- 27 Nov, 2016 30 commits
-
-
Jason Gunthorpe authored
The event log is an optional firmware feature, if the firmware does not support it then the securityfs files should not be created and no other notification given. - Uniformly return -ENODEV from the tpm_bios_log_setup cone if no event log is detected. - Check in ACPI if this node was discovered via ACPI. - Improve the check in OF to make sure there is a parent and to fail detection if the two log properties are not declared - Pass through all other error codes instead of filtering just some Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by:
-
Stefan Berger authored
Check the bios_dir entry for NULL before accessing it. Currently this crashes the driver when a TPM 2 is attached and the entries are NULL. Signed-off-by:
Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by:
-
Colin Ian King authored
device_node np contains a garbage value from the stack and it is only set if chip->dev.parent->of_node is not null. Thus the check for a null np won't spot a garbage value of np from the stack if chip->dev.parent->of_node is null and if np contains an garbage non-null value. I believe the correct fix is to return -ENODEV if and only if chip->dev.parent->of_node is null. Found with static analysis by CoverityScan, CID 1377755 Signed-off-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
-
Nayna Jain authored
This patch removes the unnecessary error messages on failing to allocate memory and replaces pr_err/printk with dev_dbg/dev_info as applicable. Suggested-by:
Nayna Jain <nayna@linux.vnet.ibm.com> Reviewed-by:
-
Nayna Jain authored
Using the device of_node property is a better way to refer to the device tree node rather than of_find_node_by_name(). Suggested-by:
-
Nayna Jain authored
Currently, read_log() has two implementations: one for ACPI platforms and the other for device tree(OF) based platforms. The proper one is selected at compile time using Kconfig and #ifdef in the Makefile, which is not the recommended approach. This patch removes the #ifdef in the Makefile by defining a single read_log() method, which checks for ACPI/OF event log properties at runtime. [jarkko.sakkinen@linux.intel.com: added tpm_ prefix to read_log*] Suggested-by:
-
Nayna Jain authored
This patch fixes the missing .owner field in tpm_bios_measurements_ops definition. Suggested-by:
-
Nayna Jain authored
Move the backing memory for the event log into tpm_chip and push the tpm_chip into read_log. This optimizes read_log processing by only doing it once and prepares things for the next patches in the series which require the tpm_chip to locate the event log via ACPI and OF handles instead of searching. This is straightfoward except for the issue of passing a kref through i_private with securityfs. Since securityfs_remove does not have any removal fencing like sysfs we use the inode lock to safely get a kref on the tpm_chip. Suggested-by:
-
Jarkko Sakkinen authored
Check for TPM2 chip in tpm_sysfs_add_device, tpm_bios_log_setup and tpm_bios_log_teardown in order to make code flow cleaner and to enable to implement TPM 2.0 support later on. This is partially derived from the commit by Nayna Jain with the extension that also tpm1_chip_register is dropped. Signed-off-by:
-
Jarkko Sakkinen authored
This commit is based on a commit by Nayna Jain. Replaced dynamically allocated bios_dir with a static array as the size is always constant. Suggested-by:
-
Nayna Jain authored
checkpatch.pl flags warning for symbolic permissions and suggests to replace with octal value. This patch changes securityfs pseudo files permission to octal values in tpm_bios_log_setup(). Signed-off-by:
-
Baruch Siach authored
Signed-off-by:
Baruch Siach <baruch@tkos.co.il> Reviewed-by:
-
Jason Gunthorpe authored
This provides an open firwmare driver binding for tpm_tis. OF is useful on arches where ACPI/PNP is not used. The tcg,tpm-tis-mmio register map interface is specified by the TCG. Reviewed-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
Jarkko Sakkinen authored
Added kdoc comments for VTPM_PROXY_IOC_NEW_DEV so that these can be imported to the kernel documentation written with rst markup and generated with Sphinx. Signed-off-by:
-
Stefan Berger authored
Only call pm_runtime_get_sync if the device has a parent. This change fixes a crash in the tpm_vtpm_proxy driver since that driver does not have a parent device. Signed-off-by:
-
Nayna Jain authored
open() method for event log ascii and binary bios measurements file operations are very similar. This patch refactors the code into a single open() call by passing seq_operations as i_node->private data. Suggested-by:
