* Re: [PATCH] tpm: fix tpm disabling if NULL name changes
From: Jarkko Sakkinen @ 2026-03-23 5:36 UTC (permalink / raw)
To: James Bottomley; +Cc: linux-integrity
In-Reply-To: <e12b2c091d85ae6bb1f54133c7d4727770f1ee9f.camel@HansenPartnership.com>
On Fri, Mar 13, 2026 at 10:31:03AM -0400, James Bottomley wrote:
> There's a logic error in the earlier fix which means that if the NULL
> name comparison fails, the tpm isn't disabled because rc remains zero.
> Fix this by setting it to an error.
>
> Cc: stable@vger.kernel.org # 6.12
> Fixes: cc7d8594342a ("tpm: Rollback tpm2_load_null()")
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> ---
>
> I didn't actually discover this problem until I was trying to do a
> reset attack demo with an updated kernel.
>
> drivers/char/tpm/tpm2-sessions.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-
> sessions.c
> index 3b1cf1ca0420..bd1c0456e775 100644
> --- a/drivers/char/tpm/tpm2-sessions.c
> +++ b/drivers/char/tpm/tpm2-sessions.c
> @@ -961,6 +961,7 @@ static int tpm2_load_null(struct tpm_chip *chip,
> u32 *null_key)
> /* Deduce from the name change TPM interference: */
> dev_err(&chip->dev, "null key integrity check failed\n");
> tpm2_flush_context(chip, tmp_null_key);
> + rc = -ENODEV;
>
> err:
> if (rc) {
> --
> 2.51.0
>
>
Possible to resend (fake ancestor)?
Other than that,
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 1/4] tpm: Initial step to reorganize TPM public headers
From: Jarkko Sakkinen @ 2026-03-23 5:39 UTC (permalink / raw)
To: Alec Brown
Cc: linux-kernel, linux-integrity, peterhuewe, jarkko.sakkinen, jgg,
ross.philipson, dpsmith, daniel.kiper, kanth.ghatraju,
trenchboot-devel, ardb
In-Reply-To: <20260317160613.2899129-2-alec.r.brown@oracle.com>
On Tue, Mar 17, 2026 at 04:03:32PM +0000, Alec Brown wrote:
> From: Ross Philipson <ross.philipson@oracle.com>
>
> From: Ross Philipson <ross.philipson@oracle.com>
nit: just fix this glitch please :-)
>
> Consolidate TPM1 constants in tpm_command.h and remove duplicate
> constants from tpm1-cmd.c.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
> Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
> ---
> drivers/char/tpm/tpm-buf.c | 1 -
> drivers/char/tpm/tpm1-cmd.c | 14 +-------
> include/keys/trusted_tpm.h | 1 -
> include/linux/tpm.h | 2 ++
> include/linux/tpm_command.h | 43 ++++++++++++++++-------
> security/keys/trusted-keys/trusted_tpm1.c | 1 -
> security/keys/trusted-keys/trusted_tpm2.c | 1 -
> 7 files changed, 33 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c
> index dc882fc9fa9e..4c4f450630df 100644
> --- a/drivers/char/tpm/tpm-buf.c
> +++ b/drivers/char/tpm/tpm-buf.c
> @@ -3,7 +3,6 @@
> * Handling of TPM command and other buffers.
> */
>
> -#include <linux/tpm_command.h>
> #include <linux/module.h>
> #include <linux/tpm.h>
>
> diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> index b49a790f1bd5..664ca1fff2e8 100644
> --- a/drivers/char/tpm/tpm1-cmd.c
> +++ b/drivers/char/tpm/tpm1-cmd.c
> @@ -22,8 +22,6 @@
>
> #include "tpm.h"
>
> -#define TPM_MAX_ORDINAL 243
> -
> /*
> * Array with one entry per ordinal defining the maximum amount
> * of time the chip could take to return the result. The ordinal
> @@ -308,9 +306,6 @@ unsigned long tpm1_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal)
> return duration;
> }
>
> -#define TPM_ORD_STARTUP 153
> -#define TPM_ST_CLEAR 1
> -
> /**
> * tpm1_startup() - turn on the TPM
> * @chip: TPM chip to use
> @@ -459,7 +454,6 @@ int tpm1_get_timeouts(struct tpm_chip *chip)
> return 0;
> }
>
> -#define TPM_ORD_PCR_EXTEND 20
> int tpm1_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash,
> const char *log_msg)
> {
> @@ -478,7 +472,6 @@ int tpm1_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash,
> return rc;
> }
>
> -#define TPM_ORD_GET_CAP 101
> ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> const char *desc, size_t min_cap_length)
> {
> @@ -511,7 +504,6 @@ ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> }
> EXPORT_SYMBOL_GPL(tpm1_getcap);
>
> -#define TPM_ORD_GET_RANDOM 70
> struct tpm1_get_random_out {
> __be32 rng_data_len;
> u8 rng_data[TPM_MAX_RNG_DATA];
> @@ -580,13 +572,12 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> return rc;
> }
>
> -#define TPM_ORD_PCRREAD 21
> int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
> {
> struct tpm_buf buf;
> int rc;
>
> - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCRREAD);
> + rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCR_READ);
> if (rc)
> return rc;
>
> @@ -609,7 +600,6 @@ int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
> return rc;
> }
>
> -#define TPM_ORD_CONTINUE_SELFTEST 83
> /**
> * tpm1_continue_selftest() - run TPM's selftest
> * @chip: TPM chip to use
> @@ -726,8 +716,6 @@ int tpm1_auto_startup(struct tpm_chip *chip)
> return rc;
> }
>
> -#define TPM_ORD_SAVESTATE 152
> -
> /**
> * tpm1_pm_suspend() - pm suspend handler
> * @chip: TPM chip to use.
> diff --git a/include/keys/trusted_tpm.h b/include/keys/trusted_tpm.h
> index 0fadc6a4f166..3a0fa3bc8454 100644
> --- a/include/keys/trusted_tpm.h
> +++ b/include/keys/trusted_tpm.h
> @@ -3,7 +3,6 @@
> #define __TRUSTED_TPM_H
>
> #include <keys/trusted-type.h>
> -#include <linux/tpm_command.h>
>
> extern struct trusted_key_ops trusted_key_tpm_ops;
>
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 202da079d500..18dcf0ef46f6 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -25,6 +25,8 @@
> #include <crypto/hash_info.h>
> #include <crypto/aes.h>
>
> +#include "tpm_command.h"
> +
> #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
>
> #define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
> index f5c03e9c3913..9a8991b8801d 100644
> --- a/include/linux/tpm_command.h
> +++ b/include/linux/tpm_command.h
> @@ -2,28 +2,45 @@
> #ifndef __LINUX_TPM_COMMAND_H__
> #define __LINUX_TPM_COMMAND_H__
>
> +/************************************************/
> +/* TPM 1 Family Chips */
> +/************************************************/
> +
> /*
> - * TPM Command constants from specifications at
> - * http://www.trustedcomputinggroup.org
> + * TPM 1.2 Main Specification
> + * https://trustedcomputinggroup.org/resource/tpm-main-specification/
> */
>
> +#define TPM_MAX_ORDINAL 243
> +
> /* Command TAGS */
> -#define TPM_TAG_RQU_COMMAND 193
> -#define TPM_TAG_RQU_AUTH1_COMMAND 194
> -#define TPM_TAG_RQU_AUTH2_COMMAND 195
> -#define TPM_TAG_RSP_COMMAND 196
> -#define TPM_TAG_RSP_AUTH1_COMMAND 197
> -#define TPM_TAG_RSP_AUTH2_COMMAND 198
> +enum tpm_command_tags {
> + TPM_TAG_RQU_COMMAND = 193,
> + TPM_TAG_RQU_AUTH1_COMMAND = 194,
> + TPM_TAG_RQU_AUTH2_COMMAND = 195,
> + TPM_TAG_RSP_COMMAND = 196,
> + TPM_TAG_RSP_AUTH1_COMMAND = 197,
> + TPM_TAG_RSP_AUTH2_COMMAND = 198,
> +};
>
> /* Command Ordinals */
> -#define TPM_ORD_GETRANDOM 70
> -#define TPM_ORD_OSAP 11
> -#define TPM_ORD_OIAP 10
> -#define TPM_ORD_SEAL 23
> -#define TPM_ORD_UNSEAL 24
> +enum tpm_command_ordinals {
> + TPM_ORD_CONTINUE_SELFTEST = 83,
> + TPM_ORD_GET_CAP = 101,
> + TPM_ORD_GET_RANDOM = 70,
> + TPM_ORD_PCR_EXTEND = 20,
> + TPM_ORD_PCR_READ = 21,
> + TPM_ORD_OSAP = 11,
> + TPM_ORD_OIAP = 10,
> + TPM_ORD_SAVESTATE = 152,
> + TPM_ORD_SEAL = 23,
> + TPM_ORD_STARTUP = 153,
> + TPM_ORD_UNSEAL = 24,
> +};
>
> /* Other constants */
> #define SRKHANDLE 0x40000000
> #define TPM_NONCE_SIZE 20
> +#define TPM_ST_CLEAR 1
>
> #endif
> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> index 636acb66a4f6..10f79a8c2d35 100644
> --- a/security/keys/trusted-keys/trusted_tpm1.c
> +++ b/security/keys/trusted-keys/trusted_tpm1.c
> @@ -17,7 +17,6 @@
> #include <keys/trusted-type.h>
> #include <linux/key-type.h>
> #include <linux/tpm.h>
> -#include <linux/tpm_command.h>
>
> #include <keys/trusted_tpm.h>
>
> diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
> index a7ea4a1c3bed..56eb8e20780a 100644
> --- a/security/keys/trusted-keys/trusted_tpm2.c
> +++ b/security/keys/trusted-keys/trusted_tpm2.c
> @@ -9,7 +9,6 @@
> #include <linux/string.h>
> #include <linux/err.h>
> #include <linux/tpm.h>
> -#include <linux/tpm_command.h>
>
> #include <keys/trusted-type.h>
> #include <keys/trusted_tpm.h>
> --
> 2.47.3
>
I need to compile and test these but yes agree with the idea.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 3/4] tpm: Move TPM2 specific definitions to the command header
From: Jarkko Sakkinen @ 2026-03-23 5:41 UTC (permalink / raw)
To: Alec Brown
Cc: linux-kernel, linux-integrity, peterhuewe, jarkko.sakkinen, jgg,
ross.philipson, dpsmith, daniel.kiper, kanth.ghatraju,
trenchboot-devel, ardb
In-Reply-To: <20260317160613.2899129-4-alec.r.brown@oracle.com>
On Tue, Mar 17, 2026 at 04:03:34PM +0000, Alec Brown wrote:
> From: Ross Philipson <ross.philipson@oracle.com>
>
> From: Ross Philipson <ross.philipson@oracle.com>
Address this for +1 version but hold on until I have time to test
this (next week latest), as that might generate some additional
feedback.
>
> Gather all the TPM2 definitions and structures in the internal header
> file drivers/char/tpm/tpm.h into the command header, including:
> - Command codes, return codes and definitions from the public and
> internal tpm.h files.
> - Structures defined in numerous TPM driver C modules.
>
> The definitions moved to these files correspond to the TCG specification
> for TPM 2 family:
>
> TPM 2.0 Library
> - https://trustedcomputinggroup.org/resource/tpm-library-specification/
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
> Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
> ---
> drivers/char/tpm/tpm.h | 77 ----------
> drivers/char/tpm/tpm2-cmd.c | 30 ----
> drivers/char/tpm/tpm2-space.c | 13 --
> include/linux/tpm.h | 145 ------------------
> include/linux/tpm_command.h | 273 ++++++++++++++++++++++++++++++++++
> 5 files changed, 273 insertions(+), 265 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index 1a9a46a921fe..147e57c0e7bb 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -51,83 +51,6 @@ enum tpm_addr {
> TPM_ADDR = 0x4E,
> };
>
> -/* TPM2 specific constants. */
> -#define TPM2_SPACE_BUFFER_SIZE 16384 /* 16 kB */
> -
> -enum tpm2_pt_props {
> - TPM2_PT_NONE = 0x00000000,
> - TPM2_PT_GROUP = 0x00000100,
> - TPM2_PT_FIXED = TPM2_PT_GROUP * 1,
> - TPM2_PT_FAMILY_INDICATOR = TPM2_PT_FIXED + 0,
> - TPM2_PT_LEVEL = TPM2_PT_FIXED + 1,
> - TPM2_PT_REVISION = TPM2_PT_FIXED + 2,
> - TPM2_PT_DAY_OF_YEAR = TPM2_PT_FIXED + 3,
> - TPM2_PT_YEAR = TPM2_PT_FIXED + 4,
> - TPM2_PT_MANUFACTURER = TPM2_PT_FIXED + 5,
> - TPM2_PT_VENDOR_STRING_1 = TPM2_PT_FIXED + 6,
> - TPM2_PT_VENDOR_STRING_2 = TPM2_PT_FIXED + 7,
> - TPM2_PT_VENDOR_STRING_3 = TPM2_PT_FIXED + 8,
> - TPM2_PT_VENDOR_STRING_4 = TPM2_PT_FIXED + 9,
> - TPM2_PT_VENDOR_TPM_TYPE = TPM2_PT_FIXED + 10,
> - TPM2_PT_FIRMWARE_VERSION_1 = TPM2_PT_FIXED + 11,
> - TPM2_PT_FIRMWARE_VERSION_2 = TPM2_PT_FIXED + 12,
> - TPM2_PT_INPUT_BUFFER = TPM2_PT_FIXED + 13,
> - TPM2_PT_HR_TRANSIENT_MIN = TPM2_PT_FIXED + 14,
> - TPM2_PT_HR_PERSISTENT_MIN = TPM2_PT_FIXED + 15,
> - TPM2_PT_HR_LOADED_MIN = TPM2_PT_FIXED + 16,
> - TPM2_PT_ACTIVE_SESSIONS_MAX = TPM2_PT_FIXED + 17,
> - TPM2_PT_PCR_COUNT = TPM2_PT_FIXED + 18,
> - TPM2_PT_PCR_SELECT_MIN = TPM2_PT_FIXED + 19,
> - TPM2_PT_CONTEXT_GAP_MAX = TPM2_PT_FIXED + 20,
> - TPM2_PT_NV_COUNTERS_MAX = TPM2_PT_FIXED + 22,
> - TPM2_PT_NV_INDEX_MAX = TPM2_PT_FIXED + 23,
> - TPM2_PT_MEMORY = TPM2_PT_FIXED + 24,
> - TPM2_PT_CLOCK_UPDATE = TPM2_PT_FIXED + 25,
> - TPM2_PT_CONTEXT_HASH = TPM2_PT_FIXED + 26,
> - TPM2_PT_CONTEXT_SYM = TPM2_PT_FIXED + 27,
> - TPM2_PT_CONTEXT_SYM_SIZE = TPM2_PT_FIXED + 28,
> - TPM2_PT_ORDERLY_COUNT = TPM2_PT_FIXED + 29,
> - TPM2_PT_MAX_COMMAND_SIZE = TPM2_PT_FIXED + 30,
> - TPM2_PT_MAX_RESPONSE_SIZE = TPM2_PT_FIXED + 31,
> - TPM2_PT_MAX_DIGEST = TPM2_PT_FIXED + 32,
> - TPM2_PT_MAX_OBJECT_CONTEXT = TPM2_PT_FIXED + 33,
> - TPM2_PT_MAX_SESSION_CONTEXT = TPM2_PT_FIXED + 34,
> - TPM2_PT_PS_FAMILY_INDICATOR = TPM2_PT_FIXED + 35,
> - TPM2_PT_PS_LEVEL = TPM2_PT_FIXED + 36,
> - TPM2_PT_PS_REVISION = TPM2_PT_FIXED + 37,
> - TPM2_PT_PS_DAY_OF_YEAR = TPM2_PT_FIXED + 38,
> - TPM2_PT_PS_YEAR = TPM2_PT_FIXED + 39,
> - TPM2_PT_SPLIT_MAX = TPM2_PT_FIXED + 40,
> - TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41,
> - TPM2_PT_LIBRARY_COMMANDS = TPM2_PT_FIXED + 42,
> - TPM2_PT_VENDOR_COMMANDS = TPM2_PT_FIXED + 43,
> - TPM2_PT_NV_BUFFER_MAX = TPM2_PT_FIXED + 44,
> - TPM2_PT_MODES = TPM2_PT_FIXED + 45,
> - TPM2_PT_MAX_CAP_BUFFER = TPM2_PT_FIXED + 46,
> - TPM2_PT_VAR = TPM2_PT_GROUP * 2,
> - TPM2_PT_PERMANENT = TPM2_PT_VAR + 0,
> - TPM2_PT_STARTUP_CLEAR = TPM2_PT_VAR + 1,
> - TPM2_PT_HR_NV_INDEX = TPM2_PT_VAR + 2,
> - TPM2_PT_HR_LOADED = TPM2_PT_VAR + 3,
> - TPM2_PT_HR_LOADED_AVAIL = TPM2_PT_VAR + 4,
> - TPM2_PT_HR_ACTIVE = TPM2_PT_VAR + 5,
> - TPM2_PT_HR_ACTIVE_AVAIL = TPM2_PT_VAR + 6,
> - TPM2_PT_HR_TRANSIENT_AVAIL = TPM2_PT_VAR + 7,
> - TPM2_PT_HR_PERSISTENT = TPM2_PT_VAR + 8,
> - TPM2_PT_HR_PERSISTENT_AVAIL = TPM2_PT_VAR + 9,
> - TPM2_PT_NV_COUNTERS = TPM2_PT_VAR + 10,
> - TPM2_PT_NV_COUNTERS_AVAIL = TPM2_PT_VAR + 11,
> - TPM2_PT_ALGORITHM_SET = TPM2_PT_VAR + 12,
> - TPM2_PT_LOADED_CURVES = TPM2_PT_VAR + 13,
> - TPM2_PT_LOCKOUT_COUNTER = TPM2_PT_VAR + 14,
> - TPM2_PT_MAX_AUTH_FAIL = TPM2_PT_VAR + 15,
> - TPM2_PT_LOCKOUT_INTERVAL = TPM2_PT_VAR + 16,
> - TPM2_PT_LOCKOUT_RECOVERY = TPM2_PT_VAR + 17,
> - TPM2_PT_NV_WRITE_RECOVERY = TPM2_PT_VAR + 18,
> - TPM2_PT_AUDIT_COUNTER_0 = TPM2_PT_VAR + 19,
> - TPM2_PT_AUDIT_COUNTER_1 = TPM2_PT_VAR + 20,
> -};
> -
> extern const struct class tpm_class;
> extern const struct class tpmrm_class;
> extern dev_t tpm_devt;
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 3a77be7ebf4a..1fa3e8a43c79 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -94,17 +94,6 @@ unsigned long tpm2_calc_ordinal_duration(u32 ordinal)
> return msecs_to_jiffies(TPM2_DURATION_DEFAULT);
> }
>
> -struct tpm2_pcr_read_out {
> - __be32 update_cnt;
> - __be32 pcr_selects_cnt;
> - __be16 hash_alg;
> - u8 pcr_select_size;
> - u8 pcr_select[TPM2_PCR_SELECT_MIN];
> - __be32 digests_cnt;
> - __be16 digest_size;
> - u8 digest[];
> -} __packed;
> -
> /**
> * tpm2_pcr_read() - read a PCR value
> * @chip: TPM chip to use.
