From 791ec491c372f49cea3ea7a7143454a9023ac9d4 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 17 Feb 2017 07:57:00 -0500 Subject: [PATCH 01/98] prlimit,security,selinux: add a security hook for prlimit When SELinux was first added to the kernel, a process could only get and set its own resource limits via getrlimit(2) and setrlimit(2), so no MAC checks were required for those operations, and thus no security hooks were defined for them. Later, SELinux introduced a hook for setlimit(2) with a check if the hard limit was being changed in order to be able to rely on the hard limit value as a safe reset point upon context transitions. Later on, when prlimit(2) was added to the kernel with the ability to get or set resource limits (hard or soft) of another process, LSM/SELinux was not updated other than to pass the target process to the setrlimit hook. This resulted in incomplete control over both getting and setting the resource limits of another process. Add a new security_task_prlimit() hook to the check_prlimit_permission() function to provide complete mediation. The hook is only called when acting on another task, and only if the existing DAC/capability checks would allow access. Pass flags down to the hook to indicate whether the prlimit(2) call will read, write, or both read and write the resource limits of the target process. The existing security_task_setrlimit() hook is left alone; it continues to serve a purpose in supporting the ability to make decisions based on the old and/or new resource limit values when setting limits. This is consistent with the DAC/capability logic, where check_prlimit_permission() performs generic DAC/capability checks for acting on another task, while do_prlimit() performs a capability check based on a comparison of the old and new resource limits. Fix the inline documentation for the hook to match the code. Implement the new hook for SELinux. For setting resource limits, we reuse the existing setrlimit permission. Note that this does overload the setrlimit permission to mean the ability to set the resource limit (soft or hard) of another process or the ability to change one's own hard limit. For getting resource limits, a new getrlimit permission is defined. This was not originally defined since getrlimit(2) could only be used to obtain a process' own limits. Signed-off-by: Stephen Smalley Signed-off-by: James Morris --- include/linux/lsm_hooks.h | 18 ++++++++++++++--- include/linux/security.h | 13 +++++++++++++ kernel/sys.c | 30 +++++++++++++++++------------ security/security.c | 8 ++++++++ security/selinux/hooks.c | 14 ++++++++++++++ security/selinux/include/classmap.h | 2 +- 6 files changed, 69 insertions(+), 16 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index e29d4c62a3c8..ba3049f05aea 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -630,10 +630,19 @@ * Check permission before getting the ioprio value of @p. * @p contains the task_struct of process. * Return 0 if permission is granted. + * @task_prlimit: + * Check permission before getting and/or setting the resource limits of + * another task. + * @cred points to the cred structure for the current task. + * @tcred points to the cred structure for the target task. + * @flags contains the LSM_PRLIMIT_* flag bits indicating whether the + * resource limits are being read, modified, or both. + * Return 0 if permission is granted. * @task_setrlimit: - * Check permission before setting the resource limits of the current - * process for @resource to @new_rlim. The old resource limit values can - * be examined by dereferencing (current->signal->rlim + resource). + * Check permission before setting the resource limits of process @p + * for @resource to @new_rlim. The old resource limit values can + * be examined by dereferencing (p->signal->rlim + resource). + * @p points to the task_struct for the target task's group leader. * @resource contains the resource whose limit is being set. * @new_rlim contains the new limits for @resource. * Return 0 if permission is granted. @@ -1494,6 +1503,8 @@ union security_list_options { int (*task_setnice)(struct task_struct *p, int nice); int (*task_setioprio)(struct task_struct *p, int ioprio); int (*task_getioprio)(struct task_struct *p); + int (*task_prlimit)(const struct cred *cred, const struct cred *tcred, + unsigned int flags); int (*task_setrlimit)(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim); int (*task_setscheduler)(struct task_struct *p); @@ -1755,6 +1766,7 @@ struct security_hook_heads { struct list_head task_setnice; struct list_head task_setioprio; struct list_head task_getioprio; + struct list_head task_prlimit; struct list_head task_setrlimit; struct list_head task_setscheduler; struct list_head task_getscheduler; diff --git a/include/linux/security.h b/include/linux/security.h index 96899fad7016..97df7bac5b48 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -133,6 +133,10 @@ extern unsigned long dac_mmap_min_addr; /* setfsuid or setfsgid, id0 == fsuid or fsgid */ #define LSM_SETID_FS 8 +/* Flags for security_task_prlimit(). */ +#define LSM_PRLIMIT_READ 1 +#define LSM_PRLIMIT_WRITE 2 + /* forward declares to avoid warnings */ struct sched_param; struct request_sock; @@ -324,6 +328,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); +int security_task_prlimit(const struct cred *cred, const struct cred *tcred, + unsigned int flags); int security_task_setrlimit(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim); int security_task_setscheduler(struct task_struct *p); @@ -949,6 +955,13 @@ static inline int security_task_getioprio(struct task_struct *p) return 0; } +static inline int security_task_prlimit(const struct cred *cred, + const struct cred *tcred, + unsigned int flags) +{ + return 0; +} + static inline int security_task_setrlimit(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim) diff --git a/kernel/sys.c b/kernel/sys.c index 7ff6d1b10cec..196c7134bee6 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1432,25 +1432,26 @@ out: } /* rcu lock must be held */ -static int check_prlimit_permission(struct task_struct *task) +static int check_prlimit_permission(struct task_struct *task, + unsigned int flags) { const struct cred *cred = current_cred(), *tcred; + bool id_match; if (current == task) return 0; tcred = __task_cred(task); - if (uid_eq(cred->uid, tcred->euid) && - uid_eq(cred->uid, tcred->suid) && - uid_eq(cred->uid, tcred->uid) && - gid_eq(cred->gid, tcred->egid) && - gid_eq(cred->gid, tcred->sgid) && - gid_eq(cred->gid, tcred->gid)) - return 0; - if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE)) - return 0; + id_match = (uid_eq(cred->uid, tcred->euid) && + uid_eq(cred->uid, tcred->suid) && + uid_eq(cred->uid, tcred->uid) && + gid_eq(cred->gid, tcred->egid) && + gid_eq(cred->gid, tcred->sgid) && + gid_eq(cred->gid, tcred->gid)); + if (!id_match && !ns_capable(tcred->user_ns, CAP_SYS_RESOURCE)) + return -EPERM; - return -EPERM; + return security_task_prlimit(cred, tcred, flags); } SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, @@ -1460,12 +1461,17 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, struct rlimit64 old64, new64; struct rlimit old, new; struct task_struct *tsk; + unsigned int checkflags = 0; int ret; + if (old_rlim) + checkflags |= LSM_PRLIMIT_READ; + if (new_rlim) { if (copy_from_user(&new64, new_rlim, sizeof(new64))) return -EFAULT; rlim64_to_rlim(&new64, &new); + checkflags |= LSM_PRLIMIT_WRITE; } rcu_read_lock(); @@ -1474,7 +1480,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, rcu_read_unlock(); return -ESRCH; } - ret = check_prlimit_permission(tsk); + ret = check_prlimit_permission(tsk, checkflags); if (ret) { rcu_read_unlock(); return ret; diff --git a/security/security.c b/security/security.c index d0e07f269b2d..905dad2811d3 100644 --- a/security/security.c +++ b/security/security.c @@ -1036,6 +1036,12 @@ int security_task_getioprio(struct task_struct *p) return call_int_hook(task_getioprio, 0, p); } +int security_task_prlimit(const struct cred *cred, const struct cred *tcred, + unsigned int flags) +{ + return call_int_hook(task_prlimit, 0, cred, tcred, flags); +} + int security_task_setrlimit(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim) { @@ -1793,6 +1799,8 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.task_setioprio), .task_getioprio = LIST_HEAD_INIT(security_hook_heads.task_getioprio), + .task_prlimit = + LIST_HEAD_INIT(security_hook_heads.task_prlimit), .task_setrlimit = LIST_HEAD_INIT(security_hook_heads.task_setrlimit), .task_setscheduler = diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0c2ac318aa7f..870d24ecc2de 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3920,6 +3920,19 @@ static int selinux_task_getioprio(struct task_struct *p) PROCESS__GETSCHED, NULL); } +int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, + unsigned int flags) +{ + u32 av = 0; + + if (flags & LSM_PRLIMIT_WRITE) + av |= PROCESS__SETRLIMIT; + if (flags & LSM_PRLIMIT_READ) + av |= PROCESS__GETRLIMIT; + return avc_has_perm(cred_sid(cred), cred_sid(tcred), + SECCLASS_PROCESS, av, NULL); +} + static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim) { @@ -6206,6 +6219,7 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), + LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index d429c4a1c551..1e0cc9b5de20 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -47,7 +47,7 @@ struct security_class_mapping secclass_map[] = { "getattr", "setexec", "setfscreate", "noatsecure", "siginh", "setrlimit", "rlimitinh", "dyntransition", "setcurrent", "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", NULL } }, + "setsockcreate", "getrlimit", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, From 84e6885e9e6a818d1ca1eabb9b720b357ab07a8b Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 28 Feb 2017 09:35:08 -0500 Subject: [PATCH 02/98] selinux: fix kernel BUG on prlimit(..., NULL, NULL) commit 79bcf325e6b32b3c ("prlimit,security,selinux: add a security hook for prlimit") introduced a security hook for prlimit() and implemented it for SELinux. However, if prlimit() is called with NULL arguments for both the new limit and the old limit, then the hook is called with 0 for the read/write flags, since the prlimit() will neither read nor write the process' limits. This would in turn lead to calling avc_has_perm() with 0 for the requested permissions, which triggers a BUG_ON() in avc_has_perm_noaudit() since the kernel should never be invoking avc_has_perm() with no permissions. Fix this in the SELinux hook by returning immediately if the flags are 0. Arguably prlimit64() itself ought to return immediately if both old_rlim and new_rlim are NULL since it is effectively a no-op in that case. Reported by the lkp-robot based on trinity testing. Signed-off-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: James Morris --- security/selinux/hooks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 870d24ecc2de..3ba5ce1f4e05 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3925,6 +3925,8 @@ int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, { u32 av = 0; + if (!flags) + return 0; if (flags & LSM_PRLIMIT_WRITE) av |= PROCESS__SETRLIMIT; if (flags & LSM_PRLIMIT_READ) From dd0859dccbe291cf8179a96390f5c0e45cb9af1d Mon Sep 17 00:00:00 2001 From: James Morris Date: Wed, 15 Feb 2017 00:17:24 +1100 Subject: [PATCH 03/98] security: introduce CONFIG_SECURITY_WRITABLE_HOOKS Subsequent patches will add RO hardening to LSM hooks, however, SELinux still needs to be able to perform runtime disablement after init to handle architectures where init-time disablement via boot parameters is not feasible. Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS, and a helper macro __lsm_ro_after_init, to handle this case. Signed-off-by: James Morris Acked-by: Stephen Smalley Acked-by: Casey Schaufler Acked-by: Kees Cook --- include/linux/lsm_hooks.h | 7 +++++++ security/Kconfig | 5 +++++ security/selinux/Kconfig | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index ba3049f05aea..1aa63335de9e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, } #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ +/* Currently required to handle SELinux runtime hook disable. */ +#ifdef CONFIG_SECURITY_WRITABLE_HOOKS +#define __lsm_ro_after_init +#else +#define __lsm_ro_after_init __ro_after_init +#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ + extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA diff --git a/security/Kconfig b/security/Kconfig index d900f47eaa68..3ff1bf91080e 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -31,6 +31,11 @@ config SECURITY If you are unsure how to answer this question, answer N. +config SECURITY_WRITABLE_HOOKS + depends on SECURITY + bool + default n + config SECURITYFS bool "Enable the securityfs filesystem" help diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index ea7e3efbe0f7..8af7a690eb40 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE config SECURITY_SELINUX_DISABLE bool "NSA SELinux runtime disable" depends on SECURITY_SELINUX + select SECURITY_WRITABLE_HOOKS default n help This option enables writing to a selinuxfs node 'disable', which @@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE portability across platforms where boot parameters are difficult to employ. + NOTE: selecting this option will disable the '__ro_after_init' + kernel hardening feature for security hooks. Please consider + using the selinux=0 boot parameter instead of enabling this + option. + If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DEVELOP From ca97d939db114c8d1619e10a3b82af8615372dae Mon Sep 17 00:00:00 2001 From: James Morris Date: Wed, 15 Feb 2017 00:18:51 +1100 Subject: [PATCH 04/98] security: mark LSM hooks as __ro_after_init Mark all of the registration hooks as __ro_after_init (via the __lsm_ro_after_init macro). Signed-off-by: James Morris Acked-by: Stephen Smalley Acked-by: Kees Cook --- security/apparmor/lsm.c | 2 +- security/commoncap.c | 2 +- security/loadpin/loadpin.c | 2 +- security/security.c | 2 +- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 709eacd23909..e287b691a30e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task, return error; } -static struct security_hook_list apparmor_hooks[] = { +static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), LSM_HOOK_INIT(capget, apparmor_capget), diff --git a/security/commoncap.c b/security/commoncap.c index 78b37838a2d3..7abebd782d5e 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1071,7 +1071,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, #ifdef CONFIG_SECURITY -struct security_hook_list capability_hooks[] = { +struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capable, cap_capable), LSM_HOOK_INIT(settime, cap_settime), LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check), diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 1d82eae3a5b8..dbe6efde77a0 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -174,7 +174,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) return 0; } -static struct security_hook_list loadpin_hooks[] = { +static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), }; diff --git a/security/security.c b/security/security.c index 905dad2811d3..d6d18a3721aa 100644 --- a/security/security.c +++ b/security/security.c @@ -1628,7 +1628,7 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, } #endif /* CONFIG_AUDIT */ -struct security_hook_heads security_hook_heads = { +struct security_hook_heads security_hook_heads __lsm_ro_after_init = { .binder_set_context_mgr = LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr), .binder_transaction = diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ba5ce1f4e05..d37a72316e9d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6123,7 +6123,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif -static struct security_hook_list selinux_hooks[] = { +static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fc8fb31fc24f..927e60e622d1 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4633,7 +4633,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) return 0; } -static struct security_hook_list smack_hooks[] = { +static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), LSM_HOOK_INIT(syslog, smack_syslog), diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index edc52d620f29..b5fb930349a9 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -496,7 +496,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg, * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. */ -static struct security_hook_list tomoyo_hooks[] = { +static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_alloc_blank, tomoyo_cred_alloc_blank), LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare), LSM_HOOK_INIT(cred_transfer, tomoyo_cred_transfer), diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 88271a3bf37f..8298e094f4f7 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -428,7 +428,7 @@ int yama_ptrace_traceme(struct task_struct *parent) return rc; } -static struct security_hook_list yama_hooks[] = { +static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), LSM_HOOK_INIT(task_prctl, yama_task_prctl), From 579fc0dc09111c1f8b94742a0ed5a0bb8fdddbb9 Mon Sep 17 00:00:00 2001 From: James Morris Date: Mon, 6 Mar 2017 11:58:08 -0500 Subject: [PATCH 05/98] selinux: constify nlmsg permission tables Constify nlmsg permission tables, which are initialized once and then do not change. Signed-off-by: James Morris Signed-off-by: Paul Moore --- security/selinux/nlmsgtab.