Message-ID: <aMGtPNV0lgH54yqK@kernel.org>
Date: Wed, 10 Sep 2025 19:54:20 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Jonathan McDowell <noodles@...th.li>
Cc: Peter Huewe <peterhuewe@....de>, Jason Gunthorpe <jgg@...pe.ca>,
	linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 2/4] tpm: Remove tpm_find_get_ops

On Tue, Sep 02, 2025 at 06:27:03PM +0100, Jonathan McDowell wrote:
> From: Jonathan McDowell <noodles@...a.com>
> 
> tpm_find_get_ops() looks for the first valid TPM if the caller passes in
> NULL. All internal users have been converted to either associate
> themselves with a TPM directly, or call tpm_default_chip() as part of
> their setup. Remove the no longer necessary tpm_find_get_ops().
> 
> Signed-off-by: Jonathan McDowell <noodles@...a.com>

This is a welcome change, thanks.

> ---
>  drivers/char/tpm/tpm-chip.c      | 36 --------------------------------
>  drivers/char/tpm/tpm-interface.c | 20 ++++++++++++++----
>  drivers/char/tpm/tpm.h           |  1 -
>  drivers/char/tpm/tpm_tis_core.c  |  3 +--
>  4 files changed, 17 insertions(+), 43 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index 8c8e9054762a..ba906966721a 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -230,42 +230,6 @@ struct tpm_chip *tpm_default_chip(void)
>  }
>  EXPORT_SYMBOL_GPL(tpm_default_chip);
>  
> -/**
> - * tpm_find_get_ops() - find and reserve a TPM chip
> - * @chip:	a &struct tpm_chip instance, %NULL for the default chip
> - *
> - * Finds a TPM chip and reserves its class device and operations. The chip must
> - * be released with tpm_put_ops() after use.
> - * This function is for internal use only. It supports existing TPM callers
> - * by accepting NULL, but those callers should be converted to pass in a chip
> - * directly.
> - *
> - * Return:
> - * A reserved &struct tpm_chip instance.
> - * %NULL if a chip is not found.
> - * %NULL if the chip is not available.
> - */
> -struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip)
> -{
> -	int rc;
> -
> -	if (chip) {
> -		if (!tpm_try_get_ops(chip))
> -			return chip;
> -		return NULL;
> -	}
> -
> -	chip = tpm_default_chip();
> -	if (!chip)
> -		return NULL;
> -	rc = tpm_try_get_ops(chip);
> -	/* release additional reference we got from tpm_default_chip() */
> -	put_device(&chip->dev);
> -	if (rc)
> -		return NULL;
> -	return chip;
> -}
> -
>  /**
>   * tpm_dev_release() - free chip memory and the device number
>   * @dev: the character device for the TPM chip
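Review bot: the NULL branch deleted in this hunk also released the extra reference taken by tpm_default_chip() ("put_device(&chip->dev);" right after tpm_try_get_ops()). Callers that now call tpm_default_chip() themselves own that reference, so the commit message should say where each converted caller drops it.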
> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
> index b71725827743..8f65dc06a157 100644
> --- a/drivers/char/tpm/tpm-interface.c
> +++ b/drivers/char/tpm/tpm-interface.c
> @@ -313,10 +313,13 @@ int tpm_is_tpm2(struct tpm_chip *chip)
>  {
>  	int rc;
>  
> -	chip = tpm_find_get_ops(chip);
>  	if (!chip)
>  		return -ENODEV;
>  
> +	rc = tpm_try_get_ops(chip);
> +	if (rc)
> +		return rc;
> +
>  	rc = (chip->flags & TPM_CHIP_FLAG_TPM2) != 0;
>  
>  	tpm_put_ops(chip);
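Review bot: in tpm_is_tpm2() a failed tpm_try_get_ops() now returns its rc, whereas the old path got NULL back from tpm_find_get_ops() and ended in -ENODEV. If any caller compares against -ENODEV, either keep returning -ENODEV here or mention the changed error code in the commit message; the same applies to the three hunks below.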
> @@ -338,10 +341,13 @@ int tpm_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
>  {
>  	int rc;
>  
> -	chip = tpm_find_get_ops(chip);
>  	if (!chip)
>  		return -ENODEV;
>  
> +	rc = tpm_try_get_ops(chip);
> +	if (rc)
> +		return rc;
> +
>  	if (chip->flags & TPM_CHIP_FLAG_TPM2)
>  		rc = tpm2_pcr_read(chip, pcr_idx, digest, NULL);
>  	else
> @@ -369,10 +375,13 @@ int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
>  	int rc;
>  	int i;
>  
> -	chip = tpm_find_get_ops(chip);
>  	if (!chip)
>  		return -ENODEV;
>  
> +	rc = tpm_try_get_ops(chip);
> +	if (rc)
> +		return rc;
> +
>  	for (i = 0; i < chip->nr_allocated_banks; i++) {
>  		if (digests[i].alg_id != chip->allocated_banks[i].alg_id) {
>  			rc = -EINVAL;
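Review bot: with the lookup gone, the "if (!chip) return -ENODEV;" at the top of tpm_pcr_extend() changes from a chip-not-found result into rejection of a NULL argument, so a caller still passing NULL gets an error and no extend instead of the default chip. The commit message says all internal users are converted; the kernel-doc for the chip parameter of these functions should be checked so it no longer advertises NULL as accepted.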
> @@ -492,10 +501,13 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max)
>  	if (!out || max > TPM_MAX_RNG_DATA)
>  		return -EINVAL;
>  
> -	chip = tpm_find_get_ops(chip);
>  	if (!chip)
>  		return -ENODEV;
>  
> +	rc = tpm_try_get_ops(chip);
> +	if (rc)
> +		return rc;
> +
>  	if (chip->flags & TPM_CHIP_FLAG_TPM2)
>  		rc = tpm2_get_random(chip, out, max);
>  	else
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index 7bb87fa5f7a1..9c158c55c05f 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -267,7 +267,6 @@ static inline void tpm_msleep(unsigned int delay_msec)
>  int tpm_chip_bootstrap(struct tpm_chip *chip);
>  int tpm_chip_start(struct tpm_chip *chip);
>  void tpm_chip_stop(struct tpm_chip *chip);
> -struct tpm_chip *tpm_find_get_ops(struct tpm_chip *chip);
>  
>  struct tpm_chip *tpm_chip_alloc(struct device *dev,
>  				const struct tpm_class_ops *ops);
> diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
> index 4b12c4b9da8b..73b94f4daf4b 100644
> --- a/drivers/char/tpm/tpm_tis_core.c
> +++ b/drivers/char/tpm/tpm_tis_core.c
> @@ -265,8 +265,7 @@ static u8 tpm_tis_status(struct tpm_chip *chip)
>  
>  			/*
>  			 * Dump stack for forensics, as invalid TPM_STS.x could be
> -			 * potentially triggered by impaired tpm_try_get_ops() or
> -			 * tpm_find_get_ops().
> +			 * potentially triggered by impaired tpm_try_get_ops().
>  			 */
>  			dump_stack();

Sorry, this is outside the scope of the review, but I'll remark on something
while I still remember it :-)

Looking at "if  (!test_and_set_bit(TPM_TIS_INVALID_STATUS, &priv->flags)) {"

Although git blame unfortunately points to me, I don't agree with the
"pr_err + dump_stack" rollback sequence:

1. Stack here is useless noise.
2. This should be a fallible situation really, as it can be affected by
   outside stimuli, not just a long-stretch malicious device alike case,
   but also it could be like perhaps a TPM emulator or something else
   more flaky than a chip.

Improved rollback sequence would be:

1. Print dev_err, exactly as it does now. It's not a kernel bug per se
   but something is definitely acting weirdly.
2. Make '->status' fallible so that rollback can be further propagated
   to 'tpm_transmit'
3. Return some sensible POSIX error code, probably -EIO combined with
   pre-existing dev_err would be fine.

Back to the topic. I agree with the patch. I'll come back on this
once I've tested it with a live kernel in my environment [1].

[1] https://codeberg.org/jarkko/linux-tpmdd-test
    
BR, Jarkko
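
The rollback sequence proposed in the reply above, as a userspace C model (an added example, not code from the kernel or from this thread): the status callback returns an int, so an invalid status read is logged once and reaches the transmit path as -EIO. All model_* names, the MODEL_* bit masks and the sample register reads are constructed assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only bit masks (assumptions, not taken from the driver). */
#define MODEL_STS_VALID      0x80
#define MODEL_STS_DATA_AVAIL 0x10
#define MODEL_STS_MUST_ZERO  0x23 /* bits a sane device never sets */

struct model_chip {
	const uint8_t *reads; /* constructed status register reads */
	size_t n, pos;
	int invalid_seen;     /* one-shot flag, like TPM_TIS_INVALID_STATUS */
};

/* Fallible status: >= 0 is the status byte, < 0 is a -errno. */
static int model_status(struct model_chip *c)
{
	uint8_t sts;

	if (c->pos >= c->n)
		return -ETIMEDOUT; /* device never became ready */
	sts = c->reads[c->pos++];
	if (sts & MODEL_STS_MUST_ZERO) {
		if (!c->invalid_seen) /* step 1: log once, no stack dump */
			fprintf(stderr, "model: invalid status 0x%02x\n", sts);
		c->invalid_seen = 1;
		return -EIO;          /* step 3: plain POSIX error code */
	}
	return sts;
}

/* Step 2: the transmit path sees the failure instead of a bogus byte. */
static int model_transmit(const uint8_t *reads, size_t n)
{
	struct model_chip c = { reads, n, 0, 0 };
	const int want = MODEL_STS_VALID | MODEL_STS_DATA_AVAIL;

	for (;;) {
		int sts = model_status(&c);
		if (sts < 0)
			return sts;
		if ((sts & want) == want)
			return 0;
	}
}

int main(void)
{
	const uint8_t flaky[] = { 0x80, 0xff }; /* constructed sample */
	return model_transmit(flaky, 2) == -EIO ? 0 : 1;
}
```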