> @@ -238,11 +227,6 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
> return rc;
> }
>
> -struct tpm2_get_random_out {
> - __be16 size;
> - u8 buffer[TPM_MAX_RNG_DATA];
> -} __packed;
> -
> /**
> * tpm2_get_random() - get random bytes from the TPM RNG
> *
> @@ -366,14 +350,6 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 handle)
> }
> EXPORT_SYMBOL_GPL(tpm2_flush_context);
>
> -struct tpm2_get_cap_out {
> - u8 more_data;
> - __be32 subcap_id;
> - __be32 property_cnt;
> - __be32 property_id;
> - __be32 value;
> -} __packed;
> -
> /**
> * tpm2_get_tpm_pt() - get value of a TPM_CAP_TPM_PROPERTIES type property
> * @chip: a &tpm_chip instance
> @@ -541,12 +517,6 @@ static int tpm2_init_bank_info(struct tpm_chip *chip, u32 bank_index)
> return tpm2_pcr_read(chip, 0, &digest, &bank->digest_size);
> }
>
> -struct tpm2_pcr_selection {
> - __be16 hash_alg;
> - u8 size_of_select;
> - u8 pcr_select[3];
> -} __packed;
> -
> ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> {
> struct tpm2_pcr_selection pcr_selection;
> diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
> index 60354cd53b5c..7c1c0a174a2b 100644
> --- a/drivers/char/tpm/tpm2-space.c
> +++ b/drivers/char/tpm/tpm2-space.c
> @@ -15,19 +15,6 @@
> #include <linux/unaligned.h>
> #include "tpm.h"
>
> -enum tpm2_handle_types {
> - TPM2_HT_HMAC_SESSION = 0x02000000,
> - TPM2_HT_POLICY_SESSION = 0x03000000,
> - TPM2_HT_TRANSIENT = 0x80000000,
> -};
> -
> -struct tpm2_context {
> - __be64 sequence;
> - __be32 saved_handle;
> - __be32 hierarchy;
> - __be16 blob_size;
> -} __packed;
> -
> static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space)
> {
> int i;
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 18dcf0ef46f6..92957452f7a7 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -38,12 +38,6 @@ struct trusted_key_options;
> /* opaque structure, holds auth session parameters like the session key */
> struct tpm2_auth;
>
> -enum tpm2_session_types {
> - TPM2_SE_HMAC = 0x00,
> - TPM2_SE_POLICY = 0x01,
> - TPM2_SE_TRIAL = 0x02,
> -};
> -
> /* if you add a new hash to this, increment TPM_MAX_HASHES below */
> enum tpm_algorithms {
> TPM_ALG_ERROR = 0x0000,
> @@ -65,11 +59,6 @@ enum tpm_algorithms {
> */
> #define TPM_MAX_HASHES 5
>
> -enum tpm2_curves {
> - TPM2_ECC_NONE = 0x0000,
> - TPM2_ECC_NIST_P256 = 0x0003,
> -};
> -
> struct tpm_digest {
> u16 alg_id;
> u8 digest[TPM2_MAX_DIGEST_SIZE];
> @@ -222,122 +211,11 @@ struct tpm_chip {
>
> #define TPM_HEADER_SIZE 10
>
> -enum tpm2_const {
> - TPM2_PLATFORM_PCR = 24,
> - TPM2_PCR_SELECT_MIN = ((TPM2_PLATFORM_PCR + 7) / 8),
> -};
> -
> -enum tpm2_timeouts {
> - TPM2_TIMEOUT_A = 750,
> - TPM2_TIMEOUT_B = 4000,
> - TPM2_TIMEOUT_C = 200,
> - TPM2_TIMEOUT_D = 30,
> -};
> -
> -enum tpm2_durations {
> - TPM2_DURATION_SHORT = 20,
> - TPM2_DURATION_LONG = 2000,
> - TPM2_DURATION_DEFAULT = 120000,
> -};
> -
> -enum tpm2_structures {
> - TPM2_ST_NO_SESSIONS = 0x8001,
> - TPM2_ST_SESSIONS = 0x8002,
> - TPM2_ST_CREATION = 0x8021,
> -};
> -
> -/* Indicates from what layer of the software stack the error comes from */
> -#define TSS2_RC_LAYER_SHIFT 16
> -#define TSS2_RESMGR_TPM_RC_LAYER (11 << TSS2_RC_LAYER_SHIFT)
> -
> -enum tpm2_return_codes {
> - TPM2_RC_SUCCESS = 0x0000,
> - TPM2_RC_HASH = 0x0083, /* RC_FMT1 */
> - TPM2_RC_HANDLE = 0x008B,
> - TPM2_RC_INTEGRITY = 0x009F,
> - TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */
> - TPM2_RC_FAILURE = 0x0101,
> - TPM2_RC_DISABLED = 0x0120,
> - TPM2_RC_UPGRADE = 0x012D,
> - TPM2_RC_COMMAND_CODE = 0x0143,
> - TPM2_RC_TESTING = 0x090A, /* RC_WARN */
> - TPM2_RC_REFERENCE_H0 = 0x0910,
> - TPM2_RC_RETRY = 0x0922,
> - TPM2_RC_SESSION_MEMORY = 0x0903,
> -};
> -
> -enum tpm2_command_codes {
> - TPM2_CC_FIRST = 0x011F,
> - TPM2_CC_HIERARCHY_CONTROL = 0x0121,
> - TPM2_CC_HIERARCHY_CHANGE_AUTH = 0x0129,
> - TPM2_CC_CREATE_PRIMARY = 0x0131,
> - TPM2_CC_SEQUENCE_COMPLETE = 0x013E,
> - TPM2_CC_SELF_TEST = 0x0143,
> - TPM2_CC_STARTUP = 0x0144,
> - TPM2_CC_SHUTDOWN = 0x0145,
> - TPM2_CC_NV_READ = 0x014E,
> - TPM2_CC_CREATE = 0x0153,
> - TPM2_CC_LOAD = 0x0157,
> - TPM2_CC_SEQUENCE_UPDATE = 0x015C,
> - TPM2_CC_UNSEAL = 0x015E,
> - TPM2_CC_CONTEXT_LOAD = 0x0161,
> - TPM2_CC_CONTEXT_SAVE = 0x0162,
> - TPM2_CC_FLUSH_CONTEXT = 0x0165,
> - TPM2_CC_READ_PUBLIC = 0x0173,
> - TPM2_CC_START_AUTH_SESS = 0x0176,
> - TPM2_CC_VERIFY_SIGNATURE = 0x0177,
> - TPM2_CC_GET_CAPABILITY = 0x017A,
> - TPM2_CC_GET_RANDOM = 0x017B,
> - TPM2_CC_PCR_READ = 0x017E,
> - TPM2_CC_PCR_EXTEND = 0x0182,
> - TPM2_CC_EVENT_SEQUENCE_COMPLETE = 0x0185,
> - TPM2_CC_HASH_SEQUENCE_START = 0x0186,
> - TPM2_CC_CREATE_LOADED = 0x0191,
> - TPM2_CC_LAST = 0x0193, /* Spec 1.36 */
> -};
> -
> -enum tpm2_permanent_handles {
> - TPM2_RH_NULL = 0x40000007,
> - TPM2_RS_PW = 0x40000009,
> -};
> -
> -/* Most Significant Octet for key types */
> -enum tpm2_mso_type {
> - TPM2_MSO_NVRAM = 0x01,
> - TPM2_MSO_SESSION = 0x02,
> - TPM2_MSO_POLICY = 0x03,
> - TPM2_MSO_PERMANENT = 0x40,
> - TPM2_MSO_VOLATILE = 0x80,
> - TPM2_MSO_PERSISTENT = 0x81,
> -};
> -
> static inline enum tpm2_mso_type tpm2_handle_mso(u32 handle)
> {
> return handle >> 24;
> }
>
> -enum tpm2_capabilities {
> - TPM2_CAP_HANDLES = 1,
> - TPM2_CAP_COMMANDS = 2,
> - TPM2_CAP_PCRS = 5,
> - TPM2_CAP_TPM_PROPERTIES = 6,
> -};
> -
> -enum tpm2_properties {
> - TPM_PT_TOTAL_COMMANDS = 0x0129,
> -};
> -
> -enum tpm2_startup_types {
> - TPM2_SU_CLEAR = 0x0000,
> - TPM2_SU_STATE = 0x0001,
> -};
> -
> -enum tpm2_cc_attrs {
> - TPM2_CC_ATTR_CHANDLES = 25,
> - TPM2_CC_ATTR_RHANDLE = 28,
> - TPM2_CC_ATTR_VENDOR = 29,
> -};
> -
> #define TPM_VID_INTEL 0x8086
> #define TPM_VID_WINBOND 0x1050
> #define TPM_VID_STM 0x104A
> @@ -389,29 +267,6 @@ struct tpm_buf {
> u8 handles;
> };
>
> -enum tpm2_object_attributes {
> - TPM2_OA_FIXED_TPM = BIT(1),
> - TPM2_OA_ST_CLEAR = BIT(2),
> - TPM2_OA_FIXED_PARENT = BIT(4),
> - TPM2_OA_SENSITIVE_DATA_ORIGIN = BIT(5),
> - TPM2_OA_USER_WITH_AUTH = BIT(6),
> - TPM2_OA_ADMIN_WITH_POLICY = BIT(7),
> - TPM2_OA_NO_DA = BIT(10),
> - TPM2_OA_ENCRYPTED_DUPLICATION = BIT(11),
> - TPM2_OA_RESTRICTED = BIT(16),
> - TPM2_OA_DECRYPT = BIT(17),
> - TPM2_OA_SIGN = BIT(18),
> -};
> -
> -enum tpm2_session_attributes {
> - TPM2_SA_CONTINUE_SESSION = BIT(0),
> - TPM2_SA_AUDIT_EXCLUSIVE = BIT(1),
> - TPM2_SA_AUDIT_RESET = BIT(3),
> - TPM2_SA_DECRYPT = BIT(5),
> - TPM2_SA_ENCRYPT = BIT(6),
> - TPM2_SA_AUDIT = BIT(7),
> -};
> -
> struct tpm2_hash {
> unsigned int crypto_id;
> unsigned int tpm_id;
> diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
> index 20b634591fb1..ee76fcd5ecef 100644
> --- a/include/linux/tpm_command.h
> +++ b/include/linux/tpm_command.h
> @@ -158,4 +158,277 @@ struct tpm1_get_random_out {
> #define TPM_NONCE_SIZE 20
> #define TPM_ST_CLEAR 1
>
> +/************************************************/
> +/* TPM 2 Family Chips */
> +/************************************************/
> +
> +/*
> + * TPM 2.0 Library
> + * https://trustedcomputinggroup.org/resource/tpm-library-specification/
> + */
> +
> +/* TPM2 specific constants. */
> +#define TPM2_SPACE_BUFFER_SIZE 16384 /* 16 kB */
> +
> +enum tpm2_session_types {
> + TPM2_SE_HMAC = 0x00,
> + TPM2_SE_POLICY = 0x01,
> + TPM2_SE_TRIAL = 0x02,
> +};
> +
> +enum tpm2_timeouts {
> + TPM2_TIMEOUT_A = 750,
> + TPM2_TIMEOUT_B = 4000,
> + TPM2_TIMEOUT_C = 200,
> + TPM2_TIMEOUT_D = 30,
> + TPM2_DURATION_SHORT = 20,
> + TPM2_DURATION_MEDIUM = 750,
> + TPM2_DURATION_LONG = 2000,
> + TPM2_DURATION_LONG_LONG = 300000,
> + TPM2_DURATION_DEFAULT = 120000,
> +};
> +
> +enum tpm2_structures {
> + TPM2_ST_NO_SESSIONS = 0x8001,
> + TPM2_ST_SESSIONS = 0x8002,
> + TPM2_ST_CREATION = 0x8021,
> +};
> +
> +/* Indicates from what layer of the software stack the error comes from */
> +#define TSS2_RC_LAYER_SHIFT 16
> +#define TSS2_RESMGR_TPM_RC_LAYER (11 << TSS2_RC_LAYER_SHIFT)
> +
> +enum tpm2_return_codes {
> + TPM2_RC_SUCCESS = 0x0000,
> + TPM2_RC_HASH = 0x0083, /* RC_FMT1 */
> + TPM2_RC_HANDLE = 0x008B,
> + TPM2_RC_INTEGRITY = 0x009F,
> + TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */
> + TPM2_RC_FAILURE = 0x0101,
> + TPM2_RC_DISABLED = 0x0120,
> + TPM2_RC_UPGRADE = 0x012D,
> + TPM2_RC_COMMAND_CODE = 0x0143,
> + TPM2_RC_TESTING = 0x090A, /* RC_WARN */
> + TPM2_RC_REFERENCE_H0 = 0x0910,
> + TPM2_RC_RETRY = 0x0922,
> + TPM2_RC_SESSION_MEMORY = 0x0903,
> +};
> +
> +enum tpm2_command_codes {
> + TPM2_CC_FIRST = 0x011F,
> + TPM2_CC_HIERARCHY_CONTROL = 0x0121,
> + TPM2_CC_HIERARCHY_CHANGE_AUTH = 0x0129,
> + TPM2_CC_CREATE_PRIMARY = 0x0131,
> + TPM2_CC_SEQUENCE_COMPLETE = 0x013E,
> + TPM2_CC_SELF_TEST = 0x0143,
> + TPM2_CC_STARTUP = 0x0144,
> + TPM2_CC_SHUTDOWN = 0x0145,
> + TPM2_CC_NV_READ = 0x014E,
> + TPM2_CC_CREATE = 0x0153,
> + TPM2_CC_LOAD = 0x0157,
> + TPM2_CC_SEQUENCE_UPDATE = 0x015C,
> + TPM2_CC_UNSEAL = 0x015E,
> + TPM2_CC_CONTEXT_LOAD = 0x0161,
> + TPM2_CC_CONTEXT_SAVE = 0x0162,
> + TPM2_CC_FLUSH_CONTEXT = 0x0165,
> + TPM2_CC_READ_PUBLIC = 0x0173,
> + TPM2_CC_START_AUTH_SESS = 0x0176,
> + TPM2_CC_VERIFY_SIGNATURE = 0x0177,
> + TPM2_CC_GET_CAPABILITY = 0x017A,
> + TPM2_CC_GET_RANDOM = 0x017B,
> + TPM2_CC_PCR_READ = 0x017E,
> + TPM2_CC_PCR_EXTEND = 0x0182,
> + TPM2_CC_EVENT_SEQUENCE_COMPLETE = 0x0185,
> + TPM2_CC_HASH_SEQUENCE_START = 0x0186,
> + TPM2_CC_CREATE_LOADED = 0x0191,
> + TPM2_CC_LAST = 0x0193, /* Spec 1.36 */
> +};
> +
> +enum tpm2_capabilities {
> + TPM2_CAP_HANDLES = 1,
> + TPM2_CAP_COMMANDS = 2,
> + TPM2_CAP_PCRS = 5,
> + TPM2_CAP_TPM_PROPERTIES = 6,
> +};
> +
> +enum tpm2_properties {
> + TPM_PT_TOTAL_COMMANDS = 0x0129,
> +};
> +
> +enum tpm2_startup_types {
> + TPM2_SU_CLEAR = 0x0000,
> + TPM2_SU_STATE = 0x0001,
> +};
> +
> +enum tpm2_cc_attrs {
> + TPM2_CC_ATTR_CHANDLES = 25,
> + TPM2_CC_ATTR_RHANDLE = 28,
> + TPM2_CC_ATTR_VENDOR = 29,
> +};
> +
> +enum tpm2_permanent_handles {
> + TPM2_RH_NULL = 0x40000007,
> + TPM2_RS_PW = 0x40000009,
> +};
> +
> +/* Most Significant Octet for key types */
> +enum tpm2_mso_type {
> + TPM2_MSO_NVRAM = 0x01,
> + TPM2_MSO_SESSION = 0x02,
> + TPM2_MSO_POLICY = 0x03,
> + TPM2_MSO_PERMANENT = 0x40,
> + TPM2_MSO_VOLATILE = 0x80,
> + TPM2_MSO_PERSISTENT = 0x81,
> +};
> +
> +enum tpm2_curves {
> + TPM2_ECC_NONE = 0x0000,
> + TPM2_ECC_NIST_P256 = 0x0003,
> +};
> +
> +enum tpm2_object_attributes {