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 2ca9cde939d4..57e2596bdd8a 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c @@ -28,7 +28,7 @@ struct nlmsg_perm { u32 perm; }; -static struct nlmsg_perm nlmsg_route_perms[] = +static const struct nlmsg_perm nlmsg_route_perms[] = { { RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, { RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, @@ -80,7 +80,7 @@ static struct nlmsg_perm nlmsg_route_perms[] = { RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ }, }; -static struct nlmsg_perm nlmsg_tcpdiag_perms[] = +static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = { { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, @@ -88,7 +88,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] = { SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE }, }; -static struct nlmsg_perm nlmsg_xfrm_perms[] = +static const struct nlmsg_perm nlmsg_xfrm_perms[] = { { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, { XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, @@ -115,7 +115,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] = { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ }, }; -static struct nlmsg_perm nlmsg_audit_perms[] = +static const struct nlmsg_perm nlmsg_audit_perms[] = { { AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, { AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, @@ -136,7 +136,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] = }; -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize) +static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize) { int i, err = -EINVAL; From bad4417b692ede5cf31105b329cea1544875b526 Mon Sep 17 00:00:00 2001 From: James Morris Date: Mon, 13 Feb 2017 16:34:35 +1100 Subject: [PATCH 06/98] integrity: mark default IMA rules as __ro_after_init The default IMA rules are loaded during init and then do not change, so mark them as __ro_after_init. Signed-off-by: James Morris Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index aed47b777a57..e8498a3f4887 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -83,7 +83,7 @@ struct ima_rule_entry { * normal users can easily run the machine out of memory simply building * and running executables. */ -static struct ima_rule_entry dont_measure_rules[] = { +static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, @@ -97,7 +97,7 @@ static struct ima_rule_entry dont_measure_rules[] = { {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} }; -static struct ima_rule_entry original_measurement_rules[] = { +static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, @@ -108,7 +108,7 @@ static struct ima_rule_entry original_measurement_rules[] = { {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, }; -static struct ima_rule_entry default_measurement_rules[] = { +static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, @@ -122,7 +122,7 @@ static struct ima_rule_entry default_measurement_rules[] = { {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, }; -static struct ima_rule_entry default_appraise_rules[] = { +static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= Date: Fri, 24 Feb 2017 15:05:14 +0100 Subject: [PATCH 07/98] ima: accept previously set IMA_NEW_FILE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Modifying the attributes of a file makes ima_inode_post_setattr reset the IMA cache flags. So if the file, which has just been created, is opened a second time before the first file descriptor is closed, verification fails since the security.ima xattr has not been written yet. We therefore have to look at the IMA_NEW_FILE even if the file already existed. With this patch there should no longer be an error when cat tries to open testfile: $ rm -f testfile $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile A file being new is no reason to accept that it is missing a digital signature demanded by the policy. Signed-off-by: Daniel Glöckner Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 1fd9539a969d..5d0785cfe063 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -207,10 +207,11 @@ int ima_appraise_measurement(enum ima_hooks func, cause = "missing-hash"; status = INTEGRITY_NOLABEL; - if (opened & FILE_CREATED) { + if (opened & FILE_CREATED) iint->flags |= IMA_NEW_FILE; + if ((iint->flags & IMA_NEW_FILE) && + !(iint->flags & IMA_DIGSIG_REQUIRED)) status = INTEGRITY_PASS; - } goto out; } From c017c71ce09f4c7a5378fccbec6a3d7e96b0c5c2 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sun, 5 Mar 2017 15:01:52 +0100 Subject: [PATCH 08/98] selinux: include sys/socket.h in host programs to have PF_MAX Compiling with clang and -Wundef makes the compiler report a usage of undefined PF_MAX macro in security/selinux/include/classmap.h: In file included from scripts/selinux/mdp/mdp.c:48: security/selinux/include/classmap.h:37:31: warning: no previous extern declaration for non-static variable 'secclass_map' [-Wmissing-variable-declarations] struct security_class_mapping secclass_map[] = { ^ security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not defined, evaluates to 0 [-Werror,-Wundef] #if PF_MAX > 43 ^ In file included from scripts/selinux/genheaders/genheaders.c:17: security/selinux/include/classmap.h:37:31: warning: no previous extern declaration for non-static variable 'secclass_map' [-Wmissing-variable-declarations] struct security_class_mapping secclass_map[] = { ^ security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not defined, evaluates to 0 [-Werror,-Wundef] #if PF_MAX > 43 ^ PF_MAX is defined in include/linux/socket.h but not in include/uapi/linux/socket.h. Therefore host programs have to rely on the definition from libc's /usr/include/bits/socket.h, included by . Fix the issue by using sys/socket.h in mdp and genheaders. When classmap.h is included by security/selinux/avc.c, it uses the kernel definition of PF_MAX, which makes the test consistent. Signed-off-by: Nicolas Iooss Signed-off-by: Paul Moore --- scripts/selinux/genheaders/genheaders.c | 1 + scripts/selinux/mdp/mdp.c | 1 + 2 files changed, 2 insertions(+) diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index f4dd41f900d5..6a24569c3578 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c @@ -8,6 +8,7 @@ #include #include #include +#include struct security_class_mapping { const char *name; diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index c29fa4a6228d..ffe8179f5d41 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -32,6 +32,7 @@ #include #include #include +#include static void usage(char *name) { From e2f586bd83177d22072b275edd4b8b872daba924 Mon Sep 17 00:00:00 2001 From: Alexander Potapenko Date: Mon, 6 Mar 2017 19:46:14 +0100 Subject: [PATCH 09/98] selinux: check for address length in selinux_socket_bind() KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of uninitialized memory in selinux_socket_bind(): ================================================================== BUG: KMSAN: use of unitialized memory inter: 0 CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x238/0x290 lib/dump_stack.c:51 [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008 [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424 [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288 [] security_socket_bind+0x1ec/0x240 security/security.c:1240 [] SYSC_bind+0x358/0x5f0 net/socket.c:1366 [] SyS_bind+0x82/0xa0 net/socket.c:1356 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:? chained origin: 00000000ba6009bb [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67 [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322 [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337 [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530 [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380 [] SYSC_bind+0x129/0x5f0 net/socket.c:1356 [] SyS_bind+0x82/0xa0 net/socket.c:1356 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:? origin description: ----address@SYSC_bind (origin=00000000b8c00900) ================================================================== (the line numbers are relative to 4.8-rc6, but the bug persists upstream) , when I run the following program as root: ======================================================= #include #include #include int main(int argc, char *argv[]) { struct sockaddr addr; int size = 0; if (argc > 1) { size = atoi(argv[1]); } memset(&addr, 0, sizeof(addr)); int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); bind(fd, &addr, size); return 0; } ======================================================= (for different values of |size| other error reports are printed). This happens because bind() unconditionally copies |size| bytes of |addr| to the kernel, leaving the rest uninitialized. Then security_socket_bind() reads the IP address bytes, including the uninitialized ones, to determine the port, or e.g. pass them further to sel_netnode_find(), which uses them to calculate a hash. Signed-off-by: Alexander Potapenko Acked-by: Eric Dumazet [PM: fixed some whitespace damage] Signed-off-by: Paul Moore --- security/selinux/hooks.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d37a72316e9d..e67a526d1f30 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4367,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in u32 sid, node_perm; if (family == PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err = -EINVAL; + goto out; + } addr4 = (struct sockaddr_in *)address; snum = ntohs(addr4->sin_port); addrp = (char *)&addr4->sin_addr.s_addr; } else { + if (addrlen < SIN6_LEN_RFC2133) { + err = -EINVAL; + goto out; + } addr6 = (struct sockaddr_in6 *)address; snum = ntohs(addr6->sin6_port); addrp = (char *)&addr6->sin6_addr.s6_addr; From 3dd0c8d06511c7c61c62305fcf431ca28884d263 Mon Sep 17 00:00:00 2001 From: Mikhail Kurinnoi Date: Fri, 27 Jan 2017 19:23:01 +0300 Subject: [PATCH 10/98] ima: provide ">" and "<" operators for fowner/uid/euid rules. For now we have only "=" operator for fowner/uid/euid rules. This patch provide two more operators - ">" and "<" in order to make fowner/uid/euid rules more flexible. Examples of usage. Appraise all files owned by special and system users (SYS_UID_MAX 999): appraise fowner<1000 Don't appraise files owned by normal users (UID_MIN 1000): dont_appraise fowner>999 Appraise all files owned by users with UID 1000-1010: dont_appraise fowner>1010 appraise fowner>999 Changelog v3: - Removed code duplication in ima_parse_rule(). - Fix ima_policy_show() - (Mimi) Changelog v2: - Fixed default policy rules. Signed-off-by: Mikhail Kurinnoi Signed-off-by: Mimi Zohar security/integrity/ima/ima_policy.c | 115 +++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 28 deletions(-) --- security/integrity/ima/ima_policy.c | 115 +++++++++++++++++++++------- 1 file changed, 87 insertions(+), 28 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e8498a3f4887..3ab1067db624 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -64,6 +64,8 @@ struct ima_rule_entry { u8 fsuuid[16]; kuid_t uid; kuid_t fowner; + bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ + bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ int pcr; struct { void *rule; /* LSM file metadata specific */ @@ -103,7 +105,8 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, - .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_MASK | IMA_UID}, + .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, + .flags = IMA_FUNC | IMA_MASK | IMA_UID}, {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, }; @@ -114,9 +117,11 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, - .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, + .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, + .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, - .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, + .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, + .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, @@ -139,10 +144,11 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT - {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER}, + {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, + .flags = IMA_FOWNER}, #else /* force signature */ - {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, + {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, #endif }; @@ -240,19 +246,20 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, if ((rule->flags & IMA_FSUUID) && memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid))) return false; - if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) + if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; if (rule->flags & IMA_EUID) { if (has_capability_noaudit(current, CAP_SETUID)) { - if (!uid_eq(rule->uid, cred->euid) - && !uid_eq(rule->uid, cred->suid) - && !uid_eq(rule->uid, cred->uid)) + if (!rule->uid_op(cred->euid, rule->uid) + && !rule->uid_op(cred->suid, rule->uid) + && !rule->uid_op(cred->uid, rule->uid)) return false; - } else if (!uid_eq(rule->uid, cred->euid)) + } else if (!rule->uid_op(cred->euid, rule->uid)) return false; } - if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid)) + if ((rule->flags & IMA_FOWNER) && + !rule->fowner_op(inode->i_uid, rule->fowner)) return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; @@ -486,7 +493,9 @@ enum { Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, Opt_func, Opt_mask, Opt_fsmagic, - Opt_fsuuid, Opt_uid, Opt_euid, Opt_fowner, + Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, + Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, + Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_permit_directio, Opt_pcr }; @@ -507,9 +516,15 @@ static match_table_t policy_tokens = { {Opt_mask, "mask=%s"}, {Opt_fsmagic, "fsmagic=%s"}, {Opt_fsuuid, "fsuuid=%s"}, - {Opt_uid, "uid=%s"}, - {Opt_euid, "euid=%s"}, - {Opt_fowner, "fowner=%s"}, + {Opt_uid_eq, "uid=%s"}, + {Opt_euid_eq, "euid=%s"}, + {Opt_fowner_eq, "fowner=%s"}, + {Opt_uid_gt, "uid>%s"}, + {Opt_euid_gt, "euid>%s"}, + {Opt_fowner_gt, "fowner>%s"}, + {Opt_uid_lt, "uid<%s"}, + {Opt_euid_lt, "euid<%s"}, + {Opt_fowner_lt, "fowner<%s"}, {Opt_appraise_type, "appraise_type=%s"}, {Opt_permit_directio, "permit_directio"}, {Opt_pcr, "pcr=%s"}, @@ -541,24 +556,37 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, return result; } -static void ima_log_string(struct audit_buffer *ab, char *key, char *value) +static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, + bool (*rule_operator)(kuid_t, kuid_t)) { - audit_log_format(ab, "%s=", key); + if (rule_operator == &uid_gt) + audit_log_format(ab, "%s>", key); + else if (rule_operator == &uid_lt) + audit_log_format(ab, "%s<", key); + else + audit_log_format(ab, "%s=", key); audit_log_untrustedstring(ab, value); audit_log_format(ab, " "); } +static void ima_log_string(struct audit_buffer *ab, char *key, char *value) +{ + ima_log_string_op(ab, key, value, NULL); +} static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) { struct audit_buffer *ab; char *from; char *p; + bool uid_token; int result = 0; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE); entry->uid = INVALID_UID; entry->fowner = INVALID_UID; + entry->uid_op = &uid_eq; + entry->fowner_op = &uid_eq; entry->action = UNKNOWN; while ((p = strsep(&rule, " \t")) != NULL) { substring_t args[MAX_OPT_ARGS]; @@ -694,11 +722,21 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (!result) entry->flags |= IMA_FSUUID; break; - case Opt_uid: - ima_log_string(ab, "uid", args[0].from); - case Opt_euid: - if (token == Opt_euid) - ima_log_string(ab, "euid", args[0].from); + case Opt_uid_gt: + case Opt_euid_gt: + entry->uid_op = &uid_gt; + case Opt_uid_lt: + case Opt_euid_lt: + if ((token == Opt_uid_lt) || (token == Opt_euid_lt)) + entry->uid_op = &uid_lt; + case Opt_uid_eq: + case Opt_euid_eq: + uid_token = (token == Opt_uid_eq) || + (token == Opt_uid_gt) || + (token == Opt_uid_lt); + + ima_log_string_op(ab, uid_token ? "uid" : "euid", + args[0].from, entry->uid_op); if (uid_valid(entry->uid)) { result = -EINVAL; @@ -713,12 +751,18 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) (uid_t)lnum != lnum) result = -EINVAL; else - entry->flags |= (token == Opt_uid) + entry->flags |= uid_token ? IMA_UID : IMA_EUID; } break; - case Opt_fowner: - ima_log_string(ab, "fowner", args[0].from); + case Opt_fowner_gt: + entry->fowner_op = &uid_gt; + case Opt_fowner_lt: + if (token == Opt_fowner_lt) + entry->fowner_op = &uid_lt; + case Opt_fowner_eq: + ima_log_string_op(ab, "fowner", args[0].from, + entry->fowner_op); if (uid_valid(entry->fowner)) { result = -EINVAL; @@ -1049,19 +1093,34 @@ int ima_policy_show(struct seq_file *m, void *v) if (entry->flags & IMA_UID) { snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); - seq_printf(m, pt(Opt_uid), tbuf); + if (entry->uid_op == &uid_gt) + seq_printf(m, pt(Opt_uid_gt), tbuf); + else if (entry->uid_op == &uid_lt) + seq_printf(m, pt(Opt_uid_lt), tbuf); + else + seq_printf(m, pt(Opt_uid_eq), tbuf); seq_puts(m, " "); } if (entry->flags & IMA_EUID) { snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); - seq_printf(m, pt(Opt_euid), tbuf); + if (entry->uid_op == &uid_gt) + seq_printf(m, pt(Opt_euid_gt), tbuf); + else if (entry->uid_op == &uid_lt) + seq_printf(m, pt(Opt_euid_lt), tbuf); + else + seq_printf(m, pt(Opt_euid_eq), tbuf); seq_puts(m, " "); } if (entry->flags & IMA_FOWNER) { snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); - seq_printf(m, pt(Opt_fowner), tbuf); + if (entry->fowner_op == &uid_gt) + seq_printf(m, pt(Opt_fowner_gt), tbuf); + else if (entry->fowner_op == &uid_lt) + seq_printf(m, pt(Opt_fowner_lt), tbuf); + else + seq_printf(m, pt(Opt_fowner_eq), tbuf); seq_puts(m, " "); } From f6076f704aa29679fdba114b0f60e71e0884840a Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 10:48:28 +0100 Subject: [PATCH 11/98] selinux: Use kmalloc_array() in cond_init_bool_indexes() * A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. * Replace the specification of a data type by a pointer dereference to make the corresponding size determination a bit safer according to the Linux coding style convention. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/conditional.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 34afeadd9e73..fcfab2635c11 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -176,8 +176,9 @@ void cond_policydb_destroy(struct policydb *p) int cond_init_bool_indexes(struct policydb *p) { kfree(p->bool_val_to_struct); - p->bool_val_to_struct = - kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL); + p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim, + sizeof(*p->bool_val_to_struct), + GFP_KERNEL); if (!p->bool_val_to_struct) return -ENOMEM; return 0; From e34cfef901badc0e17c2b296a535e7412ef038f3 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 11:00:23 +0100 Subject: [PATCH 12/98] selinux: Delete an unnecessary return statement in cond_compute_av() The script "checkpatch.pl" pointed information out like the following. WARNING: void function return statements are not generally useful Thus remove such a statement in the affected function. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/conditional.c | 1 - 1 file changed, 1 deletion(-) diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index fcfab2635c11..4a3bf29f7565 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -664,5 +664,4 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, (node->key.specified & AVTAB_XPERMS)) services_compute_xperms_drivers(xperms, node); } - return; } From fb13a312daa11005b0230695a1d6a0b4e2b27069 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 11:22:12 +0100 Subject: [PATCH 13/98] selinux: Improve size determinations in four functions Replace the specification of data structures by pointer dereferences as the parameter for the operator "sizeof" to make the corresponding size determination a bit safer. