lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240915180448.2030115-4-jarkko@kernel.org>
Date: Sun, 15 Sep 2024 21:04:45 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: linux-integrity@...r.kernel.org
Cc: James.Bottomley@...senPartnership.com,
	roberto.sassu@...wei.com,
	mapengyu@...il.com,
	Jarkko Sakkinen <jarkko@...nel.org>,
	Peter Huewe <peterhuewe@....de>,
	Jason Gunthorpe <jgg@...pe.ca>,
	linux-kernel@...r.kernel.org (open list)
Subject: [PATCH 3/4] tpm: address tpm2_create_primary() failure

tpm2_load_null() ignores the return value of tpm2_create_primary(). Return
instead on failure. On success when the null key name has not been changed
heal appropriately, and return the created key handle instead of flushing
it.

Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes")
Signed-off-by: Jarkko Sakkinen <jarkko@...nel.org>
---
 drivers/char/tpm/tpm2-sessions.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index d63510ad44ab..34ce0d9d4577 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -850,9 +850,10 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth,
 
 static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
 {
-	int rc;
 	unsigned int offset = 0; /* dummy offset for null seed context */
 	u8 name[SHA256_DIGEST_SIZE + 2];
+	u32 tmp_null_key;
+	int rc;
 
 	rc = tpm2_load_context(chip, chip->null_key_context, &offset,
 			       null_key);
@@ -861,11 +862,17 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
 
 	/* an integrity failure may mean the TPM has been reset */
 	dev_err(&chip->dev, "NULL key integrity failure!\n");
-	/* check the null name against what we know */
-	tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name);
-	if (memcmp(name, chip->null_key_name, sizeof(name)) == 0)
-		/* name unchanged, assume transient integrity failure */
+
+	rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name);
+	if (rc)
 		return rc;
+
+	/* Return the null key if the name has not been changed: */
+	if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) {
+		*null_key = tmp_null_key;
+		return 0;
+	}
+
 	/*
 	 * Fatal TPM failure: the NULL seed has actually changed, so
 	 * the TPM must have been illegally reset.  All in-kernel TPM
@@ -874,6 +881,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
 	 * userspace programmes can't be compromised by it.
 	 */
 	dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n");
+	tpm2_flush_context(chip, tmp_null_key);
 	chip->flags |= TPM_CHIP_FLAG_DISABLE;
 
 	return rc;
@@ -991,10 +999,6 @@ static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
 	u32 val, param_len, keyhandle;
 
 	keyhandle = tpm_buf_read_u32(buf, &offset_r);
-	if (handle)
-		*handle = keyhandle;
-	else
-		tpm2_flush_context(chip, keyhandle);
 
 	param_len = tpm_buf_read_u32(buf, &offset_r);
 	/*
@@ -1135,6 +1139,7 @@ static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
 		return -EINVAL;
 	}
 
+	*handle = keyhandle;
 	return 0;
 }
 
-- 
2.46.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