> + TPM2_OA_FIXED_TPM = BIT(1),
> + TPM2_OA_ST_CLEAR = BIT(2),
> + TPM2_OA_FIXED_PARENT = BIT(4),
> + TPM2_OA_SENSITIVE_DATA_ORIGIN = BIT(5),
> + TPM2_OA_USER_WITH_AUTH = BIT(6),
> + TPM2_OA_ADMIN_WITH_POLICY = BIT(7),
> + TPM2_OA_NO_DA = BIT(10),
> + TPM2_OA_ENCRYPTED_DUPLICATION = BIT(11),
> + TPM2_OA_RESTRICTED = BIT(16),
> + TPM2_OA_DECRYPT = BIT(17),
> + TPM2_OA_SIGN = BIT(18),
> +};
> +
> +enum tpm2_session_attributes {
> + TPM2_SA_CONTINUE_SESSION = BIT(0),
> + TPM2_SA_AUDIT_EXCLUSIVE = BIT(1),
> + TPM2_SA_AUDIT_RESET = BIT(3),
> + TPM2_SA_DECRYPT = BIT(5),
> + TPM2_SA_ENCRYPT = BIT(6),
> + TPM2_SA_AUDIT = BIT(7),
> +};
> +
> +enum tpm2_pcr_select {
> + TPM2_PLATFORM_PCR = 24,
> + TPM2_PCR_SELECT_MIN = ((TPM2_PLATFORM_PCR + 7) / 8),
> +};
> +
> +enum tpm2_handle_types {
> + TPM2_HT_HMAC_SESSION = 0x02000000,
> + TPM2_HT_POLICY_SESSION = 0x03000000,
> + TPM2_HT_TRANSIENT = 0x80000000,
> +};
> +
> +enum tpm2_pt_props {
> + TPM2_PT_NONE = 0x00000000,
> + TPM2_PT_GROUP = 0x00000100,
> + TPM2_PT_FIXED = TPM2_PT_GROUP * 1,
> + TPM2_PT_FAMILY_INDICATOR = TPM2_PT_FIXED + 0,
> + TPM2_PT_LEVEL = TPM2_PT_FIXED + 1,
> + TPM2_PT_REVISION = TPM2_PT_FIXED + 2,
> + TPM2_PT_DAY_OF_YEAR = TPM2_PT_FIXED + 3,
> + TPM2_PT_YEAR = TPM2_PT_FIXED + 4,
> + TPM2_PT_MANUFACTURER = TPM2_PT_FIXED + 5,
> + TPM2_PT_VENDOR_STRING_1 = TPM2_PT_FIXED + 6,
> + TPM2_PT_VENDOR_STRING_2 = TPM2_PT_FIXED + 7,
> + TPM2_PT_VENDOR_STRING_3 = TPM2_PT_FIXED + 8,
> + TPM2_PT_VENDOR_STRING_4 = TPM2_PT_FIXED + 9,
> + TPM2_PT_VENDOR_TPM_TYPE = TPM2_PT_FIXED + 10,
> + TPM2_PT_FIRMWARE_VERSION_1 = TPM2_PT_FIXED + 11,
> + TPM2_PT_FIRMWARE_VERSION_2 = TPM2_PT_FIXED + 12,
> + TPM2_PT_INPUT_BUFFER = TPM2_PT_FIXED + 13,
> + TPM2_PT_HR_TRANSIENT_MIN = TPM2_PT_FIXED + 14,
> + TPM2_PT_HR_PERSISTENT_MIN = TPM2_PT_FIXED + 15,
> + TPM2_PT_HR_LOADED_MIN = TPM2_PT_FIXED + 16,
> + TPM2_PT_ACTIVE_SESSIONS_MAX = TPM2_PT_FIXED + 17,
> + TPM2_PT_PCR_COUNT = TPM2_PT_FIXED + 18,
> + TPM2_PT_PCR_SELECT_MIN = TPM2_PT_FIXED + 19,
> + TPM2_PT_CONTEXT_GAP_MAX = TPM2_PT_FIXED + 20,
> + TPM2_PT_NV_COUNTERS_MAX = TPM2_PT_FIXED + 22,
> + TPM2_PT_NV_INDEX_MAX = TPM2_PT_FIXED + 23,
> + TPM2_PT_MEMORY = TPM2_PT_FIXED + 24,
> + TPM2_PT_CLOCK_UPDATE = TPM2_PT_FIXED + 25,
> + TPM2_PT_CONTEXT_HASH = TPM2_PT_FIXED + 26,
> + TPM2_PT_CONTEXT_SYM = TPM2_PT_FIXED + 27,
> + TPM2_PT_CONTEXT_SYM_SIZE = TPM2_PT_FIXED + 28,
> + TPM2_PT_ORDERLY_COUNT = TPM2_PT_FIXED + 29,
> + TPM2_PT_MAX_COMMAND_SIZE = TPM2_PT_FIXED + 30,
> + TPM2_PT_MAX_RESPONSE_SIZE = TPM2_PT_FIXED + 31,
> + TPM2_PT_MAX_DIGEST = TPM2_PT_FIXED + 32,
> + TPM2_PT_MAX_OBJECT_CONTEXT = TPM2_PT_FIXED + 33,
> + TPM2_PT_MAX_SESSION_CONTEXT = TPM2_PT_FIXED + 34,
> + TPM2_PT_PS_FAMILY_INDICATOR = TPM2_PT_FIXED + 35,
> + TPM2_PT_PS_LEVEL = TPM2_PT_FIXED + 36,
> + TPM2_PT_PS_REVISION = TPM2_PT_FIXED + 37,
> + TPM2_PT_PS_DAY_OF_YEAR = TPM2_PT_FIXED + 38,
> + TPM2_PT_PS_YEAR = TPM2_PT_FIXED + 39,
> + TPM2_PT_SPLIT_MAX = TPM2_PT_FIXED + 40,
> + TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41,
> + TPM2_PT_LIBRARY_COMMANDS = TPM2_PT_FIXED + 42,
> + TPM2_PT_VENDOR_COMMANDS = TPM2_PT_FIXED + 43,
> + TPM2_PT_NV_BUFFER_MAX = TPM2_PT_FIXED + 44,
> + TPM2_PT_MODES = TPM2_PT_FIXED + 45,
> + TPM2_PT_MAX_CAP_BUFFER = TPM2_PT_FIXED + 46,
> + TPM2_PT_VAR = TPM2_PT_GROUP * 2,
> + TPM2_PT_PERMANENT = TPM2_PT_VAR + 0,
> + TPM2_PT_STARTUP_CLEAR = TPM2_PT_VAR + 1,
> + TPM2_PT_HR_NV_INDEX = TPM2_PT_VAR + 2,
> + TPM2_PT_HR_LOADED = TPM2_PT_VAR + 3,
> + TPM2_PT_HR_LOADED_AVAIL = TPM2_PT_VAR + 4,
> + TPM2_PT_HR_ACTIVE = TPM2_PT_VAR + 5,
> + TPM2_PT_HR_ACTIVE_AVAIL = TPM2_PT_VAR + 6,
> + TPM2_PT_HR_TRANSIENT_AVAIL = TPM2_PT_VAR + 7,
> + TPM2_PT_HR_PERSISTENT = TPM2_PT_VAR + 8,
> + TPM2_PT_HR_PERSISTENT_AVAIL = TPM2_PT_VAR + 9,
> + TPM2_PT_NV_COUNTERS = TPM2_PT_VAR + 10,
> + TPM2_PT_NV_COUNTERS_AVAIL = TPM2_PT_VAR + 11,
> + TPM2_PT_ALGORITHM_SET = TPM2_PT_VAR + 12,
> + TPM2_PT_LOADED_CURVES = TPM2_PT_VAR + 13,
> + TPM2_PT_LOCKOUT_COUNTER = TPM2_PT_VAR + 14,
> + TPM2_PT_MAX_AUTH_FAIL = TPM2_PT_VAR + 15,
> + TPM2_PT_LOCKOUT_INTERVAL = TPM2_PT_VAR + 16,
> + TPM2_PT_LOCKOUT_RECOVERY = TPM2_PT_VAR + 17,
> + TPM2_PT_NV_WRITE_RECOVERY = TPM2_PT_VAR + 18,
> + TPM2_PT_AUDIT_COUNTER_0 = TPM2_PT_VAR + 19,
> + TPM2_PT_AUDIT_COUNTER_1 = TPM2_PT_VAR + 20,
> +};
> +
> +struct tpm2_pcr_read_out {
> + __be32 update_cnt;
> + __be32 pcr_selects_cnt;
> + __be16 hash_alg;
> + u8 pcr_select_size;
> + u8 pcr_select[TPM2_PCR_SELECT_MIN];
> + __be32 digests_cnt;
> + __be16 digest_size;
> + u8 digest[];
> +} __packed;
> +
> +struct tpm2_get_random_out {
> + __be16 size;
> + u8 buffer[TPM_MAX_RNG_DATA];
> +} __packed;
> +
> +struct tpm2_get_cap_out {
> + u8 more_data;
> + __be32 subcap_id;
> + __be32 property_cnt;
> + __be32 property_id;
> + __be32 value;
> +} __packed;
> +
> +struct tpm2_pcr_selection {
> + __be16 hash_alg;
> + u8 size_of_select;
> + u8 pcr_select[3];
> +} __packed;
> +
> +struct tpm2_context {
> + __be64 sequence;
> + __be32 saved_handle;
> + __be32 hierarchy;
> + __be16 blob_size;
> +} __packed;
> +
> #endif
> --
> 2.47.3
>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 4/4] tpm: Move TPM common base definitions to the command header
From: Jarkko Sakkinen @ 2026-03-23 5:42 UTC (permalink / raw)
To: Alec Brown
Cc: linux-kernel, linux-integrity, peterhuewe, jarkko.sakkinen, jgg,
ross.philipson, dpsmith, daniel.kiper, kanth.ghatraju,
trenchboot-devel, ardb
In-Reply-To: <20260317160613.2899129-5-alec.r.brown@oracle.com>
On Tue, Mar 17, 2026 at 04:03:35PM +0000, Alec Brown wrote:
> From: Ross Philipson <ross.philipson@oracle.com>
>
> From: Ross Philipson <ross.philipson@oracle.com>
>
> These are top level definitions shared by both TPM 1 and 2
> family chips. This includes core definitions like TPM localities,
> common crypto algorithm IDs, and the base TPM command header.
>
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
> Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
> ---
> include/linux/tpm.h | 50 +--------------------
> include/linux/tpm_command.h | 89 +++++++++++++++++++++++++++++++++++++
> 2 files changed, 90 insertions(+), 49 deletions(-)
>
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 92957452f7a7..a282b7045a24 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -27,49 +27,12 @@
>
> #include "tpm_command.h"
>
> -#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> -
> -#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> -#define TPM2_MAX_PCR_BANKS 8
> -
> struct tpm_chip;
> struct trusted_key_payload;
> struct trusted_key_options;
> /* opaque structure, holds auth session parameters like the session key */
> struct tpm2_auth;
>
> -/* if you add a new hash to this, increment TPM_MAX_HASHES below */
> -enum tpm_algorithms {
> - TPM_ALG_ERROR = 0x0000,
> - TPM_ALG_SHA1 = 0x0004,
> - TPM_ALG_AES = 0x0006,
> - TPM_ALG_KEYEDHASH = 0x0008,
> - TPM_ALG_SHA256 = 0x000B,
> - TPM_ALG_SHA384 = 0x000C,
> - TPM_ALG_SHA512 = 0x000D,
> - TPM_ALG_NULL = 0x0010,
> - TPM_ALG_SM3_256 = 0x0012,
> - TPM_ALG_ECC = 0x0023,
> - TPM_ALG_CFB = 0x0043,
> -};
> -
> -/*
> - * maximum number of hashing algorithms a TPM can have. This is
> - * basically a count of every hash in tpm_algorithms above
> - */
> -#define TPM_MAX_HASHES 5
> -
> -struct tpm_digest {
> - u16 alg_id;
> - u8 digest[TPM2_MAX_DIGEST_SIZE];
> -} __packed;
> -
> -struct tpm_bank_info {
> - u16 alg_id;
> - u16 digest_size;
> - u16 crypto_id;
> -};
> -
> enum TPM_OPS_FLAGS {
> TPM_OPS_AUTO_STARTUP = BIT(0),
> };
> @@ -127,7 +90,7 @@ struct tpm_chip_seqops {
> const struct seq_operations *seqops;
> };
>
> -/* fixed define for the curve we use which is NIST_P256 */
> +/* Fixed define for the curve we use which is NIST_P256 */
> #define EC_PT_SZ 32
>
> /*
> @@ -209,8 +172,6 @@ struct tpm_chip {
> #endif
> };
>
> -#define TPM_HEADER_SIZE 10
> -
> static inline enum tpm2_mso_type tpm2_handle_mso(u32 handle)
> {
> return handle >> 24;
> @@ -239,15 +200,6 @@ enum tpm_chip_flags {
>
> #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev)
>
> -struct tpm_header {
> - __be16 tag;
> - __be32 length;
> - union {
> - __be32 ordinal;
> - __be32 return_code;
> - };
> -} __packed;
> -
> enum tpm_buf_flags {
> /* the capacity exceeded: */
> TPM_BUF_OVERFLOW = BIT(0),
> diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
> index ee76fcd5ecef..25a247254140 100644
> --- a/include/linux/tpm_command.h
> +++ b/include/linux/tpm_command.h
> @@ -431,4 +431,93 @@ struct tpm2_context {
> __be16 blob_size;
> } __packed;
>
> +/************************************************/
> +/* TPM Common Defs */
> +/************************************************/
> +
> +#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> +#define TPM_BUFSIZE 4096
> +
> +/*
> + * SHA-512 is, as of today, the largest digest in the TCG algorithm repository.
> + */
> +#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> +
> +/*
> + * A TPM name digest i.e., TPMT_HA, is a concatenation of TPM_ALG_ID of the
> + * name algorithm and hash of TPMT_PUBLIC.
> + */
> +#define TPM2_MAX_NAME_SIZE (TPM2_MAX_DIGEST_SIZE + 2)
> +
> +/*
> + * Fixed define for the size of a name. This is actually HASHALG size
> + * plus 2, so 32 for SHA256
> + */
> +#define TPM2_NULL_NAME_SIZE 34
> +
> +/*
> + * The maximum number of PCR banks.
> + */
> +#define TPM2_MAX_PCR_BANKS 8
> +
> +/* If you add a new hash to this, increment TPM_MAX_HASHES below */
> +enum tpm_algorithms {
> + TPM_ALG_ERROR = 0x0000,
> + TPM_ALG_SHA1 = 0x0004,
> + TPM_ALG_AES = 0x0006,
> + TPM_ALG_KEYEDHASH = 0x0008,
> + TPM_ALG_SHA256 = 0x000B,
> + TPM_ALG_SHA384 = 0x000C,
> + TPM_ALG_SHA512 = 0x000D,
> + TPM_ALG_NULL = 0x0010,
> + TPM_ALG_SM3_256 = 0x0012,
> + TPM_ALG_ECC = 0x0023,
> + TPM_ALG_CFB = 0x0043,
> +};
> +
> +/*
> + * The locality (0 - 4) for a TPM, as defined in section 3.2 of the
> + * Client Platform Profile Specification.
> + */
> +enum tpm_localities {
> + TPM_LOCALITY_0 = 0, /* Static RTM */
> + TPM_LOCALITY_1 = 1, /* Dynamic OS */
> + TPM_LOCALITY_2 = 2, /* DRTM Environment */
> + TPM_LOCALITY_3 = 3, /* Aux Components */
> + TPM_LOCALITY_4 = 4, /* CPU DRTM Establishment */
> + TPM_MAX_LOCALITY = TPM_LOCALITY_4
> +};
> +
> +/*
> + * Structure to represent active PCR algorithm banks usable by the
> + * TPM chip.