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/conditional.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 4a3bf29f7565..771c96afe1d5 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -227,7 +227,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) u32 len; int rc; - booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL); + booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL); if (!booldatum) return -ENOMEM; @@ -332,7 +332,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum goto err; } - list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL); + list = kzalloc(sizeof(*list), GFP_KERNEL); if (!list) { rc = -ENOMEM; goto err; @@ -421,7 +421,7 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) goto err; rc = -ENOMEM; - expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); + expr = kzalloc(sizeof(*expr), GFP_KERNEL); if (!expr) goto err; @@ -472,7 +472,7 @@ int cond_read_list(struct policydb *p, void *fp) for (i = 0; i < len; i++) { rc = -ENOMEM; - node = kzalloc(sizeof(struct cond_node), GFP_KERNEL); + node = kzalloc(sizeof(*node), GFP_KERNEL); if (!node) goto err; From 2f00e680fe25d8d2758879b772d54cb46a78b59d Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 12:06:13 +0100 Subject: [PATCH 14/98] selinux: Use kmalloc_array() in hashtab_create() A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/hashtab.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 2cc496149842..dc99fff64ecb 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c @@ -24,7 +24,7 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void * p->nel = 0; p->hash_value = hash_value; p->keycmp = keycmp; - p->htable = kmalloc(sizeof(*(p->htable)) * size, GFP_KERNEL); + p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL); if (p->htable == NULL) { kfree(p); return NULL; From cb8d21e3640f18444c597bddaec156637eacecf8 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 12:36:59 +0100 Subject: [PATCH 15/98] selinux: Adjust four checks for null pointers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The script "checkpatch.pl" pointed information out like the following. Comparison to NULL could be written !… Thus fix affected source code places. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/hashtab.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index dc99fff64ecb..3858706a29fb 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c @@ -17,7 +17,7 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void * u32 i; p = kzalloc(sizeof(*p), GFP_KERNEL); - if (p == NULL) + if (!p) return p; p->size = size; @@ -25,7 +25,7 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void * p->hash_value = hash_value; p->keycmp = keycmp; p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL); - if (p->htable == NULL) { + if (!p->htable) { kfree(p); return NULL; } @@ -58,7 +58,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum) return -EEXIST; newnode = kzalloc(sizeof(*newnode), GFP_KERNEL); - if (newnode == NULL) + if (!newnode) return -ENOMEM; newnode->key = key; newnode->datum = datum; @@ -87,7 +87,7 @@ void *hashtab_search(struct hashtab *h, const void *key) while (cur && h->keycmp(h, key, cur->key) > 0) cur = cur->next; - if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + if (!cur || (h->keycmp(h, key, cur->key) != 0)) return NULL; return cur->datum; From ad10a10567e243425d7be35a3d950709371fa048 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 13:08:59 +0100 Subject: [PATCH 16/98] selinux: Use kcalloc() in policydb_index() Multiplications for the size determination of memory allocations indicated that array data structures should be processed. Thus use the corresponding function "kcalloc". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 9c92f29a38ea..66b9a357fa1b 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -540,23 +540,23 @@ static int policydb_index(struct policydb *p) #endif rc = -ENOMEM; - p->class_val_to_struct = - kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), - GFP_KERNEL); + p->class_val_to_struct = kcalloc(p->p_classes.nprim, + sizeof(*p->class_val_to_struct), + GFP_KERNEL); if (!p->class_val_to_struct) goto out; rc = -ENOMEM; - p->role_val_to_struct = - kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), - GFP_KERNEL); + p->role_val_to_struct = kcalloc(p->p_roles.nprim, + sizeof(*p->role_val_to_struct), + GFP_KERNEL); if (!p->role_val_to_struct) goto out; rc = -ENOMEM; - p->user_val_to_struct = - kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), - GFP_KERNEL); + p->user_val_to_struct = kcalloc(p->p_users.nprim, + sizeof(*p->user_val_to_struct), + GFP_KERNEL); if (!p->user_val_to_struct) goto out; From b4e4686f65a3092f63ed01c887d9f56714d29f4a Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 14:00:02 +0100 Subject: [PATCH 17/98] selinux: Delete an unnecessary return statement in policydb_destroy() The script "checkpatch.pl" pointed information out like the following. WARNING: void function return statements are not generally useful Thus remove such a statement in the affected function. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 66b9a357fa1b..bccc9acf6bc5 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -880,8 +880,6 @@ void policydb_destroy(struct policydb *p) ebitmap_destroy(&p->filename_trans_ttypes); ebitmap_destroy(&p->policycaps); ebitmap_destroy(&p->permissive_map); - - return; } /* From 3a0aa56518432a1a598ac3e48a93f2e99c66a393 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 16:34:25 +0100 Subject: [PATCH 18/98] selinux: Return directly after a failed next_entry() in genfs_read() Return directly after a call of the function "next_entry" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index bccc9acf6bc5..375e304070e1 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -2006,7 +2006,7 @@ static int genfs_read(struct policydb *p, void *fp) rc = next_entry(buf, fp, sizeof(u32)); if (rc) - goto out; + return rc; nel = le32_to_cpu(buf[0]); for (i = 0; i < nel; i++) { From 315e01ada8047cba0520ecca050ad8f5237abb41 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 17:43:47 +0100 Subject: [PATCH 19/98] selinux: One function call less in genfs_read() after null pointer detection Call the function "kfree" at the end only after it was determined that the local variable "newgenfs" contained a non-null pointer. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 375e304070e1..4390558464c5 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -2098,9 +2098,10 @@ static int genfs_read(struct policydb *p, void *fp) } rc = 0; out: - if (newgenfs) + if (newgenfs) { kfree(newgenfs->fstype); - kfree(newgenfs); + kfree(newgenfs); + } ocontext_destroy(newc, OCON_FSUSE); return rc; From 02fcef27cc908e22ddb68d30ad1b7fd9ac3a1c24 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 19:02:42 +0100 Subject: [PATCH 20/98] selinux: Delete an unnecessary variable assignment in filename_trans_read() The local variable "ft" was set to a null pointer despite of an immediate reassignment. Thus remove this statement from the beginning of a loop. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 1 - 1 file changed, 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 4390558464c5..7131251be628 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1929,7 +1929,6 @@ static int filename_trans_read(struct policydb *p, void *fp) nel = le32_to_cpu(buf[0]); for (i = 0; i < nel; i++) { - ft = NULL; otype = NULL; name = NULL; From 57152a5be08e240654993984a0f6e54254882626 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 19:35:59 +0100 Subject: [PATCH 21/98] selinux: Return directly after a failed next_entry() in range_read() Return directly after a call of the function "next_entry" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 7131251be628..6c093018ae8d 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1852,7 +1852,7 @@ static int range_read(struct policydb *p, void *fp) rc = next_entry(buf, fp, sizeof(u32)); if (rc) - goto out; + return rc; nel = le32_to_cpu(buf[0]); for (i = 0; i < nel; i++) { From 9c312e79d6afb673114ebe7aabd5594e79827eea Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 20:40:12 +0100 Subject: [PATCH 22/98] selinux: Delete an unnecessary variable initialisation in range_read() The local variable "rt" will be set to an appropriate pointer a bit later. Thus omit the explicit initialisation at the beginning which became unnecessary with a previous update step. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 6c093018ae8d..a8389396e9a9 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1841,7 +1841,7 @@ u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) static int range_read(struct policydb *p, void *fp) { - struct range_trans *rt = NULL; + struct range_trans *rt; struct mls_range *r = NULL; int i, rc; __le32 buf[2]; From 3dfc9b02864b19f4dab376f14479ee4ad1de6c9e Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Wed, 22 Mar 2017 19:46:19 +0900 Subject: [PATCH 23/98] LSM: Initialize security_hook_heads upon registration. "struct security_hook_heads" is an array of "struct list_head" where elements can be initialized just before registration. There is no need to waste 350+ lines for initialization. Let's initialize "struct security_hook_heads" just before registration. Signed-off-by: Tetsuo Handa Acked-by: Kees Cook Cc: John Johansen Cc: Kees Cook Cc: Paul Moore Cc: Stephen Smalley Cc: Casey Schaufler Cc: James Morris Signed-off-by: James Morris --- security/security.c | 361 +------------------------------------------- 1 file changed, 7 insertions(+), 354 deletions(-) diff --git a/security/security.c b/security/security.c index d6d18a3721aa..2f15488dc6bc 100644 --- a/security/security.c +++ b/security/security.c @@ -32,6 +32,7 @@ /* Maximum number of letters for an LSM name string */ #define SECURITY_NAME_MAX 10 +struct security_hook_heads security_hook_heads __lsm_ro_after_init; char *lsm_names; /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = @@ -54,6 +55,12 @@ static void __init do_security_initcalls(void) */ int __init security_init(void) { + int i; + struct list_head *list = (struct list_head *) &security_hook_heads; + + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head); + i++) + INIT_LIST_HEAD(&list[i]); pr_info("Security Framework initialized\n"); /* @@ -1627,357 +1634,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, actx); } #endif /* CONFIG_AUDIT */ - -struct security_hook_heads security_hook_heads __lsm_ro_after_init = { - .binder_set_context_mgr = - LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr), - .binder_transaction = - LIST_HEAD_INIT(security_hook_heads.binder_transaction), - .binder_transfer_binder = - LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder), - .binder_transfer_file = - LIST_HEAD_INIT(security_hook_heads.binder_transfer_file), - - .ptrace_access_check = - LIST_HEAD_INIT(security_hook_heads.ptrace_access_check), - .ptrace_traceme = - LIST_HEAD_INIT(security_hook_heads.ptrace_traceme), - .capget = LIST_HEAD_INIT(security_hook_heads.capget), - .capset = LIST_HEAD_INIT(security_hook_heads.capset), - .capable = LIST_HEAD_INIT(security_hook_heads.capable), - .quotactl = LIST_HEAD_INIT(security_hook_heads.quotactl), - .quota_on = LIST_HEAD_INIT(security_hook_heads.quota_on), - .syslog = LIST_HEAD_INIT(security_hook_heads.syslog), - .settime = LIST_HEAD_INIT(security_hook_heads.settime), - .vm_enough_memory = - LIST_HEAD_INIT(security_hook_heads.vm_enough_memory), - .bprm_set_creds = - LIST_HEAD_INIT(security_hook_heads.bprm_set_creds), - .bprm_check_security = - LIST_HEAD_INIT(security_hook_heads.bprm_check_security), - .bprm_secureexec = - LIST_HEAD_INIT(security_hook_heads.bprm_secureexec), - .bprm_committing_creds = - LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds), - .bprm_committed_creds = - LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds), - .sb_alloc_security = - LIST_HEAD_INIT(security_hook_heads.sb_alloc_security), - .sb_free_security = - LIST_HEAD_INIT(security_hook_heads.sb_free_security), - .sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data), - .sb_remount = LIST_HEAD_INIT(security_hook_heads.sb_remount), - .sb_kern_mount = - LIST_HEAD_INIT(security_hook_heads.sb_kern_mount), - .sb_show_options = - LIST_HEAD_INIT(security_hook_heads.sb_show_options), - .sb_statfs = LIST_HEAD_INIT(security_hook_heads.sb_statfs), - .sb_mount = LIST_HEAD_INIT(security_hook_heads.sb_mount), - .sb_umount = LIST_HEAD_INIT(security_hook_heads.sb_umount), - .sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot), - .sb_set_mnt_opts = - LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts), - .sb_clone_mnt_opts = - LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts), - .sb_parse_opts_str = - LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str), - .dentry_init_security = - LIST_HEAD_INIT(security_hook_heads.dentry_init_security), - .dentry_create_files_as = - LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as), -#ifdef CONFIG_SECURITY_PATH - .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink), - .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir), - .path_rmdir = LIST_HEAD_INIT(security_hook_heads.path_rmdir), - .path_mknod = LIST_HEAD_INIT(security_hook_heads.path_mknod), - .path_truncate = - LIST_HEAD_INIT(security_hook_heads.path_truncate), - .path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink), - .path_link = LIST_HEAD_INIT(security_hook_heads.path_link), - .path_rename = LIST_HEAD_INIT(security_hook_heads.path_rename), - .path_chmod = LIST_HEAD_INIT(security_hook_heads.path_chmod), - .path_chown = LIST_HEAD_INIT(security_hook_heads.path_chown), - .path_chroot = LIST_HEAD_INIT(security_hook_heads.path_chroot), -#endif - .inode_alloc_security = - LIST_HEAD_INIT(security_hook_heads.inode_alloc_security), - .inode_free_security = - LIST_HEAD_INIT(security_hook_heads.inode_free_security), - .inode_init_security = - LIST_HEAD_INIT(security_hook_heads.inode_init_security), - .inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create), - .inode_link = LIST_HEAD_INIT(security_hook_heads.inode_link), - .inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink), - .inode_symlink = - LIST_HEAD_INIT(security_hook_heads.inode_symlink), - .inode_mkdir = LIST_HEAD_INIT(security_hook_heads.inode_mkdir), - .inode_rmdir = LIST_HEAD_INIT(security_hook_heads.inode_rmdir), - .inode_mknod = LIST_HEAD_INIT(security_hook_heads.inode_mknod), - .inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename), - .inode_readlink = - LIST_HEAD_INIT(security_hook_heads.inode_readlink), - .inode_follow_link = - LIST_HEAD_INIT(security_hook_heads.inode_follow_link), - .inode_permission = - LIST_HEAD_INIT(security_hook_heads.inode_permission), - .inode_setattr = - LIST_HEAD_INIT(security_hook_heads.inode_setattr), - .inode_getattr = - LIST_HEAD_INIT(security_hook_heads.inode_getattr), - .inode_setxattr = - LIST_HEAD_INIT(security_hook_heads.inode_setxattr), - .inode_post_setxattr = - LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr), - .inode_getxattr = - LIST_HEAD_INIT(security_hook_heads.inode_getxattr), - .inode_listxattr = - LIST_HEAD_INIT(security_hook_heads.inode_listxattr), - .inode_removexattr = - LIST_HEAD_INIT(security_hook_heads.inode_removexattr), - .inode_need_killpriv = - LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv), - .inode_killpriv = - LIST_HEAD_INIT(security_hook_heads.inode_killpriv), - .inode_getsecurity = - LIST_HEAD_INIT(security_hook_heads.inode_getsecurity), - .inode_setsecurity = - LIST_HEAD_INIT(security_hook_heads.inode_setsecurity), - .inode_listsecurity = - LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), - .inode_getsecid = - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), - .inode_copy_up = - LIST_HEAD_INIT(security_hook_heads.inode_copy_up), - .inode_copy_up_xattr = - LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = - LIST_HEAD_INIT(security_hook_heads.file_alloc_security), - .file_free_security = - LIST_HEAD_INIT(security_hook_heads.file_free_security), - .file_ioctl = LIST_HEAD_INIT(security_hook_heads.file_ioctl), - .mmap_addr = LIST_HEAD_INIT(security_hook_heads.mmap_addr), - .mmap_file = LIST_HEAD_INIT(security_hook_heads.mmap_file), - .file_mprotect = - LIST_HEAD_INIT(security_hook_heads.file_mprotect), - .file_lock = LIST_HEAD_INIT(security_hook_heads.file_lock), - .file_fcntl = LIST_HEAD_INIT(security_hook_heads.file_fcntl), - .file_set_fowner = - LIST_HEAD_INIT(security_hook_heads.file_set_fowner), - .file_send_sigiotask = - LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask), - .file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive), - .file_open = LIST_HEAD_INIT(security_hook_heads.file_open), - .task_create = LIST_HEAD_INIT(security_hook_heads.task_create), - .task_free = LIST_HEAD_INIT(security_hook_heads.task_free), - .cred_alloc_blank = - LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank), - .cred_free = LIST_HEAD_INIT(security_hook_heads.cred_free), - .cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare), - .cred_transfer = - LIST_HEAD_INIT(security_hook_heads.cred_transfer), - .kernel_act_as = - LIST_HEAD_INIT(security_hook_heads.kernel_act_as), - .kernel_create_files_as = - LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as), - .kernel_module_request = - LIST_HEAD_INIT(security_hook_heads.kernel_module_request), - .kernel_read_file = - LIST_HEAD_INIT(security_hook_heads.kernel_read_file), - .kernel_post_read_file = - LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file), - .task_fix_setuid = - LIST_HEAD_INIT(security_hook_heads.task_fix_setuid), - .task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid), - .task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid), - .task_getsid = LIST_HEAD_INIT(security_hook_heads.task_getsid), - .task_getsecid = - LIST_HEAD_INIT(security_hook_heads.task_getsecid), - .task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice), - .task_setioprio = - LIST_HEAD_INIT(security_hook_heads.task_setioprio), - .task_getioprio = - LIST_HEAD_INIT(security_hook_heads.task_getioprio), - .task_prlimit = - LIST_HEAD_INIT(security_hook_heads.task_prlimit), - .task_setrlimit = - LIST_HEAD_INIT(security_hook_heads.task_setrlimit), - .task_setscheduler = - LIST_HEAD_INIT(security_hook_heads.task_setscheduler), - .task_getscheduler = - LIST_HEAD_INIT(security_hook_heads.task_getscheduler), - .task_movememory = - LIST_HEAD_INIT(security_hook_heads.task_movememory), - .task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill), - .task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl), - .task_to_inode = - LIST_HEAD_INIT(security_hook_heads.task_to_inode), - .ipc_permission = - LIST_HEAD_INIT(security_hook_heads.ipc_permission), - .ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid), - .msg_msg_alloc_security = - LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security), - .msg_msg_free_security = - LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security), - .msg_queue_alloc_security = - LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security), - .msg_queue_free_security = - LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security), - .msg_queue_associate = - LIST_HEAD_INIT(security_hook_heads.msg_queue_associate), - .msg_queue_msgctl = - LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl), - .msg_queue_msgsnd = - LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd), - .msg_queue_msgrcv = - LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv), - .shm_alloc_security = - LIST_HEAD_INIT(security_hook_heads.shm_alloc_security), - .shm_free_security = - LIST_HEAD_INIT(security_hook_heads.shm_free_security), - .shm_associate = - LIST_HEAD_INIT(security_hook_heads.shm_associate), - .shm_shmctl = LIST_HEAD_INIT(security_hook_heads.shm_shmctl), - .shm_shmat = LIST_HEAD_INIT(security_hook_heads.shm_shmat), - .sem_alloc_security = - LIST_HEAD_INIT(security_hook_heads.sem_alloc_security), - .sem_free_security = - LIST_HEAD_INIT(security_hook_heads.sem_free_security), - .sem_associate = - LIST_HEAD_INIT(security_hook_heads.sem_associate), - .sem_semctl = LIST_HEAD_INIT(security_hook_heads.sem_semctl), - .sem_semop = LIST_HEAD_INIT(security_hook_heads.sem_semop), - .netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send), - .d_instantiate = - LIST_HEAD_INIT(security_hook_heads.d_instantiate), - .getprocattr = LIST_HEAD_INIT(security_hook_heads.getprocattr), - .setprocattr = LIST_HEAD_INIT(security_hook_heads.setprocattr), - .ismaclabel = LIST_HEAD_INIT(security_hook_heads.ismaclabel), - .secid_to_secctx = - LIST_HEAD_INIT(security_hook_heads.secid_to_secctx), - .secctx_to_secid = - LIST_HEAD_INIT(security_hook_heads.secctx_to_secid), - .release_secctx = - LIST_HEAD_INIT(security_hook_heads.release_secctx), - .inode_invalidate_secctx = - LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx), - .inode_notifysecctx = - LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx), - .inode_setsecctx = - LIST_HEAD_INIT(security_hook_heads.inode_setsecctx), - .inode_getsecctx = - LIST_HEAD_INIT(security_hook_heads.inode_getsecctx), -#ifdef CONFIG_SECURITY_NETWORK - .unix_stream_connect = - LIST_HEAD_INIT(security_hook_heads.unix_stream_connect), - .unix_may_send = - LIST_HEAD_INIT(security_hook_heads.unix_may_send), - .socket_create = - LIST_HEAD_INIT(security_hook_heads.socket_create), - .socket_post_create = - LIST_HEAD_INIT(security_hook_heads.socket_post_create), - .socket_bind = LIST_HEAD_INIT(security_hook_heads.socket_bind), - .socket_connect = - LIST_HEAD_INIT(security_hook_heads.socket_connect), - .socket_listen = - LIST_HEAD_INIT(security_hook_heads.socket_listen), - .socket_accept = - LIST_HEAD_INIT(security_hook_heads.socket_accept), - .socket_sendmsg = - LIST_HEAD_INIT(security_hook_heads.socket_sendmsg), - .socket_recvmsg = - LIST_HEAD_INIT(security_hook_heads.socket_recvmsg), - .socket_getsockname = - LIST_HEAD_INIT(security_hook_heads.socket_getsockname), - .socket_getpeername = - LIST_HEAD_INIT(security_hook_heads.socket_getpeername), - .socket_getsockopt = - LIST_HEAD_INIT(security_hook_heads.socket_getsockopt), - .socket_setsockopt = - LIST_HEAD_INIT(security_hook_heads.socket_setsockopt), - .socket_shutdown = - LIST_HEAD_INIT(security_hook_heads.socket_shutdown), - .socket_sock_rcv_skb = - LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb), - .socket_getpeersec_stream = - LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream), - .socket_getpeersec_dgram = - LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram), - .sk_alloc_security = - LIST_HEAD_INIT(security_hook_heads.sk_alloc_security), - .sk_free_security = - LIST_HEAD_INIT(security_hook_heads.sk_free_security), - .sk_clone_security = - LIST_HEAD_INIT(security_hook_heads.sk_clone_security), - .sk_getsecid = LIST_HEAD_INIT(security_hook_heads.sk_getsecid), - .sock_graft = LIST_HEAD_INIT(security_hook_heads.sock_graft), - .inet_conn_request = - LIST_HEAD_INIT(security_hook_heads.inet_conn_request), - .inet_csk_clone = - LIST_HEAD_INIT(security_hook_heads.inet_csk_clone), - .inet_conn_established = - LIST_HEAD_INIT(security_hook_heads.inet_conn_established), - .secmark_relabel_packet = - LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet), - .secmark_refcount_inc = - LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc), - .secmark_refcount_dec = - LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec), - .req_classify_flow = - LIST_HEAD_INIT(security_hook_heads.req_classify_flow), - .tun_dev_alloc_security = - LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security), - .tun_dev_free_security = - LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security), - .tun_dev_create = - LIST_HEAD_INIT(security_hook_heads.tun_dev_create), - .tun_dev_attach_queue = - LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue), - .tun_dev_attach = - LIST_HEAD_INIT(security_hook_heads.tun_dev_attach), - .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open), -#endif /* CONFIG_SECURITY_NETWORK */ -#ifdef CONFIG_SECURITY_NETWORK_XFRM - .xfrm_policy_alloc_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security), - .xfrm_policy_clone_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security), - .xfrm_policy_free_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security), - .xfrm_policy_delete_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security), - .xfrm_state_alloc = - LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc), - .xfrm_state_alloc_acquire = - LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire), - .xfrm_state_free_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security), - .xfrm_state_delete_security = - LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security), - .xfrm_policy_lookup = - LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup), - .xfrm_state_pol_flow_match = - LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match), - .xfrm_decode_session = - LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session), -#endif /* CONFIG_SECURITY_NETWORK_XFRM */ -#ifdef CONFIG_KEYS - .key_alloc = LIST_HEAD_INIT(security_hook_heads.key_alloc), - .key_free = LIST_HEAD_INIT(security_hook_heads.key_free), - .key_permission = - LIST_HEAD_INIT(security_hook_heads.key_permission), - .key_getsecurity = - LIST_HEAD_INIT(security_hook_heads.key_getsecurity), -#endif /* CONFIG_KEYS */ -#ifdef CONFIG_AUDIT - .audit_rule_init = - LIST_HEAD_INIT(security_hook_heads.audit_rule_init), - .audit_rule_known = - LIST_HEAD_INIT(security_hook_heads.audit_rule_known), - .audit_rule_match = - LIST_HEAD_INIT(security_hook_heads.audit_rule_match), - .audit_rule_free = - LIST_HEAD_INIT(security_hook_heads.audit_rule_free), -#endif /* CONFIG_AUDIT */ -}; From e4e55b47ed9ae2c05ff062601ff6dacbe9dc4775 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Fri, 24 Mar 2017 20:46:33 +0900 Subject: [PATCH 24/98] LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We switched from "struct task_struct"->security to "struct cred"->security in Linux 2.6.29. But not all LSM modules were happy with that change. TOMOYO LSM module is an example which want to use per "struct task_struct" security blob, for TOMOYO's security context is defined based on "struct task_struct" rather than "struct cred". AppArmor LSM module is another example which want to use it, for AppArmor is currently abusing the cred a little bit to store the change_hat and setexeccon info. Although security_task_free() hook was revived in Linux 3.4 because Yama LSM module wanted to release per "struct task_struct" security blob, security_task_alloc() hook and "struct task_struct"->security field were not revived. Nowadays, we are getting proposals of lightweight LSM modules which want to use per "struct task_struct" security blob. We are already allowing multiple concurrent LSM modules (up to one fully armored module which uses "struct cred"->security field or exclusive hooks like security_xfrm_state_pol_flow_match(), plus unlimited number of lightweight modules which do not use "struct cred"->security nor exclusive hooks) as long as they are built into the kernel. But this patch does not implement variable length "struct task_struct"->security field which will become needed when multiple LSM modules want to use "struct task_struct"-> security field. Although it won't be difficult to implement variable length "struct task_struct"->security field, let's think about it after we merged this patch. Signed-off-by: Tetsuo Handa Acked-by: John Johansen Acked-by: Serge Hallyn Acked-by: Casey Schaufler Tested-by: Djalal Harouni Acked-by: José Bollo Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: Kees Cook Cc: James Morris Cc: José Bollo Signed-off-by: James Morris --- include/linux/init_task.h | 7 +++++++ include/linux/lsm_hooks.h | 9 ++++++++- include/linux/sched.h | 4 ++++ include/linux/security.h | 7 +++++++ kernel/fork.c | 7 ++++++- security/security.c | 5 +++++ 6 files changed, 37 insertions(+), 2 deletions(-) diff --git a/include/linux/init_task.h b/include/linux/init_task.h index 91d9049f0039..926f2f553cc5 100644 --- a/include/linux/init_task.h +++ b/include/linux/init_task.h @@ -210,6 +210,12 @@ extern struct cred init_cred; # define INIT_TASK_TI(tsk) #endif +#ifdef CONFIG_SECURITY +#define INIT_TASK_SECURITY .security = NULL, +#else +#define INIT_TASK_SECURITY +#endif + /* * INIT_TASK is used to set up the first task table, touch at * your own risk!. Base=0, limit=0x1fffff (=2MB) @@ -288,6 +294,7 @@ extern struct cred init_cred; INIT_VTIME(tsk) \ INIT_NUMA_BALANCING(tsk) \ INIT_KASAN(tsk) \ + INIT_TASK_SECURITY \ } diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 1aa63335de9e..080f34e66017 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -533,8 +533,13 @@ * manual page for definitions of the @clone_flags. * @clone_flags contains the flags indicating what should be shared. * Return 0 if permission is granted. + * @task_alloc: + * @task task being allocated. + * @clone_flags contains the flags indicating what should be shared. + * Handle allocation of task-related resources. + * Returns a zero on success, negative values on failure. * @task_free: - * @task task being freed + * @task task about to be freed. * Handle release of task-related resources. (Note that this can be called * from interrupt context.) * @cred_alloc_blank: @@ -1482,6 +1487,7 @@ union security_list_options { int (*file_open)(struct file *file, const struct cred *cred); int (*task_create)(unsigned long clone_flags); + int (*task_alloc)(struct task_struct *task, unsigned long clone_flags); void (*task_free)(struct task_struct *task); int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp); void (*cred_free)(struct cred *cred); @@ -1748,6 +1754,7 @@ struct security_hook_heads { struct list_head file_receive; struct list_head file_open; struct list_head task_create; + struct list_head task_alloc; struct list_head task_free; struct list_head cred_alloc_blank; struct list_head cred_free; diff --git a/include/linux/sched.h b/include/linux/sched.h index d67eee84fd43..71b8df306bb0 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1037,6 +1037,10 @@ struct task_struct { #ifdef CONFIG_THREAD_INFO_IN_TASK /* A live task holds one reference: */ atomic_t stack_refcount; +#endif +#ifdef CONFIG_SECURITY + /* Used by LSM modules for access restriction: */ + void *security; #endif /* CPU-specific state of this task: */ struct thread_struct thread; diff --git a/include/linux/security.h b/include/linux/security.h index 97df7bac5b48..af675b576645 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -308,6 +308,7 @@ int security_file_send_sigiotask(struct task_struct *tsk, int security_file_receive(struct file *file); int security_file_open(struct file *file, const struct cred *cred); int security_task_create(unsigned long clone_flags); +int security_task_alloc(struct task_struct *task, unsigned long clone_flags); void security_task_free(struct task_struct *task); int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); @@ -861,6 +862,12 @@ static inline int security_task_create(unsigned long clone_flags) return 0; } +static inline int security_task_alloc(struct task_struct *task, + unsigned long clone_flags) +{ + return 0; +} + static inline void security_task_free(struct task_struct *task) { } diff --git a/kernel/fork.c b/kernel/fork.c index 6c463c80e93d..3d32513d6c73 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1679,9 +1679,12 @@ static __latent_entropy struct task_struct *copy_process( goto bad_fork_cleanup_perf; /* copy all the process information */ shm_init_task(p); - retval = copy_semundo(clone_flags, p); + retval = security_task_alloc(p, clone_flags); if (retval) goto bad_fork_cleanup_audit; + retval = copy_semundo(clone_flags, p); + if (retval) + goto bad_fork_cleanup_security; retval = copy_files(clone_flags, p); if (retval) goto bad_fork_cleanup_semundo; @@ -1903,6 +1906,8 @@ bad_fork_cleanup_files: exit_files(p); /* blocking */ bad_fork_cleanup_semundo: exit_sem(p); +bad_fork_cleanup_security: + security_task_free(p); bad_fork_cleanup_audit: audit_free(p); bad_fork_cleanup_perf: diff --git a/security/security.c b/security/security.c index 2f15488dc6bc..549bddcc2116 100644 --- a/security/security.c +++ b/security/security.c @@ -937,6 +937,11 @@ int security_task_create(unsigned long clone_flags) return call_int_hook(task_create, 0, clone_flags); } +int security_task_alloc(struct task_struct *task, unsigned long clone_flags) +{ + return call_int_hook(task_alloc, 0, task, clone_flags); +} + void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); From 7f6d0ad8b771a4936f448180de3bbfad92be34dc Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 21:20:43 +0100 Subject: [PATCH 25/98] selinux: Return directly after a failed kzalloc() in cat_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index a8389396e9a9..36285d12c2e9 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1637,10 +1637,9 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[3]; u32 len; - rc = -ENOMEM; catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); if (!catdatum) - goto bad; + return -ENOMEM; rc = next_entry(buf, fp, sizeof buf); if (rc) From 3c354d7d7bd5e788c3d94969e4a85648d29d9d12 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 21:42:02 +0100 Subject: [PATCH 26/98] selinux: Return directly after a failed kzalloc() in sens_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 36285d12c2e9..aa1ce7ce3524 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1595,10 +1595,9 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[2]; u32 len; - rc = -ENOMEM; levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); if (!levdatum) - goto bad; + return -ENOMEM; rc = next_entry(buf, fp, sizeof buf); if (rc) From b5921191005d050d55cf4f3b10f60110f7ed2c24 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 21:52:55 +0100 Subject: [PATCH 27/98] selinux: Improve another size determination in sens_read() Replace the specification of a data type by a pointer dereference as the parameter for the operator "sizeof" to make the corresponding size determination a bit safer according to the Linux coding style convention. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index aa1ce7ce3524..4759c22d1ae6 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1611,7 +1611,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp) goto bad; rc = -ENOMEM; - levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); + levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC); if (!levdatum->level) goto bad; From 4bd9f07b89f1a300f96b4863c3a8a4ec36991930 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 22:08:22 +0100 Subject: [PATCH 28/98] selinux: Return directly after a failed kzalloc() in user_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 4759c22d1ae6..9a90953974b8 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1544,10 +1544,9 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[3]; u32 len; - rc = -ENOMEM; usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); if (!usrdatum) - goto bad; + return -ENOMEM; if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) to_read = 3; From 549fe69ee5c7a7f55c34555032961a2265e6e713 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 22:15:54 +0100 Subject: [PATCH 29/98] selinux: Return directly after a failed kzalloc() in type_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 9a90953974b8..fd58de5a83ad 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1469,10 +1469,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[4]; u32 len; - rc = -ENOMEM; typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); if (!typdatum) - goto bad; + return -ENOMEM; if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) to_read = 4; From ea6e2f7d12921f336def7398805ee3b1619e2f4b Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 22:20:25 +0100 Subject: [PATCH 30/98] selinux: Return directly after a failed kzalloc() in role_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index fd58de5a83ad..30f29c669e32 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1412,10 +1412,9 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[3]; u32 len; - rc = -ENOMEM; role = kzalloc(sizeof(*role), GFP_KERNEL); if (!role) - goto bad; + return -ENOMEM; if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) to_read = 3; From df4a14dfb484f95d81126e481e66b6e22eec49e8 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sat, 14 Jan 2017 22:30:51 +0100 Subject: [PATCH 31/98] selinux: Return directly after a failed kzalloc() in class_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 30f29c669e32..edf173ed05f8 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1318,10 +1318,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) u32 len, len2, ncons, nel; int i, rc; - rc = -ENOMEM; cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); if (!cladatum) - goto bad; + return -ENOMEM; rc = next_entry(buf, fp, sizeof(u32)*6); if (rc) From 442ca4d656645505346017c37ac137cde680bf38 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 11:15:19 +0100 Subject: [PATCH 32/98] selinux: Return directly after a failed kzalloc() in common_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index edf173ed05f8..99ee0ee2d92a 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1152,10 +1152,9 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) u32 len, nel; int i, rc; - rc = -ENOMEM; comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); if (!comdatum) - goto bad; + return -ENOMEM; rc = next_entry(buf, fp, sizeof buf); if (rc) From 7befb7514e5d53026e9fe4a6548f118a65a20a4f Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 11:20:13 +0100 Subject: [PATCH 33/98] selinux: Return directly after a failed kzalloc() in perm_read() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 99ee0ee2d92a..5ca2d26ecf7f 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1118,10 +1118,9 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp) __le32 buf[2]; u32 len; - rc = -ENOMEM; perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); if (!perdatum) - goto bad; + return -ENOMEM; rc = next_entry(buf, fp, sizeof buf); if (rc) From ebd2b47ba52760e9653456ba19032f79d734a343 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 12:10:09 +0100 Subject: [PATCH 34/98] selinux: Return directly after a failed kzalloc() in roles_init() Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 5ca2d26ecf7f..658247f98dc1 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -178,10 +178,9 @@ static int roles_init(struct policydb *p) int rc; struct role_datum *role; - rc = -ENOMEM; role = kzalloc(sizeof(*role), GFP_KERNEL); if (!role) - goto out; + return -ENOMEM; rc = -EINVAL; role->value = ++p->p_roles.nprim; From b380f783772eeb66a0da85549a85aadbe5f8e76d Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 13:13:19 +0100 Subject: [PATCH 35/98] selinux: Use kmalloc_array() in sidtab_init() A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/sidtab.