Date: Sat, 18 May 2024 16:51:36 +0530
From: Parthiban <parthiban@...umiz.com>
To: James.Bottomley@...senPartnership.com
Cc: linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
 peterhuewe@....de, jarkko@...nel.org, jgg@...pe.ca,
 Parthiban <parthiban@...umiz.com>
Subject: SLB9670 TPM module crash

Dear James Bottomley,

The following crash is observed in the current mainline kernel and I have tried
git bisect to narrow it down. Bisect points to the below commit, which got merged as
part of [1]. I tried reverting the below commit and the TPM loads fine.

commit 1b6d7f9eb150305dcb0da4f7101a8d30dcdf0497
Author: James Bottomley <James.Bottomley@...senPartnership.com>
Date:   Mon Apr 29 16:28:07 2024 -0400

    tpm: add session encryption protection to tpm2_get_random()
    
    If some entity is snooping the TPM bus, they can see the random
    numbers we're extracting from the TPM and do prediction attacks
    against their consumers.  Foil this attack by using response
    encryption to prevent the attacker from seeing the random sequence.
    
    Signed-off-by: James Bottomley <James.Bottomley@...senPartnership.com>
    Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
    Tested-by: Jarkko Sakkinen <jarkko@...nel.org>
    Signed-off-by: Jarkko Sakkinen <jarkko@...nel.org>

 drivers/char/tpm/tpm2-cmd.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

[   11.551988] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1B, rev-id 22)
[   11.563036] spi_master spi0: will run message pump with realtime priority
[   11.564345] tpm tpm0: A TPM error (256) occurred attempting the self test
[   11.576709] tpm tpm0: starting up the TPM manually
[   11.576825] mcp251xfd spi0.0 can0: MCP2518FD rev0.0 (-RX_INT -PLL -MAB_NO_WARN +CRC_REG +CRC_RX +CRC_TX +ECC -HD o:40.00MHz c:40.00MHz m:10.00MHz rs:10.00MHz es:10.00MHz rf:10.00MHz ef:10.00MHz) successfully initialized.
[   12.418989] ------------[ cut here ]------------
[   12.423626] WARNING: CPU: 3 PID: 173 at kernel/module/kmod.c:144 __request_module+0x1b0/0x298
[   12.432169] Modules linked in: mcp251xfd tpm_tis_spi tpm_tis_core hantro_vpu can_dev v4l2_vp9 v4l2_h264 videobuf2_dma_contig etnaviv videobuf2_memops v4l2_mem2mem videobuf2_v4l2 gpu_sched videobuf2_common drm videodev crct10dif_ce mc onboard_usb_hub imx8m_ddrc backlight fsl_imx8_ddr_perf tmp102 rtc_rv3028 caam spi_imx at24 rtc_snvs error imx8mm_thermal pwm_imx27 imx_sdma
[   12.465135] CPU: 3 PID: 173 Comm: kworker/u16:7 Not tainted 6.9.0-gde8a0c1b43a5 #1
[   12.472709] Hardware name: PHYTEC phyGATE-Tauri-L-iMX8MM (DT)
[   12.478458] Workqueue: async async_run_entry_fn
[   12.482996] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   12.489964] pc : __request_module+0x1b0/0x298
[   12.494326] lr : __request_module+0x1a8/0x298
[   12.498694] sp : ffff800082a0b520
[   12.502007] x29: ffff800082a0b520 x28: 00000000001b15d1 x27: ffff800081fef212
[   12.509155] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[   12.516303] x23: 000000000000200f x22: 0000000000000001 x21: ffff800080601d7c
[   12.523449] x20: 0000000000000000 x19: ffff80008153a260 x18: 0000000000000014
[   12.530593] x17: 00000000935207a2 x16: 00000000a4f4335b x15: 0000000098476eec
[   12.537739] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000
[   12.544885] x11: 000000006516c2bb x10: ffffffffff2949fe x9 : ffff8000800e3594
[   12.552031] x8 : ffff800082a0b5c8 x7 : 0000000000000000 x6 : 0c0406065b07370f
[   12.559175] x5 : 0f37075b0606040c x4 : 0000000000000000 x3 : 0000000000000030
[   12.566322] x2 : 0000000000000008 x1 : ffff8000800e3468 x0 : 0000000000000001
[   12.573473] Call trace:
[   12.575921]  __request_module+0x1b0/0x298
[   12.579941]  crypto_alg_mod_lookup+0x184/0x230
[   12.584389]  crypto_alloc_tfm_node+0x5c/0x110
[   12.588751]  crypto_alloc_shash+0x2c/0x40
[   12.592768]  drbg_init_hash_kernel+0x30/0xf0
[   12.597046]  drbg_kcapi_seed+0x218/0x3b0
[   12.600975]  crypto_rng_reset+0x8c/0xc8
[   12.604821]  crypto_get_default_rng+0xac/0xe8
[   12.609186]  ecc_gen_privkey+0x60/0xe0
[   12.612938]  ecdh_set_secret+0x98/0x1a0
[   12.616779]  tpm_buf_append_salt+0x198/0x308
[   12.621055]  tpm2_start_auth_session+0x11c/0x2d0
[   12.625677]  tpm2_get_random+0x58/0x230
[   12.629521]  tpm_get_random+0x7c/0xa0
[   12.633193]  tpm_hwrng_read+0x2c/0x40
[   12.636862]  add_early_randomness+0x70/0x128
[   12.641137]  hwrng_register+0x16c/0x220
[   12.644978]  tpm_chip_register+0x110/0x238
[   12.649079]  tpm_tis_core_init+0x494/0xf18 [tpm_tis_core]
[   12.654488]  tpm_tis_spi_probe+0xac/0xe8 [tpm_tis_spi]
[   12.659639]  tpm_tis_spi_driver_probe+0x3c/0x78 [tpm_tis_spi]
[   12.665396]  spi_probe+0x8c/0xf8
[   12.668633]  really_probe+0xc4/0x2a8
[   12.672219]  __driver_probe_device+0x80/0x140
[   12.676582]  driver_probe_device+0xe0/0x170
[   12.680776]  __driver_attach_async_helper+0x54/0xc8
[   12.685663]  async_run_entry_fn+0x3c/0xf0
[   12.689677]  process_one_work+0x160/0x3f0
[   12.693695]  worker_thread+0x304/0x420
[   12.697449]  kthread+0x11c/0x128
[   12.700682]  ret_from_fork+0x10/0x20
[   12.704267] ---[ end trace 0000000000000000 ]---

[1]: https://patchwork.kernel.org/project/linux-integrity/list/?series=804628&state=*

-- 
Thanks,
Parthiban N
https://www.linumiz.com
