[GIT PULL] security: tpm subsystem updates for v5.1

James Morris jmorris at namei.org
Fri Mar 8 22:49:56 UTC 2019


Please pull these updates from Jarkko Sakkinen:

"
Clean up the transmission flow
==============================

Cleaned up the whole transmission flow. Locking of the chip is now done at
the level of tpm_try_get_ops() and tpm_put_ops() instead of taking the chip
lock inside tpm_transmit(). The nested calls inside tpm_transmit(), used
with the resource manager, have been refactored out.

This should make it easier to perform more complex transactions with the TPM
without making the subsystem a bigger mess (e.g. the encrypted channel patches
by James Bottomley).

PPI 1.3 support 
===============

TPM PPI 1.3 introduces an additional optional command parameter that may be
needed for some commands. Display the parameter if the command requires
such a parameter. Only command 23 (SetPCRBanks) needs one.

The PPI request file will show output like this then:

# echo "23 16" > request
# cat request
23 16

# echo "5" > request
# cat request
5

Extend all PCR banks in IMA
===========================

Instead of a static PCR banks array, the array of available PCR banks is now
allocated dynamically. The digest sizes are determined dynamically using
a probe PCR read, without relying on crypto's static list of hash algorithms.

This should finally make sealing of measurements in IMA safe and secure. 

TPM 2.0 selftests
=================

Added a test suite to tools/testing/selftests/tpm2 previously outside of
the kernel tree: https://github.com/jsakkine-intel/tpm2-scripts.

"
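The PPI 1.3 `request` file format described above (an operation number, optionally followed by a parameter that only operation 23 takes) as a small parser and formatter. This is an added example, not the kernel's tpm_ppi.c code: the range limit of 101 operations is an assumption taken from the commit subject "Display up to 101 operations", and rejecting operation 23 without a parameter is this model's choice, not a behaviour the pull request text states.

```python
"""Model of the TPM PPI 1.3 sysfs `request` line format.

Added example; not kernel code. Mirrors what the pull request text
describes: "<op>" or "<op> <param>", where only operation 23
(SetPCRBanks) carries a parameter, and `cat request` echoes the line
back with the parameter shown only when the operation requires one.
"""
from typing import Optional, Tuple

PPI_OP_SET_PCR_BANKS = 23    # from the pull request text
PPI_MAX_OPERATION = 101      # assumption: largest operation displayed for PPI 1.3


def parse_ppi_request(line: str) -> Tuple[int, Optional[int]]:
    """Parse a line as written to the `request` file.

    Returns (operation, parameter); parameter is None when absent.
    Raises ValueError for anything the model does not accept.
    """
    fields = line.split()
    if not fields or len(fields) > 2:
        raise ValueError(f"expected 'op' or 'op param', got {line!r}")
    op = int(fields[0])          # base-10 only, as a plain unsigned number
    if not 0 <= op <= PPI_MAX_OPERATION:
        raise ValueError(f"operation {op} out of range 0..{PPI_MAX_OPERATION}")
    param: Optional[int] = None
    if len(fields) == 2:
        if op != PPI_OP_SET_PCR_BANKS:
            raise ValueError(f"operation {op} does not take a parameter")
        param = int(fields[1])
    elif op == PPI_OP_SET_PCR_BANKS:
        # assumption of this model: SetPCRBanks without its bank mask is rejected
        raise ValueError("operation 23 (SetPCRBanks) requires a parameter")
    return op, param


def format_ppi_request(op: int, param: Optional[int]) -> str:
    """Render the request the way `cat request` shows it."""
    return f"{op} {param}" if param is not None else f"{op}"


def roundtrip(line: str) -> str:
    """Emulate `echo "<line>" > request; cat request` for a valid line."""
    return format_ppi_request(*parse_ppi_request(line))


if __name__ == "__main__":
    for sample in ("23 16", "5"):          # the two lines from the pull request
        print(f"{sample!r} -> {roundtrip(sample)!r}")
```

The two sample lines from the pull request round-trip unchanged; a parameter supplied to an operation other than 23 is rejected rather than silently dropped, which is the safer behaviour for an interface that BIOS firmware acts on at the next boot.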
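The "probe PCR read" that the IMA section relies on works because a TPM2_PCR_Read response carries each digest as a length-prefixed TPM2B_DIGEST, so the digest size of a bank can be read off the response even when the host crypto layer has no entry for that algorithm. The following added example (not the kernel's tpm2-cmd.c code) builds the probe command, parses a constructed response in the TPM 2.0 wire format, and derives the per-bank digest sizes from it; the algorithm ids and structure layout follow the TPM 2.0 Library specification, and the sample response bytes are constructed here.

```python
"""Derive PCR bank digest sizes from a TPM2_PCR_Read response.

Added example; not kernel code. Wire format per TPM 2.0 Library spec
(Part 2 structures, Part 3 TPM2_PCR_Read), big-endian throughout:

  header:   TPM_ST tag (u16), size (u32), responseCode/commandCode (u32)
  command:  TPML_PCR_SELECTION pcrSelectionIn
  response: pcrUpdateCounter (u32), TPML_PCR_SELECTION pcrSelectionOut,
            TPML_DIGEST pcrValues (count u32, then TPM2B_DIGEST: size u16 + bytes)
"""
import struct
from typing import Dict, List, Tuple

TPM_ST_NO_SESSIONS = 0x8001
TPM_RC_SUCCESS = 0x0000
TPM_CC_PCR_READ = 0x0000017E
TPM2_ALG_SHA1 = 0x0004
TPM2_ALG_SHA256 = 0x000B
TPM2_ALG_SM3_256 = 0x0012     # a bank id a host crypto list may not carry
TPM_HEADER_SIZE = 10
PCR_SELECT_MIN = 3            # sizeofSelect covering PCRs 0..23


def _pcr_bitmap(pcr: int) -> bytes:
    """TPMS_PCR_SELECTION.pcrSelect with a single PCR bit set."""
    select = bytearray(PCR_SELECT_MIN)
    select[pcr // 8] |= 1 << (pcr % 8)
    return bytes(select)


def build_pcr_read_command(alg: int, pcr: int) -> bytes:
    """TPM2_PCR_Read selecting one PCR of one bank: the probe read."""
    body = struct.pack(">IHB", 1, alg, PCR_SELECT_MIN) + _pcr_bitmap(pcr)
    hdr = struct.pack(">HII", TPM_ST_NO_SESSIONS, TPM_HEADER_SIZE + len(body), TPM_CC_PCR_READ)
    return hdr + body


def build_pcr_read_response(values: List[Tuple[int, int, bytes]], update_counter: int = 1) -> bytes:
    """Constructed response; `values` is [(alg, pcr, digest_bytes), ...], one PCR per selection."""
    selections = b"".join(struct.pack(">HB", alg, PCR_SELECT_MIN) + _pcr_bitmap(pcr)
                          for alg, pcr, _ in values)
    digests = b"".join(struct.pack(">H", len(d)) + d for _, _, d in values)
    body = (struct.pack(">II", update_counter, len(values)) + selections
            + struct.pack(">I", len(values)) + digests)
    hdr = struct.pack(">HII", TPM_ST_NO_SESSIONS, TPM_HEADER_SIZE + len(body), TPM_RC_SUCCESS)
    return hdr + body


def parse_pcr_read_response(resp: bytes) -> List[Tuple[int, int, bytes]]:
    """Return [(alg, pcr, digest), ...] in the order the TPM lists them.

    Digests in pcrValues are ordered by selection, then by PCR index within
    a selection, so the selection bitmaps are expanded first to know which
    (bank, PCR) each TPM2B_DIGEST belongs to.
    """
    tag, size, rc = struct.unpack_from(">HII", resp, 0)
    if tag != TPM_ST_NO_SESSIONS or size != len(resp):
        raise ValueError("malformed response header")
    if rc != TPM_RC_SUCCESS:
        raise ValueError(f"TPM returned rc=0x{rc:08x}")
    off = TPM_HEADER_SIZE + 4                      # skip pcrUpdateCounter
    (nsel,) = struct.unpack_from(">I", resp, off); off += 4
    expected: List[Tuple[int, int]] = []
    for _ in range(nsel):
        alg, nbytes = struct.unpack_from(">HB", resp, off); off += 3
        bitmap = resp[off:off + nbytes]; off += nbytes
        if len(bitmap) != nbytes:
            raise ValueError("truncated pcrSelect")
        for byte_idx, b in enumerate(bitmap):
            for bit in range(8):
                if b & (1 << bit):
                    expected.append((alg, byte_idx * 8 + bit))
    (ndig,) = struct.unpack_from(">I", resp, off); off += 4
    if ndig != len(expected):
        raise ValueError(f"selection names {len(expected)} PCRs but {ndig} digests returned")
    out: List[Tuple[int, int, bytes]] = []
    for alg, pcr in expected:
        (dlen,) = struct.unpack_from(">H", resp, off); off += 2
        digest = resp[off:off + dlen]; off += dlen
        if len(digest) != dlen:
            raise ValueError("truncated TPM2B_DIGEST")
        out.append((alg, pcr, digest))
    if off != len(resp):
        raise ValueError("trailing bytes after pcrValues")
    return out


def probe_digest_sizes(resp: bytes) -> Dict[int, int]:
    """Digest size per bank, taken from the TPM2B_DIGEST length, not a host table."""
    sizes: Dict[int, int] = {}
    for alg, _pcr, digest in parse_pcr_read_response(resp):
        sizes.setdefault(alg, len(digest))
    return sizes


if __name__ == "__main__":
    # constructed sample: three banks, PCR 0 read from each
    sample = build_pcr_read_response([
        (TPM2_ALG_SHA1, 0, b"\x00" * 20),
        (TPM2_ALG_SHA256, 0, b"\x00" * 32),
        (TPM2_ALG_SM3_256, 0, b"\x11" * 32),
    ])
    print({f"0x{alg:04x}": n for alg, n in probe_digest_sizes(sample).items()})
```

Sizing the bank from the response rather than from a static host-side table is what lets IMA extend every bank the TPM actually has, including ones the kernel's crypto layer cannot compute; a bank whose digest size the kernel does not know is still extended, which is the property the "Extend all PCR banks in IMA" section is after.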

---


The following changes since commit e7a44cfd639945a0dec749f896adc1d340c2a6aa:

  LSM: fix return value check in safesetid_init_securityfs() (2019-02-12 10:59:22 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-tpm

for you to fetch changes up to 5da10728037afea6743b76afddfdc9950cd711b3:

  Merge tag 'tpmdd-next-20190213' of git://git.infradead.org/users/jjs/linux-tpmdd into next-tpm (2019-02-13 12:01:00 -0800)

----------------------------------------------------------------
James Morris (1):
      Merge tag 'tpmdd-next-20190213' of git://git.infradead.org/users/jjs/linux-tpmdd into next-tpm

Jarkko Sakkinen (21):
      tpm/tpm_crb: Avoid unaligned reads in crb_recv()
      tpm: Fix some name collisions with drivers/char/tpm.h
      selftests: add TPM 2.0 tests
      tpm: Unify the send callback behaviour
      tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
      tpm: use tpm_buf in tpm_transmit_cmd() as the IO parameter
      tpm: fix invalid return value in pubek_show()
      tpm: return 0 from pcrs_show() when tpm1_pcr_read() fails
      tpm: print tpm2_commit_space() error inside tpm2_commit_space()
      tpm: declare struct tpm_header
      tpm: access command header through struct in tpm_try_transmit()
      tpm: encapsulate tpm_dev_transmit()
      tpm: clean up tpm_try_transmit() error handling flow
      tpm: move tpm_validate_commmand() to tpm2-space.c
      tpm: move TPM space code out of tpm_transmit()
      tpm: remove @space from tpm_transmit()
      tpm: use tpm_try_get_ops() in tpm-sysfs.c.
      tpm: remove TPM_TRANSMIT_UNLOCKED flag
      tpm: introduce tpm_chip_start() and tpm_chip_stop()
      tpm: take TPM chip power gating out of tpm_transmit()
      tpm: remove @flags from tpm_transmit()

Jerry Snitselaar (2):
      tpm: don't print error message in tpm_transmit_cmd when tpm still testing
      tpm: don't return bool from update_timeouts

Jia Zhang (2):
      tpm: Simplify the measurements loop
      tpm: Fix off-by-one when reading binary_bios_measurements

Roberto Sassu (7):
      tpm: add _head suffix to tcg_efi_specid_event and tcg_pcr_event2
      tpm: dynamically allocate the allocated_banks array
      tpm: rename and export tpm2_digest and tpm2_algorithms
      tpm: retrieve digest size of unknown algorithms with PCR read
      tpm: move tpm_chip definition to include/linux/tpm.h
      KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()
      tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()

Stefan Berger (5):
      tpm/ppi: pass function revision ID to tpm_eval_dsm()
      tpm/ppi: rename TPM_PPI_REVISION_ID to TPM_PPI_REVISION_ID_1
      tpm/ppi: Display up to 101 operations as define for version 1.3
      tpm/ppi: Possibly show command parameter if TPM PPI 1.3 is used
      tpm/ppi: Enable submission of optional command parameter for PPI 1.3

 drivers/char/tpm/eventlog/tpm1.c           |  41 +-
 drivers/char/tpm/eventlog/tpm2.c           |  12 +-
 drivers/char/tpm/st33zp24/i2c.c            |   2 +-
 drivers/char/tpm/st33zp24/spi.c            |   2 +-
 drivers/char/tpm/st33zp24/st33zp24.c       |   2 +-
 drivers/char/tpm/st33zp24/st33zp24.h       |   4 +-
 drivers/char/tpm/tpm-chip.c                | 124 ++++-
 drivers/char/tpm/tpm-dev-common.c          |  44 +-
 drivers/char/tpm/tpm-interface.c           | 327 ++++----------
 drivers/char/tpm/tpm-sysfs.c               | 138 +++---
 drivers/char/tpm/tpm.h                     | 180 ++------
 drivers/char/tpm/tpm1-cmd.c                |  43 +-
 drivers/char/tpm/tpm2-cmd.c                | 208 +++++----
 drivers/char/tpm/tpm2-space.c              |  90 +++-
 drivers/char/tpm/tpm_atmel.c               |   2 +-
 drivers/char/tpm/tpm_crb.c                 |  22 +-
 drivers/char/tpm/tpm_i2c_atmel.c           |  15 +-
 drivers/char/tpm/tpm_i2c_infineon.c        |  17 +-
 drivers/char/tpm/tpm_i2c_nuvoton.c         |  18 +-
 drivers/char/tpm/tpm_ibmvtpm.c             |   8 +-
 drivers/char/tpm/tpm_infineon.c            |   2 +-
 drivers/char/tpm/tpm_nsc.c                 |   2 +-
 drivers/char/tpm/tpm_ppi.c                 |  78 +++-
 drivers/char/tpm/tpm_tis_core.c            |  21 +-
 drivers/char/tpm/tpm_vtpm_proxy.c          |  15 +-
 drivers/char/tpm/xen-tpmfront.c            |   4 +-
 include/linux/tpm.h                        | 129 +++++-
 include/linux/tpm_eventlog.h               |  19 +-
 security/integrity/ima/ima.h               |   1 +
 security/integrity/ima/ima_crypto.c        |  10 +-
 security/integrity/ima/ima_init.c          |   4 +
 security/integrity/ima/ima_queue.c         |  27 +-
 security/keys/trusted.c                    |  73 ++-
 tools/testing/selftests/Makefile           |   1 +
 tools/testing/selftests/tpm2/Makefile      |   4 +
 tools/testing/selftests/tpm2/test_smoke.sh |   4 +
 tools/testing/selftests/tpm2/test_space.sh |   4 +
 tools/testing/selftests/tpm2/tpm2.py       | 696 +++++++++++++++++++++++++++++
 tools/testing/selftests/tpm2/tpm2_tests.py | 227 ++++++++++
 39 files changed, 1876 insertions(+), 744 deletions(-)
 create mode 100644 tools/testing/selftests/tpm2/Makefile
 create mode 100755 tools/testing/selftests/tpm2/test_smoke.sh
 create mode 100755 tools/testing/selftests/tpm2/test_space.sh
 create mode 100644 tools/testing/selftests/tpm2/tpm2.py
 create mode 100644 tools/testing/selftests/tpm2/tpm2_tests.py