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 5840a35155fc..c9533b21942b 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -18,7 +18,7 @@ int sidtab_init(struct sidtab *s) { int i; - s->htable = kmalloc(sizeof(*(s->htable)) * SIDTAB_SIZE, GFP_ATOMIC); + s->htable = kmalloc_array(SIDTAB_SIZE, sizeof(*s->htable), GFP_ATOMIC); if (!s->htable) return -ENOMEM; for (i = 0; i < SIDTAB_SIZE; i++) From 8ee4586ca5fe6c2a00f6a39f828f54c8f6cda472 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 13:30:20 +0100 Subject: [PATCH 36/98] selinux: Adjust two checks for null pointers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The script "checkpatch.pl" pointed information out like the following. Comparison to NULL could be written !… Thus fix affected source code places. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/ss/sidtab.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index c9533b21942b..f6915f257486 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -54,7 +54,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context) } newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC); - if (newnode == NULL) { + if (!newnode) { rc = -ENOMEM; goto out; } @@ -98,7 +98,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force) if (force && cur && sid == cur->sid && cur->context.len) return &cur->context; - if (cur == NULL || sid != cur->sid || cur->context.len) { + if (!cur || sid != cur->sid || cur->context.len) { /* Remap invalid SIDs to the unlabeled SID. */ sid = SECINITSID_UNLABELED; hvalue = SIDTAB_HASH(sid); From 710a0647ba955abd25460c36a09d80fdbe878273 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Sun, 15 Jan 2017 14:04:53 +0100 Subject: [PATCH 37/98] selinuxfs: Use seq_puts() in sel_avc_stats_seq_show() A string which did not contain data format specifications should be put into a sequence. Thus use the corresponding function "seq_puts". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Paul Moore --- security/selinux/selinuxfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index cb3fd98fb05a..ce7171884223 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1456,10 +1456,10 @@ static int sel_avc_stats_seq_show(struct seq_file *seq, void *v) { struct avc_cache_stats *st = v; - if (v == SEQ_START_TOKEN) - seq_printf(seq, "lookups hits misses allocations reclaims " - "frees\n"); - else { + if (v == SEQ_START_TOKEN) { + seq_puts(seq, + "lookups hits misses allocations reclaims frees\n"); + } else { unsigned int lookups = st->lookups; unsigned int misses = st->misses; unsigned int hits = lookups - misses; From 2a4c22426955d4fc04069811997b7390c0fb858e Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 10 Mar 2017 12:14:18 -0500 Subject: [PATCH 38/98] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only checked when required for the operation. Signed-off-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Serge Hallyn Acked-by: James Morris Signed-off-by: Paul Moore --- fs/namei.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index d41fab78798b..482414aa558b 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) if (S_ISDIR(inode->i_mode)) { /* DACs are overridable for directories */ - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; if (!(mask & MAY_WRITE)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; - return -EACCES; - } - /* - * Read/write DACs are always overridable. - * Executable DACs are overridable when there is - * at least one exec bit set. - */ - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) return 0; + return -EACCES; + } /* * Searching includes executable on directories, else just read. @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) if (mask == MAY_READ) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; + /* + * Read/write DACs are always overridable. + * Executable DACs are overridable when there is + * at least one exec bit set. + */ + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) + return 0; return -EACCES; } From 342e91578eb6909529bc7095964cd44b9c057c4e Mon Sep 17 00:00:00 2001 From: Matthias Kaehlcke Date: Thu, 16 Mar 2017 15:26:52 -0700 Subject: [PATCH 39/98] selinux: Remove unnecessary check of array base in selinux_set_mapping() 'perms' will never be NULL since it isn't a plain pointer but an array of u32 values. This fixes the following warning when building with clang: security/selinux/ss/services.c:158:16: error: address of array 'p_in->perms' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] while (p_in->perms && p_in->perms[k]) { Signed-off-by: Matthias Kaehlcke Signed-off-by: Paul Moore --- security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b4aa491a0a23..60d9b0252321 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -157,7 +157,7 @@ static int selinux_set_mapping(struct policydb *pol, } k = 0; - while (p_in->perms && p_in->perms[k]) { + while (p_in->perms[k]) { /* An empty permission string skips ahead */ if (!*p_in->perms[k]) { k++; From 8291798dcf059cdc5e55a59b2c4ad70ae14508c2 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 29 Mar 2017 16:52:58 -0700 Subject: [PATCH 40/98] TOMOYO: Use designated initializers Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook Acked-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/file.c | 12 ++++++------ security/tomoyo/tomoyo.c | 20 ++++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 7041a580019e..223f21ffa632 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -692,7 +692,7 @@ int tomoyo_path_number_perm(const u8 type, const struct path *path, { struct tomoyo_request_info r; struct tomoyo_obj_info obj = { - .path1 = *path, + .path1 = { .mnt = path->mnt, .dentry = path->dentry }, }; int error = -ENOMEM; struct tomoyo_path_info buf; @@ -740,7 +740,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, struct tomoyo_path_info buf; struct tomoyo_request_info r; struct tomoyo_obj_info obj = { - .path1 = *path, + .path1 = { .mnt = path->mnt, .dentry = path->dentry }, }; int idx; @@ -786,7 +786,7 @@ int tomoyo_path_perm(const u8 operation, const struct path *path, const char *ta { struct tomoyo_request_info r; struct tomoyo_obj_info obj = { - .path1 = *path, + .path1 = { .mnt = path->mnt, .dentry = path->dentry }, }; int error; struct tomoyo_path_info buf; @@ -843,7 +843,7 @@ int tomoyo_mkdev_perm(const u8 operation, const struct path *path, { struct tomoyo_request_info r; struct tomoyo_obj_info obj = { - .path1 = *path, + .path1 = { .mnt = path->mnt, .dentry = path->dentry }, }; int error = -ENOMEM; struct tomoyo_path_info buf; @@ -890,8 +890,8 @@ int tomoyo_path2_perm(const u8 operation, const struct path *path1, struct tomoyo_path_info buf2; struct tomoyo_request_info r; struct tomoyo_obj_info obj = { - .path1 = *path1, - .path2 = *path2, + .path1 = { .mnt = path1->mnt, .dentry = path1->dentry }, + .path2 = { .mnt = path2->mnt, .dentry = path2->dentry } }; int idx; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index b5fb930349a9..130b4fa4f65f 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -165,7 +165,7 @@ static int tomoyo_path_truncate(const struct path *path) */ static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry) { - struct path path = { parent->mnt, dentry }; + struct path path = { .mnt = parent->mnt, .dentry = dentry }; return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL); } @@ -181,7 +181,7 @@ static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry) static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry, umode_t mode) { - struct path path = { parent->mnt, dentry }; + struct path path = { .mnt = parent->mnt, .dentry = dentry }; return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path, mode & S_IALLUGO); } @@ -196,7 +196,7 @@ static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry, */ static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry) { - struct path path = { parent->mnt, dentry }; + struct path path = { .mnt = parent->mnt, .dentry = dentry }; return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL); } @@ -212,7 +212,7 @@ static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry) static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry, const char *old_name) { - struct path path = { parent->mnt, dentry }; + struct path path = { .mnt = parent->mnt, .dentry = dentry }; return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name); } @@ -229,7 +229,7 @@ static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry, static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry, umode_t mode, unsigned int dev) { - struct path path = { parent->mnt, dentry }; + struct path path = { .mnt = parent->mnt, .dentry = dentry }; int type = TOMOYO_TYPE_CREATE; const unsigned int perm = mode & S_IALLUGO; @@ -268,8 +268,8 @@ static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry, static int tomoyo_path_link(struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry) { - struct path path1 = { new_dir->mnt, old_dentry }; - struct path path2 = { new_dir->mnt, new_dentry }; + struct path path1 = { .mnt = new_dir->mnt, .dentry = old_dentry }; + struct path path2 = { .mnt = new_dir->mnt, .dentry = new_dentry }; return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2); } @@ -288,8 +288,8 @@ static int tomoyo_path_rename(const struct path *old_parent, const struct path *new_parent, struct dentry *new_dentry) { - struct path path1 = { old_parent->mnt, old_dentry }; - struct path path2 = { new_parent->mnt, new_dentry }; + struct path path1 = { .mnt = old_parent->mnt, .dentry = old_dentry }; + struct path path2 = { .mnt = new_parent->mnt, .dentry = new_dentry }; return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2); } @@ -417,7 +417,7 @@ static int tomoyo_sb_mount(const char *dev_name, const struct path *path, */ static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) { - struct path path = { mnt, mnt->mnt_root }; + struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL); } From cae303df3f379f04ce7efadb2e30de460918b302 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 31 Mar 2017 18:21:18 +0300 Subject: [PATCH 41/98] selinux: Fix an uninitialized variable bug We removed this initialization as a cleanup but it is probably required. The concern is that "nel" can be zero. I'm not an expert on SELinux code but I think it looks possible to write an SELinux policy which triggers this bug. GCC doesn't catch this, but my static checker does. Fixes: 9c312e79d6af ("selinux: Delete an unnecessary variable initialisation in range_read()") Signed-off-by: Dan Carpenter Acked-by: Stephen Smalley Signed-off-by: Paul Moore --- security/selinux/ss/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 658247f98dc1..0080122760ad 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1832,7 +1832,7 @@ u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) static int range_read(struct policydb *p, void *fp) { - struct range_trans *rt; + struct range_trans *rt = NULL; struct mls_range *r = NULL; int i, rc; __le32 buf[2]; From fff292914d3a2f1efd05ca71c2ba72a3c663201e Mon Sep 17 00:00:00 2001 From: Elena Reshetova Date: Fri, 31 Mar 2017 15:20:48 +0300 Subject: [PATCH 42/98] security, keys: convert key.usage from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Acked-by: David Howells Signed-off-by: James Morris --- include/linux/key.h | 5 +++-- security/keys/gc.c | 2 +- security/keys/key.c | 6 +++--- security/keys/keyring.c | 8 ++++---- security/keys/proc.c | 2 +- security/keys/request_key_auth.c | 2 +- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/include/linux/key.h b/include/linux/key.h index e45212f2777e..9d9fac583dd3 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef __KERNEL__ #include @@ -135,7 +136,7 @@ static inline bool is_key_possessed(const key_ref_t key_ref) * - Kerberos TGTs and tickets */ struct key { - atomic_t usage; /* number of references */ + refcount_t usage; /* number of references */ key_serial_t serial; /* key serial number */ union { struct list_head graveyard_link; @@ -242,7 +243,7 @@ extern void key_put(struct key *key); static inline struct key *__key_get(struct key *key) { - atomic_inc(&key->usage); + refcount_inc(&key->usage); return key; } diff --git a/security/keys/gc.c b/security/keys/gc.c index addf060399e0..44789256c88c 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -220,7 +220,7 @@ continue_scanning: key = rb_entry(cursor, struct key, serial_node); cursor = rb_next(cursor); - if (atomic_read(&key->usage) == 0) + if (refcount_read(&key->usage) == 0) goto found_unreferenced_key; if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) { diff --git a/security/keys/key.c b/security/keys/key.c index 346fbf201c22..ff9244392d35 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -285,7 +285,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, if (!key->index_key.description) goto no_memory_3; - atomic_set(&key->usage, 1); + refcount_set(&key->usage, 1); init_rwsem(&key->sem); lockdep_set_class(&key->sem, &type->lock_class); key->index_key.type = type; @@ -621,7 +621,7 @@ void key_put(struct key *key) if (key) { key_check(key); - if (atomic_dec_and_test(&key->usage)) + if (refcount_dec_and_test(&key->usage)) schedule_work(&key_gc_work); } } @@ -656,7 +656,7 @@ not_found: found: /* pretend it doesn't exist if it is awaiting deletion */ - if (atomic_read(&key->usage) == 0) + if (refcount_read(&key->usage) == 0) goto not_found; /* this races with key_put(), but that doesn't matter since key_put() diff --git a/security/keys/keyring.c b/security/keys/keyring.c index c91e4e0cea08..3d95f7d02ba1 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -1033,7 +1033,7 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check) /* we've got a match but we might end up racing with * key_cleanup() if the keyring is currently 'dead' * (ie. it has a zero usage count) */ - if (!atomic_inc_not_zero(&keyring->usage)) + if (!refcount_inc_not_zero(&keyring->usage)) continue; keyring->last_used_at = current_kernel_time().tv_sec; goto out; @@ -1250,14 +1250,14 @@ int key_link(struct key *keyring, struct key *key) struct assoc_array_edit *edit; int ret; - kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage)); + kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage)); key_check(keyring); key_check(key); ret = __key_link_begin(keyring, &key->index_key, &edit); if (ret == 0) { - kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); + kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage)); ret = __key_link_check_restriction(keyring, key); if (ret == 0) ret = __key_link_check_live_key(keyring, key); @@ -1266,7 +1266,7 @@ int key_link(struct key *keyring, struct key *key) __key_link_end(keyring, &key->index_key, edit); } - kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage)); + kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage)); return ret; } EXPORT_SYMBOL(key_link); diff --git a/security/keys/proc.c b/security/keys/proc.c index b9f531c9e4fa..69199f18bfb3 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -252,7 +252,7 @@ static int proc_keys_show(struct seq_file *m, void *v) showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), showflag(key, 'N', KEY_FLAG_NEGATIVE), showflag(key, 'i', KEY_FLAG_INVALIDATED), - atomic_read(&key->usage), + refcount_read(&key->usage), xbuf, key->perm, from_kuid_munged(seq_user_ns(m), key->uid), diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 6bbe2f535f08..0f062156dfb2 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -213,7 +213,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, if (ret < 0) goto error_inst; - kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage)); + kleave(" = {%d,%d}", authkey->serial, refcount_read(&authkey->usage)); return authkey; auth_key_revoked: From ddb99e118e37f324a4be65a411bb60ae62795cf9 Mon Sep 17 00:00:00 2001 From: Elena Reshetova Date: Fri, 31 Mar 2017 15:20:49 +0300 Subject: [PATCH 43/98] security, keys: convert key_user.usage from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Acked-by: David Howells Signed-off-by: James Morris --- security/keys/internal.h | 3 ++- security/keys/key.c | 6 +++--- security/keys/proc.c | 2 +- security/keys/process_keys.c | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/security/keys/internal.h b/security/keys/internal.h index a2f4c0abb8d8..6bee06ae026d 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -17,6 +17,7 @@ #include #include #include +#include struct iovec; @@ -53,7 +54,7 @@ struct key_user { struct rb_node node; struct mutex cons_lock; /* construction initiation lock */ spinlock_t lock; - atomic_t usage; /* for accessing qnkeys & qnbytes */ + refcount_t usage; /* for accessing qnkeys & qnbytes */ atomic_t nkeys; /* number of keys */ atomic_t nikeys; /* number of instantiated keys */ kuid_t uid; diff --git a/security/keys/key.c b/security/keys/key.c index ff9244392d35..b4958b36fa27 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -93,7 +93,7 @@ try_again: /* if we get here, then the user record still hadn't appeared on the * second pass - so we use the candidate record */ - atomic_set(&candidate->usage, 1); + refcount_set(&candidate->usage, 1); atomic_set(&candidate->nkeys, 0); atomic_set(&candidate->nikeys, 0); candidate->uid = uid; @@ -110,7 +110,7 @@ try_again: /* okay - we found a user record for this UID */ found: - atomic_inc(&user->usage); + refcount_inc(&user->usage); spin_unlock(&key_user_lock); kfree(candidate); out: @@ -122,7 +122,7 @@ out: */ void key_user_put(struct key_user *user) { - if (atomic_dec_and_lock(&user->usage, &key_user_lock)) { + if (refcount_dec_and_lock(&user->usage, &key_user_lock)) { rb_erase(&user->node, &key_user_tree); spin_unlock(&key_user_lock); diff --git a/security/keys/proc.c b/security/keys/proc.c index 69199f18bfb3..bf08d02b6646 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -340,7 +340,7 @@ static int proc_key_users_show(struct seq_file *m, void *v) seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n", from_kuid_munged(seq_user_ns(m), user->uid), - atomic_read(&user->usage), + refcount_read(&user->usage), atomic_read(&user->nkeys), atomic_read(&user->nikeys), user->qnkeys, diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index b6fdd22205b1..44451af828c0 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -30,7 +30,7 @@ static DEFINE_MUTEX(key_user_keyring_mutex); /* The root user's tracking struct */ struct key_user root_key_user = { - .usage = ATOMIC_INIT(3), + .usage = REFCOUNT_INIT(3), .