lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140825182414.GB1298@obsidianresearch.com>
Date:	Mon, 25 Aug 2014 12:24:14 -0600
From:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>
To:	Scot Doyle <lkml14@...tdoyle.com>
Cc:	Peter Huewe <peterhuewe@....de>, Ashley Lai <ashley@...leylai.com>,
	Marcel Selhorst <tpmdd@...horst.net>,
	Stefan Berger <stefanb@...ux.vnet.ibm.com>,
	Luigi Semenzato <semenzato@...gle.com>,
	tpmdd-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tpm_tis: Verify ACPI-specified interrupt

On Mon, Aug 25, 2014 at 06:38:33AM +0000, Scot Doyle wrote:

>    command. Now the chip is running. It will not be reboot on resume
>    (unlike stock SeaBIOS), presumably since the firmware is not
>    interacting with the TPM. But because an error 38 is returned during
>    the selftest issued on resume, its functioning will degrade over
>    suspend/resume cycles until the machine refuses to enter suspend,

So, be aware, on x86 the TPM specs require some BIOS support for
suspend/resume to work properly.

> Manual workarounds for these three payloads:
> 
> 1. Depthcharge. I don't know how ChromeOS interacts with the TPM chip.
>    From what I've seen, it may boot with kernel parameters tpm_tis.force=1
>    and tpm_tis.interrupts=0 (see #2 following). The kernel is older.

The HW or interrupt routing is fundamentally broken somehow?
 
> 2. Stock SeaBIOS. Boot the kernel with tpm_tis.force=1 or
>    tpm_tis.interrupts=0. 'force=1' causes the module to ignore the ACPI
>    TPM interrupt entry and instead probe for interrupts. Since no
>    interrupts are found to be valid, the driver falls back to polling
>    mode. And 'interrupts=0' causes the interrupt probing to be skipped,
>    defaulting to polling mode. So, even though most users set BOTH of
>    these parameters, they have the same effect on these machines and only
>    one or the other are necessary.
> 
> 3. Custom SeaBIOS. Blacklist the tpm_tis module so that it doesn't load
>    and therefore doesn't issue startup(clear) to the TPM chip.

It seems to me at least in this case you should be able to get rid of
the IRQ entry, people are going to be flashing the custom SeaBIOS
anyhow.

Further, in x86 land you really should have BIOS support for operating
a TPM if the OS is going to touch it. I don't really understand why
you want to flash a custom BIOS that doesn't work and then hack the
kernel to fix the custom BIOS's deficiencies? Fix the BIOS, you are
flashing it already anyhow.

> The firmware sends a startup(clear). Then the tpm_tis module is loaded 
> because there is a matching ACPI entry for "IFX0102". By default, module 
> parameters are interrupts=1 and force=0. I will talk about these default 
> values, since that is the case that I'd like to fix. force=0 causes the 
> module to look for an ACPI entry. It finds an entry indicating IRQ 6 and 
> continues with the tpm_tis_init function.

So, sounds like IRQ=6 is a BIOS bug.

> tpm_tis_init starts in polling mode. It registers the hardware device, 
> performs some initial setup, queries the chip manufacturer and vendor id,
> deterines the chip capabilities (I think they are all enabled), gets 
> timeouts, does a selftest (which passes), sets up the interrupt and read 
> queues, and enables chip interrupts. It does all of this in polling
> mode.

This is the wrong order, I think, the interrupts should be on before
issuing commands, other tpm drivers are working this way already.

> I've verified that no blocking commands are send to the TPM during the 
> tpm_tis_init function. Since none are sent, no interrupts fail, and the 
> attach procedes as normal.

tpm_get_timeouts and tpm_do_selftest should both be commands that
potentially wait for interrupt.
 
> Side note 1: my understanding is that the module exchanges data with the 
> TPM in the same way whether in polling mode or interrupt mode.

Right, the interrupt simply indicates when the TPM has completed
executing the comamnd, the driver can either poll loop or wait on IRQ
to read back the status register bit indicating the command is done.

> To make stock SeaBIOS work automatically:
> 1. For all systems in interrupt mode because of an ACPI entry: Use a
>    non-fragile method to detect correct functioning of the TPM and the
>    failure of interrupts. If detected, then fall back to polling mode.
>    Worst case is (slightly?) degraded performance.
> 2. Same as 1, but only for quirked machines
> 
> To make custom SeaBIOS work automatically:
> 3. For all systems: If error 38 received from selftest at resume, do not
>    issue subsequent save_state commands before suspend. (This approach has
>    been tested.)

This isn't right, if tpm core is going to handle resume without BIOS
support then it must do the protocol properly. IIRC this is issuing a
startup and then restore state command at resume (the BIOS is expected
to do this on x86, and it is expected to not jump back to the OS if
something goes wrong with the TPM, or the resume image has been
tampered with)

This might be interesting to people doing embedded (and I can't recall
exactly, but I want to say that one of the drivers implemented this).

Clearly we'd need a way to turn on 'embedded' mode for the TPM, but
that could potentially be a module parameter on x86...

> 4. For all systems: Do not send startup(clear) in tpm_get_timeouts unless
>    a module parameter is set.

No, all embedded systems require this functionality, why would you
want to take this out?

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