lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <YidTCX0NOgDfHCp9@kernel.org>
Date:   Tue, 8 Mar 2022 14:58:49 +0200
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
        keyrings@...r.kernel.org, James Morris <jmorris@...ei.org>,
        David Howells <dhowells@...hat.com>,
        Peter Huewe <peterhuewe@....de>, Jason Gunthorpe <jgg@...pe.ca>
Subject: [GIT PULL] TPM DEVICE DRIVER updates for v5.18

Hi,

In order to split the work a bit we've aligned with David Howells more or
less that I take more hardware/firmware aligned keyring patches, and he
takes care more of the framework aligned patches.

For TPM the patches worth of highlighting are the fixes for refcounting
provided by Lino Sanfilippo and James Bottomley.

Eric B. has done a bunch obvious (but important) fixes but there's one a
bit controversial: removal of asym_tpm. It was added in 2018 when TPM1
was already declared as insecure and world had moved on to TPM2. I don't
know how this has passed all the filters but I did not have a chance to
see the patches when they were out. I simply cannot commit on
maintaining this because it was from all angles just wrong to take it in
the first place to the mainline kernel. Nobody should use this module
really for anything.

Finally, there is a new keyring ".machine" to hold MOK keys. In the mok
side MokListTrustedRT UEFI variable can be set, from which kernel knows
that MOK keys are kernel trusted keys and they are populated to the machine
keyring. This keyring linked to the secondary trusted keyring, which means
that can be used like any kernel trusted keys. This keyring of course can
be used to hold other MOK'ish keys in other platforms in future.

BR, Jarkko

The following changes since commit ea4424be16887a37735d6550cfd0611528dbe5d9:

  Merge tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux (2022-03-07 11:43:22 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/ tags/tpmdd-next-v5.18

for you to fetch changes up to f4fe76112c8fbe0a2d2e3ebd94ff2cfe22977e39:

  tpm: use try_get_ops() in tpm-space.c (2022-03-08 14:29:25 +0200)

----------------------------------------------------------------
tpmdd updates for Linux v5.18

----------------------------------------------------------------
Andreas Rammhold (1):
      KEYS: trusted: Fix trusted key backends when building as module

Dave Kleikamp (1):
      KEYS: trusted: Avoid calling null function trusted_key_exit

Eric Biggers (8):
      KEYS: fix length validation in keyctl_pkey_params_get_2()
      KEYS: x509: clearly distinguish between key and signature algorithms
      KEYS: x509: remove unused fields
      KEYS: x509: remove never-set ->unsupported_key flag
      KEYS: x509: remove dead code that set ->unsupported_sig
      KEYS: remove support for asym_tpm keys
      KEYS: asymmetric: enforce that sig algo matches key algo
      KEYS: asymmetric: properly validate hash_algo and encoding

Eric Snowberg (8):
      integrity: Fix warning about missing prototypes
      integrity: Introduce a Linux keyring called machine
      integrity: add new keyring handler for mok keys
      KEYS: store reference to machine keyring
      KEYS: Introduce link restriction for machine keys
      efi/mokvar: move up init order
      integrity: Trust MOK keys if MokListTrustedRT found
      integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

Gustavo A. R. Silva (1):
      tpm: xen-tpmfront: Use struct_size() helper

James Bottomley (1):
      tpm: use try_get_ops() in tpm-space.c

Lino Sanfilippo (1):
      tpm: fix reference counting for struct tpm_chip

Stefan Berger (1):
      selftests: tpm2: Determine available PCR bank

Tadeusz Struk (2):
      tpm: Fix error handling in async work
      selftests: tpm: add async space test with noneexisting handle

 certs/system_keyring.c                             |  44 +-
 crypto/asymmetric_keys/Kconfig                     |  21 -
 crypto/asymmetric_keys/Makefile                    |  12 -
 crypto/asymmetric_keys/asym_tpm.c                  | 957 ---------------------
 crypto/asymmetric_keys/pkcs7_verify.c              |  13 +-
 crypto/asymmetric_keys/public_key.c                | 126 ++-
 crypto/asymmetric_keys/tpm.asn1                    |   5 -
 crypto/asymmetric_keys/tpm_parser.c                | 102 ---
 crypto/asymmetric_keys/x509.asn1                   |   2 +-
 crypto/asymmetric_keys/x509_cert_parser.c          |  34 +-
 crypto/asymmetric_keys/x509_parser.h               |   1 -
 crypto/asymmetric_keys/x509_public_key.c           |  24 -
 drivers/char/tpm/tpm-chip.c                        |  46 +-
 drivers/char/tpm/tpm-dev-common.c                  |   8 +-
 drivers/char/tpm/tpm.h                             |   2 +
 drivers/char/tpm/tpm2-space.c                      |  73 +-
 drivers/char/tpm/xen-tpmfront.c                    |   8 +-
 drivers/firmware/efi/mokvar-table.c                |   2 +-
 include/crypto/asym_tpm_subtype.h                  |  19 -
 include/keys/system_keyring.h                      |  14 +
 security/integrity/Kconfig                         |  13 +
 security/integrity/Makefile                        |   1 +
 security/integrity/digsig.c                        |  15 +-
 security/integrity/integrity.h                     |  17 +-
 .../integrity/platform_certs/keyring_handler.c     |  18 +-
 .../integrity/platform_certs/keyring_handler.h     |   5 +
 security/integrity/platform_certs/load_uefi.c      |   4 +-
 .../integrity/platform_certs/machine_keyring.c     |  77 ++
 security/keys/keyctl_pkey.c                        |  14 +-
 security/keys/trusted-keys/trusted_core.c          |   6 +-
 tools/testing/selftests/tpm2/tpm2.py               |  31 +
 tools/testing/selftests/tpm2/tpm2_tests.py         |  45 +-
 32 files changed, 486 insertions(+), 1273 deletions(-)
 delete mode 100644 crypto/asymmetric_keys/asym_tpm.c
 delete mode 100644 crypto/asymmetric_keys/tpm.asn1
 delete mode 100644 crypto/asymmetric_keys/tpm_parser.c
 delete mode 100644 include/crypto/asym_tpm_subtype.h
 create mode 100644 security/integrity/platform_certs/machine_keyring.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