[PATCH 2/2] KEYS: trusted: Find tpm_chip and use it until module shutdown

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: jarkko.sakkinen@linux.intel.com (Jarkko Sakkinen)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 2/2] KEYS: trusted: Find tpm_chip and use it until module shutdown
Date: Tue, 03 Jul 2018 18:24:34 +0300	[thread overview]
Message-ID: <edf4aeaab76713579016cb009a0e632d7417c5f8.camel@linux.intel.com> (raw)
In-Reply-To: <20180626193040.2509798-3-stefanb@linux.vnet.ibm.com>

On Tue, 2018-06-26 at 15:30 -0400, Stefan Berger wrote:
> Use tpm_default_chip() to find the system's default TPM chip and
> use it as the tpm_chip parameter for all TPM operations. Release
> the tpm_chip when the module is shut down.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> ---
>  security/keys/trusted.c | 41 ++++++++++++++++++++++++++++-------------
>  1 file changed, 28 insertions(+), 13 deletions(-)
> 
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 423776682025..06d863caea43 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -42,6 +42,7 @@ struct sdesc {
>  
>  static struct crypto_shash *hashalg;
>  static struct crypto_shash *hmacalg;
> +static struct tpm_chip *tpm_chip;
>  
>  static struct sdesc *init_sdesc(struct crypto_shash *alg)
>  {
> @@ -360,7 +361,7 @@ static int trusted_tpm_send(unsigned char *cmd, size_t
> buflen)
>  	int rc;
>  
>  	dump_tpm_buf(cmd);
> -	rc = tpm_send(NULL, cmd, buflen);
> +	rc = tpm_send(tpm_chip, cmd, buflen);
>  	dump_tpm_buf(cmd);
>  	if (rc > 0)
>  		/* Can't return positive return codes values to keyctl */
> @@ -381,10 +382,10 @@ static int pcrlock(const int pcrnum)
>  
>  	if (!capable(CAP_SYS_ADMIN))
>  		return -EPERM;
> -	ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
> +	ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE);
>  	if (ret != SHA1_DIGEST_SIZE)
>  		return ret;
> -	return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
> +	return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0;
>  }
>  
>  /*
> @@ -397,7 +398,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
>  	unsigned char ononce[TPM_NONCE_SIZE];
>  	int ret;
>  
> -	ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE)
>  		return ret;
>  
> @@ -492,7 +493,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
>  	if (ret < 0)
>  		goto out;
>  
> -	ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE)
>  		goto out;
>  	ordinal = htonl(TPM_ORD_SEAL);
> @@ -602,7 +603,7 @@ static int tpm_unseal(struct tpm_buf *tb,
>  
>  	ordinal = htonl(TPM_ORD_UNSEAL);
>  	keyhndl = htonl(SRKHANDLE);
> -	ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
> +	ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE);
>  	if (ret != TPM_NONCE_SIZE) {
>  		pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
>  		return ret;
> @@ -747,7 +748,7 @@ static int getoptions(char *c, struct trusted_key_payload
> *pay,
>  	int i;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return tpm2;
>  
> @@ -916,7 +917,7 @@ static struct trusted_key_options
> *trusted_options_alloc(void)
>  	struct trusted_key_options *options;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return NULL;
>  
> @@ -966,7 +967,7 @@ static int trusted_instantiate(struct key *key,
>  	size_t key_len;
>  	int tpm2;
>  
> -	tpm2 = tpm_is_tpm2(NULL);
> +	tpm2 = tpm_is_tpm2(tpm_chip);
>  	if (tpm2 < 0)
>  		return tpm2;
>  
> @@ -1007,7 +1008,7 @@ static int trusted_instantiate(struct key *key,
>  	switch (key_cmd) {
>  	case Opt_load:
>  		if (tpm2)
> -			ret = tpm_unseal_trusted(NULL, payload, options);
> +			ret = tpm_unseal_trusted(tpm_chip, payload, options);
>  		else
>  			ret = key_unseal(payload, options);
>  		dump_payload(payload);
> @@ -1017,13 +1018,13 @@ static int trusted_instantiate(struct key *key,
>  		break;
>  	case Opt_new:
>  		key_len = payload->key_len;
> -		ret = tpm_get_random(NULL, payload->key, key_len);
> +		ret = tpm_get_random(tpm_chip, payload->key, key_len);
>  		if (ret != key_len) {
>  			pr_info("trusted_key: key_create failed (%d)\n",
> ret);
>  			goto out;
>  		}
>  		if (tpm2)
> -			ret = tpm_seal_trusted(NULL, payload, options);
> +			ret = tpm_seal_trusted(tpm_chip, payload, options);
>  		else
>  			ret = key_seal(payload, options);
>  		if (ret < 0)
> @@ -1226,12 +1227,26 @@ static int __init init_trusted(void)
>  		return ret;
>  	ret = register_key_type(&key_type_trusted);
>  	if (ret < 0)
> -		trusted_shash_release();
> +		goto exit_shash_release;
> +	tpm_chip = tpm_default_chip();
> +	if (!tpm_chip) {
> +		ret = -ENODEV;
> +		goto exit_unregister;
> +	}
> +	return 0;
> +
> +exit_unregister:
> +	unregister_key_type(&key_type_trusted);
> +
> +exit_shash_release:
> +	trusted_shash_release();
>  	return ret;
>  }
>  
>  static void __exit cleanup_trusted(void)
>  {
> +	if (tpm_chip)
> +		tpm_put_chip(tpm_chip);
>  	trusted_shash_release();
>  	unregister_key_type(&key_type_trusted);
>  }

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Is James maintaining this now? Have not seen his feedback yet...

/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2018-07-03 15:24 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-26 19:30 [PATCH 0/2] Convert trusted keys to find and use the default TPM chip Stefan Berger
2018-06-26 19:30 ` [PATCH 1/2] tpm: Implement public tpm_put_chip() to release reference to chip Stefan Berger
2018-07-03 15:21   ` Jarkko Sakkinen
2018-06-26 19:30 ` [PATCH 2/2] KEYS: trusted: Find tpm_chip and use it until module shutdown Stefan Berger
2018-07-03 15:24   ` Jarkko Sakkinen [this message]
2018-07-03 15:26     ` James Bottomley
2018-07-03 16:51       ` Jarkko Sakkinen
2018-07-03 18:51         ` James Morris
2018-07-03 19:06           ` James Bottomley
2018-07-04 13:52             ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=edf4aeaab76713579016cb009a0e632d7417c5f8.camel@linux.intel.com \
    --to=jarkko.sakkinen@linux.intel.com \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).