[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <edf4aeaab76713579016cb009a0e632d7417c5f8.camel@linux.intel.com>
Date: Tue, 03 Jul 2018 18:24:34 +0300
From: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>,
linux-integrity@...r.kernel.org, zohar@...ux.vnet.ibm.com,
jejb@...ux.vnet.ibm.com
Cc: jgg@...pe.ca, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, dhowells@...hat.com,
keyrings@...r.kernel.org
Subject: Re: [PATCH 2/2] KEYS: trusted: Find tpm_chip and use it until
module shutdown
On Tue, 2018-06-26 at 15:30 -0400, Stefan Berger wrote:
> Use tpm_default_chip() to find the system's default TPM chip and
> use it as the tpm_chip parameter for all TPM operations. Release
> the tpm_chip when the module is shut down.
>
> Signed-off-by: Stefan Berger <stefanb@...ux.vnet.ibm.com>
> ---
> security/keys/trusted.c | 41 ++++++++++++++++++++++++++++-------------
> 1 file changed, 28 insertions(+), 13 deletions(-)
>
> diff --git a/security/keys/trusted.c b/security/keys/trusted.c
> index 423776682025..06d863caea43 100644
> --- a/security/keys/trusted.c
> +++ b/security/keys/trusted.c
> @@ -42,6 +42,7 @@ struct sdesc {
>
> static struct crypto_shash *hashalg;
> static struct crypto_shash *hmacalg;
> +static struct tpm_chip *tpm_chip;
>
> static struct sdesc *init_sdesc(struct crypto_shash *alg)
> {
> @@ -360,7 +361,7 @@ static int trusted_tpm_send(unsigned char *cmd, size_t
> buflen)
> int rc;
>
> dump_tpm_buf(cmd);
> - rc = tpm_send(NULL, cmd, buflen);
> + rc = tpm_send(tpm_chip, cmd, buflen);
> dump_tpm_buf(cmd);
> if (rc > 0)
> /* Can't return positive return codes values to keyctl */
> @@ -381,10 +382,10 @@ static int pcrlock(const int pcrnum)
>
> if (!capable(CAP_SYS_ADMIN))
> return -EPERM;
> - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
> + ret = tpm_get_random(tpm_chip, hash, SHA1_DIGEST_SIZE);
> if (ret != SHA1_DIGEST_SIZE)
> return ret;
> - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
> + return tpm_pcr_extend(tpm_chip, pcrnum, hash) ? -EINVAL : 0;
> }
>
> /*
> @@ -397,7 +398,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
> unsigned char ononce[TPM_NONCE_SIZE];
> int ret;
>
> - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
> + ret = tpm_get_random(tpm_chip, ononce, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE)
> return ret;
>
> @@ -492,7 +493,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
> if (ret < 0)
> goto out;
>
> - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
> + ret = tpm_get_random(tpm_chip, td->nonceodd, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE)
> goto out;
> ordinal = htonl(TPM_ORD_SEAL);
> @@ -602,7 +603,7 @@ static int tpm_unseal(struct tpm_buf *tb,
>
> ordinal = htonl(TPM_ORD_UNSEAL);
> keyhndl = htonl(SRKHANDLE);
> - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
> + ret = tpm_get_random(tpm_chip, nonceodd, TPM_NONCE_SIZE);
> if (ret != TPM_NONCE_SIZE) {
> pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
> return ret;
> @@ -747,7 +748,7 @@ static int getoptions(char *c, struct trusted_key_payload
> *pay,
> int i;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(tpm_chip);
> if (tpm2 < 0)
> return tpm2;
>
> @@ -916,7 +917,7 @@ static struct trusted_key_options
> *trusted_options_alloc(void)
> struct trusted_key_options *options;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(tpm_chip);
> if (tpm2 < 0)
> return NULL;
>
> @@ -966,7 +967,7 @@ static int trusted_instantiate(struct key *key,
> size_t key_len;
> int tpm2;
>
> - tpm2 = tpm_is_tpm2(NULL);
> + tpm2 = tpm_is_tpm2(tpm_chip);
> if (tpm2 < 0)
> return tpm2;
>
> @@ -1007,7 +1008,7 @@ static int trusted_instantiate(struct key *key,
> switch (key_cmd) {
> case Opt_load:
> if (tpm2)
> - ret = tpm_unseal_trusted(NULL, payload, options);
> + ret = tpm_unseal_trusted(tpm_chip, payload, options);
> else
> ret = key_unseal(payload, options);
> dump_payload(payload);
> @@ -1017,13 +1018,13 @@ static int trusted_instantiate(struct key *key,
> break;
> case Opt_new:
> key_len = payload->key_len;
> - ret = tpm_get_random(NULL, payload->key, key_len);
> + ret = tpm_get_random(tpm_chip, payload->key, key_len);
> if (ret != key_len) {
> pr_info("trusted_key: key_create failed (%d)\n",
> ret);
> goto out;
> }
> if (tpm2)
> - ret = tpm_seal_trusted(NULL, payload, options);
> + ret = tpm_seal_trusted(tpm_chip, payload, options);
> else
> ret = key_seal(payload, options);
> if (ret < 0)
> @@ -1226,12 +1227,26 @@ static int __init init_trusted(void)
> return ret;
> ret = register_key_type(&key_type_trusted);
> if (ret < 0)
> - trusted_shash_release();
> + goto exit_shash_release;
> + tpm_chip = tpm_default_chip();
> + if (!tpm_chip) {
> + ret = -ENODEV;
> + goto exit_unregister;
> + }
> + return 0;
> +
> +exit_unregister:
> + unregister_key_type(&key_type_trusted);
> +
> +exit_shash_release:
> + trusted_shash_release();
> return ret;
> }
>
> static void __exit cleanup_trusted(void)
> {
> + if (tpm_chip)
> + tpm_put_chip(tpm_chip);
> trusted_shash_release();
> unregister_key_type(&key_type_trusted);
> }
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Is James maintaining this now? Have not seen his feedback yet...
/Jarkko
Powered by blists - more mailing lists