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), .nkeys = ATOMIC_INIT(2), From 734114f8782f6c3398762f2353fe9101d87b6d06 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 3 Apr 2017 16:07:24 +0100 Subject: [PATCH 44/98] KEYS: Add a system blacklist keyring Add the following: (1) A new system keyring that is used to store information about blacklisted certificates and signatures. (2) A new key type (called 'blacklist') that is used to store a blacklisted hash in its description as a hex string. The key accepts no payload. (3) The ability to configure a list of blacklisted hashes into the kernel at build time. This is done by setting CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes that are in the form: "", "", ..., "" where each is a hex string representation of the hash and must include all necessary leading zeros to pad the hash to the right size. The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING. Once the kernel is booted, the blacklist keyring can be listed: root@andromeda ~]# keyctl show %:.blacklist Keyring 723359729 ---lswrv 0 0 keyring: .blacklist 676257228 ---lswrv 0 0 \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 The blacklist cannot currently be modified by userspace, but it will be possible to load it, for example, from the UEFI blacklist database. A later commit will make it possible to load blacklisted asymmetric keys in here too. Signed-off-by: David Howells --- certs/Kconfig | 18 ++++ certs/Makefile | 6 ++ certs/blacklist.c | 174 ++++++++++++++++++++++++++++++++++ certs/blacklist.h | 3 + certs/blacklist_hashes.c | 6 ++ certs/blacklist_nohashes.c | 5 + include/keys/system_keyring.h | 12 +++ 7 files changed, 224 insertions(+) create mode 100644 certs/blacklist.c create mode 100644 certs/blacklist.h create mode 100644 certs/blacklist_hashes.c create mode 100644 certs/blacklist_nohashes.c diff --git a/certs/Kconfig b/certs/Kconfig index fc5955f5fc8a..6ce51ede9e9b 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -64,4 +64,22 @@ config SECONDARY_TRUSTED_KEYRING those keys are not blacklisted and are vouched for by a key built into the kernel or already in the secondary trusted keyring. +config SYSTEM_BLACKLIST_KEYRING + bool "Provide system-wide ring of blacklisted keys" + depends on KEYS + help + Provide a system keyring to which blacklisted keys can be added. + Keys in the keyring are considered entirely untrusted. Keys in this + keyring are used by the module signature checking to reject loading + of modules signed with a blacklisted key. + +config SYSTEM_BLACKLIST_HASH_LIST + string "Hashes to be preloaded into the system blacklist keyring" + depends on SYSTEM_BLACKLIST_KEYRING + help + If set, this option should be the filename of a list of hashes in the + form "", "", ... . This will be included into a C + wrapper to incorporate the list into the kernel. Each should + be a string of hex digits. + endmenu diff --git a/certs/Makefile b/certs/Makefile index 2773c4afa24c..4119bb376ea1 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -3,6 +3,12 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o +ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o +else +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o +endif ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) diff --git a/certs/blacklist.c b/certs/blacklist.c new file mode 100644 index 000000000000..3eddce0e307a --- /dev/null +++ b/certs/blacklist.c @@ -0,0 +1,174 @@ +/* System hash blacklist. + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#define pr_fmt(fmt) "blacklist: "fmt +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "blacklist.h" + +static struct key *blacklist_keyring; + +/* + * The description must be a type prefix, a colon and then an even number of + * hex digits. The hash is kept in the description. + */ +static int blacklist_vet_description(const char *desc) +{ + int n = 0; + + if (*desc == ':') + return -EINVAL; + for (; *desc; desc++) + if (*desc == ':') + goto found_colon; + return -EINVAL; + +found_colon: + desc++; + for (; *desc; desc++) { + if (!isxdigit(*desc)) + return -EINVAL; + n++; + } + + if (n == 0 || n & 1) + return -EINVAL; + return 0; +} + +/* + * The hash to be blacklisted is expected to be in the description. There will + * be no payload. + */ +static int blacklist_preparse(struct key_preparsed_payload *prep) +{ + if (prep->datalen > 0) + return -EINVAL; + return 0; +} + +static void blacklist_free_preparse(struct key_preparsed_payload *prep) +{ +} + +static void blacklist_describe(const struct key *key, struct seq_file *m) +{ + seq_puts(m, key->description); +} + +static struct key_type key_type_blacklist = { + .name = "blacklist", + .vet_description = blacklist_vet_description, + .preparse = blacklist_preparse, + .free_preparse = blacklist_free_preparse, + .instantiate = generic_key_instantiate, + .describe = blacklist_describe, +}; + +/** + * mark_hash_blacklisted - Add a hash to the system blacklist + * @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783") + */ +int mark_hash_blacklisted(const char *hash) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(blacklist_keyring, true), + "blacklist", + hash, + NULL, + 0, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN); + if (IS_ERR(key)) { + pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + return 0; +} + +/** + * is_hash_blacklisted - Determine if a hash is blacklisted + * @hash: The hash to be checked as a binary blob + * @hash_len: The length of the binary hash + * @type: Type of hash + */ +int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) +{ + key_ref_t kref; + size_t type_len = strlen(type); + char *buffer, *p; + int ret = 0; + + buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + p = memcpy(buffer, type, type_len); + p += type_len; + *p++ = ':'; + bin2hex(p, hash, hash_len); + p += hash_len * 2; + *p = 0; + + kref = keyring_search(make_key_ref(blacklist_keyring, true), + &key_type_blacklist, buffer); + if (!IS_ERR(kref)) { + key_ref_put(kref); + ret = -EKEYREJECTED; + } + + kfree(buffer); + return ret; +} +EXPORT_SYMBOL_GPL(is_hash_blacklisted); + +/* + * Intialise the blacklist + */ +static int __init blacklist_init(void) +{ + const char *const *bl; + + if (register_key_type(&key_type_blacklist) < 0) + panic("Can't allocate system blacklist key type\n"); + + blacklist_keyring = + keyring_alloc(".blacklist", + KUIDT_INIT(0), KGIDT_INIT(0), + current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_SEARCH, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_FLAG_KEEP, + NULL, NULL); + if (IS_ERR(blacklist_keyring)) + panic("Can't allocate system blacklist keyring\n"); + + for (bl = blacklist_hashes; *bl; bl++) + if (mark_hash_blacklisted(*bl) < 0) + pr_err("- blacklisting failed\n"); + return 0; +} + +/* + * Must be initialised before we try and load the keys into the keyring. + */ +device_initcall(blacklist_init); diff --git a/certs/blacklist.h b/certs/blacklist.h new file mode 100644 index 000000000000..150d82da8e99 --- /dev/null +++ b/certs/blacklist.h @@ -0,0 +1,3 @@ +#include + +extern const char __initdata *const blacklist_hashes[]; diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c new file mode 100644 index 000000000000..5bd449f7db17 --- /dev/null +++ b/certs/blacklist_hashes.c @@ -0,0 +1,6 @@ +#include "blacklist.h" + +const char __initdata *const blacklist_hashes[] = { +#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST + , NULL +}; diff --git a/certs/blacklist_nohashes.c b/certs/blacklist_nohashes.c new file mode 100644 index 000000000000..851de10706a5 --- /dev/null +++ b/certs/blacklist_nohashes.c @@ -0,0 +1,5 @@ +#include "blacklist.h" + +const char __initdata *const blacklist_hashes[] = { + NULL +}; diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fbd4647767e9..0d8762622ab9 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -33,6 +33,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING +extern int mark_hash_blacklisted(const char *hash); +extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, + const char *type); +#else +static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, + const char *type) +{ + return 0; +} +#endif + #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring; From 436529562df2748fd9918f578205b22cf8ced277 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 3 Apr 2017 16:07:25 +0100 Subject: [PATCH 45/98] X.509: Allow X.509 certs to be blacklisted Allow X.509 certs to be blacklisted based on their TBSCertificate hash. This is convenient since we have to determine this anyway to be able to check the signature on an X.509 certificate. This is also what UEFI uses in its blacklist. If a certificate built into the kernel is blacklisted, something like the following might then be seen during boot: X.509: Cert 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 is blacklisted Problem loading in-kernel X.509 certificate (-129) where the hex string shown is the blacklisted hash. Signed-off-by: David Howells --- crypto/asymmetric_keys/x509_parser.h | 1 + crypto/asymmetric_keys/x509_public_key.c | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 05eef1c68881..e373e7483812 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -42,6 +42,7 @@ struct x509_certificate { bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool unsupported_key; /* T if key uses unsupported crypto */ bool unsupported_sig; /* T if signature uses unsupported crypto */ + bool blacklisted; }; /* diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index fb732296cd36..eea71dc9686c 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -84,6 +84,16 @@ int x509_get_sig_params(struct x509_certificate *cert) goto error_2; might_sleep(); ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest); + if (ret < 0) + goto error_2; + + ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs"); + if (ret == -EKEYREJECTED) { + pr_err("Cert %*phN is blacklisted\n", + sig->digest_size, sig->digest); + cert->blacklisted = true; + ret = 0; + } error_2: kfree(desc); @@ -186,6 +196,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) cert->sig->pkey_algo, cert->sig->hash_algo); } + /* Don't permit addition of blacklisted keys */ + ret = -EKEYREJECTED; + if (cert->blacklisted) + goto error_free_cert; + /* Propose a description */ sulen = strlen(cert->subject); if (cert->raw_skid) { From 03bb79315ddc8972b1af71539799450acbc1be4f Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 3 Apr 2017 16:07:25 +0100 Subject: [PATCH 46/98] PKCS#7: Handle blacklisted certificates PKCS#7: Handle certificates that are blacklisted when verifying the chain of trust on the signatures on a PKCS#7 message. Signed-off-by: David Howells --- crypto/asymmetric_keys/pkcs7_parser.h | 1 + crypto/asymmetric_keys/pkcs7_verify.c | 32 ++++++++++++++++++++------- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h index f4e81074f5e0..ac341e19e530 100644 --- a/crypto/asymmetric_keys/pkcs7_parser.h +++ b/crypto/asymmetric_keys/pkcs7_parser.h @@ -23,6 +23,7 @@ struct pkcs7_signed_info { struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ unsigned index; bool unsupported_crypto; /* T if not usable due to missing crypto */ + bool blacklisted; /* Message digest - the digest of the Content Data (or NULL) */ const void *msgdigest; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 2ffd69769466..2d93d9eccb4d 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -190,6 +190,18 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, x509->subject, x509->raw_serial_size, x509->raw_serial); x509->seen = true; + + if (x509->blacklisted) { + /* If this cert is blacklisted, then mark everything + * that depends on this as blacklisted too. + */ + sinfo->blacklisted = true; + for (p = sinfo->signer; p != x509; p = p->signer) + p->blacklisted = true; + pr_debug("- blacklisted\n"); + return 0; + } + if (x509->unsupported_key) goto unsupported_crypto_in_x509; @@ -357,17 +369,19 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7, * * (*) -EBADMSG if some part of the message was invalid, or: * - * (*) -ENOPKG if none of the signature chains are verifiable because suitable - * crypto modules couldn't be found, or: + * (*) 0 if no signature chains were found to be blacklisted or to contain + * unsupported crypto, or: * - * (*) 0 if all the signature chains that don't incur -ENOPKG can be verified - * (note that a signature chain may be of zero length), or: + * (*) -EKEYREJECTED if a blacklisted key was encountered, or: + * + * (*) -ENOPKG if none of the signature chains are verifiable because suitable + * crypto modules couldn't be found. */ int pkcs7_verify(struct pkcs7_message *pkcs7, enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; - int enopkg = -ENOPKG; + int actual_ret = -ENOPKG; int ret; kenter(""); @@ -412,6 +426,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { ret = pkcs7_verify_one(pkcs7, sinfo); + if (sinfo->blacklisted && actual_ret == -ENOPKG) + actual_ret = -EKEYREJECTED; if (ret < 0) { if (ret == -ENOPKG) { sinfo->unsupported_crypto = true; @@ -420,11 +436,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, kleave(" = %d", ret); return ret; } - enopkg = 0; + actual_ret = 0; } - kleave(" = %d", enopkg); - return enopkg; + kleave(" = %d", actual_ret); + return actual_ret; } EXPORT_SYMBOL_GPL(pkcs7_verify); From 469ff8f7d46d75b36de68a0411a2ce80109ad00b Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Mon, 25 Apr 2016 11:30:39 -0700 Subject: [PATCH 47/98] KEYS: Use a typedef for restrict_link function pointers This pointer type needs to be returned from a lookup function, and without a typedef the syntax gets cumbersome. Signed-off-by: Mat Martineau --- Documentation/security/keys.txt | 5 +---- include/linux/key.h | 16 +++++++--------- security/keys/key.c | 8 ++------ security/keys/keyring.c | 4 +--- 4 files changed, 11 insertions(+), 22 deletions(-) diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 0e03baf271bd..4502237b12a7 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -1032,10 +1032,7 @@ payload contents" for more information. struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, const struct cred *cred, key_perm_t perm, - int (*restrict_link)(struct key *, - const struct key_type *, - unsigned long, - const union key_payload *), + key_restrict_link_func_t restrict_link, unsigned long flags, struct key *dest); diff --git a/include/linux/key.h b/include/linux/key.h index 9d9fac583dd3..3bb327043869 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -127,6 +127,10 @@ static inline bool is_key_possessed(const key_ref_t key_ref) return (unsigned long) key_ref & 1UL; } +typedef int (*key_restrict_link_func_t)(struct key *keyring, + const struct key_type *type, + const union key_payload *payload); + /*****************************************************************************/ /* * authentication token / access credential / keyring @@ -215,9 +219,7 @@ struct key { * overrides this, allowing the kernel to add extra keys without * restriction. */ - int (*restrict_link)(struct key *keyring, - const struct key_type *type, - const union key_payload *payload); + key_restrict_link_func_t restrict_link; }; extern struct key *key_alloc(struct key_type *type, @@ -226,9 +228,7 @@ extern struct key *key_alloc(struct key_type *type, const struct cred *cred, key_perm_t perm, unsigned long flags, - int (*restrict_link)(struct key *, - const struct key_type *, - const union key_payload *)); + key_restrict_link_func_t restrict_link); #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ @@ -304,9 +304,7 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid const struct cred *cred, key_perm_t perm, unsigned long flags, - int (*restrict_link)(struct key *, - const struct key_type *, - const union key_payload *), + key_restrict_link_func_t restrict_link, struct key *dest); extern int restrict_link_reject(struct key *keyring, diff --git a/security/keys/key.c b/security/keys/key.c index b4958b36fa27..08dfa13f6a85 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -225,9 +225,7 @@ serial_exists: struct key *key_alloc(struct key_type *type, const char *desc, kuid_t uid, kgid_t gid, const struct cred *cred, key_perm_t perm, unsigned long flags, - int (*restrict_link)(struct key *, - const struct key_type *, - const union key_payload *)) + key_restrict_link_func_t restrict_link) { struct key_user *user = NULL; struct key *key; @@ -806,9 +804,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, struct key *keyring, *key = NULL; key_ref_t key_ref; int ret; - int (*restrict_link)(struct key *, - const struct key_type *, - const union key_payload *) = NULL; + key_restrict_link_func_t restrict_link = NULL; /* look up the key type to see if it's one of the registered kernel * types */ diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 3d95f7d02ba1..1b29ac759bf7 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -492,9 +492,7 @@ static long keyring_read(const struct key *keyring, struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, const