lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Feb 2017 14:32:49 +0200 From: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com> To: tpmdd-devel@...ts.sourceforge.net Cc: linux-security-module@...r.kernel.org, James Bottomley <James.Bottomley@...senPartnership.com>, Peter Huewe <peterhuewe@....de>, Marcel Selhorst <tpmdd@...horst.net>, Jason Gunthorpe <jgunthorpe@...idianresearch.com>, open list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 6/6] tpm2: add session handle context saving and restoring to the space code On Wed, Feb 08, 2017 at 01:07:08PM +0200, Jarkko Sakkinen wrote: > From: James Bottomley <James.Bottomley@...senPartnership.com> > > Sessions are different from transient objects in that their handles > may not be virtualized (because they're used for some hmac > calculations). Additionally when a session is context saved, a > vestigial memory remains in the TPM and if it is also flushed, that > will be lost and the session context will refuse to load next time, so > the code is updated to flush only transient objects after a context > save. Add a separate array (chip->session_tbl) to save and restore > sessions by handle. Use the failure of a context save or load to > signal that the session has been flushed from the TPM and we can > remove its memory from chip->session_tbl. > > Sessions are also isolated during each instance of a tpm space. This > means that spaces shouldn't be able to see each other's sessions and > is enforced by ensuring that a space user may only refer to sessions > handles that are present in their own chip->session_tbl. Finally when > a space is closed, all the sessions belonging to it should be flushed > so the handles may be re-used by other spaces. > > Note that if we get a session save or load error, all sessions are > effectively flushed. Even though we restore the session buffer, all > the old sessions will refuse to load after the flush and they'll be > purged from our session memory. This means that while transient > context handling is still soft in the face of errors, session handling > is hard (any failure of the model means all sessions are lost). > > Signed-off-by: James Bottomley <James.Bottomley@...senPartnership.com> > --- > drivers/char/tpm/tpm-chip.c | 6 +++ > drivers/char/tpm/tpm.h | 4 +- > drivers/char/tpm/tpm2-space.c | 115 ++++++++++++++++++++++++++++++++++++++++-- > drivers/char/tpm/tpms-dev.c | 2 +- > 4 files changed, 122 insertions(+), 5 deletions(-) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index c71c353..e8536ab 100644 > --- a/drivers/char/tpm/tpm-chip.c > +++ b/drivers/char/tpm/tpm-chip.c > @@ -130,6 +130,7 @@ static void tpm_dev_release(struct device *dev) > > kfree(chip->log.bios_event_log); > kfree(chip->work_space.context_buf); > + kfree(chip->work_space.session_buf); > kfree(chip); > } > > @@ -224,6 +225,11 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, > rc = -ENOMEM; > goto out; > } > + chip->work_space.session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > + if (!chip->work_space.session_buf) { > + rc = -ENOMEM; > + goto out; > + } > > return chip; > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index 8670cc5..9261223 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -160,6 +160,8 @@ enum tpm2_cc_attrs { > struct tpm_space { > u32 context_tbl[3]; > u8 *context_buf; > + u32 session_tbl[3]; > + u8 *session_buf; > }; > > enum tpm_chip_flags { > @@ -588,7 +590,7 @@ int tpm2_probe(struct tpm_chip *chip); > ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); > int tpm2_find_cc(struct tpm_chip *chip, u32 cc); > int tpm2_init_space(struct tpm_space *space); > -void tpm2_del_space(struct tpm_space *space); > +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); > int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, > u8 *cmd); > int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c > index d241c2a..fb817ca 100644 > --- a/drivers/char/tpm/tpm2-space.c > +++ b/drivers/char/tpm/tpm2-space.c > @@ -32,18 +32,39 @@ struct tpm2_context { > __be16 blob_size; > } __packed; > > +static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space) > +{ > + int i; > + > + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) { > + if (space->session_tbl[i]) > + tpm2_flush_context_cmd(chip, space->session_tbl[i], > + TPM_TRANSMIT_UNLOCKED); > + } > +} > + > int tpm2_init_space(struct tpm_space *space) > { > space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > if (!space->context_buf) > return -ENOMEM; > > + space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > + if (space->session_buf == NULL) { > + kfree(space->context_buf); > + return -ENOMEM; > + } > + > return 0; > } > > -void tpm2_del_space(struct tpm_space *space) > +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) > { > + mutex_lock(&chip->tpm_mutex); > + tpm2_flush_sessions(chip, space); > + mutex_unlock(&chip->tpm_mutex); > kfree(space->context_buf); > + kfree(space->session_buf); > } > > static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, > @@ -69,6 +90,20 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, > __func__, rc); > tpm_buf_destroy(&tbuf); > return -EFAULT; > + } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || > + rc == TPM2_RC_REFERENCE_H0) { > + /* > + * TPM_RC_HANDLE means that the session context can't > + * be loaded because of an internal counter mismatch > + * that makes the TPM think there might have been a > + * replay. This might happen if the context was saved > + * and loaded outside the space. > + * > + * TPM_RC_REFERENCE_H0 means the session has been > + * flushed outside the space > + */ > + rc = -ENOENT; > + tpm_buf_destroy(&tbuf); > } else if (rc > 0) { > dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", > __func__, rc); > @@ -121,12 +156,30 @@ static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf, > } > > memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size); > - tpm2_flush_context_cmd(chip, handle, TPM_TRANSMIT_UNLOCKED); > *offset += body_size; > tpm_buf_destroy(&tbuf); > return 0; > } > > +static int tpm2_session_add(struct tpm_chip *chip, u32 handle) > +{ > + struct tpm_space *space = &chip->work_space; > + int i; > + > + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) > + if (space->session_tbl[i] == 0) > + break; > + if (i == ARRAY_SIZE(space->session_tbl)) { > + dev_err(&chip->dev, "out of session slots\n"); This really should be dev_dbg. /Jarkko
Powered by blists - more mailing lists