[PATCH 1/5] tpm: Trigger only missing TPM 2.0 self tests

James Bottomley James.Bottomley at HansenPartnership.com
Sat Mar 3 20:11:59 UTC 2018


On Wed, 2018-02-28 at 21:58 +0200, Jarkko Sakkinen wrote:
> From: Alexander Steffen <Alexander.Steffen at infineon.com>
> 
> My Nuvoton 6xx in a Dell XPS-13 has been intermittently failing to
> work (necessitating a reboot). The problem seems to be that the TPM
> gets into a state where the partial self-test doesn't return
> TPM_RC_SUCCESS (meaning all tests have run to completion), but
> instead returns TPM_RC_TESTING (meaning some tests are still running
> in the background).  There are various theories that resending the
> self-test command actually causes the tests to restart and thus
> triggers more TPM_RC_TESTING returns until the timeout is exceeded.
> 
> There are several issues here: firstly being we shouldn't slow down
> the boot sequence waiting for the self test to complete once the TPM
> backgrounds them.  It will actually make available all functions that
> have passed and if it gets a failure return TPM_RC_FAILURE to every
> subsequent command.  So the fix is to kick off self tests once and if
> they return TPM_RC_TESTING log that as a backgrounded self test

I still think removing all logging traces is a mistake for something
that can consume a significant amount of time in the boot sequence.
It's going to cause lots of people doing boot timings to waste lots of
effort.

However, removing the log messages makes the above statement a lie, so
one of the two needs fixing.

[...]
> @@ -852,27 +837,24 @@ static const struct tpm_input_header
> tpm2_selftest_header = {
>   */
>  static int tpm2_do_selftest(struct tpm_chip *chip)
>  {
> +	struct tpm_buf buf;
> +	int full;
>  	int rc;
> -	unsigned int delay_msec = 10;
> -	long duration;
> -	struct tpm2_cmd cmd;
>  
> -	duration = jiffies_to_msecs(
> -		tpm2_calc_ordinal_duration(chip,
> TPM2_CC_SELF_TEST));
> -
> -	while (1) {
> -		cmd.header.in = tpm2_selftest_header;
> -		cmd.params.selftest_in.full_test = 0;
> -
> -		rc = tpm_transmit_cmd(chip, NULL, &cmd,
> TPM2_SELF_TEST_IN_SIZE,
> -				      0, 0, "continue selftest");
> +	for (full = 0; full < 2; full++) {
> +		rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS,
> TPM2_CC_SELF_TEST);
> +		if (rc)
> +			return rc;
>  
> -		if (rc != TPM2_RC_TESTING || delay_msec >= duration)
> -			break;
> +		tpm_buf_append_u8(&buf, full);
> +		rc = tpm_transmit_cmd(chip, NULL, buf.data,
> PAGE_SIZE, 0, 0,
> +				      "attempting the self test\n");
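
Review bot: The buffer set up by tpm_buf_init() inside the new for loop needs a matching tpm_buf_destroy(&buf) on every pass, and the quoted part of the hunk stops at the tpm_transmit_cmd() call without showing one. Since the loop runs for full = 0 and then full = 1, the release should come after each transmit and before the next tpm_buf_init(), and also before any early exit from the loop, so that the first pass's buffer is not leaked when the second pass starts.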

There shouldn't be a \n in the string: the failure message already
appends one.

James