> + */
> +struct tpm_bank_info {
> + u16 alg_id;
> + u16 digest_size;
> + u16 crypto_id;
> +};
> +
> +/*
> + * Maximum number of hashing algorithms a TPM can have. This is
> + * basically a count of every hash in tpm_algorithms above
> + */
> +#define TPM_MAX_HASHES 5
> +
> +struct tpm_digest {
> + u16 alg_id;
> + u8 digest[TPM2_MAX_DIGEST_SIZE];
> +} __packed;
> +
> +#define TPM_HEADER_SIZE 10
> +
> +struct tpm_header {
> + __be16 tag;
> + __be32 length;
> + union {
> + __be32 ordinal;
> + __be32 return_code;
> + };
> +} __packed;
> +
> #endif
> --
> 2.47.3
>
Yep, all looks great and clean to me but exactly for that reason
this needs to the truth serum :-)
BR, Jarkko
^ permalink raw reply
* Re: [PATCH] tpm: i2c: atmel: fix block comment formatting
From: Jarkko Sakkinen @ 2026-03-23 5:44 UTC (permalink / raw)
To: Ethan Luna
Cc: peterhuewe, jgg, nicolas.ferre, claudiu.beznea, linux-integrity,
linux-arm-kernel, linux-kernel
In-Reply-To: <20260322193112.27010-1-trunixcodes@zohomail.com>
On Sun, Mar 22, 2026 at 12:30:53PM -0700, Ethan Luna wrote:
> Multiple block comments in tpm_i2c_atmel.c placed the closing '*/' on the
> same line as the comment text. This violates the kernel's preferred
> comment style, which requires the closing delimiter to appear on it's
> line.
>
> Fix the formatting to improve readability and resolve checkpatch
> warnings.
>
> Signed-off-by: Ethan Luna <trunixcodes@zohomail.com>
> ---
> drivers/char/tpm/tpm_i2c_atmel.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
> index 4f229656a8e2..702b3c9191dc 100644
> --- a/drivers/char/tpm/tpm_i2c_atmel.c
> +++ b/drivers/char/tpm/tpm_i2c_atmel.c
> @@ -33,7 +33,8 @@ struct priv_data {
> size_t len;
> /* This is the amount we read on the first try. 25 was chosen to fit a
If you fix this up here.
> * fair number of read responses in the buffer so a 2nd retry can be
> - * avoided in small message cases. */
> + * avoided in small message cases.
> + */
> u8 buffer[sizeof(struct tpm_header) + 25];
> };
>
> @@ -58,7 +59,9 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz,
> if (status < 0)
> return status;
>
> - /* The upper layer does not support incomplete sends. */
> + /*
> + * The upper layer does not support incomplete sends.
> + */
> if (status != len)
> return -E2BIG;
>
> @@ -78,7 +81,8 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
>
> /* Get the message size from the message header, if we didn't get the
> * whole message in read_status then we need to re-read the
> - * message. */
> + * message.
> + */
> expected_len = be32_to_cpu(hdr->length);
> if (expected_len > count)
> return -ENOMEM;
> @@ -113,13 +117,15 @@ static u8 i2c_atmel_read_status(struct tpm_chip *chip)
>
> /* The TPM fails the I2C read until it is ready, so we do the entire
> * transfer here and buffer it locally. This way the common code can
> - * properly handle the timeouts. */
> + * properly handle the timeouts.
> + */
> priv->len = 0;
> memset(priv->buffer, 0, sizeof(priv->buffer));
>
>
> /* Once the TPM has completed the command the command remains readable
> - * until another command is issued. */
> + * until another command is issued.
> + */
> rc = i2c_master_recv(client, priv->buffer, sizeof(priv->buffer));
> dev_dbg(&chip->dev,
> "%s: sts=%d", __func__, rc);
> @@ -174,7 +180,8 @@ static int i2c_atmel_probe(struct i2c_client *client)
>
> /* There is no known way to probe for this device, and all version
> * information seems to be read via TPM commands. Thus we rely on the
> - * TPM startup process in the common code to detect the device. */
> + * TPM startup process in the common code to detect the device.
> + */
>
> return tpm_chip_register(chip);
> }
> --
> 2.53.0
>
The same comment applies for all.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v9 01/11] KEYS: trusted: Use get_random-fallback for TPM
From: Jarkko Sakkinen @ 2026-03-23 5:46 UTC (permalink / raw)
To: Mimi Zohar
Cc: Chris Fenner, linux-integrity, Jonathan McDowell, Eric Biggers,
James Bottomley, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, open list:KEYS-TRUSTED,
open list:SECURITY SUBSYSTEM, open list, Roberto Sassu
In-Reply-To: <acDQ7_lXNhsvp8Nb@kernel.org>
On Mon, Mar 23, 2026 at 07:34:39AM +0200, Jarkko Sakkinen wrote:
> On Mon, Mar 23, 2026 at 07:26:38AM +0200, Jarkko Sakkinen wrote:
> > On Thu, Mar 19, 2026 at 10:28:03AM -0400, Mimi Zohar wrote:
> > > On Wed, 2026-03-18 at 10:36 -0700, Chris Fenner wrote:
> > > > Apologies if my long message derailed this discussion. I meant to
> > > > support Mimi's concern here and project a future vision where
> > > > TCG_TPM2_HMAC doesn't conflict with other features.
> > > >
> > > > More concisely, I think that:
> > > >
> > > > > tpm2_get_random() is costly when TCG_TPM2_HMAC is enabled
> > > >
> > > > is not a compelling argument for removing TPM as an RNG source,
> > > > because TCG_TPM2_HMAC is known to have poor performance already
> > > > anyway.
> > >
> > > Agreed. Thanks, Chris! FYI, we raised concerns about IMA performance with the
> > > TPM HMAC and encrypted feature while it was being developed. James had some
> > > ideas, at the time, as to how to resolve the performance issue for IMA. Yet it
> > > was upstreamed without those changes and with CONFIG_TCG_TPM2_HMAC enabled by
> > > default on x86 systems.
> > >
> > > Jarkko has queued this patch in the "queue" branch, without indicating whether
> > > it will eventually be upstreamed or not.
> >
> > Yes and there's been multiple months of time to comment this and I
> > backed up the patch set there, which is not same as applying it.
>
> There's quite many other patches in that patch set also in the queue
> branch. This was largeriy past life for me when these comments came.
> Really don't understand what is suddenly going on tnh and for one
> not that interesting patch.
Underlined: not a queue to anywhere. I can rename it something else,
did not really think about the name when I created the branch.
BR, Jarkkko
^ permalink raw reply
* [PATCH] KEYS: trusted: Protocol debugging as a feature
From: Jarkko Sakkinen @ 2026-03-23 9:00 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Jarkko Sakkinen, Srish Srinivasan, Nayna Jain,
James Bottomley, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM,
open list
TPM_DEBUG is a non-standard way to specify a feature in Linux kernel.
Introduce CONFIG_TRUSTED_KEYS_DEBUG, and use it to replace TPM_DEBUG in
TPM 1.x trusted keys.
Given that protocol bus could contain sensitive data, harden the feature as
follows:
1. In the Kconfig description postulate that pr_debug() statements must be
used.
2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
Traces can be enabled e.g., by providing trusted.dyndbg='+p' for the kernel
command-line.
Cc: Srish Srinivasan <ssrish@linux.ibm.com>
Reported-by: Nayna Jain <nayna@linux.ibm.com>
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
security/keys/trusted-keys/Kconfig | 10 +++++++
security/keys/trusted-keys/trusted_tpm1.c | 36 +++++++++++------------
2 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index 9e00482d886a..0e53bef1343d 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,6 +1,16 @@
config HAVE_TRUSTED_KEYS
bool
+config TRUSTED_KEYS_DEBUG
+ bool "Debug trusted keys protocol"
+ depends on HAVE_TRUSTED_KEYS
+ default n
+ help
+ Drivers that support debugging the protocol dump, can opt-in that
+ feature here. Protocol dump must only use DEBUG level output, as
+ sensitive data may pass by. In the kernel-command line traces can
+ be enabled via trusted.dyndbg='+p'.
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..8fe889c7cdd1 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,38 +46,36 @@ enum {
SRK_keytype = 4
};
-#define TPM_DEBUG 0
-
-#if TPM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(struct trusted_key_options *o)
{
- pr_info("sealing key type %d\n", o->keytype);
- pr_info("sealing key handle %0X\n", o->keyhandle);
- pr_info("pcrlock %d\n", o->pcrlock);
- pr_info("pcrinfo %d\n", o->pcrinfo_len);
- print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
- 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
+ pr_debug("sealing key type %d\n", o->keytype);
+ pr_debug("sealing key handle %0X\n", o->keyhandle);
+ pr_debug("pcrlock %d\n", o->pcrlock);
+ pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+ print_hex_dump_debug("pcrinfo ", DUMP_PREFIX_NONE,
+ 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
}
static inline void dump_sess(struct osapsess *s)
{
- print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
- 16, 1, &s->handle, 4, 0);
- pr_info("secret:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
- pr_info("trusted-key: enonce:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
+ print_hex_dump_debug("trusted-key: handle ", DUMP_PREFIX_NONE,
+ 16, 1, &s->handle, 4, 0);
+ pr_debug("secret:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
+ pr_debug("trusted-key: enonce:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
}
static inline void dump_tpm_buf(unsigned char *buf)
{
int len;
- pr_info("\ntpm buffer\n");
+ pr_debug("\ntpm buffer\n");
len = LOAD32(buf, TPM_SIZE_OFFSET);
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
+ print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
}
#else
static inline void dump_options(struct trusted_key_options *o)
--
2.47.3
^ permalink raw reply related
* [PATCH v2] tpm: i2c: atmel: fix block comment formatting
From: Ethan Luna @ 2026-03-23 13:40 UTC (permalink / raw)
To: peterhuewe, jarkko
Cc: jgg, nicolas.ferre, claudiu.beznea, linux-integrity,
linux-arm-kernel, linux-kernel
Multiple block comments in tpm_i2c_atmel.c placed the closing '*/' on the
same line as the comment text. This violates the kernel's preferred
comment style, which requires the closing delimiter to appear on its
line.
Fix the formatting to improve readability and resolve checkpatch
warnings.
Signed-off-by: Ethan Luna <trunixcodes@zohomail.com>
---
V1 -> V2: Fixed block comment formatting consistently across all multi-line comments
v1: https://lore.kernel.org/all/20260322193112.27010-1-trunixcodes@zohomail.com/
drivers/char/tpm/tpm_i2c_atmel.c | 34 +++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
index 4f229656a8e2..c3cdc0d6e61c 100644
--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -31,9 +31,11 @@
struct priv_data {
size_t len;
- /* This is the amount we read on the first try. 25 was chosen to fit a
+ /*
+ * This is the amount we read on the first try. 25 was chosen to fit a
* fair number of read responses in the buffer so a 2nd retry can be
- * avoided in small message cases. */
+ * avoided in small message cases.
+ */
u8 buffer[sizeof(struct tpm_header) + 25];
};
@@ -58,7 +60,9 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz,
if (status < 0)
return status;
- /* The upper layer does not support incomplete sends. */
+ /*
+ * The upper layer does not support incomplete sends.
+ */
if (status != len)
return -E2BIG;
@@ -76,9 +80,11 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
if (priv->len == 0)
return -EIO;
- /* Get the message size from the message header, if we didn't get the
+ /*
+ * Get the message size from the message header, if we didn't get the
* whole message in read_status then we need to re-read the
- * message. */
+ * message.
+ */
expected_len = be32_to_cpu(hdr->length);
if (expected_len > count)
return -ENOMEM;
@@ -111,15 +117,19 @@ static u8 i2c_atmel_read_status(struct tpm_chip *chip)
struct i2c_client *client = to_i2c_client(chip->dev.parent);
int rc;
- /* The TPM fails the I2C read until it is ready, so we do the entire
+ /*
+ * The TPM fails the I2C read until it is ready, so we do the entire
* transfer here and buffer it locally. This way the common code can
- * properly handle the timeouts. */
+ * properly handle the timeouts.
+ */
priv->len = 0;
memset(priv->buffer, 0, sizeof(priv->buffer));
- /* Once the TPM has completed the command the command remains readable
- * until another command is issued. */
+ /*
+ * Once the TPM has completed the command the command remains readable
+ * until another command is issued.
+ */
rc = i2c_master_recv(client, priv->buffer, sizeof(priv->buffer));
dev_dbg(&chip->dev,
"%s: sts=%d", __func__, rc);
@@ -172,9 +182,11 @@ static int i2c_atmel_probe(struct i2c_client *client)
dev_set_drvdata(&chip->dev, priv);
- /* There is no known way to probe for this device, and all version
+ /*
+ * There is no known way to probe for this device, and all version
* information seems to be read via TPM commands. Thus we rely on the
- * TPM startup process in the common code to detect the device. */
+ * TPM startup process in the common code to detect the device.
+ */
return tpm_chip_register(chip);
}
--
2.53.0
^ permalink raw reply related
* [RFC 0/4] tpm_crb: Add command and response buffer chunking support
From: Arun Menon @ 2026-03-24 7:17 UTC (permalink / raw)
To: linux-kernel
Cc: linux-integrity, Jason Gunthorpe, Jarkko Sakkinen, Peter Huewe,
Arun Menon
The new version of TCG TPM v185 (currently under review [1]) supports
sending data/commands in chunks for the CRB (Command Response Buffer)
interface. This is in line with the initiative to support PQC algorithms.
This series implements the logic to send and receive larger TPM
cmd/rsp between the linux guest and the TPM backend in chunks.
Currently, the TPM CRB driver is limited by the physical size of the
MMIO window. When userspace attempts to send a payload that exceeds this
size, the driver rejects it.
This series introduces chunking support. The driver now checks the CRB
interface capability for CRB_INTF_CAP_CRB_CHUNK. If supported by the
backend, the driver will slice oversized commands into MMIO-sized
chunks, signalling the backend via CRB_START_NEXT_CHUNK, and finalizing
with CRB_START_INVOKE. Responses are also read back in a similar chunked
manner.
If the backend does not support chunking, the driver retains its legacy
behaviour and enforces the standard size limits.
This feature also requires the QEMU to interpret the data in chunks and
forward it to the TPM backend and subsequently dispatch the TPM response
in chunks back to the linux guest. This is implemented in [2]
[1] https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p07_rc1_121225.pdf
[2] https://lore.kernel.org/qemu-devel/20260319135316.37412-1-armenon@redhat.com/
Arun Menon (4):
tpm_crb: Add definition of TPM CRB chunking fields
tpm_crb: Add new wrapper function to invoke start method
tpm_crb: Implement command and response chunking logic
tpm: Increase TPM_BUFSIZE to 64kB for chunking support
drivers/char/tpm/tpm.h | 2 +-
drivers/char/tpm/tpm_crb.c | 194 ++++++++++++++++++++++++++-----------
2 files changed, 137 insertions(+), 59 deletions(-)
--
2.53.0
^ permalink raw reply
* [RFC 1/4] tpm_crb: Add definition of TPM CRB chunking fields
From: Arun Menon @ 2026-03-24 7:18 UTC (permalink / raw)
To: linux-kernel
Cc: linux-integrity, Jason Gunthorpe, Jarkko Sakkinen, Peter Huewe,
Arun Menon
In-Reply-To: <20260324071803.324774-1-armenon@redhat.com>
- Add 2 new registers for invoking the start method
and add CRB_INTF_CAP_CRB_CHUNK as the new TCG TPM
specifies this CRB Interface Identifier that decides
if chunking is allowed.
- Refer section 6.4.2.2 of the specification document [1]
[1] https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p07_rc1_121225.pdf
Signed-off-by: Arun Menon <armenon@redhat.com>
---
drivers/char/tpm/tpm_crb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 6c25305c256ef..67c0061d4cab7 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -56,12 +56,18 @@ enum crb_ctrl_sts {
enum crb_start {
CRB_START_INVOKE = BIT(0),
+ CRB_START_RESP_RETRY = BIT(1),
+ CRB_START_NEXT_CHUNK = BIT(2),
};
enum crb_cancel {
CRB_CANCEL_INVOKE = BIT(0),
};
+enum crb_intf {
+ CRB_INTF_CAP_CRB_CHUNK = BIT(10),
+};
+
struct crb_regs_head {
u32 loc_state;
u32 reserved1;
--
2.53.0
^ permalink raw reply related
* [RFC 2/4] tpm_crb: Add new wrapper function to invoke start method
From: Arun Menon @ 2026-03-24 7:18 UTC (permalink / raw)
To: linux-kernel
Cc: linux-integrity, Jason Gunthorpe, Jarkko Sakkinen, Peter Huewe,
Arun Menon
In-Reply-To: <20260324071803.324774-1-armenon@redhat.com>
- Extract start invocation code into a separate function called
crb_trigger_tpm. This will be helpful in repeatedly calling the
start method with different bits set to toggle between start,
nextChunk or crbRspRetry behaviours.
- Based on the bit set, we signal the TPM to consume
contents of the command/response buffer.
- No functional change intended.
Signed-off-by: Arun Menon <armenon@redhat.com>
---
drivers/char/tpm/tpm_crb.c | 50 ++++++++++++++++++++------------------
1 file changed, 27 insertions(+), 23 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 67c0061d4cab7..10128d078245c 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -445,6 +445,32 @@ static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
}
#endif
+static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
+{
+ struct crb_priv *priv = dev_get_drvdata(&chip->dev);
+ int rc;
+ /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
+ * report only ACPI start but in practice seems to require both
+ * CRB start, hence invoking CRB start method if hid == MSFT0101.
+ */
+ if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
+ priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
+ !strcmp(priv->hid, "MSFT0101"))
+ iowrite32(start_cmd, &priv->regs_t->ctrl_start);
+ if (priv->sm == ACPI_TPM2_START_METHOD ||
+ priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
+ rc = crb_do_acpi_start(chip);
+ if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
+ iowrite32(start_cmd, &priv->regs_t->ctrl_start);
+ rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
+ }
+ if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
+ iowrite32(start_cmd, &priv->regs_t->ctrl_start);
+ rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
+ }
+ return rc;
+}
+
static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
{
struct crb_priv *priv = dev_get_drvdata(&chip->dev);
@@ -470,29 +496,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
/* Make sure that cmd is populated before issuing start. */
wmb();
- /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
- * report only ACPI start but in practice seems to require both
- * CRB start, hence invoking CRB start method if hid == MSFT0101.