-
Nayna Jain authored
Newly added support of TPM 2.0 eventlog securityfs pseudo files in tpm device driver consumes device tree bindings representing I2C based Physical TPM. This patch adds the documentation for corresponding device tree bindings of I2C based Physical TPM. These bindings are similar to vtpm device tree bindings being used on IBM Power7+ and Power8 Systems running PowerVM. Suggested-by:
-
Nayna Jain authored
Virtual TPM, which is being used on IBM POWER7+ and POWER8 systems running POWERVM, is currently supported by tpm device driver but lacks the documentation. This patch adds the missing documentation for the existing support. Suggested-by:
-
Jason Gunthorpe authored
This is no longer necessary, all calls to tpm_chip_unregister happen in remove() callbacks. Signed-off-by:
Tomas Winkler <tomas.winkler@intel.com> Reviewed-by:
-
Jason Gunthorpe authored
tpm_chip_unregister can only be called after tpm_chip_register. devm manages the allocation so no unwind is needed here. Cc: stable@vger.kernel.org Fixes: afb5abc2 ("tpm: two-phase chip management functions") Reviewed-by:
-
Jason Gunthorpe authored
The tis driver does a tpm_get_timeouts out side of tpm_chip_register, and tpm_get_timeouts can print a message, resulting in two prints, eg: tpm tpm0: [Hardware Error]: Adjusting reported timeouts: A 10000->750000us B 10000->2000000us C 10000->750000us D 10000->750000us Keep track and prevent tpm_get_timeouts from running a second time, and clarify the purpose of the call in tpm_tis_core to only be connected to irq testing. Signed-off-by:
-
Josh Zimmerman authored
If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Cc: stable@vger.kernel.org Fixes: 1107d065 (tpm_tis: Introduce intermediate layer for TPM access) Signed-off-by:Josh Zimmerman <joshz@google.com> Reviewed-by:
-
Winkler, Tomas authored
Place kdoc just above tpm_pcr_extend so it can be parsed correctly. Signed-off-by:
-
Jarkko Sakkinen authored
Use cpu_to_b32 at the time it is needed in enum tpm_capabilities and enum tpm_sub_capabilities in order to be consistent with the other enums in drivats/char/tpm/tpm.h. Signed-off-by: -
Ed Swierk authored
Call tpm_getcap() from tpm_get_timeouts() to eliminate redundant code. Return all errors to the caller rather than swallowing them (e.g. when tpm_transmit_cmd() returns nonzero). Signed-off-by:
Ed Swierk <eswierk@skyportsystems.com> Reviewed-by:
-
Peter Huewe authored
In some weird cases it might be possible that the TPM does not set STS.VALID within the given timeout time (or ever) but sets STS.EXPECT (STS=0x0C) In this case the driver gets stuck in the while loop of tpm_tis_send_data and loops endlessly. Checking the return value of wait_for_tpm_stat fixes this and the driver bails out correctly. While at it fixing all other users since if the TPM does not manage to set STS.VALID within the reasonable timeframe something is definitely wrong and the driver should react correctly. Signed-off-by:
Peter Huewe <peterhuewe@gmx.de> Reviewed-by:
-
Winkler, Tomas authored
Utilize runtime_pm for driving tpm crb idle states. The framework calls cmd_ready from the pm_runtime_resume handler and go idle from the pm_runtime_suspend handler. The TPM framework should wake the device before transmit and receive. In case the runtime_pm framework is not compiled in or enabled, the device will be in the permanent ready state. Signed-off-by:
-
Winkler, Tomas authored
This is preparation step for implementing tpm crb runtime pm. We need to have tpm chip allocated and populated before we access the runtime handlers. Signed-off-by:
-
Winkler, Tomas authored
There is a HW bug in Skylake, and Broxton PCH Intel PTT device, where most of the registers in the control area except START, REQUEST, CANCEL, and LOC_CTRL lost retention when the device is in the idle state. Hence we need to bring the device to ready state before accessing the other registers. The fix brings device to ready state before trying to read command and response buffer addresses in order to remap the for access. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinn@linux.intel.com> Reviewed-by:
-
Winkler, Tomas authored