struct cred *cred, key_perm_t perm, unsigned long flags, - int (*restrict_link)(struct key *, - const struct key_type *, - const union key_payload *), + key_restrict_link_func_t restrict_link, struct key *dest) { struct key *keyring; From aaf66c883813f0078e3dafe7d20d1461321ac14f Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Tue, 30 Aug 2016 11:33:13 -0700 Subject: [PATCH 48/98] KEYS: Split role of the keyring pointer for keyring restrict functions The first argument to the restrict_link_func_t functions was a keyring pointer. These functions are called by the key subsystem with this argument set to the destination keyring, but restrict_link_by_signature expects a pointer to the relevant trusted keyring. Restrict functions may need something other than a single struct key pointer to allow or reject key linkage, so the data used to make that decision (such as the trust keyring) is moved to a new, fourth argument. The first argument is now always the destination keyring. Signed-off-by: Mat Martineau --- Documentation/security/keys.txt | 8 ++++---- certs/system_keyring.c | 18 +++++++++++------- crypto/asymmetric_keys/restrict.c | 8 +++++--- include/crypto/public_key.h | 5 +++-- include/keys/system_keyring.h | 6 ++++-- include/linux/key.h | 8 +++++--- security/keys/key.c | 5 +++-- security/keys/keyring.c | 6 ++++-- 8 files changed, 39 insertions(+), 25 deletions(-) diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 4502237b12a7..bb575ab80207 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -1054,10 +1054,10 @@ payload contents" for more information. can be verified by a key the kernel already has. When called, the restriction function will be passed the keyring being - added to, the key flags value and the type and payload of the key being - added. Note that when a new key is being created, this is called between - payload preparsing and actual key creation. The function should return 0 - to allow the link or an error to reject it. + added to, the key type, the payload of the key being added, and data to be + used in the restriction check. Note that when a new key is being created, + this is called between payload preparsing and actual key creation. The + function should return 0 to allow the link or an error to reject it. A convenience function, restrict_link_reject, exists to always return -EPERM to in this case. diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 50979d6dcecd..e39cce68dcfa 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -32,11 +32,13 @@ extern __initconst const unsigned long system_certificate_list_size; * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring. */ -int restrict_link_by_builtin_trusted(struct key *keyring, +int restrict_link_by_builtin_trusted(struct key *dest_keyring, const struct key_type *type, - const union key_payload *payload) + const union key_payload *payload, + struct key *restriction_key) { - return restrict_link_by_signature(builtin_trusted_keys, type, payload); + return restrict_link_by_signature(dest_keyring, type, payload, + builtin_trusted_keys); } #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING @@ -49,20 +51,22 @@ int restrict_link_by_builtin_trusted(struct key *keyring, * keyrings. */ int restrict_link_by_builtin_and_secondary_trusted( - struct key *keyring, + struct key *dest_keyring, const struct key_type *type, - const union key_payload *payload) + const union key_payload *payload, + struct key *restrict_key) { /* If we have a secondary trusted keyring, then that contains a link * through to the builtin keyring and the search will follow that link. */ if (type == &key_type_keyring && - keyring == secondary_trusted_keys && + dest_keyring == secondary_trusted_keys && payload == &builtin_trusted_keys->payload) /* Allow the builtin keyring to be added to the secondary */ return 0; - return restrict_link_by_signature(secondary_trusted_keys, type, payload); + return restrict_link_by_signature(dest_keyring, type, payload, + secondary_trusted_keys); } #endif diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 19d1afb9890f..a3afbf783255 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -56,9 +56,10 @@ __setup("ca_keys=", ca_keys_setup); /** * restrict_link_by_signature - Restrict additions to a ring of public keys - * @trust_keyring: A ring of keys that can be used to vouch for the new cert. + * @dest_keyring: Keyring being linked to. * @type: The type of key being added. * @payload: The payload of the new key. + * @trust_keyring: A ring of keys that can be used to vouch for the new cert. * * Check the new certificate against the ones in the trust keyring. If one of * those is the signing key and validates the new certificate, then mark the @@ -69,9 +70,10 @@ __setup("ca_keys=", ca_keys_setup); * signature check fails or the key is blacklisted and some other error if * there is a matching certificate but the signature check cannot be performed. */ -int restrict_link_by_signature(struct key *trust_keyring, +int restrict_link_by_signature(struct key *dest_keyring, const struct key_type *type, - const union key_payload *payload) + const union key_payload *payload, + struct key *trust_keyring) { const struct public_key_signature *sig; struct key *key; diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 882ca0e1e7a5..ec0262fa08f8 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -50,9 +50,10 @@ struct key; struct key_type; union key_payload; -extern int restrict_link_by_signature(struct key *trust_keyring, +extern int restrict_link_by_signature(struct key *dest_keyring, const struct key_type *type, - const union key_payload *payload); + const union key_payload *payload, + struct key *trust_keyring); extern int verify_signature(const struct key *key, const struct public_key_signature *sig); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 0d8762622ab9..359c2f936004 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -18,7 +18,8 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, - const union key_payload *payload); + const union key_payload *payload, + struct key *restriction_key); #else #define restrict_link_by_builtin_trusted restrict_link_reject @@ -28,7 +29,8 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, extern int restrict_link_by_builtin_and_secondary_trusted( struct key *keyring, const struct key_type *type, - const union key_payload *payload); + const union key_payload *payload, + struct key *restriction_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif diff --git a/include/linux/key.h b/include/linux/key.h index 3bb327043869..c59d1008c4fc 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -127,9 +127,10 @@ static inline bool is_key_possessed(const key_ref_t key_ref) return (unsigned long) key_ref & 1UL; } -typedef int (*key_restrict_link_func_t)(struct key *keyring, +typedef int (*key_restrict_link_func_t)(struct key *dest_keyring, const struct key_type *type, - const union key_payload *payload); + const union key_payload *payload, + struct key *restriction_key); /*****************************************************************************/ /* @@ -309,7 +310,8 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid extern int restrict_link_reject(struct key *keyring, const struct key_type *type, - const union key_payload *payload); + const union key_payload *payload, + struct key *restriction_key); extern int keyring_clear(struct key *keyring); diff --git a/security/keys/key.c b/security/keys/key.c index 08dfa13f6a85..27fc1bb40034 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -499,7 +499,7 @@ int key_instantiate_and_link(struct key *key, if (keyring) { if (keyring->restrict_link) { ret = keyring->restrict_link(keyring, key->type, - &prep.payload); + &prep.payload, NULL); if (ret < 0) goto error; } @@ -851,7 +851,8 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, index_key.desc_len = strlen(index_key.description); if (restrict_link) { - ret = restrict_link(keyring, index_key.type, &prep.payload); + ret = restrict_link(keyring, index_key.type, &prep.payload, + NULL); if (ret < 0) { key_ref = ERR_PTR(ret); goto error_free_prep; diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 1b29ac759bf7..2ccc66ec35d7 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -517,6 +517,7 @@ EXPORT_SYMBOL(keyring_alloc); * @keyring: The keyring being added to. * @type: The type of key being added. * @payload: The payload of the key intended to be added. + * @data: Additional data for evaluating restriction. * * Reject the addition of any links to a keyring. It can be overridden by * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when @@ -527,7 +528,8 @@ EXPORT_SYMBOL(keyring_alloc); */ int restrict_link_reject(struct key *keyring, const struct key_type *type, - const union key_payload *payload) + const union key_payload *payload, + struct key *restriction_key) { return -EPERM; } @@ -1220,7 +1222,7 @@ static int __key_link_check_restriction(struct key *keyring, struct key *key) { if (!keyring->restrict_link) return 0; - return keyring->restrict_link(keyring, key->type, &key->payload); + return keyring->restrict_link(keyring, key->type, &key->payload, NULL); } /** From e9cc0f689a7c0c9be6fed6861b3a3f49ad0e7a52 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Mon, 27 Jun 2016 16:10:59 -0700 Subject: [PATCH 49/98] KEYS: Add a key restriction struct Key link restrictions require restriction-specific data as well as a restriction-specific function pointer. As a first step toward replacing the restrict_link pointer in struct key, define a more general key_restriction structure that captures the required function, key, and key type pointers. Key type modules should not be pinned on account of this key type pointer because the pointer will be cleared by the garbage collector if the key type is unregistered. Signed-off-by: Mat Martineau --- include/linux/key.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/linux/key.h b/include/linux/key.h index c59d1008c4fc..a06649f3223d 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -132,6 +132,12 @@ typedef int (*key_restrict_link_func_t)(struct key *dest_keyring, const union key_payload *payload, struct key *restriction_key); +struct key_restriction { + key_restrict_link_func_t check; + struct key *key; + struct key_type *keytype; +}; + /*****************************************************************************/ /* * authentication token / access credential / keyring From 302a6ad7fc77146191126a1f3e2c5d724fd72416 Mon Sep 17 00:00:00 2001 From: Alexander Steffen Date: Thu, 16 Feb 2017 15:33:36 +0000 Subject: [PATCH 50/98] tpm_tis_core: Choose appropriate timeout for reading burstcount TIS v1.3 for TPM 1.2 and PTP for TPM 2.0 disagree about which timeout value applies to reading a valid burstcount. It is TIMEOUT_D according to TIS, but TIMEOUT_A according to PTP, so choose the appropriate value depending on whether we deal with a TPM 1.2 or a TPM 2.0. This is important since according to the PTP TIMEOUT_D is much smaller than TIMEOUT_A. So the previous implementation could run into timeouts with a TPM 2.0, even though the TPM was behaving perfectly fine. During tpm2_probe TIMEOUT_D will be used even with a TPM 2.0, because TPM_CHIP_FLAG_TPM2 is not yet set. This is fine, since the timeout values will only be changed afterwards by tpm_get_timeouts. Until then TIS_TIMEOUT_D_MAX applies, which is large enough. Cc: stable@vger.kernel.org Fixes: aec04cbdf723 ("tpm: TPM 2.0 FIFO Interface") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index c0f296b5d413..fc0e9a2734ed 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -160,8 +160,10 @@ static int get_burstcount(struct tpm_chip *chip) u32 value; /* wait for burstcount */ - /* which timeout value, spec has 2 answers (c & d) */ - stop = jiffies + chip->timeout_d; + if (chip->flags & TPM_CHIP_FLAG_TPM2) + stop = jiffies + chip->timeout_a; + else + stop = jiffies + chip->timeout_d; do { rc = tpm_tis_read32(priv, TPM_STS(priv->locality), &value); if (rc < 0) From b4e2eb0651ac3180a942d378b040c5cc045113ee Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe Date: Tue, 21 Feb 2017 14:14:24 -0700 Subject: [PATCH 51/98] tpm crb: Work around BIOS's that report the wrong ACPI region size The expectation is that the if the CRB cmd/rsp buffer falls within the ACPI region that the entire buffer will be within the reason. Otherwise resource reservation will fail when it crosses regions. Work around this BIOS bug by limiting the cmd/rsp buffer to the length of the declared ACPI region. BIOS vendors should fix this by making the ACPI and register length declarations consistent. Reported-by: Davide Guerri Signed-off-by: Jason Gunthorpe Reviewed-by: Jarkko Sakkinen Tested-by: Davide Guerri Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 86f355b6df1d..421dfa959a4f 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -295,6 +295,27 @@ static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv, return priv->iobase + (new_res.start - io_res->start); } +/* + * Work around broken BIOSs that return inconsistent values from the ACPI + * region vs the registers. Trust the ACPI region. Such broken systems + * probably cannot send large TPM commands since the buffer will be truncated. + */ +static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res, + u64 start, u64 size) +{ + if (io_res->start > start || io_res->end < start) + return size; + + if (start + size - 1 <= io_res->end) + return size; + + dev_err(dev, + FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n", + io_res, start, size); + + return io_res->end - start + 1; +} + static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, struct acpi_table_tpm2 *buf) { @@ -340,7 +361,8 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, pa_high = ioread32(&priv->cca->cmd_pa_high); pa_low = ioread32(&priv->cca->cmd_pa_low); cmd_pa = ((u64)pa_high << 32) | pa_low; - cmd_size = ioread32(&priv->cca->cmd_size); + cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa, + ioread32(&priv->cca->cmd_size)); dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", pa_high, pa_low, cmd_size); @@ -353,7 +375,8 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, memcpy_fromio(&rsp_pa, &priv->cca->rsp_pa, 8); rsp_pa = le64_to_cpu(rsp_pa); - rsp_size = ioread32(&priv->cca->rsp_size); + rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa, + ioread32(&priv->cca->rsp_size)); if (cmd_pa != rsp_pa) { priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); From a233a0289cf9a96ef9b42c730a7621ccbf9a6f98 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 10 Mar 2017 13:45:53 -0500 Subject: [PATCH 52/98] tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver Commit 500462a9de65 "timers: Switch to a non-cascading wheel" replaced the 'classic' timer wheel, which aimed for near 'exact' expiry of the timers. Their analysis was that the vast majority of timeout timers are used as safeguards, not as real timers, and are cancelled or rearmed before expiration. The only exception noted to this were networking timers with a small expiry time. Not included in the analysis was the TPM polling timer, which resulted in a longer normal delay and, every so often, a very long delay. The non-cascading wheel delay is based on CONFIG_HZ. For a description of the different rings and their delays, refer to the comments in kernel/time/timer.c. Below are the delays given for rings 0 - 2, which explains the longer "normal" delays and the very, long delays as seen on systems with CONFIG_HZ 250. * HZ 1000 steps * Level Offset Granularity Range * 0 0 1 ms 0 ms - 63 ms * 1 64 8 ms 64 ms - 511 ms * 2 128 64 ms 512 ms - 4095 ms (512ms - ~4s) * HZ 250 * Level Offset Granularity Range * 0 0 4 ms 0 ms - 255 ms * 1 64 32 ms 256 ms - 2047 ms (256ms - ~2s) * 2 128 256 ms 2048 ms - 16383 ms (~2s - ~16s) Below is a comparison of extending the TPM with 1000 measurements, using msleep() vs. usleep_delay() when configured for 1000 hz vs. 250 hz, before and after commit 500462a9de65. linux-4.7 | msleep() usleep_range() 1000 hz: 0m44.628s | 1m34.497s 29.243s 250 hz: 1m28.510s | 4m49.269s 32.386s linux-4.7 | min-max (msleep) min-max (usleep_range) 1000 hz: 0:017 - 2:760s | 0:015 - 3:967s 0:014 - 0:418s 250 hz: 0:028 - 1:954s | 0:040 - 4:096s 0:016 - 0:816s This patch replaces the msleep() with usleep_range() calls in the i2c nuvoton driver with a consistent max range value. Signed-of-by: Mimi Zohar Cc: stable@vger.kernel.org (linux-4.8) Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_i2c_nuvoton.