From: Nayna <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [PATCH v3 3/7] tpm: Validate the eventlog access before tpm_bios_log_setup
Date: Fri, 9 Sep 2016 22:54:25 +0530
Message-ID: <57D2F049.4040707@linux.vnet.ibm.com>
In-Reply-To: <20160830175213.GC6373-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
On 08/30/2016 11:22 PM, Jason Gunthorpe wrote:
> On Tue, Aug 30, 2016 at 12:50:15AM -0400, Nayna Jain wrote:
>> @@ -382,6 +370,8 @@ int tpm_chip_register(struct tpm_chip *chip)
>> return rc;
>> }
>>
>> + tpm_bios_log_setup(chip);
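Review bot: the result of tpm_bios_log_setup() is discarded here, and the later hunk declares it `void tpm_bios_log_setup(struct tpm_chip *chip)`, so a failure in read_log() or in creating the securityfs entries leaves the chip registered with no log files and no error recorded anywhere. Have tpm_bios_log_setup() return an int and check it at this call site, e.g. `rc = tpm_bios_log_setup(chip); if (rc) return rc;`, and decide explicitly in the caller whether "no firmware log found" is a registration failure or simply means no files are created.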
>
> Surely this can fail, right? At least if the security fs setup fails
> this should propagate that error.
What action do we want to take if bios_log_setup fails?
I have done all the other fixes; I am just not sure whether, if we propagate this
error, it means that tpm_chip_register (where this function is
called) should fail, or whether it is just error logging on failure of
bios_log_setup.
>
> That is a mistake in an earlier patch now that I think about it..
>>
>> /* malloc EventLog space */
>> - log->bios_event_log = kmalloc(len, GFP_KERNEL);
>> - if (!log->bios_event_log) {
>> + chip->log.bios_event_log = kmalloc(len, GFP_KERNEL);
>> + if (!chip->log.bios_event_log) {
>> printk("%s: ERROR - Not enough Memory for BIOS measurements\n",
>> __func__);
>
> Please delete all prints on kmalloc failure, maybe as another patch.
>
>> return -ENOMEM;
>> }
>>
>> - log->bios_event_log_end = log->bios_event_log + len;
>> + chip->log.bios_event_log_end = chip->log.bios_event_log + len;
>>
>> virt = acpi_os_map_iomem(start, len);
>> if (!virt) {
>> - kfree(log->bios_event_log);
>> + kfree(chip->log.bios_event_log);
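Review bot: on the acpi_os_map_iomem() failure path `kfree(chip->log.bios_event_log);` frees the buffer but leaves chip->log.bios_event_log pointing at freed memory. Now that the log lives in the chip rather than in a local struct, any later teardown that frees chip->log.bios_event_log would double-free it; either set the pointer to NULL after the kfree, or leave the buffer alone here and free it once in the chip release function, which also keeps it valid for a reader that still has the file open. The `printk("%s: ERROR - Not enough Memory ...")` on kmalloc failure has no KERN_ level and the allocator already warns, so it can simply be dropped, and the two failure paths would read more clearly as a goto unwind.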
>
> It would also be nice to see this written in the standard
> goto-unwind idiom.
>
>> static const struct file_operations tpm_bios_measurements_ops = {
>> @@ -372,12 +352,18 @@ static int is_bad(void *p)
>> void tpm_bios_log_setup(struct tpm_chip *chip)
>> {
>> const char *name = dev_name(&chip->dev);
>> + int rc = 0;
>> +
>> + rc = read_log(chip);
>> + if (rc < 0)
>> + return;
>>
>> chip->bios_dir_count = 0;
>> chip->bios_dir[chip->bios_dir_count] = securityfs_create_dir(name,
>> NULL);
>> if (is_bad(chip->bios_dir[chip->bios_dir_count]))
>> goto err;
>> + chip->bios_dir[chip->bios_dir_count]->d_inode->i_private =
>> chip;
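Review bot: `chip->bios_dir[chip->bios_dir_count]->d_inode->i_private = chip;` is assigned after securityfs_create_dir() has returned, so the dentry is already reachable for a window in which i_private is still NULL, and it is stored on the directory inode rather than on the inode of the file that open() will actually receive. Hand the private data to securityfs_create_file() through its data argument instead, as a struct embedded in the chip that carries the chip pointer and the seq_operations, so it is in place before the file exists; open() should then take a reference on the chip from that struct. Two smaller points in the same hunk: `int rc = 0;` is immediately overwritten by `rc = read_log(chip);`, and `if (rc < 0) return;` silently swallows the read_log() error in a void function.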
>
> Hum.
>
> So I don't know if this is right. You should get someone more familiar
> with securityfs to double check it. I see apparmorfs.c doing a similar
> approach, so that would be a good starting place to copy. Notice how
> it uses aa_get_(x)
>
> Still, I wonder if that is even right, is securityfs_remove() really a
> strong fence against open? I guess the inode locking is doing that?
>
> This also means that the file can remain held open in userspace
> *after* securityfs_remove returns, so the filp must hold a kref on the
> chip as well.
>
> At a minimum you need to do something like this:
>
> Create:
>
> chip->sfs_data_bin.chip = chip;
> chip->sfs_data_bin.ops = &tpm_binary_b_measurments_seqops;
> securityfs_create_file(...,&chip->sfs_data_bin)
>
> It must be done like that to be atomic with open, create two new
> members of chip to hold a struct to pass through as the private
> data. Do not use the dentry private.
>
> Open:
> chip = (struct tpm_chip *)inode->i_private;
> dev_get(&chip->dev);
> seq_open(..)
> seq->private = chip;
>
> Release:
> dev_put(&((struct tpm_chip *)seq->private)->dev);
>
> Teardown
> the kfree needs to move to the chip release function.
>
>> ifdef CONFIG_ACPI
>> - tpm-y += tpm_eventlog.o tpm_acpi.o
>> + tpm-y += tpm_acpi.o
>> else
>> -ifdef CONFIG_TCG_IBMVTPM
>> - tpm-y += tpm_eventlog.o tpm_of.o
>> +ifdef CONFIG_OF
>> + tpm-y += tpm_of.o
>> endif
>
> This is too early in the patch series. This change needs to go into
> 'Redefine the read_log method to check for ACPI/OF properties
> sequentially'
>
>> -#if defined(CONFIG_TCG_IBMVTPM) || defined(CONFIG_TCG_IBMVTPM_MODULE) || \
>> - defined(CONFIG_ACPI)
>
> Ditto
>
> Regarding Jarkko's comment,
>
> Yes, move the check for TPM2 into both of the read_log() - do not
> allow TPM2 to read the log until you patch the OF stuff to support the
> TPM2 log format.
>
> Jason
>
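To make the lifetime rule discussed above concrete, here is an added userspace C model (example code, not kernel code and not part of this patch series) of the open/release and teardown ordering Jason describes: the chip embeds the private data handed to the securityfs file, open() takes a chip reference, release() drops it, the log buffer is freed only in the chip release function, and tpm_bios_log_setup() returns an int so tpm_chip_register() can act on it. The securityfs, device-refcount and read_log() pieces are stand-ins (securityfs_create_file_model, tpm_chip_get/tpm_chip_put, a constructed SAMPLE_LOG), and the policy that a chip with no firmware log (-ENODEV) still registers is this example's choice, not something the thread settles.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a firmware-provided event log (not real TCG data). */
static const unsigned char SAMPLE_LOG[] = { 0,0,0,0, 7,0,0,0, 'E','V','T','1' };

struct tpm_chip;
struct seq_ops_stub { const char *name; };
static const struct seq_ops_stub tpm_binary_seqops = { "binary_bios_measurements" };

/* Private data handed to securityfs at file creation, embedded in the chip so it is
   fully initialised before the file exists (atomic with open, as Jason asks). */
struct tpm_sfs_data { struct tpm_chip *chip; const struct seq_ops_stub *ops; };

struct tpm_chip {
    int refcount;                  /* stands in for get_device()/put_device() on chip->dev */
    int has_firmware_log;          /* constructed knob: does ACPI/OF expose a log? */
    unsigned char *bios_event_log, *bios_event_log_end;
    struct tpm_sfs_data sfs_data_bin;
};

static int chips_released;         /* observed by the scenario below */

/* Chip release: the only place the log buffer is freed, so an open reader never loses it. */
static void tpm_dev_release(struct tpm_chip *chip)
{
    free(chip->bios_event_log);
    free(chip);
    chips_released++;
}
static struct tpm_chip *tpm_chip_get(struct tpm_chip *c) { c->refcount++; return c; }
static void tpm_chip_put(struct tpm_chip *c) { if (--c->refcount == 0) tpm_dev_release(c); }

/* Minimal securityfs model: private data set at creation, cleared on remove. */
struct sfs_file { void *private; };
static struct sfs_file *securityfs_create_file_model(void *data)
{
    struct sfs_file *f = calloc(1, sizeof *f);
    if (f) f->private = data;
    return f;
}
static void securityfs_remove_model(struct sfs_file *f) { if (f) f->private = NULL; }

/* read_log(): copy the firmware log into the chip; -ENODEV when there is none. */
static int read_log(struct tpm_chip *chip)
{
    if (!chip->has_firmware_log) return -ENODEV;
    chip->bios_event_log = malloc(sizeof SAMPLE_LOG);
    if (!chip->bios_event_log) return -ENOMEM;   /* no printk: the allocator already warns */
    memcpy(chip->bios_event_log, SAMPLE_LOG, sizeof SAMPLE_LOG);
    chip->bios_event_log_end = chip->bios_event_log + sizeof SAMPLE_LOG;
    return 0;
}

/* Returns int so the caller decides what a failure means. */
static int tpm_bios_log_setup(struct tpm_chip *chip, struct sfs_file **file)
{
    int rc = read_log(chip);
    if (rc) return rc;
    chip->sfs_data_bin.chip = chip;
    chip->sfs_data_bin.ops = &tpm_binary_seqops;
    *file = securityfs_create_file_model(&chip->sfs_data_bin);
    return *file ? 0 : -ENOMEM;      /* log buffer stays; tpm_dev_release() frees it */
}

/* Example policy: no firmware log is fine; any other setup failure fails registration. */
static int tpm_chip_register_model(struct tpm_chip *chip, struct sfs_file **file)
{
    int rc = tpm_bios_log_setup(chip, file);
    return (rc && rc != -ENODEV) ? rc : 0;
}

struct opened_file { struct tpm_chip *chip; const struct seq_ops_stub *ops; };

/* open(): take a chip reference from the file's private data before anything else. */
static int tpm_bios_measurements_open(struct sfs_file *f, struct opened_file *out)
{
    struct tpm_sfs_data *d = f->private;
    if (!d) return -ENOENT;          /* file already removed */
    out->chip = tpm_chip_get(d->chip);
    out->ops = d->ops;
    return 0;
}
static void tpm_bios_measurements_release(struct opened_file *of)
{
    tpm_chip_put(of->chip);
    of->chip = NULL;
}

/* Registration with no firmware log must succeed and create no file. Returns 1 if so. */
int register_without_log(void)
{
    struct tpm_chip *chip = calloc(1, sizeof *chip);
    struct sfs_file *f = NULL;
    int ok = (tpm_chip_register_model(chip, &f) == 0 && f == NULL);
    free(chip);
    return ok;
}

/* Teardown while a reader holds the file open. Returns 0 if every step behaved,
   otherwise the negative number of the first step that did not. */
int lifetime_scenario(void)
{
    struct tpm_chip *chip = calloc(1, sizeof *chip);
    struct sfs_file *f = NULL;
    struct opened_file of, of2;
    chip->refcount = 1;              /* the registration's own reference */
    chip->has_firmware_log = 1;
    chips_released = 0;
    if (tpm_chip_register_model(chip, &f) != 0 || !f) return -1;
    if (tpm_bios_measurements_open(f, &of) != 0) return -2;
    securityfs_remove_model(f);      /* unregister: remove the file, drop our reference */
    tpm_chip_put(chip);
    if (chips_released != 0) return -3;                      /* open file still pins the chip */
    if (tpm_bios_measurements_open(f, &of2) != -ENOENT) return -4;
    if (memcmp(of.chip->bios_event_log, SAMPLE_LOG, sizeof SAMPLE_LOG) != 0) return -5;
    tpm_bios_measurements_release(&of);                      /* last reference: chip and log freed */
    if (chips_released != 1) return -6;
    free(f);
    return 0;
}

int main(void)
{
    printf("register_without_log=%d lifetime_scenario=%d\n", register_without_log(), lifetime_scenario());
    return 0;
}
```

The scenario is the ordering that matters: securityfs_remove_model() only stops new opens, the registration's reference is dropped, and the chip survives until the reader's release() drops the last reference, at which point the log buffer goes with it. Freeing the buffer from the setup error path or from tpm_bios_log_teardown() instead would leave that still-open reader walking freed memory.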
------------------------------------------------------------------------------
Thread overview: 37+ messages
2016-08-30 4:50 [PATCH v3 0/7] tpm: TPM2.0 eventlog securityfs support Nayna Jain
[not found] ` <1472532619-22170-1-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 4:50 ` [PATCH v3 1/7] tpm: Define a generic open() method for ascii & bios measurements Nayna Jain
[not found] ` <1472532619-22170-2-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 7:49 ` Jarkko Sakkinen
2016-08-30 17:03 ` Jason Gunthorpe
[not found] ` <20160830170345.GA6373-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-08-31 19:09 ` Nayna
2016-08-30 4:50 ` [PATCH v3 2/7] tpm: Replace the dynamically allocated bios_dir as struct dentry array Nayna Jain
[not found] ` <1472532619-22170-3-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 8:05 ` Jarkko Sakkinen
2016-08-30 17:11 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 3/7] tpm: Validate the eventlog access before tpm_bios_log_setup Nayna Jain
[not found] ` <1472532619-22170-4-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 8:15 ` Jarkko Sakkinen
2016-08-30 17:52 ` Jason Gunthorpe
[not found] ` <20160830175213.GC6373-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-09-09 17:24 ` Nayna [this message]
[not found] ` <57D2F049.4040707-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-09-09 17:28 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 4/7] tpm: Redefine the read_log method to check for ACPI/OF properties sequentially Nayna Jain
[not found] ` <1472532619-22170-5-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 17:54 ` Jason Gunthorpe
[not found] ` <20160830175409.GD6373-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-08-31 19:09 ` Nayna
[not found] ` <57C72B7A.8040108-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-09-06 19:47 ` Jason Gunthorpe
[not found] ` <20160906194737.GD28416-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-09-06 20:08 ` Peter Huewe
2016-08-30 4:50 ` [PATCH v3 5/7] tpm: Replace the of_find_node_by_name() with dev of_node property Nayna Jain
[not found] ` <1472532619-22170-6-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 17:55 ` Jason Gunthorpe
2016-08-30 4:50 ` [PATCH v3 6/7] tpm: Moves the eventlog init functions to tpm_eventlog_init.c Nayna Jain
[not found] ` <1472532619-22170-7-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 8:18 ` Jarkko Sakkinen
2016-08-30 4:50 ` [PATCH v3 7/7] tpm: Adds securityfs support for TPM2.0 eventlog Nayna Jain
[not found] ` <1472532619-22170-8-git-send-email-nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-08-30 8:21 ` Jarkko Sakkinen
2016-08-30 17:59 ` Jason Gunthorpe
2016-08-30 7:10 ` [PATCH v3 0/7] tpm: TPM2.0 eventlog securityfs support Jarkko Sakkinen
[not found] ` <20160830071032.GB6215-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-08-31 17:56 ` Nayna
[not found] ` <57C71A48.8020505-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-09-01 13:45 ` Jarkko Sakkinen
[not found] ` <20160901134501.GA14627-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-09-01 14:52 ` Jarkko Sakkinen
[not found] ` <20160901145250.GA19529-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-09-28 8:49 ` Nayna
[not found] ` <57EB8425.6000005-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-09-30 19:27 ` Jarkko Sakkinen
2016-09-01 16:51 ` Jason Gunthorpe
2016-08-30 10:16 ` Jarkko Sakkinen
[not found] ` <20160830101611.GA11819-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-08-30 16:16 ` Jarkko Sakkinen
2016-09-19 14:50 ` Stefan Berger
[not found] ` <OFFF1DBFC5.1719C0A6-ON00258033.00514374-85258033.005192C5-8eTO7WVQ4XIsd+ienQ86orlN3bxYEBpz@public.gmane.org>
2016-09-20 10:04 ` Jarkko Sakkinen
[not found] ` <20160920100423.GB32433-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-09-20 12:27 ` Stefan Berger