The register TPM_CRB_CTRL_REQ_x contains bits goIdle and cmdReady for SW to indicate that the device can enter or should exit the idle state. The legacy ACPI-start (SMI + DMA) based devices do not support these bits and the idle state management is not exposed to the host SW. Thus, this functionality only is enabled only for a CRB start (MMIO) based devices. Based on Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> original patch: 'tpm_crb: implement power tpm crb power management' To keep the implementation local to the hw we don't use wait_for_tpm_stat for polling the TPM_CRB_CTRL_REQ. [jarkko.sakkinen@linux.intel.com: removed cmdReady debug trace on a success case due the heavy amount of log traffic it causes.] Signed-off-by:
-
- 24 Nov, 2016 1 commit
-
-
- 22 Nov, 2016 3 commits
-
-
James Morris authored
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
Andreas Gruenbacher authored
Convert isec->lock from a mutex into a spinlock. Instead of holding the lock while sleeping in inode_doinit_with_dentry, set isec->initialized to LABEL_PENDING and release the lock. Then, when the sid has been determined, re-acquire the lock. If isec->initialized is still set to LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime. This fixes a deadlock on gfs2 where * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds isec->lock, and tries to acquire the inode's glock, and * another task is in do_xmote -> inode_go_inval -> selinux_inode_invalidate_secctx, holds the inode's glock, and tries to acquire isec->lock. Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> [PM: minor tweaks to keep checkpatch.pl happy] Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
James Morris authored
-
- 21 Nov, 2016 1 commit
-
-
Stephen Smalley authored
When a new capability is defined, SELinux needs to be updated. Trigger a build error if a new capability is defined without corresponding update to security/selinux/include/classmap.h's COMMON_CAP2_PERMS. This is similar to BUILD_BUG_ON() guards in the SELinux nlmsgtab code to ensure that SELinux tracks new netlink message types as needed. Note that there is already a similar build guard in security/selinux/hooks.c to detect when more than 64 capabilities are defined, since that will require adding a third capability class to SELinux. A nicer way to do this would be to extend scripts/selinux/genheaders or a similar tool to auto-generate the necessary definitions and code for SELinux capability checking from include/uapi/linux/capability.h. AppArmor does something similar in its Makefile, although it only needs to generate a single table of names. That is left as future work. Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> [PM: reformat the description to keep checkpatch.pl happy] Signed-off-by:
-
- 20 Nov, 2016 1 commit
-
-
Stephen Smalley authored
At present, one can write any signed integer value to /sys/fs/selinux/enforce and it will be stored, e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 > /sys/fs/selinux/enforce. This makes no real difference to the kernel, since it only ever cares if it is zero or non-zero, but some userspace code compares it with 1 to decide if SELinux is enforcing, and this could confuse it. Only a process that is already root and is allowed the setenforce permission in SELinux policy can write to /sys/fs/selinux/enforce, so this is not considered to be a security issue, but it should be fixed. Signed-off-by:
-
- 15 Nov, 2016 1 commit
-
-
Casey Schaufler authored
The invalid Smack label ("") and the Huh ("?") Smack label serve the same purpose and having both is unnecessary. While pulling out the invalid label it became clear that the use of smack_from_secid() was inconsistent, so that is repaired. The setting of inode labels to the invalid label could never happen in a functional system, has never been observed in the wild and is not what you'd really want for a failure behavior in any case. That is removed. Signed-off-by:Casey Schaufler <casey@schaufler-ca.com>
-
- 14 Nov, 2016 3 commits
-
-
Tetsuo Handa authored
Since smack_parse_opts_str() is calling match_strdup() which uses GFP_KERNEL, it is safe to use GFP_KERNEL from kcalloc() which is called by smack_parse_opts_str(). Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by:
-
Andreas Gruenbacher authored
Now that isec->initialized == LABEL_INITIALIZED implies that isec->sclass is valid, skip such inodes immediately in inode_doinit_with_dentry. For the remaining inodes, initialize isec->sclass at the beginning of inode_doinit_with_dentry to simplify the code. Signed-off-by:
-
Andreas Gruenbacher authored
Pass the file mode of the proc inode to be created to proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode before calling security_task_to_inode. This allows selinux to set isec->sclass right away without introducing "half-initialized" inode security structs. Signed-off-by:
-
