lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170622101404.blfpqcryrbe35ha4@linux.intel.com>
Date:   Thu, 22 Jun 2017 12:14:04 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-ima-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [tpmdd-devel] [PATCH v3 1/6] tpm: use tpm_buf functions to
 perform a PCR read

On Wed, Jun 21, 2017 at 04:29:36PM +0200, Roberto Sassu wrote:
> tpm2_pcr_read() now uses tpm_buf functions to build the TPM command
> to read a PCR. Those functions are preferred to passing a tpm2_cmd
> structure, as they provide protection against buffer overflow.
> 
> Also, tpm2_pcr_read() code has been moved to tpm2_pcr_read_tpm_buf().
> Callers have to pass a tpm_buf structure, an algorithm supported by
> the TPM and call tpm_buf_destroy(). The algorithm still cannot be
> passed to the TPM driver interface. This parameter has been introduced
> for determining the digest size of a given algorithm.
> 
> Moving tpm2_pcr_read() code to tpm2_pcr_read_tpm_buf() is necessary
> because callers of the new function obtain different information from
> the output buffer: tpm2_pcr_read() gets the digest, tpm2_do_selftest()
> will get the command return code and tpm2_get_pcr_allocation() will get
> the digest size.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>

We want to migrate *everything* to use tpm_buf to the point that
tpm_transmit takes tpm_buf as parameter.

> ---
>  drivers/char/tpm/tpm2-cmd.c | 54 +++++++++++++++++++++++++++------------------
>  1 file changed, 32 insertions(+), 22 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 3a99643..afd1b63 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -231,15 +231,37 @@ static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = {
>  	(sizeof(struct tpm_input_header) + \
>  	 sizeof(struct tpm2_pcr_read_in))
>  
> -#define TPM2_PCR_READ_RESP_BODY_SIZE \
> -	 sizeof(struct tpm2_pcr_read_out)
> -
>  static const struct tpm_input_header tpm2_pcrread_header = {
>  	.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS),
>  	.length = cpu_to_be32(TPM2_PCR_READ_IN_SIZE),
>  	.ordinal = cpu_to_be32(TPM2_CC_PCR_READ)
>  };

Remove this and move tpm2_pcr_read_out declaration before tpm2_pcr_read.
Its only a one shot helper structure for this function. You can take it
of from the union and delete tpm2_pcr_read_in completely.

> +static int tpm2_pcr_read_tpm_buf(struct tpm_chip *chip, int pcr_idx,
> +				 enum tpm2_algorithms algo, struct tpm_buf *buf,
> +				 char *msg)

This wrapper is unnecessary especially since the fallback path is still
in the responsiblity of the caller.

> +{
> +	int rc;
> +	u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
> +
> +	if (pcr_idx >= TPM2_PLATFORM_PCR)
> +		return -EINVAL;
> +
> +	rc = tpm_buf_init(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
> +	if (rc)
> +		return rc;
> +
> +	pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
> +
> +	tpm_buf_append_u32(buf, 1);
> +	tpm_buf_append_u16(buf, algo);
> +	tpm_buf_append_u8(buf, TPM2_PCR_SELECT_MIN);
> +	tpm_buf_append(buf, (const unsigned char *)pcr_select,
> +		       sizeof(pcr_select));
> +
> +	return tpm_transmit_cmd(chip, NULL, buf->data, PAGE_SIZE, 0, 0, msg);
> +}
> +
>  /**
>   * tpm2_pcr_read() - read a PCR value
>   * @chip:	TPM chip to use.
> @@ -251,29 +273,17 @@ static const struct tpm_input_header tpm2_pcrread_header = {
>  int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf)
>  {
>  	int rc;
> -	struct tpm2_cmd cmd;
> -	u8 *buf;
> -
> -	if (pcr_idx >= TPM2_PLATFORM_PCR)
> -		return -EINVAL;
> -
> -	cmd.header.in = tpm2_pcrread_header;
> -	cmd.params.pcrread_in.pcr_selects_cnt = cpu_to_be32(1);
> -	cmd.params.pcrread_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1);
> -	cmd.params.pcrread_in.pcr_select_size = TPM2_PCR_SELECT_MIN;
> -
> -	memset(cmd.params.pcrread_in.pcr_select, 0,
> -	       sizeof(cmd.params.pcrread_in.pcr_select));
> -	cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
> +	struct tpm_buf buf;
> +	struct tpm2_pcr_read_out *out;
>  
> -	rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd),
> -			      TPM2_PCR_READ_RESP_BODY_SIZE,
> -			      0, "attempting to read a pcr value");
> +	rc = tpm2_pcr_read_tpm_buf(chip, pcr_idx, TPM2_ALG_SHA1, &buf,
> +				   "attempting to read a pcr value");
>  	if (rc == 0) {
> -		buf = cmd.params.pcrread_out.digest;
> -		memcpy(res_buf, buf, TPM_DIGEST_SIZE);
> +		out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
> +		memcpy(res_buf, out->digest, TPM_DIGEST_SIZE);

I think that when changes are made that involve TPM_DIGEST_SIZE, it
should be simply replaced with SHA1_DIGEST_SIZE. It's just a constant
that makes reading the code harder.

>  	}
>  
> +	tpm_buf_destroy(&buf);
>  	return rc;
>  }

With some adjustments this is a welcome change.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