- */
- if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
- priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
- !strcmp(priv->hid, "MSFT0101"))
- iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
-
- if (priv->sm == ACPI_TPM2_START_METHOD ||
- priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
- rc = crb_do_acpi_start(chip);
-
- if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
- iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
- rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
- }
-
- if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
- iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
- rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
- }
-
+ rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
if (rc)
return rc;
--
2.53.0
^ permalink raw reply related
* [RFC 3/4] tpm_crb: Implement command and response chunking logic
From: Arun Menon @ 2026-03-24 7:18 UTC (permalink / raw)
To: linux-kernel
Cc: linux-integrity, Jason Gunthorpe, Jarkko Sakkinen, Peter Huewe,
Arun Menon
In-Reply-To: <20260324071803.324774-1-armenon@redhat.com>
Add support for sending and receiving TPM command data in chunks when
the payload exceeds the physical size of the hardware MMIO window.
This introduces the following changes:
- crb_map_io(): Checks the device interface capability to determine if
chunking is supported, setting the chunking_supported flag. It also
stores the hardware's maximum response buffer size in priv->rsp_size.
- crb_send(): Iteratively writes command chunks to the fixed priv->cmd
MMIO window. It signals the TPM backend to process intermediate chunks
using CRB_START_NEXT_CHUNK, and signals the final chunk to begin
execution using CRB_START_INVOKE.
- crb_recv(): Parses the expected response size from the initial TPM
header. It then iteratively reads chunks from the fixed priv->rsp
MMIO window into the destination buffer, advancing the buffer offset
until the complete response is retrieved.
Signed-off-by: Arun Menon <armenon@redhat.com>
---
drivers/char/tpm/tpm_crb.c | 150 +++++++++++++++++++++++++++----------
1 file changed, 109 insertions(+), 41 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 10128d078245c..fb63cc3737253 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -104,11 +104,13 @@ struct crb_priv {
u8 __iomem *cmd;
u8 __iomem *rsp;
u32 cmd_size;
+ u32 rsp_size;
u32 smc_func_id;
u32 __iomem *pluton_start_addr;
u32 __iomem *pluton_reply_addr;
u8 ffa_flags;
u8 ffa_attributes;
+ bool chunking_supported;
};
struct tpm2_crb_smc {
@@ -368,38 +370,6 @@ static u8 crb_status(struct tpm_chip *chip)
return sts;
}
-static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
-{
- struct crb_priv *priv = dev_get_drvdata(&chip->dev);
- unsigned int expected;
-
- /* A sanity check that the upper layer wants to get at least the header
- * as that is the minimum size for any TPM response.
- */
- if (count < TPM_HEADER_SIZE)
- return -EIO;
-
- /* If this bit is set, according to the spec, the TPM is in
- * unrecoverable condition.
- */
- if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
- return -EIO;
-
- /* Read the first 8 bytes in order to get the length of the response.
- * We read exactly a quad word in order to make sure that the remaining
- * reads will be aligned.
- */
- memcpy_fromio(buf, priv->rsp, 8);
-
- expected = be32_to_cpup((__be32 *)&buf[2]);
- if (expected > count || expected < TPM_HEADER_SIZE)
- return -EIO;
-
- memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
-
- return expected;
-}
-
static int crb_do_acpi_start(struct tpm_chip *chip)
{
union acpi_object *obj;
@@ -474,6 +444,8 @@ static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
{
struct crb_priv *priv = dev_get_drvdata(&chip->dev);
+ size_t offset = 0;
+ size_t chunk_size;
int rc = 0;
/* Zero the cancel register so that the next command will not get
@@ -481,7 +453,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
*/
iowrite32(0, &priv->regs_t->ctrl_cancel);
- if (len > priv->cmd_size) {
+ if (len > priv->cmd_size && !priv->chunking_supported) {
dev_err(&chip->dev, "invalid command count value %zd %d\n",
len, priv->cmd_size);
return -E2BIG;
@@ -491,16 +463,101 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
__crb_cmd_ready(&chip->dev, priv, chip->locality);
- memcpy_toio(priv->cmd, buf, len);
+ while (offset < len) {
+ chunk_size = min_t(size_t, len - offset, priv->cmd_size);
+
+ memcpy_toio(priv->cmd, buf + offset, chunk_size);
+ offset += chunk_size;
+
+ /* Make sure that cmd is populated before issuing start. */
+ wmb();
+ if (offset < len) {
+ rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
+ if (rc)
+ return rc;
+ if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
+ CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
+ dev_err(&chip->dev,
+ "Timeout waiting for backend to consume chunk\n");
+ return -ETIME;
+ }
+ } else {
+ rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
+ if (rc)
+ return rc;
+ }
+ }
+ return crb_try_pluton_doorbell(priv, false);
+}
- /* Make sure that cmd is populated before issuing start. */
- wmb();
+static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+{
+ struct crb_priv *priv = dev_get_drvdata(&chip->dev);
+ unsigned int expected;
+ size_t offset = 0;
+ size_t chunk_size;
+ size_t first_read;
+ int rc;
- rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
- if (rc)
- return rc;
+ /* A sanity check that the upper layer wants to get at least the header
+ * as that is the minimum size for any TPM response.
+ */
+ if (count < TPM_HEADER_SIZE)
+ return -EIO;
- return crb_try_pluton_doorbell(priv, false);
+ /* If this bit is set, according to the spec, the TPM is in
+ * unrecoverable condition.
+ */
+ if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
+ return -EIO;
+
+ /* Read the first 8 bytes in order to get the length of the response.
+ * We read exactly a quad word in order to make sure that the remaining
+ * reads will be aligned.
+ */
+ memcpy_fromio(buf, priv->rsp, 8);
+
+ expected = be32_to_cpup((__be32 *)&buf[2]);
+ if (expected > count || expected < TPM_HEADER_SIZE)
+ return -EIO;
+
+ /*
+ * Set chunk_size by comparing the size of the buffer that the upper layer has
+ * allocated (count) to the hardware tpm limit (priv->rsp_size).
+ * This is to prevent buffer overflow while writing to buf.
+ */
+ chunk_size = min_t(size_t, count, priv->rsp_size);
+
+ /*
+ * Compare the actual size of the response we found in the header to the chunk_size.
+ */
+ first_read = min_t(size_t, expected, chunk_size);
+
+ memcpy_fromio(&buf[8], &priv->rsp[8], first_read - 8);
+ offset = first_read;
+
+ while (offset < expected) {
+ if (!priv->chunking_supported) {
+ dev_err(&chip->dev, "Response larger than MMIO and chunking not supported\n");
+ return -EIO;
+ }
+
+ rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
+ if (rc)
+ return rc;
+
+ if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
+ CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
+ dev_err(&chip->dev, "Timeout waiting for backend response\n");
+ return -ETIME;
+ }
+
+ chunk_size = min_t(size_t, expected - offset, priv->rsp_size);
+ memcpy_fromio(buf + offset, priv->rsp, chunk_size);
+ offset += chunk_size;
+ }
+
+ return expected;
}
static void crb_cancel(struct tpm_chip *chip)
@@ -727,6 +784,15 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
goto out;
}
+ if (priv->regs_h) {
+ u32 intf_id = ioread32((u32 __iomem *)&priv->regs_h->intf_id);
+
+ if (intf_id & CRB_INTF_CAP_CRB_CHUNK) {
+ priv->chunking_supported = true;
+ dev_info(dev, "CRB Chunking is supported by backend\n");
+ }
+ }
+
memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
rsp_pa = le64_to_cpu(__rsp_pa);
rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
@@ -764,8 +830,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
priv->rsp = priv->cmd;
out:
- if (!ret)
+ if (!ret) {
priv->cmd_size = cmd_size;
+ priv->rsp_size = rsp_size;
+ }
__crb_go_idle(dev, priv, 0);
--
2.53.0
^ permalink raw reply related
* [RFC 4/4] tpm: Increase TPM_BUFSIZE to 64kB for chunking support
From: Arun Menon @ 2026-03-24 7:18 UTC (permalink / raw)
To: linux-kernel
Cc: linux-integrity, Jason Gunthorpe, Jarkko Sakkinen, Peter Huewe,
Arun Menon
In-Reply-To: <20260324071803.324774-1-armenon@redhat.com>
- In tpm_common_write() the size of the command is checked against
TPM_BUFSIZE. We therefore need to increase the TPM_BUFSIZE to allow
support for larger commands.
Signed-off-by: Arun Menon <armenon@redhat.com>
---
drivers/char/tpm/tpm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 87d68ddf270a7..a6933eb075296 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -33,7 +33,7 @@
#endif
#define TPM_MINOR 224 /* officially assigned */
-#define TPM_BUFSIZE 4096
+#define TPM_BUFSIZE 65536
#define TPM_NUM_DEVICES 65536
#define TPM_RETRY 50
--
2.53.0
^ permalink raw reply related
* Re: [PATCH] KEYS: trusted: Protocol debugging as a feature
From: Jarkko Sakkinen @ 2026-03-24 10:35 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Srish Srinivasan, Nayna Jain, James Bottomley,
Mimi Zohar, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list
In-Reply-To: <20260323090047.632499-1-jarkko@kernel.org>
On Mon, Mar 23, 2026 at 11:00:46AM +0200, Jarkko Sakkinen wrote:
> TPM_DEBUG is a non-standard way to specify a feature in Linux kernel.
> Introduce CONFIG_TRUSTED_KEYS_DEBUG, and use it to replace TPM_DEBUG in
> TPM 1.x trusted keys.
>
> Given that protocol bus could contain sensitive data, harden the feature as
> follows:
>
> 1. In the Kconfig description postulate that pr_debug() statements must be
> used.
> 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
>
> Traces can be enabled e.g., by providing trusted.dyndbg='+p' for the kernel
> command-line.
>
> Cc: Srish Srinivasan <ssrish@linux.ibm.com>
> Reported-by: Nayna Jain <nayna@linux.ibm.com>
> Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> ---
I'm posting a v2 update with HAVE_* flag and a bit wider scope.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v2] tpm: i2c: atmel: fix block comment formatting
From: Jarkko Sakkinen @ 2026-03-24 10:37 UTC (permalink / raw)
To: Ethan Luna
Cc: peterhuewe, jgg, nicolas.ferre, claudiu.beznea, linux-integrity,
linux-arm-kernel, linux-kernel
In-Reply-To: <20260323134200.7766-1-trunixcodes@zohomail.com>
On Mon, Mar 23, 2026 at 06:40:49AM -0700, Ethan Luna wrote:
> Multiple block comments in tpm_i2c_atmel.c placed the closing '*/' on the
> same line as the comment text. This violates the kernel's preferred
> comment style, which requires the closing delimiter to appear on its
> line.
>
> Fix the formatting to improve readability and resolve checkpatch
> warnings.
>
> Signed-off-by: Ethan Luna <trunixcodes@zohomail.com>
> ---
>
> V1 -> V2: Fixed block comment formatting consistently across all multi-line comments
>
> v1: https://lore.kernel.org/all/20260322193112.27010-1-trunixcodes@zohomail.com/
>
> drivers/char/tpm/tpm_i2c_atmel.c | 34 +++++++++++++++++++++-----------
> 1 file changed, 23 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
> index 4f229656a8e2..c3cdc0d6e61c 100644
> --- a/drivers/char/tpm/tpm_i2c_atmel.c
> +++ b/drivers/char/tpm/tpm_i2c_atmel.c
> @@ -31,9 +31,11 @@
>
> struct priv_data {
> size_t len;
> - /* This is the amount we read on the first try. 25 was chosen to fit a
> + /*
> + * This is the amount we read on the first try. 25 was chosen to fit a
> * fair number of read responses in the buffer so a 2nd retry can be
> - * avoided in small message cases. */
> + * avoided in small message cases.
> + */
> u8 buffer[sizeof(struct tpm_header) + 25];
> };
>
> @@ -58,7 +60,9 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz,
> if (status < 0)
> return status;
>
> - /* The upper layer does not support incomplete sends. */
> + /*
> + * The upper layer does not support incomplete sends.
> + */
> if (status != len)
> return -E2BIG;
>
> @@ -76,9 +80,11 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> if (priv->len == 0)
> return -EIO;
>
> - /* Get the message size from the message header, if we didn't get the
> + /*
> + * Get the message size from the message header, if we didn't get the
> * whole message in read_status then we need to re-read the
> - * message. */
> + * message.
> + */
> expected_len = be32_to_cpu(hdr->length);
> if (expected_len > count)
> return -ENOMEM;
> @@ -111,15 +117,19 @@ static u8 i2c_atmel_read_status(struct tpm_chip *chip)
> struct i2c_client *client = to_i2c_client(chip->dev.parent);
> int rc;
>
> - /* The TPM fails the I2C read until it is ready, so we do the entire
> + /*
> + * The TPM fails the I2C read until it is ready, so we do the entire
> * transfer here and buffer it locally. This way the common code can
> - * properly handle the timeouts. */
> + * properly handle the timeouts.
> + */
> priv->len = 0;
> memset(priv->buffer, 0, sizeof(priv->buffer));
>
>
> - /* Once the TPM has completed the command the command remains readable
> - * until another command is issued. */
> + /*
> + * Once the TPM has completed the command the command remains readable
> + * until another command is issued.
> + */
> rc = i2c_master_recv(client, priv->buffer, sizeof(priv->buffer));
> dev_dbg(&chip->dev,
> "%s: sts=%d", __func__, rc);
> @@ -172,9 +182,11 @@ static int i2c_atmel_probe(struct i2c_client *client)
>
> dev_set_drvdata(&chip->dev, priv);
>
> - /* There is no known way to probe for this device, and all version
> + /*
> + * There is no known way to probe for this device, and all version
> * information seems to be read via TPM commands. Thus we rely on the
> - * TPM startup process in the common code to detect the device. */
> + * TPM startup process in the common code to detect the device.
> + */
>
> return tpm_chip_register(chip);
> }
> --
> 2.53.0
>
Almost there but when I applied it I spotted some trailing whitespace
errors:
❯ scripts/checkpatch.pl --strict -g HEAD
ERROR: trailing whitespace
#30: FILE: drivers/char/tpm/tpm_i2c_atmel.c:34:
+^I/* $
ERROR: trailing whitespace
#55: FILE: drivers/char/tpm/tpm_i2c_atmel.c:83:
+^I/* $
ERROR: trailing whitespace
#69: FILE: drivers/char/tpm/tpm_i2c_atmel.c:120:
+^I/* $
ERROR: trailing whitespace
#81: FILE: drivers/char/tpm/tpm_i2c_atmel.c:129:
+^I/* $
ERROR: trailing whitespace
#93: FILE: drivers/char/tpm/tpm_i2c_atmel.c:185:
+^I/* $
total: 5 errors, 0 warnings, 0 checks, 72 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
NOTE: Whitespace errors detected.
You may wish to use scripts/cleanpatch or scripts/cleanfile
Commit fe31e9522c2c ("tpm: i2c: atmel: fix block comment formatting") has style problems, please review.
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
BR, Jarkko
^ permalink raw reply
* Re: [RFC 0/4] tpm_crb: Add command and response buffer chunking support
From: Jarkko Sakkinen @ 2026-03-24 10:41 UTC (permalink / raw)
To: Arun Menon; +Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <20260324071803.324774-1-armenon@redhat.com>
On Tue, Mar 24, 2026 at 12:47:59PM +0530, Arun Menon wrote:
> The new version of TCG TPM v185 (currently under review [1]) supports
> sending data/commands in chunks for the CRB (Command Response Buffer)
> interface. This is in line with the initiative to support PQC algorithms.
>
> This series implements the logic to send and receive larger TPM
> cmd/rsp between the linux guest and the TPM backend in chunks.
> Currently, the TPM CRB driver is limited by the physical size of the
> MMIO window. When userspace attempts to send a payload that exceeds this
> size, the driver rejects it.
>
> This series introduces chunking support. The driver now checks the CRB
> interface capability for CRB_INTF_CAP_CRB_CHUNK. If supported by the
> backend, the driver will slice oversized commands into MMIO-sized
> chunks, signalling the backend via CRB_START_NEXT_CHUNK, and finalizing
> with CRB_START_INVOKE. Responses are also read back in a similar chunked
> manner.
>
> If the backend does not support chunking, the driver retains its legacy
> behaviour and enforces the standard size limits.
>
> This feature also requires the QEMU to interpret the data in chunks and
> forward it to the TPM backend and subsequently dispatch the TPM response
> in chunks back to the linux guest. This is implemented in [2]
>
> [1] https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p07_rc1_121225.pdf
> [2] https://lore.kernel.org/qemu-devel/20260319135316.37412-1-armenon@redhat.com/
>
> Arun Menon (4):
> tpm_crb: Add definition of TPM CRB chunking fields
> tpm_crb: Add new wrapper function to invoke start method
> tpm_crb: Implement command and response chunking logic
> tpm: Increase TPM_BUFSIZE to 64kB for chunking support
>
> drivers/char/tpm/tpm.h | 2 +-
> drivers/char/tpm/tpm_crb.c | 194 ++++++++++++++++++++++++++-----------
> 2 files changed, 137 insertions(+), 59 deletions(-)
>
> --
> 2.53.0
>
When QEMU has the feature available?
