Message-Id: <20250716121823.173949-1-jarkko@kernel.org>
Date: Wed, 16 Jul 2025 15:18:21 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: linux-kernel@...r.kernel.org
Cc: keyrings@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	Stefan Berger <stefanb@...ux.ibm.com>,
	Jarkko Sakkinen <jarkko.sakkinen@...nsys.com>,
	Jonathan Corbet <corbet@....net>,
	Peter Huewe <peterhuewe@....de>,
	Jarkko Sakkinen <jarkko@...nel.org>,
	Jason Gunthorpe <jgg@...pe.ca>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Paul E. McKenney" <paulmck@...nel.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Neeraj Upadhyay <Neeraj.Upadhyay@....com>,
	"Borislav Petkov (AMD)" <bp@...en8.de>,
	Arnd Bergmann <arnd@...db.de>,
	Frank van der Linden <fvdl@...gle.com>,
	linux-doc@...r.kernel.org (open list:DOCUMENTATION)
Subject: [RFC PATCH] tpm, tpm_vtpm_proxy: boot-time TPM

From: Jarkko Sakkinen <jarkko.sakkinen@...nsys.com>

Provide a kernel command-line parameter named `supplicant`, which
contains the path to a TPM emulator binary. When defined, the kernel
launches that program at boot time.

This feature is most useful in feature testing e.g., in environments
where other means are not possible, such as CI runners. Its original use
case highlights also quite well of its applicability for pre-production
hardware: it was used to provide a TPM implemnentation for a RISC-V SoC
running on FPGA with no TPM HW implementation at the time.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@...nsys.com>
---
Bumped into this in my archives so thought to make it available just in
case anyone is interested.
---
 .../admin-guide/kernel-parameters.txt         | 14 +++++
 drivers/char/tpm/tpm_vtpm_proxy.c             | 51 +++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index f1f2c0874da9..e062de99480e 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -7230,6 +7230,20 @@
 			defined by Trusted Computing Group (TCG) see
 			https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/
 
+	tpm_vtpm_proxy.supplicant= [TPM]
+			When defined, this field must contain a legit path to a
+			program emulating a TPM chip, which will be started
+			during the driver initialization, thus providing a
+			mechanism for the user space have an emulated TPM from
+			the get go. Kernel prepares the process with a file
+			pre-opened file descriptor in the index 3 for
+			/dev/vtpmx.
+
+			An emulator can optionally provide support for
+			localities by reacting to the vendor command defined
+			by the driver: 0x20001000. Its payload is a single
+			byte containing the new locality.
+
 	tp_printk	[FTRACE]
 			Have the tracepoints sent to printk as well as the
 			tracing ring buffer. This is useful for early boot up
diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c
index 0818bb517805..612f5251fdc0 100644
--- a/drivers/char/tpm/tpm_vtpm_proxy.c
+++ b/drivers/char/tpm/tpm_vtpm_proxy.c
@@ -51,6 +51,8 @@ struct proxy_dev {
 #define VTPM_PROXY_FLAGS_ALL  (VTPM_PROXY_FLAG_TPM2)
 
 static struct workqueue_struct *workqueue;
+static char *supplicant;
+module_param(supplicant, charp, 0);
 
 static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev);
 
@@ -678,6 +680,55 @@ static const struct file_operations vtpmx_fops = {
 	.llseek = noop_llseek,
 };
 
+static int vtpmx_supplicant_setup(struct subprocess_info *info, struct cred *new)
+{
+	struct vtpm_proxy_new_dev dev = { .flags = VTPM_PROXY_FLAG_TPM2 };
+	struct file *file = vtpm_proxy_create_device(&dev);
+
+	if (IS_ERR(file))
+		return PTR_ERR(file);
+
+	fd_install(dev.fd, file);
+	return 0;
+}
+
+static void vtpmx_supplicant_cleanup(struct subprocess_info *info)
+{
+}
+
+static int vtpmx_supplicant_init(void)
+{
+	static const char * const argv[] = { supplicant, NULL };
+	struct subprocess_info *info;
+	int ret;
+
+	if (!supplicant)
+		return 0;
+
+	info = call_usermodehelper_setup(argv[0], (char **)argv, NULL,
+					 GFP_KERNEL, vtpmx_supplicant_setup,
+					 vtpmx_supplicant_cleanup, NULL);
+	if (!info)
+		return -ENOMEM;
+
+	ret = call_usermodehelper_exec(info, UMH_KILLABLE | UMH_NO_WAIT);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static int vtpmx_init(void)
+{
+	int ret;
+
+	ret = vtpmx_supplicant_init();
+	if (ret)
+		return ret;
+
+	return misc_register(&vtpmx_miscdev);
+}
+
 static struct miscdevice vtpmx_miscdev = {
 	.minor = MISC_DYNAMIC_MINOR,
 	.name = "vtpmx",
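Review bot: `static const char * const argv[] = { supplicant, NULL };` initializes a static object with the run-time value of `supplicant`, which is not a constant expression, so the compiler rejects the line; the array does need static storage, because with `UMH_NO_WAIT` the exec happens asynchronously after vtpmx_supplicant_init() has returned and call_usermodehelper_setup() keeps the argv pointer rather than copying it, so declare `static char *argv[2];` and assign `argv[0] = supplicant;` after the NULL check. In vtpmx_supplicant_setup() the descriptor number is whatever was allocated inside vtpm_proxy_create_device() in the helper's inherited files table, so the "fd 3" contract is an assumption the code never enforces; fs/coredump.c's umh_pipe_setup() pins its descriptor with replace_fd() and this setup should do the same (or at least fail when `dev.fd != 3`), bearing in mind that replace_fd() may not be exported for a modular build. Because the exec is asynchronous, a wrong or not-yet-mounted path is never reported; `UMH_KILLABLE | UMH_WAIT_EXEC` returns the exec status while still leaving the emulator running, and for a built-in driver the binary presumably has to live in the initramfs since the real root is not mounted at initcall time. vtpmx_init() uses `vtpmx_miscdev` three lines before its definition, which only compiles if a forward declaration exists above the hunk, and nothing in the patch calls vtpmx_init() while the diffstat shows no deletions, so either an existing vtpmx_init() is now redefined or the new one is dead code — the rest of the file is outside this hunk so I cannot tell which. The helper runs with the kernel's usermode-helper (root) credentials from a path taken off the command line or modprobe options, which the user-facing documentation should state explicitly.
```c
static int vtpmx_supplicant_setup(struct subprocess_info *info, struct cred *new)
{
	struct vtpm_proxy_new_dev dev = { .flags = VTPM_PROXY_FLAG_TPM2 };
	struct file *file = vtpm_proxy_create_device(&dev);
	int ret;

	if (IS_ERR(file))
		return PTR_ERR(file);

	/* Pin the server side to fd 3 instead of trusting the inherited table. */
	put_unused_fd(dev.fd);
	ret = replace_fd(3, file, 0);
	fput(file);
	return ret < 0 ? ret : 0;
}

static int vtpmx_supplicant_init(void)
{
	/* Static: exec is asynchronous and call_usermodehelper_setup() keeps the pointer. */
	static char *argv[2];
	struct subprocess_info *info;
	int ret;

	if (!supplicant)
		return 0;

	argv[0] = supplicant;
	argv[1] = NULL;

	info = call_usermodehelper_setup(argv[0], argv, NULL, GFP_KERNEL,
					 vtpmx_supplicant_setup,
					 vtpmx_supplicant_cleanup, NULL);
	/* … unchanged: -ENOMEM check … */
	ret = call_usermodehelper_exec(info, UMH_KILLABLE | UMH_WAIT_EXEC);
	/* … unchanged: return ret … */
}
```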
-- 
2.39.5

