[tpmdd-devel] [PATCH v6 3/3] tpm: vtpm_proxy: Prevent userspace from sending driver command
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Thu May 25 00:10:49 UTC 2017
On Wed, May 24, 2017 at 03:22:11PM -0700, Jarkko Sakkinen wrote:
> On Wed, May 24, 2017 at 05:39:41PM -0400, Stefan Berger wrote:
> > To prevent userspace from sending the TPM driver command to set
> > the locality, we need to check every command that is sent from
> > user space. To distinguish user space commands from internally
> > sent commands we introduce an additional state flag
> > STATE_DRIVER_COMMAND that is set while the driver sends this
> > command. Similar to the TPM 2 space commands we return an error
> > code when this command is detected.
> >
> > Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> > ---
> > drivers/char/tpm/tpm_vtpm_proxy.c | 33 +++++++++++++++++++++++++++++++++
> > 1 file changed, 33 insertions(+)
> >
> > diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c
> > index 66024bf..1d877cc 100644
> > --- a/drivers/char/tpm/tpm_vtpm_proxy.c
> > +++ b/drivers/char/tpm/tpm_vtpm_proxy.c
> > @@ -43,6 +43,7 @@ struct proxy_dev {
> > #define STATE_OPENED_FLAG BIT(0)
> > #define STATE_WAIT_RESPONSE_FLAG BIT(1) /* waiting for emulator response */
> > #define STATE_REGISTERED_FLAG BIT(2)
> > +#define STATE_DRIVER_COMMAND BIT(3) /* sending a driver specific command */
> >
> > size_t req_len; /* length of queued TPM request */
> > size_t resp_len; /* length of queued TPM response */
> > @@ -299,6 +300,28 @@ static int vtpm_proxy_tpm_op_recv(struct tpm_chip *chip, u8 *buf, size_t count)
> > return len;
> > }
> >
> > +static int vtpm_proxy_is_driver_command(struct tpm_chip *chip,
> > + u8 *buf, size_t count)
> > +{
> > + struct tpm_input_header *hdr = (struct tpm_input_header *)buf;
> > +
> > + if (count < sizeof(struct tpm_input_header))
> > + return 0;
> > +
> > + if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> > + switch (be32_to_cpu(hdr->ordinal)) {
> > + case TPM2_CC_SET_LOCALITY:
> > + return 1;
> > + }
> > + } else {
> > + switch (be32_to_cpu(hdr->ordinal)) {
> > + case TPM_ORD_SET_LOCALITY:
> > + return 1;
> > + }
> > + }
> > + return 0;
> > +}
> > +
> > /*
> > * Called when core TPM driver forwards TPM requests to 'server side'.
> > *
> > @@ -321,6 +344,10 @@ static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t count)
> > return -EIO;
> > }
> >
> > + if (!(proxy_dev->state & STATE_DRIVER_COMMAND) &&
> > + vtpm_proxy_is_driver_command(chip, buf, count))
> > + return -EFAULT;
> > +
> > mutex_lock(&proxy_dev->buf_lock);
> >
> > if (!(proxy_dev->state & STATE_OPENED_FLAG)) {
> > @@ -376,6 +403,7 @@ static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality)
> > struct tpm_buf buf;
> > int rc;
> > const struct tpm_output_header *header;
> > + struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
> >
> > if (chip->flags & TPM_CHIP_FLAG_TPM2)
> > rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS,
> > @@ -387,9 +415,14 @@ static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality)
> > return rc;
> > tpm_buf_append_u8(&buf, locality);
> >
> > + proxy_dev->state |= STATE_DRIVER_COMMAND;
> > +
> > rc = tpm_transmit_cmd(chip, NULL, buf.data, tpm_buf_length(&buf), 0,
> > TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW,
> > "attempting to set locality");
> > +
> > + proxy_dev->state &= ~STATE_DRIVER_COMMAND;
> > +
> > if (rc < 0) {
> > locality = rc;
> > goto out;
> > --
> > 2.4.3
> >
>
> Otherwise fine except for the redundant code.
>
> /Jarkko
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com>
Probably not yet merging and testing this this week though as I'm
travelling in US right now.
/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list