BR, Jarkko
^ permalink raw reply
* Re: [RFC 2/4] tpm_crb: Add new wrapper function to invoke start method
From: Jarkko Sakkinen @ 2026-03-24 10:42 UTC (permalink / raw)
To: Arun Menon; +Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <20260324071803.324774-3-armenon@redhat.com>
On Tue, Mar 24, 2026 at 12:48:01PM +0530, Arun Menon wrote:
> - Extract start invocation code into a separate function called
> crb_trigger_tpm. This will be helpful in repeatedly calling the
> start method with different bits set to toggle between start,
> nextChunk or crbRspRetry behaviours.
> - Based on the bit set, we signal the TPM to consume
> contents of the command/response buffer.
> - No functional change intended.
Please write a proper commit message, which is not a task list.
>
> Signed-off-by: Arun Menon <armenon@redhat.com>
> ---
> drivers/char/tpm/tpm_crb.c | 50 ++++++++++++++++++++------------------
> 1 file changed, 27 insertions(+), 23 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> index 67c0061d4cab7..10128d078245c 100644
> --- a/drivers/char/tpm/tpm_crb.c
> +++ b/drivers/char/tpm/tpm_crb.c
> @@ -445,6 +445,32 @@ static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
> }
> #endif
>
> +static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
> +{
> + struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> + int rc;
> + /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
> + * report only ACPI start but in practice seems to require both
> + * CRB start, hence invoking CRB start method if hid == MSFT0101.
> + */
> + if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
> + priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
> + !strcmp(priv->hid, "MSFT0101"))
> + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> + if (priv->sm == ACPI_TPM2_START_METHOD ||
> + priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
> + rc = crb_do_acpi_start(chip);
> + if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
> + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> + rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
> + }
> + if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
> + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> + rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
> + }
> + return rc;
> +}
> +
> static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> {
> struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> @@ -470,29 +496,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> /* Make sure that cmd is populated before issuing start. */
> wmb();
>
> - /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
> - * report only ACPI start but in practice seems to require both
> - * CRB start, hence invoking CRB start method if hid == MSFT0101.
> - */
> - if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
> - priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
> - !strcmp(priv->hid, "MSFT0101"))
> - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> -
> - if (priv->sm == ACPI_TPM2_START_METHOD ||
> - priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
> - rc = crb_do_acpi_start(chip);
> -
> - if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
> - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> - rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
> - }
> -
> - if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
> - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> - rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
> - }
> -
> + rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> if (rc)
> return rc;
>
> --
> 2.53.0
>
BR, Jarkko
^ permalink raw reply
* Re: [RFC 3/4] tpm_crb: Implement command and response chunking logic
From: Jarkko Sakkinen @ 2026-03-24 10:45 UTC (permalink / raw)
To: Arun Menon; +Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <20260324071803.324774-4-armenon@redhat.com>
On Tue, Mar 24, 2026 at 12:48:02PM +0530, Arun Menon wrote:
> Add support for sending and receiving TPM command data in chunks when
> the payload exceeds the physical size of the hardware MMIO window.
>
> This introduces the following changes:
>
> - crb_map_io(): Checks the device interface capability to determine if
> chunking is supported, setting the chunking_supported flag. It also
> stores the hardware's maximum response buffer size in priv->rsp_size.
> - crb_send(): Iteratively writes command chunks to the fixed priv->cmd
> MMIO window. It signals the TPM backend to process intermediate chunks
> using CRB_START_NEXT_CHUNK, and signals the final chunk to begin
> execution using CRB_START_INVOKE.
> - crb_recv(): Parses the expected response size from the initial TPM
> header. It then iteratively reads chunks from the fixed priv->rsp
> MMIO window into the destination buffer, advancing the buffer offset
> until the complete response is retrieved.
>
> Signed-off-by: Arun Menon <armenon@redhat.com>
This is also just description of wha this adds. I'd lessen the detail
and write a description that describes motivation and logic of the
change. It's a good test for author knowledge, as if you really get
the topic you can explain its gist. In addition, it can be reflected
to implementation (vs. the descriptions that are pseudocode in English)
Since this RFC and QEMU does not have the feature in release it is
good to polish stuff like this.
> ---
> drivers/char/tpm/tpm_crb.c | 150 +++++++++++++++++++++++++++----------
> 1 file changed, 109 insertions(+), 41 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> index 10128d078245c..fb63cc3737253 100644
> --- a/drivers/char/tpm/tpm_crb.c
> +++ b/drivers/char/tpm/tpm_crb.c
> @@ -104,11 +104,13 @@ struct crb_priv {
> u8 __iomem *cmd;
> u8 __iomem *rsp;
> u32 cmd_size;
> + u32 rsp_size;
> u32 smc_func_id;
> u32 __iomem *pluton_start_addr;
> u32 __iomem *pluton_reply_addr;
> u8 ffa_flags;
> u8 ffa_attributes;
> + bool chunking_supported;
> };
>
> struct tpm2_crb_smc {
> @@ -368,38 +370,6 @@ static u8 crb_status(struct tpm_chip *chip)
> return sts;
> }
>
> -static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> -{
> - struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> - unsigned int expected;
> -
> - /* A sanity check that the upper layer wants to get at least the header
> - * as that is the minimum size for any TPM response.
> - */
> - if (count < TPM_HEADER_SIZE)
> - return -EIO;
> -
> - /* If this bit is set, according to the spec, the TPM is in
> - * unrecoverable condition.
> - */
> - if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
> - return -EIO;
> -
> - /* Read the first 8 bytes in order to get the length of the response.
> - * We read exactly a quad word in order to make sure that the remaining
> - * reads will be aligned.
> - */
> - memcpy_fromio(buf, priv->rsp, 8);
> -
> - expected = be32_to_cpup((__be32 *)&buf[2]);
> - if (expected > count || expected < TPM_HEADER_SIZE)
> - return -EIO;
> -
> - memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
> -
> - return expected;
> -}
> -
> static int crb_do_acpi_start(struct tpm_chip *chip)
> {
> union acpi_object *obj;
> @@ -474,6 +444,8 @@ static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
> static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> {
> struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> + size_t offset = 0;
> + size_t chunk_size;
> int rc = 0;
>
> /* Zero the cancel register so that the next command will not get
> @@ -481,7 +453,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> */
> iowrite32(0, &priv->regs_t->ctrl_cancel);
>
> - if (len > priv->cmd_size) {
> + if (len > priv->cmd_size && !priv->chunking_supported) {
> dev_err(&chip->dev, "invalid command count value %zd %d\n",
> len, priv->cmd_size);
> return -E2BIG;
> @@ -491,16 +463,101 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
> __crb_cmd_ready(&chip->dev, priv, chip->locality);
>
> - memcpy_toio(priv->cmd, buf, len);
> + while (offset < len) {
> + chunk_size = min_t(size_t, len - offset, priv->cmd_size);
> +
> + memcpy_toio(priv->cmd, buf + offset, chunk_size);
> + offset += chunk_size;
> +
> + /* Make sure that cmd is populated before issuing start. */
> + wmb();
> + if (offset < len) {
> + rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
> + if (rc)
> + return rc;
> + if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
> + CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
> + dev_err(&chip->dev,
> + "Timeout waiting for backend to consume chunk\n");
> + return -ETIME;
> + }
> + } else {
> + rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> + if (rc)
> + return rc;
> + }
> + }
> + return crb_try_pluton_doorbell(priv, false);
> +}
>
> - /* Make sure that cmd is populated before issuing start. */
> - wmb();
> +static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> +{
> + struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> + unsigned int expected;
> + size_t offset = 0;
> + size_t chunk_size;
> + size_t first_read;
> + int rc;
>
> - rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> - if (rc)
> - return rc;
> + /* A sanity check that the upper layer wants to get at least the header
> + * as that is the minimum size for any TPM response.
> + */
> + if (count < TPM_HEADER_SIZE)
> + return -EIO;
>
> - return crb_try_pluton_doorbell(priv, false);
> + /* If this bit is set, according to the spec, the TPM is in
> + * unrecoverable condition.
> + */
> + if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
> + return -EIO;
> +
> + /* Read the first 8 bytes in order to get the length of the response.
> + * We read exactly a quad word in order to make sure that the remaining
> + * reads will be aligned.
> + */
> + memcpy_fromio(buf, priv->rsp, 8);
> +
> + expected = be32_to_cpup((__be32 *)&buf[2]);
> + if (expected > count || expected < TPM_HEADER_SIZE)
> + return -EIO;
> +
> + /*
> + * Set chunk_size by comparing the size of the buffer that the upper layer has
> + * allocated (count) to the hardware tpm limit (priv->rsp_size).
> + * This is to prevent buffer overflow while writing to buf.
> + */
> + chunk_size = min_t(size_t, count, priv->rsp_size);
> +
> + /*
> + * Compare the actual size of the response we found in the header to the chunk_size.
> + */
> + first_read = min_t(size_t, expected, chunk_size);
> +
> + memcpy_fromio(&buf[8], &priv->rsp[8], first_read - 8);
> + offset = first_read;
> +
> + while (offset < expected) {
> + if (!priv->chunking_supported) {
> + dev_err(&chip->dev, "Response larger than MMIO and chunking not supported\n");
> + return -EIO;
> + }
> +
> + rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
> + if (rc)
> + return rc;
> +
> + if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
> + CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
> + dev_err(&chip->dev, "Timeout waiting for backend response\n");
> + return -ETIME;
> + }
> +
> + chunk_size = min_t(size_t, expected - offset, priv->rsp_size);
> + memcpy_fromio(buf + offset, priv->rsp, chunk_size);
> + offset += chunk_size;
> + }
> +
> + return expected;
> }
>
> static void crb_cancel(struct tpm_chip *chip)
> @@ -727,6 +784,15 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> goto out;
> }
>
> + if (priv->regs_h) {
> + u32 intf_id = ioread32((u32 __iomem *)&priv->regs_h->intf_id);
> +
> + if (intf_id & CRB_INTF_CAP_CRB_CHUNK) {
> + priv->chunking_supported = true;
> + dev_info(dev, "CRB Chunking is supported by backend\n");
> + }
> + }
> +
> memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
> rsp_pa = le64_to_cpu(__rsp_pa);
> rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
> @@ -764,8 +830,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> priv->rsp = priv->cmd;
>
> out:
> - if (!ret)
> + if (!ret) {
> priv->cmd_size = cmd_size;
> + priv->rsp_size = rsp_size;
> + }
>
> __crb_go_idle(dev, priv, 0);
>
> --
> 2.53.0
>
BR, Jarkko
^ permalink raw reply
* [PATCH v2] KEYS: trusted: Debugging as a feature
From: Jarkko Sakkinen @ 2026-03-24 11:00 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Jarkko Sakkinen, Srish Srinivasan, Nayna Jain,
James Bottomley, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, Ahmad Fatoum,
Pengutronix Kernel Team, open list, open list:SECURITY SUBSYSTEM
TPM_DEBUG, and other similar flags, are a non-standard way to specify a
feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for
trusted keys, and use it to replace these ad-hoc feature flags.
Given that trusted keys debug dumps can contain sensitive data, harden
the feature as follows:
1. In the Kconfig description postulate that pr_debug() statements must be
used.
2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
Traces, when actually needed, can be easily enabled by providing
trusted.dyndbg='+p' in the kernel command-line.
Cc: Srish Srinivasan <ssrish@linux.ibm.com>
Reported-by: Nayna Jain <nayna@linux.ibm.com>
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
v2:
- Implement for all trusted keys backends.
- Add HAVE_TRUSTED_KEYS_DEBUG as it is a good practice despite full
coverage.
---
include/keys/trusted-type.h | 18 +++++-------
security/keys/trusted-keys/Kconfig | 19 ++++++++++++
security/keys/trusted-keys/trusted_caam.c | 4 +--
security/keys/trusted-keys/trusted_tpm1.c | 36 +++++++++++------------
4 files changed, 46 insertions(+), 31 deletions(-)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 03527162613f..620a1f890b6b 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -83,18 +83,16 @@ struct trusted_key_source {
extern struct key_type key_type_trusted;
-#define TRUSTED_DEBUG 0
-
-#if TRUSTED_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_payload(struct trusted_key_payload *p)
{
- pr_info("key_len %d\n", p->key_len);
- print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE,
- 16, 1, p->key, p->key_len, 0);
- pr_info("bloblen %d\n", p->blob_len);
- print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE,
- 16, 1, p->blob, p->blob_len, 0);
- pr_info("migratable %d\n", p->migratable);
+ pr_debug("key_len %d\n", p->key_len);
+ print_hex_dump_debug("key ", DUMP_PREFIX_NONE,
+ 16, 1, p->key, p->key_len, 0);
+ pr_debug("bloblen %d\n", p->blob_len);
+ print_hex_dump_debug("blob ", DUMP_PREFIX_NONE,
+ 16, 1, p->blob, p->blob_len, 0);
+ pr_debug("migratable %d\n", p->migratable);
}
#else
static inline void dump_payload(struct trusted_key_payload *p)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index 9e00482d886a..2ad9ba0e03f1 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,10 +1,25 @@
config HAVE_TRUSTED_KEYS
bool
+config HAVE_TRUSTED_KEYS_DEBUG
+ bool
+
+config TRUSTED_KEYS_DEBUG
+ bool "Debug trusted keys"
+ depends on HAVE_TRUSTED_KEYS_DEBUG
+ default n
+ help
+ Trusted keys backends and core code that support debug dumps
+ can opt-in that feature here. Dumps must only use DEBUG
+ level output, as sensitive data may pass by. In the
+ kernel-command line traces can be enabled via
+ trusted.dyndbg='+p'.
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select CRYPTO_HASH_INFO
select CRYPTO_LIB_SHA1
select CRYPTO_LIB_UTILS
@@ -23,6 +38,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
@@ -33,6 +49,7 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
@@ -42,6 +59,7 @@ config TRUSTED_KEYS_DCP
bool "DCP-based trusted keys"
depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
@@ -50,6 +68,7 @@ config TRUSTED_KEYS_PKWM
bool "PKWM-based trusted keys"
depends on PSERIES_PLPKS >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.
diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
index 601943ce0d60..015cddc6b53c 100644
--- a/security/keys/trusted-keys/trusted_caam.c
+++ b/security/keys/trusted-keys/trusted_caam.c
@@ -28,10 +28,10 @@ static const match_table_t key_tokens = {
{opt_err, NULL}
};
-#ifdef CAAM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(const struct caam_pkey_info *pkey_info)
{
- pr_info("key encryption algo %d\n", pkey_info->key_enc_algo);
+ pr_debug("key encryption algo %d\n", pkey_info->key_enc_algo);
}
#else
static inline void dump_options(const struct caam_pkey_info *pkey_info)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..8fe889c7cdd1 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,38 +46,36 @@ enum {
SRK_keytype = 4
};
-#define TPM_DEBUG 0
-
-#if TPM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(struct trusted_key_options *o)
{
- pr_info("sealing key type %d\n", o->keytype);
- pr_info("sealing key handle %0X\n", o->keyhandle);
- pr_info("pcrlock %d\n", o->pcrlock);
- pr_info("pcrinfo %d\n", o->pcrinfo_len);
- print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
- 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
+ pr_debug("sealing key type %d\n", o->keytype);
+ pr_debug("sealing key handle %0X\n", o->keyhandle);
+ pr_debug("pcrlock %d\n", o->pcrlock);
+ pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+ print_hex_dump_debug("pcrinfo ", DUMP_PREFIX_NONE,
+ 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
}
static inline void dump_sess(struct osapsess *s)
{
- print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
- 16, 1, &s->handle, 4, 0);
- pr_info("secret:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
- pr_info("trusted-key: enonce:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
+ print_hex_dump_debug("trusted-key: handle ", DUMP_PREFIX_NONE,
+ 16, 1, &s->handle, 4, 0);
+ pr_debug("secret:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
+ pr_debug("trusted-key: enonce:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
}
static inline void dump_tpm_buf(unsigned char *buf)
{
int len;
- pr_info("\ntpm buffer\n");
+ pr_debug("\ntpm buffer\n");
len = LOAD32(buf, TPM_SIZE_OFFSET);
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
+ print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
}
#else
static inline void dump_options(struct trusted_key_options *o)
--
2.47.3
^ permalink raw reply related
* [PATCH v2] KEYS: trusted: Debugging as a feature
From: Jarkko Sakkinen @ 2026-03-24 11:00 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Jarkko Sakkinen, Srish Srinivasan, Nayna Jain,
James Bottomley, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, Ahmad Fatoum,
Pengutronix Kernel Team, open list, open list:SECURITY SUBSYSTEM
TPM_DEBUG, and other similar flags, are a non-standard way to specify a
feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for
trusted keys, and use it to replace these ad-hoc feature flags.
Given that trusted keys debug dumps can contain sensitive data, harden
the feature as follows:
1. In the Kconfig description postulate that pr_debug() statements must be
used.
2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
Traces, when actually needed, can be easily enabled by providing
trusted.dyndbg='+p' in the kernel command-line.
Cc: Srish Srinivasan <ssrish@linux.ibm.com>
Reported-by: Nayna Jain <nayna@linux.ibm.com>
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
v2:
- Implement for all trusted keys backends.
- Add HAVE_TRUSTED_KEYS_DEBUG as it is a good practice despite full
coverage.
