1. 08 Jan, 2022 9 commits
    • tpm: fix NPE on probe for missing device · 84cc6958
      Patrick Williams authored
      When using the tpm_tis-spi driver on a system missing the physical TPM,
      a null pointer exception was observed.
      
          [    0.938677] Unable to handle kernel NULL pointer dereference at virtual address 00000004
          [    0.939020] pgd = 10c753cb
          [    0.939237] [00000004] *pgd=00000000
          [    0.939808] Internal error: Oops: 5 [#1] SMP ARM
          [    0.940157] CPU: 0 PID: 48 Comm: kworker/u4:1 Not tainted 5.15.10-dd1e40c #1
          [    0.940364] Hardware name: Generic DT based system
          [    0.940601] Workqueue: events_unbound async_run_entry_fn
          [    0.941048] PC is at tpm_tis_remove+0x28/0xb4
          [    0.941196] LR is at tpm_tis_core_init+0x170/0x6ac
      
      This is due to an attempt in 'tpm_tis_remove' to use the drvdata, which
      was not initialized in 'tpm_tis_core_init' prior to the first error.
      
      Move the initialization of drvdata earlier so 'tpm_tis_remove' has
      access to it.

      Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
      Fixes: 79ca6f74 ("tpm: fix Atmel TPM crash caused by too frequent queries")
      Cc: stable@vger.kernel.org
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • tpm: fix potential NULL pointer access in tpm_del_char_device · eabad7ba
      Lino Sanfilippo authored
      Some SPI controller drivers unregister the controller in the shutdown
      handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave,
      chip->ops may be accessed when it is already NULL:
      
      At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
      TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
      tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
      which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
      (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
      calls chip->ops->clk_enable).
      
      Avoid the NULL pointer access by testing if chip->ops is valid and skipping
      the TPM 2 shutdown procedure in case it is NULL.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
      Fixes: 39d0099f ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus")
      Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
      Tested-by: Stefan Berger <stefanb@linux.ibm.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • tpm: Add Upgrade/Reduced mode support for TPM2 modules · 0aa69878
      axelj authored
      If something went wrong during the TPM firmware upgrade, like power
      failure or the firmware image file gets corrupted, the TPM might end
      up in Upgrade or Failure mode upon the next start. The state is
      persistent between the TPM power cycle/restart.
      
      According to TPM specification:
       * If the TPM is in Upgrade mode, it will answer with TPM2_RC_UPGRADE
         to all commands except TPM2_FieldUpgradeData(). It may also accept
         other commands if it is able to complete them using the previously
         installed firmware.
       * If the TPM is in Failure mode, it will allow performing TPM
         initialization but will not provide any crypto operations.
         Will happily respond to Field Upgrade calls.
      
      Change the behavior of the tpm2_auto_startup(), so it detects the active
      running mode of the TPM by adding the following checks.  If
      tpm2_do_selftest() call returns TPM2_RC_UPGRADE, the TPM is in Upgrade
      mode.
      If the TPM is in Failure mode, it will successfully respond to both
      tpm2_do_selftest() and tpm2_startup() calls. Although, will fail to
      answer to tpm2_get_cc_attrs_tbl(). Use this fact to conclude that TPM is
      in Failure mode.
      
      If detected that the TPM is in the Upgrade or Failure mode, the function
      sets TPM_CHIP_FLAG_FIRMWARE_UPGRADE_MODE flag.
      
      The TPM_CHIP_FLAG_FIRMWARE_UPGRADE_MODE flag is used later during driver
      initialization/deinitialization to disable functionality which makes no
      sense or will fail in the current TPM state. Following functionality is
      affected:
       * Do not register TPM as a hwrng
       * Do not register sysfs entries which provide information impossible to
         obtain in limited mode
       * Do not register resource managed character device

      Signed-off-by: axelj <axelj@axis.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • char: tpm: cr50: Set TPM_FIRMWARE_POWER_MANAGED based on device property · 5887d7f4
      Rob Barnes authored
      Set TPM_FIRMWARE_POWER_MANAGED flag based on 'firmware-power-managed'
      ACPI DSD property. For the CR50 TPM, this flag defaults to true when
      the property is unset.
      
      When this flag is set to false, the CR50 TPM driver will always send
      a shutdown command whenever the system suspends.

      Signed-off-by: Rob Barnes <robbarnes@google.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • keys: X.509 public key issuer lookup without AKID · 7d30198e
      Andrew Zaborowski authored
      There are non-root X.509 v3 certificates in use out there that contain
      no Authority Key Identifier extension (RFC5280 section 4.2.1.1).  For
      trust verification purposes the kernel asymmetric key type keeps two
      struct asymmetric_key_id instances that the key can be looked up by,
      and another two to look up the key's issuer.  The x509 public key type
      and the PKCS7 type generate them from the SKID and AKID extensions in
      the certificate.  In effect current code has no way to look up the
      issuer certificate for verification without the AKID.
      
      To remedy this, add a third asymmetric_key_id blob to the arrays in
      both asymmetric_key_id's (for certificate subject) and in the
      public_keys_signature's auth_ids (for issuer lookup), using just raw
      subject and issuer DNs from the certificate.  Adapt
      asymmetric_key_ids() and its callers to use the third ID for lookups
      when none of the other two are available.  Attempt to keep the logic
      intact when they are, to minimise behaviour changes.  Adapt the
      restrict functions' NULL-checks to include that ID too.  Do not modify
      the lookup logic in pkcs7_verify.c, the AKID extensions are still
      required there.
      
      Internally use a new "dn:" prefix to the search specifier string
      generated for the key lookup in find_asymmetric_key().  This tells
      asymmetric_key_match_preparse to only match the data against the raw
      DN in the third ID and shouldn't conflict with search specifiers
      already in use.
      
      In effect implement what (2) in the struct asymmetric_key_id comment
      (include/keys/asymmetric-type.h) is probably talking about already, so
      do not modify that comment.  It is also how "openssl verify" looks up
      issuer certificates without the AKID available.  Lookups by the raw
      DN are unambiguous only provided that the CAs respect the condition in
      RFC5280 4.2.1.1 that the AKID may only be omitted if the CA uses
      a single signing key.
      
      The following is an example of two things that this change enables.
      A self-signed certificate is generated following the example from
      https://letsencrypt.org/docs/certificates-for-localhost/, and can be
      looked up by an identifier and verified against itself by linking to a
      restricted keyring -- both things not possible before due to the missing
      AKID extension:
      
      $ openssl req -x509 -out localhost.crt -outform DER -keyout localhost.key \
        -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=localhost' -extensions EXT -config <( \
         echo -e "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\n" \
                "subjectAltName=DNS:localhost\nkeyUsage=digitalSignature\n" \
                "extendedKeyUsage=serverAuth")
      $ keyring=`keyctl newring test @u`
      $ trusted=`keyctl padd asymmetric trusted $keyring < localhost.crt`; \
        echo $trusted
      39726322
      $ keyctl search $keyring asymmetric dn:3112301006035504030c096c6f63616c686f7374
      39726322
      $ keyctl restrict_keyring $keyring asymmetric key_or_keyring:$trusted
      $ keyctl padd asymmetric verified $keyring < localhost.crt

      Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
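
An added example, not part of the commit above or of the kernel sources: the hex string given to `keyctl search` in that commit message starts at the SET tag (0x31), i.e. it is the DER contents of the subject Name without the outer SEQUENCE header. The Python below rebuilds that specifier from a list of RDNs and also derives it from a full DER Name. The function names and the UTF8String, one-attribute-per-RDN encoding are assumptions of this example.

```python
# Added example: derive the "dn:<hex>" key-search specifier for a subject DN.
# Assumptions: one attribute per RDN, values encoded as UTF8String (tag 0x0c).
OID_CN = "2.5.4.3"  # id-at-commonName

def der_len(n):
    if n < 0x80:                                # short form below 128
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body     # long form otherwise

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                  # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def dn_search_spec(rdns):
    """rdns: list of (dotted_oid, text). Emits Name contents, no outer SEQUENCE."""
    raw = b"".join(
        tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(0x0C, text.encode("utf-8"))))
        for oid, text in rdns)
    return "dn:" + raw.hex()

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; rejects truncation."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def spec_from_der_name(name_der):
    """Full DER Name as stored in a certificate -> specifier (header stripped)."""
    tag, body, end = read_tlv(name_der)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("expected exactly one SEQUENCE (X.501 Name)")
    return "dn:" + body.hex()

if __name__ == "__main__":
    print(dn_search_spec([(OID_CN, "localhost")]))
```

A subject whose value is encoded as PrintableString rather than UTF8String produces different raw bytes, and therefore a different specifier, than the one built here.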
    • tpm_tis: Fix an error handling path in 'tpm_tis_core_init()' · e96d5282
      Christophe Jaillet authored
      Commit 79ca6f74 ("tpm: fix Atmel TPM crash caused by too frequent
      queries") has moved some code around without updating the error handling
      path.
      
      It is now pointless to 'goto out_err' when neither 'clk_enable()' nor
      'ioremap()' have been called yet.
      
      Make a direct return instead to avoid undoing things that have not been
      done.
      
      Fixes: 79ca6f74 ("tpm: fix Atmel TPM crash caused by too frequent queries")
      Signed-off-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • tpm: tpm_tis_spi_cr50: Add default RNG quality · d2704808
      AngeloGioacchino Del Regno authored
      To allow this device to fill the kernel's entropy pool at boot,
      setup a default quality for the hwrng found in Cr50.
      
      After some testing with rngtest and dieharder it was, in short,
      discovered that the RNG produces fair quality randomness, giving
      around 99.93% successes in rngtest FIPS140-2.
      
      Notably, though, when testing with dieharder it was noticed that
      we get 3 WEAK results over 114, which isn't optimal, and also
      the p-values distribution wasn't uniform in all the cases, so a
      conservative quality value was chosen by applying an arbitrary
      penalty to the calculated values.
      
      For reference, this is how the values were calculated:
      
      The dieharder results were averaged, then normalized (0-1000)
      and re-averaged with the rngtest result (where the result was
      given a score of 99.93% of 1000, so 999.3), then aggregated
      together and averaged again.
      An arbitrary penalty of -100 was applied due to the retrieved
      value, which brings us finally to 700.

      Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • tpm/st33zp24: drop unneeded over-commenting · f04510f2
      Sohaib Mohamed authored
      Remove parameter descriptions from all static functions.
      Remove the comment altogether that does not tell what the function does.

      Suggested-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Sohaib Mohamed <sohaib.amhmd@gmail.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    • tpm: add request_locality before write TPM_INT_ENABLE · 0ef333f5
      Chen Jun authored
      Locality is not appropriately requested before writing the int mask.
      Add the missing boilerplate.
      
      Fixes: e6aef069 ("tpm_tis: convert to using locality callbacks")
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
  2. 28 Dec, 2021 3 commits
  3. 27 Dec, 2021 2 commits
  4. 26 Dec, 2021 4 commits
  5. 25 Dec, 2021 12 commits
  6. 24 Dec, 2021 3 commits
  7. 23 Dec, 2021 7 commits