From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Peter Huewe <peterhuewe@gmx.de>,
linux-security-module@vger.kernel.org, stable@vger.kernel.org,
Marcel Selhorst <tpmdd@selhorst.net>,
"moderated list:TPM DEVICE DRIVER"
<tpmdd-devel@lists.sourceforge.net>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] tpm: fix a race condition tpm2_unseal_trusted()
Date: Thu, 25 Aug 2016 15:09:42 -0600 [thread overview]
Message-ID: <20160825210942.GA8502@obsidianresearch.com> (raw)
In-Reply-To: <20160825210437.GA8658@intel.com>
On Thu, Aug 25, 2016 at 05:06:10PM -0400, Jarkko Sakkinen wrote:
> On Thu, Aug 25, 2016 at 12:30:59PM -0600, Jason Gunthorpe wrote:
> > On Tue, Aug 23, 2016 at 08:57:22PM -0400, Jarkko Sakkinen wrote:
> >
> > > + if (flags & TPM_TRANSMIT_LOCK)
> > > + mutex_lock(&chip->tpm_mutex);
> >
> > I think I would invert this. UNLOCKED is the exceptional case, so I'd
> > make the 0 flags lock. If we see UNLOCKED in the caller then we know
> > to audit for locking, 0 is much less obvious.
>
> I'm fine with either way.
>
> > > @@ -576,7 +576,7 @@ static int tpm2_load(struct tpm_chip *chip,
> > > goto out;
> > > }
> > >
> > > - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "loading blob");
> > > + rc = __tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, "loading blob", 0);
> >
> > All these points should accept a flags too and the caller should pass
> > in the TPM_TRASNMIT_UNLOCKED if it needs it..
>
> For this bug fix it makes sense to implement it the way I did because it
> needs to be applied to multiple releases (I think I've underlined this
> in my changelog).
You shouldn't compromise the mainline kernel to ease backporting, I'm
not sure why adding a flags to tpm2_load would be a problem for the
-stable kernels?
It is generally better to make the backports move the older kernels
closer to mainline than to have them be something else, it makes it
easier to apply future backport fixes.
> If you think this is high priority, I can make the next revision into
> patch set of two patches. The second patch would implement the change
> you suggested.
Yes, I think it is important the locking requirement be very clear
from the code.
Jason
next prev parent reply other threads:[~2016-08-25 21:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-24 0:57 [PATCH] tpm: fix a race condition tpm2_unseal_trusted() Jarkko Sakkinen
2016-08-24 1:32 ` Jarkko Sakkinen
2016-08-25 18:30 ` Jason Gunthorpe
2016-08-25 21:06 ` Jarkko Sakkinen
2016-08-25 21:09 ` Jason Gunthorpe [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-08-16 19:38 Jarkko Sakkinen
2016-08-17 4:31 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160825210942.GA8502@obsidianresearch.com \
--to=jgunthorpe@obsidianresearch.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=stable@vger.kernel.org \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).