---
include/keys/trusted-type.h | 18 +++++-------
security/keys/trusted-keys/Kconfig | 19 ++++++++++++
security/keys/trusted-keys/trusted_caam.c | 4 +--
security/keys/trusted-keys/trusted_tpm1.c | 36 +++++++++++------------
4 files changed, 46 insertions(+), 31 deletions(-)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 03527162613f..620a1f890b6b 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -83,18 +83,16 @@ struct trusted_key_source {
extern struct key_type key_type_trusted;
-#define TRUSTED_DEBUG 0
-
-#if TRUSTED_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_payload(struct trusted_key_payload *p)
{
- pr_info("key_len %d\n", p->key_len);
- print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE,
- 16, 1, p->key, p->key_len, 0);
- pr_info("bloblen %d\n", p->blob_len);
- print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE,
- 16, 1, p->blob, p->blob_len, 0);
- pr_info("migratable %d\n", p->migratable);
+ pr_debug("key_len %d\n", p->key_len);
+ print_hex_dump_debug("key ", DUMP_PREFIX_NONE,
+ 16, 1, p->key, p->key_len, 0);
+ pr_debug("bloblen %d\n", p->blob_len);
+ print_hex_dump_debug("blob ", DUMP_PREFIX_NONE,
+ 16, 1, p->blob, p->blob_len, 0);
+ pr_debug("migratable %d\n", p->migratable);
}
#else
static inline void dump_payload(struct trusted_key_payload *p)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index 9e00482d886a..2ad9ba0e03f1 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,10 +1,25 @@
config HAVE_TRUSTED_KEYS
bool
+config HAVE_TRUSTED_KEYS_DEBUG
+ bool
+
+config TRUSTED_KEYS_DEBUG
+ bool "Debug trusted keys"
+ depends on HAVE_TRUSTED_KEYS_DEBUG
+ default n
+ help
+ Trusted keys backends and core code that support debug dumps
+ can opt-in that feature here. Dumps must only use DEBUG
+ level output, as sensitive data may pass by. In the
+ kernel-command line traces can be enabled via
+ trusted.dyndbg='+p'.
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select CRYPTO_HASH_INFO
select CRYPTO_LIB_SHA1
select CRYPTO_LIB_UTILS
@@ -23,6 +38,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
@@ -33,6 +49,7 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
@@ -42,6 +59,7 @@ config TRUSTED_KEYS_DCP
bool "DCP-based trusted keys"
depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
@@ -50,6 +68,7 @@ config TRUSTED_KEYS_PKWM
bool "PKWM-based trusted keys"
depends on PSERIES_PLPKS >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.
diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
index 601943ce0d60..015cddc6b53c 100644
--- a/security/keys/trusted-keys/trusted_caam.c
+++ b/security/keys/trusted-keys/trusted_caam.c
@@ -28,10 +28,10 @@ static const match_table_t key_tokens = {
{opt_err, NULL}
};
-#ifdef CAAM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(const struct caam_pkey_info *pkey_info)
{
- pr_info("key encryption algo %d\n", pkey_info->key_enc_algo);
+ pr_debug("key encryption algo %d\n", pkey_info->key_enc_algo);
}
#else
static inline void dump_options(const struct caam_pkey_info *pkey_info)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..8fe889c7cdd1 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,38 +46,36 @@ enum {
SRK_keytype = 4
};
-#define TPM_DEBUG 0
-
-#if TPM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(struct trusted_key_options *o)
{
- pr_info("sealing key type %d\n", o->keytype);
- pr_info("sealing key handle %0X\n", o->keyhandle);
- pr_info("pcrlock %d\n", o->pcrlock);
- pr_info("pcrinfo %d\n", o->pcrinfo_len);
- print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
- 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
+ pr_debug("sealing key type %d\n", o->keytype);
+ pr_debug("sealing key handle %0X\n", o->keyhandle);
+ pr_debug("pcrlock %d\n", o->pcrlock);
+ pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+ print_hex_dump_debug("pcrinfo ", DUMP_PREFIX_NONE,
+ 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
}
static inline void dump_sess(struct osapsess *s)
{
- print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
- 16, 1, &s->handle, 4, 0);
- pr_info("secret:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
- pr_info("trusted-key: enonce:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
+ print_hex_dump_debug("trusted-key: handle ", DUMP_PREFIX_NONE,
+ 16, 1, &s->handle, 4, 0);
+ pr_debug("secret:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
+ pr_debug("trusted-key: enonce:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
}
static inline void dump_tpm_buf(unsigned char *buf)
{
int len;
- pr_info("\ntpm buffer\n");
+ pr_debug("\ntpm buffer\n");
len = LOAD32(buf, TPM_SIZE_OFFSET);
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
+ print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
}
#else
static inline void dump_options(struct trusted_key_options *o)
--
2.47.3
^ permalink raw reply related
* [PATCH v2] KEYS: trusted: Debugging as a feature
From: Jarkko Sakkinen @ 2026-03-24 11:01 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Jarkko Sakkinen, Srish Srinivasan, Nayna Jain,
James Bottomley, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, Ahmad Fatoum,
Pengutronix Kernel Team, open list, open list:SECURITY SUBSYSTEM
TPM_DEBUG, and other similar flags, are a non-standard way to specify a
feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for
trusted keys, and use it to replace these ad-hoc feature flags.
Given that trusted keys debug dumps can contain sensitive data, harden
the feature as follows:
1. In the Kconfig description postulate that pr_debug() statements must be
used.
2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
Traces, when actually needed, can be easily enabled by providing
trusted.dyndbg='+p' in the kernel command-line.
Cc: Srish Srinivasan <ssrish@linux.ibm.com>
Reported-by: Nayna Jain <nayna@linux.ibm.com>
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
v2:
- Implement for all trusted keys backends.
- Add HAVE_TRUSTED_KEYS_DEBUG as it is a good practice despite full
coverage.
---
include/keys/trusted-type.h | 18 +++++-------
security/keys/trusted-keys/Kconfig | 19 ++++++++++++
security/keys/trusted-keys/trusted_caam.c | 4 +--
security/keys/trusted-keys/trusted_tpm1.c | 36 +++++++++++------------
4 files changed, 46 insertions(+), 31 deletions(-)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 03527162613f..620a1f890b6b 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -83,18 +83,16 @@ struct trusted_key_source {
extern struct key_type key_type_trusted;
-#define TRUSTED_DEBUG 0
-
-#if TRUSTED_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_payload(struct trusted_key_payload *p)
{
- pr_info("key_len %d\n", p->key_len);
- print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE,
- 16, 1, p->key, p->key_len, 0);
- pr_info("bloblen %d\n", p->blob_len);
- print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE,
- 16, 1, p->blob, p->blob_len, 0);
- pr_info("migratable %d\n", p->migratable);
+ pr_debug("key_len %d\n", p->key_len);
+ print_hex_dump_debug("key ", DUMP_PREFIX_NONE,
+ 16, 1, p->key, p->key_len, 0);
+ pr_debug("bloblen %d\n", p->blob_len);
+ print_hex_dump_debug("blob ", DUMP_PREFIX_NONE,
+ 16, 1, p->blob, p->blob_len, 0);
+ pr_debug("migratable %d\n", p->migratable);
}
#else
static inline void dump_payload(struct trusted_key_payload *p)
diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
index 9e00482d886a..2ad9ba0e03f1 100644
--- a/security/keys/trusted-keys/Kconfig
+++ b/security/keys/trusted-keys/Kconfig
@@ -1,10 +1,25 @@
config HAVE_TRUSTED_KEYS
bool
+config HAVE_TRUSTED_KEYS_DEBUG
+ bool
+
+config TRUSTED_KEYS_DEBUG
+ bool "Debug trusted keys"
+ depends on HAVE_TRUSTED_KEYS_DEBUG
+ default n
+ help
+ Trusted keys backends and core code that support debug dumps
+ can opt-in that feature here. Dumps must only use DEBUG
+ level output, as sensitive data may pass by. In the
+ kernel-command line traces can be enabled via
+ trusted.dyndbg='+p'.
+
config TRUSTED_KEYS_TPM
bool "TPM-based trusted keys"
depends on TCG_TPM >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select CRYPTO_HASH_INFO
select CRYPTO_LIB_SHA1
select CRYPTO_LIB_UTILS
@@ -23,6 +38,7 @@ config TRUSTED_KEYS_TEE
bool "TEE-based trusted keys"
depends on TEE >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of the Trusted Execution Environment (TEE) as trusted
@@ -33,6 +49,7 @@ config TRUSTED_KEYS_CAAM
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's Cryptographic Accelerator and Assurance Module
@@ -42,6 +59,7 @@ config TRUSTED_KEYS_DCP
bool "DCP-based trusted keys"
depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
@@ -50,6 +68,7 @@ config TRUSTED_KEYS_PKWM
bool "PKWM-based trusted keys"
depends on PSERIES_PLPKS >= TRUSTED_KEYS
default y
+ select HAVE_TRUSTED_KEYS_DEBUG
select HAVE_TRUSTED_KEYS
help
Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.
diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
index 601943ce0d60..015cddc6b53c 100644
--- a/security/keys/trusted-keys/trusted_caam.c
+++ b/security/keys/trusted-keys/trusted_caam.c
@@ -28,10 +28,10 @@ static const match_table_t key_tokens = {
{opt_err, NULL}
};
-#ifdef CAAM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(const struct caam_pkey_info *pkey_info)
{
- pr_info("key encryption algo %d\n", pkey_info->key_enc_algo);
+ pr_debug("key encryption algo %d\n", pkey_info->key_enc_algo);
}
#else
static inline void dump_options(const struct caam_pkey_info *pkey_info)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
index c865c97aa1b4..8fe889c7cdd1 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -46,38 +46,36 @@ enum {
SRK_keytype = 4
};
-#define TPM_DEBUG 0
-
-#if TPM_DEBUG
+#ifdef CONFIG_TRUSTED_KEYS_DEBUG
static inline void dump_options(struct trusted_key_options *o)
{
- pr_info("sealing key type %d\n", o->keytype);
- pr_info("sealing key handle %0X\n", o->keyhandle);
- pr_info("pcrlock %d\n", o->pcrlock);
- pr_info("pcrinfo %d\n", o->pcrinfo_len);
- print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
- 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
+ pr_debug("sealing key type %d\n", o->keytype);
+ pr_debug("sealing key handle %0X\n", o->keyhandle);
+ pr_debug("pcrlock %d\n", o->pcrlock);
+ pr_debug("pcrinfo %d\n", o->pcrinfo_len);
+ print_hex_dump_debug("pcrinfo ", DUMP_PREFIX_NONE,
+ 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
}
static inline void dump_sess(struct osapsess *s)
{
- print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
- 16, 1, &s->handle, 4, 0);
- pr_info("secret:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
- pr_info("trusted-key: enonce:\n");
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
- 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
+ print_hex_dump_debug("trusted-key: handle ", DUMP_PREFIX_NONE,
+ 16, 1, &s->handle, 4, 0);
+ pr_debug("secret:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
+ pr_debug("trusted-key: enonce:\n");
+ print_hex_dump_debug("", DUMP_PREFIX_NONE,
+ 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
}
static inline void dump_tpm_buf(unsigned char *buf)
{
int len;
- pr_info("\ntpm buffer\n");
+ pr_debug("\ntpm buffer\n");
len = LOAD32(buf, TPM_SIZE_OFFSET);
- print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
+ print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
}
#else
static inline void dump_options(struct trusted_key_options *o)
--
2.47.3
^ permalink raw reply related
* Re: [PATCH v2] KEYS: trusted: Debugging as a feature
From: Jarkko Sakkinen @ 2026-03-24 11:05 UTC (permalink / raw)
To: linux-integrity
Cc: keyrings, Srish Srinivasan, Nayna Jain, James Bottomley,
Mimi Zohar, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, Ahmad Fatoum, Pengutronix Kernel Team, open list,
open list:SECURITY SUBSYSTEM
In-Reply-To: <20260324110018.67081-1-jarkko@kernel.org>
On Tue, Mar 24, 2026 at 01:00:15PM +0200, Jarkko Sakkinen wrote:
> TPM_DEBUG, and other similar flags, are a non-standard way to specify a
> feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for
> trusted keys, and use it to replace these ad-hoc feature flags.
>
> Given that trusted keys debug dumps can contain sensitive data, harden
> the feature as follows:
>
> 1. In the Kconfig description postulate that pr_debug() statements must be
> used.
> 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump.
>
> Traces, when actually needed, can be easily enabled by providing
> trusted.dyndbg='+p' in the kernel command-line.
>
> Cc: Srish Srinivasan <ssrish@linux.ibm.com>
> Reported-by: Nayna Jain <nayna@linux.ibm.com>
> Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> ---
> v2:
> - Implement for all trusted keys backends.
> - Add HAVE_TRUSTED_KEYS_DEBUG as it is a good practice despite full
> coverage.
> ---
Sorry came out 3x, I messed up in terminal :-) They are equal.
> include/keys/trusted-type.h | 18 +++++-------
> security/keys/trusted-keys/Kconfig | 19 ++++++++++++
> security/keys/trusted-keys/trusted_caam.c | 4 +--
> security/keys/trusted-keys/trusted_tpm1.c | 36 +++++++++++------------
> 4 files changed, 46 insertions(+), 31 deletions(-)
>
> diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
> index 03527162613f..620a1f890b6b 100644
> --- a/include/keys/trusted-type.h
> +++ b/include/keys/trusted-type.h
> @@ -83,18 +83,16 @@ struct trusted_key_source {
>
> extern struct key_type key_type_trusted;
>
> -#define TRUSTED_DEBUG 0
> -
> -#if TRUSTED_DEBUG
> +#ifdef CONFIG_TRUSTED_KEYS_DEBUG
> static inline void dump_payload(struct trusted_key_payload *p)
> {
> - pr_info("key_len %d\n", p->key_len);
> - print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE,
> - 16, 1, p->key, p->key_len, 0);
> - pr_info("bloblen %d\n", p->blob_len);
> - print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE,
> - 16, 1, p->blob, p->blob_len, 0);
> - pr_info("migratable %d\n", p->migratable);
> + pr_debug("key_len %d\n", p->key_len);
> + print_hex_dump_debug("key ", DUMP_PREFIX_NONE,
> + 16, 1, p->key, p->key_len, 0);
> + pr_debug("bloblen %d\n", p->blob_len);
> + print_hex_dump_debug("blob ", DUMP_PREFIX_NONE,
> + 16, 1, p->blob, p->blob_len, 0);
> + pr_debug("migratable %d\n", p->migratable);
> }
> #else
> static inline void dump_payload(struct trusted_key_payload *p)
> diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig
> index 9e00482d886a..2ad9ba0e03f1 100644
> --- a/security/keys/trusted-keys/Kconfig
> +++ b/security/keys/trusted-keys/Kconfig
> @@ -1,10 +1,25 @@
> config HAVE_TRUSTED_KEYS
> bool
>
> +config HAVE_TRUSTED_KEYS_DEBUG
> + bool
> +
> +config TRUSTED_KEYS_DEBUG
> + bool "Debug trusted keys"
> + depends on HAVE_TRUSTED_KEYS_DEBUG
> + default n
> + help
> + Trusted keys backends and core code that support debug dumps
> + can opt-in that feature here. Dumps must only use DEBUG
> + level output, as sensitive data may pass by. In the
> + kernel-command line traces can be enabled via
> + trusted.dyndbg='+p'.
> +
> config TRUSTED_KEYS_TPM
> bool "TPM-based trusted keys"
> depends on TCG_TPM >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS_DEBUG
> select CRYPTO_HASH_INFO
> select CRYPTO_LIB_SHA1
> select CRYPTO_LIB_UTILS
> @@ -23,6 +38,7 @@ config TRUSTED_KEYS_TEE
> bool "TEE-based trusted keys"
> depends on TEE >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS_DEBUG
> select HAVE_TRUSTED_KEYS
> help
> Enable use of the Trusted Execution Environment (TEE) as trusted
> @@ -33,6 +49,7 @@ config TRUSTED_KEYS_CAAM
> depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
> select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> default y
> + select HAVE_TRUSTED_KEYS_DEBUG
> select HAVE_TRUSTED_KEYS
> help
> Enable use of NXP's Cryptographic Accelerator and Assurance Module
> @@ -42,6 +59,7 @@ config TRUSTED_KEYS_DCP
> bool "DCP-based trusted keys"
> depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS_DEBUG
> select HAVE_TRUSTED_KEYS
> help
> Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
> @@ -50,6 +68,7 @@ config TRUSTED_KEYS_PKWM
> bool "PKWM-based trusted keys"
> depends on PSERIES_PLPKS >= TRUSTED_KEYS
> default y
> + select HAVE_TRUSTED_KEYS_DEBUG
> select HAVE_TRUSTED_KEYS
> help
> Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.
> diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
> index 601943ce0d60..015cddc6b53c 100644
> --- a/security/keys/trusted-keys/trusted_caam.c
> +++ b/security/keys/trusted-keys/trusted_caam.c
> @@ -28,10 +28,10 @@ static const match_table_t key_tokens = {
> {opt_err, NULL}
> };
>
> -#ifdef CAAM_DEBUG
> +#ifdef CONFIG_TRUSTED_KEYS_DEBUG
> static inline void dump_options(const struct caam_pkey_info *pkey_info)
> {
> - pr_info("key encryption algo %d\n", pkey_info->key_enc_algo);
> + pr_debug("key encryption algo %d\n", pkey_info->key_enc_algo);
> }
> #else
> static inline void dump_options(const struct caam_pkey_info *pkey_info)
> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> index c865c97aa1b4..8fe889c7cdd1 100644
> --- a/security/keys/trusted-keys/trusted_tpm1.c
> +++ b/security/keys/trusted-keys/trusted_tpm1.c
> @@ -46,38 +46,36 @@ enum {
> SRK_keytype = 4
> };
>
> -#define TPM_DEBUG 0
> -
> -#if TPM_DEBUG
> +#ifdef CONFIG_TRUSTED_KEYS_DEBUG
> static inline void dump_options(struct trusted_key_options *o)
> {
> - pr_info("sealing key type %d\n", o->keytype);
> - pr_info("sealing key handle %0X\n", o->keyhandle);
> - pr_info("pcrlock %d\n", o->pcrlock);
> - pr_info("pcrinfo %d\n", o->pcrinfo_len);
> - print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
> - 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
> + pr_debug("sealing key type %d\n", o->keytype);
> + pr_debug("sealing key handle %0X\n", o->keyhandle);
> + pr_debug("pcrlock %d\n", o->pcrlock);
> + pr_debug("pcrinfo %d\n", o->pcrinfo_len);
> + print_hex_dump_debug("pcrinfo ", DUMP_PREFIX_NONE,
> + 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
> }
>
> static inline void dump_sess(struct osapsess *s)
> {
> - print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
> - 16, 1, &s->handle, 4, 0);
> - pr_info("secret:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> - 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
> - pr_info("trusted-key: enonce:\n");
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
> - 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
> + print_hex_dump_debug("trusted-key: handle ", DUMP_PREFIX_NONE,
> + 16, 1, &s->handle, 4, 0);
> + pr_debug("secret:\n");
> + print_hex_dump_debug("", DUMP_PREFIX_NONE,
> + 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
> + pr_debug("trusted-key: enonce:\n");
> + print_hex_dump_debug("", DUMP_PREFIX_NONE,
> + 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
> }
>
> static inline void dump_tpm_buf(unsigned char *buf)
> {
> int len;
>
> - pr_info("\ntpm buffer\n");
> + pr_debug("\ntpm buffer\n");
> len = LOAD32(buf, TPM_SIZE_OFFSET);
> - print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> + print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
> }
> #else
> static inline void dump_options(struct trusted_key_options *o)
> --
> 2.47.3
>
>
BR, Jarkko
^ permalink raw reply
* Re: [RFC 0/4] tpm_crb: Add command and response buffer chunking support
From: Arun Menon @ 2026-03-24 12:41 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <acJqVjZ7eSxOpSL5@kernel.org>
Hi Jarkko,
On Tue, Mar 24, 2026 at 12:41:26PM +0200, Jarkko Sakkinen wrote:
> On Tue, Mar 24, 2026 at 12:47:59PM +0530, Arun Menon wrote:
> > The new version of TCG TPM v185 (currently under review [1]) supports
> > sending data/commands in chunks for the CRB (Command Response Buffer)
> > interface. This is in line with the initiative to support PQC algorithms.
> >
> > This series implements the logic to send and receive larger TPM
> > cmd/rsp between the linux guest and the TPM backend in chunks.
> > Currently, the TPM CRB driver is limited by the physical size of the
> > MMIO window. When userspace attempts to send a payload that exceeds this
> > size, the driver rejects it.
> >
> > This series introduces chunking support. The driver now checks the CRB
> > interface capability for CRB_INTF_CAP_CRB_CHUNK. If supported by the
> > backend, the driver will slice oversized commands into MMIO-sized
> > chunks, signalling the backend via CRB_START_NEXT_CHUNK, and finalizing
> > with CRB_START_INVOKE. Responses are also read back in a similar chunked
> > manner.
> >
> > If the backend does not support chunking, the driver retains its legacy
> > behaviour and enforces the standard size limits.
> >
> > This feature also requires the QEMU to interpret the data in chunks and
> > forward it to the TPM backend and subsequently dispatch the TPM response
> > in chunks back to the linux guest. This is implemented in [2]
> >
> > [1] https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p07_rc1_121225.pdf
> > [2] https://lore.kernel.org/qemu-devel/20260319135316.37412-1-armenon@redhat.com/
> >
> > Arun Menon (4):
> > tpm_crb: Add definition of TPM CRB chunking fields
> > tpm_crb: Add new wrapper function to invoke start method
> > tpm_crb: Implement command and response chunking logic
> > tpm: Increase TPM_BUFSIZE to 64kB for chunking support
> >
> > drivers/char/tpm/tpm.h | 2 +-
> > drivers/char/tpm/tpm_crb.c | 194 ++++++++++++++++++++++++++-----------
> > 2 files changed, 137 insertions(+), 59 deletions(-)
> >
> > --
> > 2.53.0
> >
>
> When QEMU has the feature available?
The QEMU patches are in review at the moment,
here is the link: https://lore.kernel.org/qemu-devel/20260319135316.37412-1-armenon@redhat.com/
Hoping to have them merged soon.
>
> BR, Jarkko
>
Regards,
Arun Menon
^ permalink raw reply
* Re: [RFC 2/4] tpm_crb: Add new wrapper function to invoke start method
From: Arun Menon @ 2026-03-24 12:43 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <acJqi8S81I2hwvsR@kernel.org>
On Tue, Mar 24, 2026 at 12:42:19PM +0200, Jarkko Sakkinen wrote:
> On Tue, Mar 24, 2026 at 12:48:01PM +0530, Arun Menon wrote:
> > - Extract start invocation code into a separate function called
> > crb_trigger_tpm. This will be helpful in repeatedly calling the
> > start method with different bits set to toggle between start,
> > nextChunk or crbRspRetry behaviours.
> > - Based on the bit set, we signal the TPM to consume
> > contents of the command/response buffer.
> > - No functional change intended.
>
> Please write a proper commit message, which is not a task list.
Yes, I shall do that. Thank you for taking a look.
>
> >
> > Signed-off-by: Arun Menon <armenon@redhat.com>
> > ---
> > drivers/char/tpm/tpm_crb.c | 50 ++++++++++++++++++++------------------
> > 1 file changed, 27 insertions(+), 23 deletions(-)
> >
> > diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> > index 67c0061d4cab7..10128d078245c 100644
> > --- a/drivers/char/tpm/tpm_crb.c
> > +++ b/drivers/char/tpm/tpm_crb.c
> > @@ -445,6 +445,32 @@ static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
> > }
> > #endif
> >
> > +static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
> > +{
> > + struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> > + int rc;
> > + /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
> > + * report only ACPI start but in practice seems to require both
> > + * CRB start, hence invoking CRB start method if hid == MSFT0101.
> > + */
> > + if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
> > + priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
> > + !strcmp(priv->hid, "MSFT0101"))
> > + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> > + if (priv->sm == ACPI_TPM2_START_METHOD ||
> > + priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
> > + rc = crb_do_acpi_start(chip);
> > + if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
> > + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> > + rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
> > + }
> > + if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
> > + iowrite32(start_cmd, &priv->regs_t->ctrl_start);
> > + rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
> > + }
> > + return rc;
> > +}
> > +
> > static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> > {
> > struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> > @@ -470,29 +496,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> > /* Make sure that cmd is populated before issuing start. */
> > wmb();
> >
> > - /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
> > - * report only ACPI start but in practice seems to require both
> > - * CRB start, hence invoking CRB start method if hid == MSFT0101.
> > - */
> > - if (priv->sm == ACPI_TPM2_COMMAND_BUFFER ||
> > - priv->sm == ACPI_TPM2_MEMORY_MAPPED ||
> > - !strcmp(priv->hid, "MSFT0101"))
> > - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> > -
> > - if (priv->sm == ACPI_TPM2_START_METHOD ||
> > - priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)
> > - rc = crb_do_acpi_start(chip);
> > -
> > - if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
> > - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> > - rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
> > - }
> > -
> > - if (priv->sm == ACPI_TPM2_CRB_WITH_ARM_FFA) {
> > - iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
> > - rc = tpm_crb_ffa_start(CRB_FFA_START_TYPE_COMMAND, chip->locality);
> > - }
> > -
> > + rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> > if (rc)
> > return rc;
> >
> > --
> > 2.53.0
> >
>
> BR, Jarkko
>
Regards,
Arun Menon
^ permalink raw reply
* Re: [RFC 3/4] tpm_crb: Implement command and response chunking logic
From: Arun Menon @ 2026-03-24 12:46 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: linux-kernel, linux-integrity, Jason Gunthorpe, Peter Huewe
In-Reply-To: <acJrSXwUMjh5Pt_8@kernel.org>
On Tue, Mar 24, 2026 at 12:45:29PM +0200, Jarkko Sakkinen wrote:
> On Tue, Mar 24, 2026 at 12:48:02PM +0530, Arun Menon wrote:
> > Add support for sending and receiving TPM command data in chunks when
> > the payload exceeds the physical size of the hardware MMIO window.
> >
> > This introduces the following changes:
> >
> > - crb_map_io(): Checks the device interface capability to determine if
> > chunking is supported, setting the chunking_supported flag. It also
> > stores the hardware's maximum response buffer size in priv->rsp_size.
> > - crb_send(): Iteratively writes command chunks to the fixed priv->cmd
> > MMIO window. It signals the TPM backend to process intermediate chunks
> > using CRB_START_NEXT_CHUNK, and signals the final chunk to begin
> > execution using CRB_START_INVOKE.
> > - crb_recv(): Parses the expected response size from the initial TPM
> > header. It then iteratively reads chunks from the fixed priv->rsp
> > MMIO window into the destination buffer, advancing the buffer offset
> > until the complete response is retrieved.
> >
> > Signed-off-by: Arun Menon <armenon@redhat.com>
>
> This is also just description of wha this adds. I'd lessen the detail
> and write a description that describes motivation and logic of the
> change. It's a good test for author knowledge, as if you really get
> the topic you can explain its gist. In addition, it can be reflected
> to implementation (vs. the descriptions that are pseudocode in English)
Sure, I will replace the commit message with motivation+logic instead of
explaining the code step by step.
>
> Since this RFC and QEMU does not have the feature in release it is
> good to polish stuff like this.
>
> > ---
> > drivers/char/tpm/tpm_crb.c | 150 +++++++++++++++++++++++++++----------
> > 1 file changed, 109 insertions(+), 41 deletions(-)
> >
> > diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> > index 10128d078245c..fb63cc3737253 100644
> > --- a/drivers/char/tpm/tpm_crb.c
> > +++ b/drivers/char/tpm/tpm_crb.c
> > @@ -104,11 +104,13 @@ struct crb_priv {
> > u8 __iomem *cmd;
> > u8 __iomem *rsp;
> > u32 cmd_size;
> > + u32 rsp_size;
> > u32 smc_func_id;
> > u32 __iomem *pluton_start_addr;
> > u32 __iomem *pluton_reply_addr;
> > u8 ffa_flags;
> > u8 ffa_attributes;
> > + bool chunking_supported;
> > };
> >
> > struct tpm2_crb_smc {
> > @@ -368,38 +370,6 @@ static u8 crb_status(struct tpm_chip *chip)
> > return sts;
> > }
> >
> > -static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> > -{
> > - struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> > - unsigned int expected;
> > -
> > - /* A sanity check that the upper layer wants to get at least the header
> > - * as that is the minimum size for any TPM response.
> > - */
> > - if (count < TPM_HEADER_SIZE)
> > - return -EIO;
> > -
> > - /* If this bit is set, according to the spec, the TPM is in
> > - * unrecoverable condition.
> > - */
> > - if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
> > - return -EIO;
> > -
> > - /* Read the first 8 bytes in order to get the length of the response.
> > - * We read exactly a quad word in order to make sure that the remaining
> > - * reads will be aligned.
> > - */
> > - memcpy_fromio(buf, priv->rsp, 8);
> > -
> > - expected = be32_to_cpup((__be32 *)&buf[2]);
> > - if (expected > count || expected < TPM_HEADER_SIZE)
> > - return -EIO;
> > -
> > - memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
> > -
> > - return expected;
> > -}
> > -
> > static int crb_do_acpi_start(struct tpm_chip *chip)
> > {
> > union acpi_object *obj;
> > @@ -474,6 +444,8 @@ static int crb_trigger_tpm(struct tpm_chip *chip, u32 start_cmd)
> > static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> > {
> > struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> > + size_t offset = 0;
> > + size_t chunk_size;
> > int rc = 0;
> >
> > /* Zero the cancel register so that the next command will not get
> > @@ -481,7 +453,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> > */
> > iowrite32(0, &priv->regs_t->ctrl_cancel);
> >
> > - if (len > priv->cmd_size) {
> > + if (len > priv->cmd_size && !priv->chunking_supported) {
> > dev_err(&chip->dev, "invalid command count value %zd %d\n",
> > len, priv->cmd_size);
> > return -E2BIG;
> > @@ -491,16 +463,101 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, size_t len)
> > if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
> > __crb_cmd_ready(&chip->dev, priv, chip->locality);
> >
> > - memcpy_toio(priv->cmd, buf, len);
> > + while (offset < len) {
> > + chunk_size = min_t(size_t, len - offset, priv->cmd_size);
> > +
> > + memcpy_toio(priv->cmd, buf + offset, chunk_size);
> > + offset += chunk_size;
> > +
> > + /* Make sure that cmd is populated before issuing start. */
> > + wmb();
> > + if (offset < len) {
> > + rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
> > + if (rc)
> > + return rc;
> > + if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
> > + CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
> > + dev_err(&chip->dev,
> > + "Timeout waiting for backend to consume chunk\n");
> > + return -ETIME;
> > + }
> > + } else {
> > + rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> > + if (rc)
> > + return rc;
> > + }
> > + }
> > + return crb_try_pluton_doorbell(priv, false);
> > +}
> >
> > - /* Make sure that cmd is populated before issuing start. */
> > - wmb();
> > +static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> > +{
> > + struct crb_priv *priv = dev_get_drvdata(&chip->dev);
> > + unsigned int expected;
> > + size_t offset = 0;
> > + size_t chunk_size;
> > + size_t first_read;
> > + int rc;
> >
> > - rc = crb_trigger_tpm(chip, CRB_START_INVOKE);
> > - if (rc)
> > - return rc;
> > + /* A sanity check that the upper layer wants to get at least the header
> > + * as that is the minimum size for any TPM response.
> > + */
> > + if (count < TPM_HEADER_SIZE)
> > + return -EIO;
> >
> > - return crb_try_pluton_doorbell(priv, false);
> > + /* If this bit is set, according to the spec, the TPM is in
> > + * unrecoverable condition.
> > + */
> > + if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
> > + return -EIO;
> > +
> > + /* Read the first 8 bytes in order to get the length of the response.
> > + * We read exactly a quad word in order to make sure that the remaining
> > + * reads will be aligned.
> > + */
> > + memcpy_fromio(buf, priv->rsp, 8);
> > +
> > + expected = be32_to_cpup((__be32 *)&buf[2]);
> > + if (expected > count || expected < TPM_HEADER_SIZE)
> > + return -EIO;
> > +
> > + /*
> > + * Set chunk_size by comparing the size of the buffer that the upper layer has
> > + * allocated (count) to the hardware tpm limit (priv->rsp_size).
> > + * This is to prevent buffer overflow while writing to buf.
> > + */
> > + chunk_size = min_t(size_t, count, priv->rsp_size);
> > +
> > + /*
> > + * Compare the actual size of the response we found in the header to the chunk_size.
> > + */
> > + first_read = min_t(size_t, expected, chunk_size);
> > +
> > + memcpy_fromio(&buf[8], &priv->rsp[8], first_read - 8);
> > + offset = first_read;
> > +
> > + while (offset < expected) {
> > + if (!priv->chunking_supported) {
> > + dev_err(&chip->dev, "Response larger than MMIO and chunking not supported\n");
> > + return -EIO;
> > + }
> > +
> > + rc = crb_trigger_tpm(chip, CRB_START_NEXT_CHUNK);
> > + if (rc)
> > + return rc;
> > +
> > + if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_start,
> > + CRB_START_NEXT_CHUNK, 0, TPM2_TIMEOUT_C)) {
> > + dev_err(&chip->dev, "Timeout waiting for backend response\n");
> > + return -ETIME;
> > + }
> > +
> > + chunk_size = min_t(size_t, expected - offset, priv->rsp_size);
> > + memcpy_fromio(buf + offset, priv->rsp, chunk_size);
> > + offset += chunk_size;
> > + }
> > +
> > + return expected;
> > }
> >
> > static void crb_cancel(struct tpm_chip *chip)
> > @@ -727,6 +784,15 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> > goto out;
> > }
> >
> > + if (priv->regs_h) {
> > + u32 intf_id = ioread32((u32 __iomem *)&priv->regs_h->intf_id);
> > +
> > + if (intf_id & CRB_INTF_CAP_CRB_CHUNK) {
> > + priv->chunking_supported = true;
> > + dev_info(dev, "CRB Chunking is supported by backend\n");
> > + }
> > + }
> > +
> > memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
> > rsp_pa = le64_to_cpu(__rsp_pa);
> > rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
> > @@ -764,8 +830,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> > priv->rsp = priv->cmd;
> >
> > out:
> > - if (!ret)
> > + if (!ret) {
> > priv->cmd_size = cmd_size;
> > + priv->rsp_size = rsp_size;
> > + }
> >
> > __crb_go_idle(dev, priv, 0);
> >
> > --
> > 2.53.0
> >
>
> BR, Jarkko
>
Regards,
Arun Menon
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox