tpm_bios_log_setup(struct tpm_chip *chip)
>> {
>> const char *name = dev_name(&chip->dev);
>> + int rc = 0;
>> +
>> + rc = read_log(chip);
>> + if (rc < 0)
>> + return;
>>
>> chip->bios_dir_count = 0;
>> chip->bios_dir[chip->bios_dir_count] = securityfs_create_dir(name,
>> NULL);
>> if (is_bad(chip->bios_dir[chip->bios_dir_count]))
>> goto err;
>> + chip->bios_dir[chip->bios_dir_count]->d_inode->i_private =
>> chip;
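Review bot: `chip->bios_dir[chip->bios_dir_count]->d_inode->i_private = chip;` is assigned after securityfs_create_dir() has returned, i.e. after the dentry is already visible, so the store is not atomic with a concurrent open() and it lands on the directory rather than on the measurement files that will dereference it. Pass the chip through the `data` argument of securityfs_create_file() instead (it is stored in inode->i_private before the dentry is linked) and read it back in open(); since an open file can outlive securityfs_remove(), open() must also take a reference on `chip->dev` that release() drops, and the kfree of the log buffer then belongs in the chip release function rather than in teardown. Minor: `int rc = 0;` is overwritten on the next line, and the bare `return` on read_log() failure gives the caller no way to distinguish "no event log on this platform" from -ENOMEM.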
>
> Hum.
>
> So I don't know if this is right. You should get someone more familiar
> with securityfs to double check it. I see apparmorfs.c doing a similar
> approach, so that would be a good starting place to copy. Notice how
> it uses aa_get_(x)
>
> Still, I wonder if that is even right, is securityfs_remove() really a
> strong fence against open? I guess the inode locking is doing that?
>
> This also means that the file can remain held open in userspace
> *after* securityfs_remove returns, so the filp must hold a kref on the
> chip as well.
>
> At a minimum you need to do something like this:
>
> Create:
>
> chip->sfs_data_bin.chip = chip;
> chip->sfs_data_bin.ops = &tpm_binary_b_measurments_seqops;
> securityfs_create_file(...,&chip->sfs_data_bin)
>
> It must be done like that to be atomic with open, create two new
> members of chip to hold a struct to pass through as the private
> data. Do not use the dentry private.
>
> Open:
> chip = (struct tpm_chip *)inode->i_private;
> dev_get(&chip->dev);
> seq_open(..)
> seq->private = chip;
>
> Release:
> dev_put(&((struct tpm_chip *)seq->private)->dev);
>
> Teardown
> the kfree needs to move to the chip release function.
>
>> ifdef CONFIG_ACPI
>> - tpm-y += tpm_eventlog.o tpm_acpi.o
>> + tpm-y += tpm_acpi.o
>> else
>> -ifdef CONFIG_TCG_IBMVTPM
>> - tpm-y += tpm_eventlog.o tpm_of.o
>> +ifdef CONFIG_OF
>> + tpm-y += tpm_of.o
>> endif
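Review bot: with `ifdef CONFIG_ACPI ... else ifdef CONFIG_OF`, a kernel that enables both (arm64 configurations commonly do) never builds tpm_of.o, so an OF-described TPM on such a kernel gets no event log at all; building the two independently with `tpm-$(CONFIG_ACPI) += tpm_acpi.o` and `tpm-$(CONFIG_OF) += tpm_of.o` avoids that, provided read_log() tries the ACPI and OF sources in order as patch 4/7 intends. Dropping tpm_eventlog.o from both branches is only correct if it is added back unconditionally somewhere, which nothing in this hunk shows; as the reply notes, this change belongs in the patch that makes read_log() check ACPI/OF sequentially.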
>
> This is too early in the patch series. This change needs to go into
> 'Redefine the read_log method to check for ACPI/OF properties
> sequentially'
>
>> -#if defined(CONFIG_TCG_IBMVTPM) || defined(CONFIG_TCG_IBMVTPM_MODULE) || \
>> - defined(CONFIG_ACPI)
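Review bot: removing the `#if defined(CONFIG_TCG_IBMVTPM) ... defined(CONFIG_ACPI)` guard makes the event-log declarations unconditional, so on a configuration with neither ACPI nor OF the callers of tpm_bios_log_setup()/read_log() only link if a stub, or a read_log() that returns an error, exists for that case; that stub should land in the same patch as the Makefile change above, not in this one.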
>
> Ditto
>
> Regarding Jarkko's comment,
>
> Yes, move the check for TPM2 into both of the read_log() - do not
> allow TPM2 to read the log until you patch the OF stuff to support the
> TPM2 log format.
>
> Jason
>
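The open/release reference-counting that Jason sketches above, written out as an added userland model. This is not kernel code and is not part of the patch series: `chip_put()` stands in for put_device() on chip->dev together with the chip release function, `sfs_create_file()`/`sfs_remove()` for securityfs_create_file()/securityfs_remove(), `struct sfs_data` for the per-file private data (his `sfs_data_bin`) handed over at create time, and the event-log bytes are constructed. It shows why the private data must be attached at create time, why open() must pin the chip, and why the log can only be freed from the release function: the file is removed and the driver's reference dropped while userspace still holds it open, and the read still sees intact data.

```c
/*
 * Added example, not kernel code and not from the patch series: a userland model
 * of the lifetime rules in the reply above. chip_put() stands in for put_device()
 * plus the chip release function; sfs_* for the securityfs calls; struct sfs_data
 * for the private data passed at create time. The event log bytes are constructed.
 */
#include <stdlib.h>
#include <string.h>

struct tpm_chip {
	int refcount;		/* models the kref behind chip->dev */
	char *bios_event_log;	/* models chip->log.bios_event_log; NULL once released */
	size_t log_len;
};
struct sfs_data { struct tpm_chip *chip; };	/* kept in inode->i_private */
struct sfs_file { struct sfs_data *i_private; int removed; };
struct open_file { struct tpm_chip *chip; };	/* what seq->private holds */

/* put_device() plus chip release: the only place the log is freed. */
static void chip_put(struct tpm_chip *chip)
{
	if (--chip->refcount)
		return;
	free(chip->bios_event_log);
	chip->bios_event_log = NULL;
}

/* create attaches data before the file is visible; remove refuses new opens only. */
static void sfs_create_file(struct sfs_file *f, struct sfs_data *data)
{
	f->i_private = data;
	f->removed = 0;
}
static void sfs_remove(struct sfs_file *f)
{
	f->removed = 1;
	f->i_private = NULL;
}

/* open(): resolve the chip through i_private and take a reference on it. */
static struct open_file *log_open(struct sfs_file *f)
{
	struct open_file *of = NULL;

	if (!f->removed && f->i_private && (of = calloc(1, sizeof(*of)))) {
		of->chip = f->i_private->chip;
		of->chip->refcount++;		/* get_device(&chip->dev) */
	}
	return of;
}

/* read(): the open() reference keeps chip->bios_event_log valid here. */
static size_t log_read(struct open_file *of, char *buf, size_t n)
{
	struct tpm_chip *chip = of->chip;

	if (!chip->bios_event_log)
		return 0;
	if (n > chip->log_len)
		n = chip->log_len;
	memcpy(buf, chip->bios_event_log, n);
	return n;
}

/* release(): drop the open() reference; frees the log if it was the last. */
static void log_release(struct open_file *of)
{
	chip_put(of->chip);
	free(of);
}

/* Register, open the log, unregister while still open, then read and close.
 * Returns 1 if the read saw intact data, a new open was refused after remove,
 * and the log was freed only at close. */
int open_file_outlives_remove(void)
{
	static const char sample[] = "constructed-event-log";	/* constructed */
	struct tpm_chip chip = { .refcount = 1 };	/* driver's own reference */
	struct sfs_data data = { .chip = &chip };
	struct sfs_file file;
	struct open_file *of;
	char buf[64];
	int ok;

	chip.log_len = sizeof(sample) - 1;
	chip.bios_event_log = malloc(chip.log_len);
	if (!chip.bios_event_log)
		return 0;
	memcpy(chip.bios_event_log, sample, chip.log_len);

	sfs_create_file(&file, &data);
	of = log_open(&file);
	if (!of)
		return 0;

	sfs_remove(&file);		/* teardown: unlink the file ... */
	chip_put(&chip);		/* ... and drop the driver's reference */
	ok = chip.bios_event_log != NULL && log_open(&file) == NULL;
	ok = ok && log_read(of, buf, sizeof(buf)) == chip.log_len &&
	     memcmp(buf, sample, chip.log_len) == 0;

	log_release(of);		/* last reference: log freed here */
	return ok && chip.bios_event_log == NULL;
}
```

The model deliberately has no way to set i_private after creation: that is the point of passing the chip through the create call rather than poking `d_inode->i_private` afterwards, since there is no window in which an open() can observe a NULL pointer.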
Thread overview (37+ messages):
2016-08-30 4:50 [PATCH v3 0/7] tpm: TPM2.0 eventlog securityfs support Nayna Jain
2016-08-30 4:50 ` [PATCH v3 1/7] tpm: Define a generic open() method for ascii & bios measurements Nayna Jain
2016-08-30 7:49 ` Jarkko Sakkinen
2016-08-30 17:03 ` Jason Gunthorpe
2016-08-31 19:09 ` Nayna
2016-08-30 4:50 ` [PATCH v3 2/7] tpm: Replace the dynamically allocated bios_dir as struct dentry array Nayna Jain
2016-08-30 8:05 ` Jarkko Sakkinen
2016-08-30 17:11 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 3/7] tpm: Validate the eventlog access before tpm_bios_log_setup Nayna Jain
2016-08-30 8:15 ` Jarkko Sakkinen
2016-08-30 17:52 ` Jason Gunthorpe
2016-09-09 17:24 ` Nayna [this message]
2016-09-09 17:28 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 4/7] tpm: Redefine the read_log method to check for ACPI/OF properties sequentially Nayna Jain
2016-08-30 17:54 ` Jason Gunthorpe
2016-08-31 19:09 ` Nayna
2016-09-06 19:47 ` Jason Gunthorpe
2016-09-06 20:08 ` Peter Huewe
2016-08-30 4:50 ` [PATCH v3 5/7] tpm: Replace the of_find_node_by_name() with dev of_node property Nayna Jain
2016-08-30 17:55 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 6/7] tpm: Moves the eventlog init functions to tpm_eventlog_init.c Nayna Jain
2016-08-30 8:18 ` Jarkko Sakkinen
2016-08-30 4:50 ` [PATCH v3 7/7] tpm: Adds securityfs support for TPM2.0 eventlog Nayna Jain
2016-08-30 8:21 ` Jarkko Sakkinen
2016-08-30 17:59 ` Jason Gunthorpe
2016-08-30 7:10 ` [PATCH v3 0/7] tpm: TPM2.0 eventlog securityfs support Jarkko Sakkinen
2016-08-31 17:56 ` Nayna
2016-09-01 13:45 ` Jarkko Sakkinen
2016-09-01 14:52 ` Jarkko Sakkinen
2016-09-28 8:49 ` Nayna
2016-09-30 19:27 ` Jarkko Sakkinen
2016-09-01 16:51 ` Jason Gunthorpe
2016-08-30 10:16 ` Jarkko Sakkinen
2016-08-30 16:16 ` Jarkko Sakkinen
2016-09-19 14:50 ` Stefan Berger
2016-09-20 10:04 ` Jarkko Sakkinen
2016-09-20 12:27 ` Stefan Berger