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c index e3a9155ee671..0c98c424d792 100644 --- a/drivers/char/tpm/tpm_i2c_nuvoton.c +++ b/drivers/char/tpm/tpm_i2c_nuvoton.c @@ -49,9 +49,10 @@ */ #define TPM_I2C_MAX_BUF_SIZE 32 #define TPM_I2C_RETRY_COUNT 32 -#define TPM_I2C_BUS_DELAY 1 /* msec */ -#define TPM_I2C_RETRY_DELAY_SHORT 2 /* msec */ -#define TPM_I2C_RETRY_DELAY_LONG 10 /* msec */ +#define TPM_I2C_BUS_DELAY 1000 /* usec */ +#define TPM_I2C_RETRY_DELAY_SHORT (2 * 1000) /* usec */ +#define TPM_I2C_RETRY_DELAY_LONG (10 * 1000) /* usec */ +#define TPM_I2C_DELAY_RANGE 300 /* usec */ #define OF_IS_TPM2 ((void *)1) #define I2C_IS_TPM2 1 @@ -123,7 +124,8 @@ static s32 i2c_nuvoton_write_status(struct i2c_client *client, u8 data) /* this causes the current command to be aborted */ for (i = 0, status = -1; i < TPM_I2C_RETRY_COUNT && status < 0; i++) { status = i2c_nuvoton_write_buf(client, TPM_STS, 1, &data); - msleep(TPM_I2C_BUS_DELAY); + usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY + + TPM_I2C_DELAY_RANGE); } return status; } @@ -160,7 +162,8 @@ static int i2c_nuvoton_get_burstcount(struct i2c_client *client, burst_count = min_t(u8, TPM_I2C_MAX_BUF_SIZE, data); break; } - msleep(TPM_I2C_BUS_DELAY); + usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY + + TPM_I2C_DELAY_RANGE); } while (time_before(jiffies, stop)); return burst_count; @@ -203,13 +206,17 @@ static int i2c_nuvoton_wait_for_stat(struct tpm_chip *chip, u8 mask, u8 value, return 0; /* use polling to wait for the event */ - ten_msec = jiffies + msecs_to_jiffies(TPM_I2C_RETRY_DELAY_LONG); + ten_msec = jiffies + usecs_to_jiffies(TPM_I2C_RETRY_DELAY_LONG); stop = jiffies + timeout; do { if (time_before(jiffies, ten_msec)) - msleep(TPM_I2C_RETRY_DELAY_SHORT); + usleep_range(TPM_I2C_RETRY_DELAY_SHORT, + TPM_I2C_RETRY_DELAY_SHORT + + TPM_I2C_DELAY_RANGE); else - msleep(TPM_I2C_RETRY_DELAY_LONG); + usleep_range(TPM_I2C_RETRY_DELAY_LONG, + TPM_I2C_RETRY_DELAY_LONG + + TPM_I2C_DELAY_RANGE); status_valid = i2c_nuvoton_check_status(chip, mask, value); if (status_valid) From 4bf4b4ed9de40eb58232a9f576391fdc5e13a7b4 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 28 Feb 2017 22:12:55 +0100 Subject: [PATCH 53/98] tpm: select CONFIG_CRYPTO We get a newly introduced harmless warning when CONFIG_CRYPTO is disabled: warning: (TCG_TPM && TRUSTED_KEYS && IMA) selects CRYPTO_HASH_INFO which has unmet direct dependencies (CRYPTO) This adds another select to avoid the warning, consistent with other users of the crypto code. Fixes: c1f92b4b04ad ("tpm: enhance TPM 2.0 PCR extend to support multiple banks") Signed-off-by: Arnd Bergmann Reviewed-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index af985cca413c..d520ac51c11c 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -6,6 +6,7 @@ menuconfig TCG_TPM tristate "TPM Hardware Support" depends on HAS_IOMEM select SECURITYFS + select CRYPTO select CRYPTO_HASH_INFO ---help--- If you have a TPM security chip in your system, which From 095fc30c2c8d2c63ec88745f57711f05af617581 Mon Sep 17 00:00:00 2001 From: "Winkler, Tomas" Date: Mon, 6 Mar 2017 01:53:35 +0200 Subject: [PATCH 54/98] tpm/tpm_crb: enter the low power state upon device suspend This fix enables a platform to enter the idle state (suspend-to-idle) The driver needs to request explicitly go_idle upon completion from the pm suspend handler. The runtime pm is disabled on suspend during prepare state by calling pm_runtime_get_noresume, hence we cannot relay on runtime pm to leave the device in low power state. Symmetrically cmdReady is called upon resume. Signed-off-by: Tomas Winkler Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Siged-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 421dfa959a4f..cb6fb131963f 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -502,10 +502,33 @@ static int crb_pm_runtime_resume(struct device *dev) return crb_cmd_ready(dev, priv); } + +static int crb_pm_suspend(struct device *dev) +{ + int ret; + + ret = tpm_pm_suspend(dev); + if (ret) + return ret; + + return crb_pm_runtime_suspend(dev); +} + +static int crb_pm_resume(struct device *dev) +{ + int ret; + + ret = crb_pm_runtime_resume(dev); + if (ret) + return ret; + + return tpm_pm_resume(dev); +} + #endif /* CONFIG_PM */ static const struct dev_pm_ops crb_pm = { - SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume) + SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume) SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) }; From f848f2143ae42dc0918400039257a893835254d1 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 2 Mar 2017 13:03:11 +0000 Subject: [PATCH 55/98] tpm_tis_spi: Use single function to transfer data The algorithm for sending data to the TPM is mostly identical to the algorithm for receiving data from the TPM, so a single function is sufficient to handle both cases. This is a prequisite for all the other fixes, so we don't have to fix everything twice (send/receive) v2: u16 instead of u8 for the length. Cc: Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Benoit Houyere Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_spi.c | 87 ++++++++++------------------------ 1 file changed, 24 insertions(+), 63 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c index 5292e5768a7e..062799e04f04 100644 --- a/drivers/char/tpm/tpm_tis_spi.c +++ b/drivers/char/tpm/tpm_tis_spi.c @@ -47,8 +47,8 @@ struct tpm_tis_spi_phy { struct tpm_tis_data priv; struct spi_device *spi_device; - u8 tx_buf[MAX_SPI_FRAMESIZE + 4]; - u8 rx_buf[MAX_SPI_FRAMESIZE + 4]; + u8 tx_buf[4]; + u8 rx_buf[4]; }; static inline struct tpm_tis_spi_phy *to_tpm_tis_spi_phy(struct tpm_tis_data *data) @@ -56,8 +56,8 @@ static inline struct tpm_tis_spi_phy *to_tpm_tis_spi_phy(struct tpm_tis_data *da return container_of(data, struct tpm_tis_spi_phy, priv); } -static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr, - u16 len, u8 *result) +static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len, + u8 *buffer, u8 direction) { struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); int ret, i; @@ -66,17 +66,17 @@ static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr, .tx_buf = phy->tx_buf, .rx_buf = phy->rx_buf, .len = 4, + .cs_change = 1, }; if (len > MAX_SPI_FRAMESIZE) return -ENOMEM; - phy->tx_buf[0] = 0x80 | (len - 1); + phy->tx_buf[0] = direction | (len - 1); phy->tx_buf[1] = 0xd4; - phy->tx_buf[2] = (addr >> 8) & 0xFF; - phy->tx_buf[3] = addr & 0xFF; + phy->tx_buf[2] = addr >> 8; + phy->tx_buf[3] = addr; - spi_xfer.cs_change = 1; spi_message_init(&m); spi_message_add_tail(&spi_xfer, &m); @@ -85,7 +85,7 @@ static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr, if (ret < 0) goto exit; - memset(phy->tx_buf, 0, len); + phy->tx_buf[0] = 0; /* According to TCG PTP specification, if there is no TPM present at * all, then the design has a weak pull-up on MISO. If a TPM is not @@ -103,7 +103,14 @@ static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr, spi_xfer.cs_change = 0; spi_xfer.len = len; - spi_xfer.rx_buf = result; + + if (direction) { + spi_xfer.tx_buf = NULL; + spi_xfer.rx_buf = buffer; + } else { + spi_xfer.tx_buf = buffer; + spi_xfer.rx_buf = NULL; + } spi_message_init(&m); spi_message_add_tail(&spi_xfer, &m); @@ -114,62 +121,16 @@ exit: return ret; } +static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr, + u16 len, u8 *result) +{ + return tpm_tis_spi_transfer(data, addr, len, result, 0x80); +} + static int tpm_tis_spi_write_bytes(struct tpm_tis_data *data, u32 addr, u16 len, u8 *value) { - struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); - int ret, i; - struct spi_message m; - struct spi_transfer spi_xfer = { - .tx_buf = phy->tx_buf, - .rx_buf = phy->rx_buf, - .len = 4, - }; - - if (len > MAX_SPI_FRAMESIZE) - return -ENOMEM; - - phy->tx_buf[0] = len - 1; - phy->tx_buf[1] = 0xd4; - phy->tx_buf[2] = (addr >> 8) & 0xFF; - phy->tx_buf[3] = addr & 0xFF; - - spi_xfer.cs_change = 1; - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - - spi_bus_lock(phy->spi_device->master); - ret = spi_sync_locked(phy->spi_device, &m); - if (ret < 0) - goto exit; - - memset(phy->tx_buf, 0, len); - - /* According to TCG PTP specification, if there is no TPM present at - * all, then the design has a weak pull-up on MISO. If a TPM is not - * present, a pull-up on MISO means that the SB controller sees a 1, - * and will latch in 0xFF on the read. - */ - for (i = 0; (phy->rx_buf[0] & 0x01) == 0 && i < TPM_RETRY; i++) { - spi_xfer.len = 1; - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - ret = spi_sync_locked(phy->spi_device, &m); - if (ret < 0) - goto exit; - } - - spi_xfer.len = len; - spi_xfer.tx_buf = value; - spi_xfer.cs_change = 0; - spi_xfer.tx_buf = value; - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - ret = spi_sync_locked(phy->spi_device, &m); - -exit: - spi_bus_unlock(phy->spi_device->master); - return ret; + return tpm_tis_spi_transfer(data, addr, len, value, 0); } static int tpm_tis_spi_read16(struct tpm_tis_data *data, u32 addr, u16 *result) From 975094ddc369a32f27210248bdd9bbd153061b00 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 2 Mar 2017 13:03:12 +0000 Subject: [PATCH 56/98] tpm_tis_spi: Abort transfer when too many wait states are signaled Abort the transfer with ETIMEDOUT when the TPM signals more than TPM_RETRY wait states. Continuing with the transfer in this state will only lead to arbitrary failures in other parts of the code. Cc: Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Benoit Houyere Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_spi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c index 062799e04f04..639614f2d415 100644 --- a/drivers/char/tpm/tpm_tis_spi.c +++ b/drivers/char/tpm/tpm_tis_spi.c @@ -101,6 +101,11 @@ static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len, goto exit; } + if (i == TPM_RETRY) { + ret = -ETIMEDOUT; + goto exit; + } + spi_xfer.cs_change = 0; spi_xfer.len = len; From e110cc69dc2ad679d6d478df636b99b14e6fbbc9 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 2 Mar 2017 13:03:13 +0000 Subject: [PATCH 57/98] tpm_tis_spi: Check correct byte for wait state indicator Wait states are signaled in the last byte received from the TPM in response to the header, not the first byte. Check rx_buf[3] instead of rx_buf[0]. Cc: Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Benoit Houyere Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_spi.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c index 639614f2d415..62f50b6c9ef6 100644 --- a/drivers/char/tpm/tpm_tis_spi.c +++ b/drivers/char/tpm/tpm_tis_spi.c @@ -85,25 +85,25 @@ static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len, if (ret < 0) goto exit; - phy->tx_buf[0] = 0; + if ((phy->rx_buf[3] & 0x01) == 0) { + // handle SPI wait states + phy->tx_buf[0] = 0; - /* According to TCG PTP specification, if there is no TPM present at - * all, then the design has a weak pull-up on MISO. If a TPM is not - * present, a pull-up on MISO means that the SB controller sees a 1, - * and will latch in 0xFF on the read. - */ - for (i = 0; (phy->rx_buf[0] & 0x01) == 0 && i < TPM_RETRY; i++) { - spi_xfer.len = 1; - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - ret = spi_sync_locked(phy->spi_device, &m); - if (ret < 0) + for (i = 0; i < TPM_RETRY; i++) { + spi_xfer.len = 1; + spi_message_init(&m); + spi_message_add_tail(&spi_xfer, &m); + ret = spi_sync_locked(phy->spi_device, &m); + if (ret < 0) + goto exit; + if (phy->rx_buf[0] & 0x01) + break; + } + + if (i == TPM_RETRY) { + ret = -ETIMEDOUT; goto exit; - } - - if (i == TPM_RETRY) { - ret = -ETIMEDOUT; - goto exit; + } } spi_xfer.cs_change = 0; From 591e48c26ced7c455751eef27fb5963e902c2137 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 2 Mar 2017 13:03:14 +0000 Subject: [PATCH 58/98] tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes Limiting transfers to MAX_SPI_FRAMESIZE was not expected by the upper layers, as tpm_tis has no such limitation. Add a loop to hide that limitation. v2: Moved scope of spi_message to the top as requested by Jarkko Cc: Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Benoit Houyere Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_spi.c | 111 ++++++++++++++++++--------------- 1 file changed, 60 insertions(+), 51 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c index 62f50b6c9ef6..3015c8b65f18 100644 --- a/drivers/char/tpm/tpm_tis_spi.c +++ b/drivers/char/tpm/tpm_tis_spi.c @@ -60,67 +60,76 @@ static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len, u8 *buffer, u8 direction) { struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); - int ret, i; + int ret = 0; + int i; struct spi_message m; - struct spi_transfer spi_xfer = { - .tx_buf = phy->tx_buf, - .rx_buf = phy->rx_buf, - .len = 4, - .cs_change = 1, - }; - - if (len > MAX_SPI_FRAMESIZE) - return -ENOMEM; - - phy->tx_buf[0] = direction | (len - 1); - phy->tx_buf[1] = 0xd4; - phy->tx_buf[2] = addr >> 8; - phy->tx_buf[3] = addr; - - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); + struct spi_transfer spi_xfer; + u8 transfer_len; spi_bus_lock(phy->spi_device->master); - ret = spi_sync_locked(phy->spi_device, &m); - if (ret < 0) - goto exit; - if ((phy->rx_buf[3] & 0x01) == 0) { - // handle SPI wait states - phy->tx_buf[0] = 0; + while (len) { + transfer_len = min_t(u16, len, MAX_SPI_FRAMESIZE); - for (i = 0; i < TPM_RETRY; i++) { - spi_xfer.len = 1; - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - ret = spi_sync_locked(phy->spi_device, &m); - if (ret < 0) - goto exit; - if (phy->rx_buf[0] & 0x01) - break; - } + phy->tx_buf[0] = direction | (transfer_len - 1); + phy->tx_buf[1] = 0xd4; + phy->tx_buf[2] = addr >> 8; + phy->tx_buf[3] = addr; - if (i == TPM_RETRY) { - ret = -ETIMEDOUT; + memset(&spi_xfer, 0, sizeof(spi_xfer)); + spi_xfer.tx_buf = phy->tx_buf; + spi_xfer.rx_buf = phy->rx_buf; + spi_xfer.len = 4; + spi_xfer.cs_change = 1; + + spi_message_init(&m); + spi_message_add_tail(&spi_xfer, &m); + ret = spi_sync_locked(phy->spi_device, &m); + if (ret < 0) goto exit; + + if ((phy->rx_buf[3] & 0x01) == 0) { + // handle SPI wait states + phy->tx_buf[0] = 0; + + for (i = 0; i < TPM_RETRY; i++) { + spi_xfer.len = 1; + spi_message_init(&m); + spi_message_add_tail(&spi_xfer, &m); + ret = spi_sync_locked(phy->spi_device, &m); + if (ret < 0) + goto exit; + if (phy->rx_buf[0] & 0x01) + break; + } + + if (i == TPM_RETRY) { + ret = -ETIMEDOUT; + goto exit; + } } + + spi_xfer.cs_change = 0; + spi_xfer.len = transfer_len; + + if (direction) { + spi_xfer.tx_buf = NULL; + spi_xfer.rx_buf = buffer; + } else { + spi_xfer.tx_buf = buffer; + spi_xfer.rx_buf = NULL; + } + + spi_message_init(&m); + spi_message_add_tail(&spi_xfer, &m); + ret = spi_sync_locked(phy->spi_device, &m); + if (ret < 0) + goto exit; + + len -= transfer_len; + buffer += transfer_len; } - spi_xfer.cs_change = 0; - spi_xfer.len = len; - - if (direction) { - spi_xfer.tx_buf = NULL; - spi_xfer.rx_buf = buffer; - } else { - spi_xfer.tx_buf = buffer; - spi_xfer.rx_buf = NULL; - } - - spi_message_init(&m); - spi_message_add_tail(&spi_xfer, &m); - ret = spi_sync_locked(phy->spi_device, &m); - exit: spi_bus_unlock(phy->spi_device->master); return ret; From 5cc0101d1f88500f8901d01b035af743215d4c3a Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 2 Mar 2017 13:03:15 +0000 Subject: [PATCH 59/98] tpm_tis_spi: Add small delay after last transfer Testing the implementation with a Raspberry Pi 2 showed that under some circumstances its SPI master erroneously releases the CS line before the transfer is complete, i.e. before the end of the last clock. In this case the TPM ignores the transfer and misses for example the GO command. The driver is unable to detect this communication problem and will wait for a command response that is never going to arrive, timing out eventually. As a workaround, the small delay ensures that the CS line is held long enough, even with a faulty SPI master. Other SPI masters are not affected, except for a negligible performance penalty. Cc: Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by: Alexander Steffen Signed-off-by: Peter Huewe Reviewed-by: Jarkko Sakkinen Tested-by: Benoit Houyere Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_spi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c index 3015c8b65f18..88fe72ae967f 100644 --- a/drivers/char/tpm/tpm_tis_spi.c +++ b/drivers/char/tpm/tpm_tis_spi.c @@ -111,6 +111,7 @@ static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len, spi_xfer.cs_change = 0; spi_xfer.len = transfer_len; + spi_xfer.delay_usecs = 5; if (direction) { spi_xfer.tx_buf = NULL; From 13b1f4a571cc1ffe9c7d5bb894318cabdd81fcc2 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Wed, 8 Feb 2017 13:11:35 +0200 Subject: [PATCH 60/98] tpm_crb: map locality registers In order to provide access to locality registers, this commits adds mapping of the head of the CRB registers, which are located right before the control area. Signed-off-by: Jarkko Sakkinen Reviewed-by: Jerry Snitselaar Tested-by: Gang Wei --- drivers/char/tpm/tpm_crb.c | 89 ++++++++++++++++++++++++-------------- 1 file changed, 57 insertions(+), 32 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index cb6fb131963f..60c2b726e685 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -52,18 +52,28 @@ enum crb_cancel { CRB_CANCEL_INVOKE = BIT(0), }; -struct crb_control_area { - u32 req; - u32 sts; - u32 cancel; - u32 start; - u32 int_enable; - u32 int_sts; - u32 cmd_size; - u32 cmd_pa_low; - u32 cmd_pa_high; - u32 rsp_size; - u64 rsp_pa; +struct crb_regs_head { + u32 loc_state; + u32 reserved1; + u32 loc_ctrl; + u32 loc_sts; + u8 reserved2[32]; + u64 intf_id; + u64 ctrl_ext; +} __packed; + +struct crb_regs_tail { + u32 ctrl_req; + u32 ctrl_sts; + u32 ctrl_cancel; + u32 ctrl_start; + u32 ctrl_int_enable; + u32 ctrl_int_sts; + u32 ctrl_cmd_size; + u32 ctrl_cmd_pa_low; + u32 ctrl_cmd_pa_high; + u32 ctrl_rsp_size; + u64 ctrl_rsp_pa; } __packed; enum crb_status { @@ -78,7 +88,8 @@ enum crb_flags { struct crb_priv { unsigned int flags; void __iomem *iobase; - struct crb_control_area __iomem *cca; + struct crb_regs_head __iomem *regs_h; + struct crb_regs_tail __iomem *regs_t; u8 __iomem *cmd; u8 __iomem *rsp; u32 cmd_size; @@ -104,7 +115,7 @@ static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) if (priv->flags & CRB_FL_ACPI_START) return 0; - iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->cca->req); + iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req); /* we don't really care when this settles */ return 0; @@ -128,21 +139,23 @@ static int __maybe_unused crb_cmd_ready(struct device *dev, struct crb_priv *priv) { ktime_t stop, start; + u32 req; if (priv->flags & CRB_FL_ACPI_START) return 0; - iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->cca->req); + iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req); start = ktime_get(); stop = ktime_add(start, ms_to_ktime(TPM2_TIMEOUT_C)); do { - if (!(ioread32(&priv->cca->req) & CRB_CTRL_REQ_CMD_READY)) + req = ioread32(&priv->regs_t->ctrl_req); + if (!(req & CRB_CTRL_REQ_CMD_READY)) return 0; usleep_range(50, 100); } while (ktime_before(ktime_get(), stop)); - if (ioread32(&priv->cca->req) & CRB_CTRL_REQ_CMD_READY) { + if (ioread32(&priv->regs_t->ctrl_req) & CRB_CTRL_REQ_CMD_READY) { dev_warn(dev, "cmdReady timed out\n"); return -ETIME; } @@ -155,7 +168,7 @@ static u8 crb_status(struct tpm_chip *chip) struct crb_priv *priv = dev_get_drvdata(&chip->dev); u8 sts = 0; - if ((ioread32(&priv->cca->start) & CRB_START_INVOKE) != + if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) != CRB_START_INVOKE) sts |= CRB_DRV_STS_COMPLETE; @@ -171,7 +184,7 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) if (count < 6) return -EIO; - if (ioread32(&priv->cca->sts) & CRB_CTRL_STS_ERROR) + if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR) return -EIO; memcpy_fromio(buf, priv->rsp, 6); @@ -210,7 +223,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) /* Zero the cancel register so that the next command will not get * canceled. */ - iowrite32(0, &priv->cca->cancel); + iowrite32(0, &priv->regs_t->ctrl_cancel); if (len > priv->cmd_size) { dev_err(&chip->dev, "invalid command count value %zd %d\n", @@ -224,7 +237,7 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) wmb(); if (priv->flags & CRB_FL_CRB_START) - iowrite32(CRB_START_INVOKE, &priv->cca->start); + iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); if (priv->flags & CRB_FL_ACPI_START) rc = crb_do_acpi_start(chip); @@ -236,7 +249,7 @@ static void crb_cancel(struct tpm_chip *chip) { struct crb_priv *priv = dev_get_drvdata(&chip->dev); - iowrite32(CRB_CANCEL_INVOKE, &priv->cca->cancel); + iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel); if ((priv->flags & CRB_FL_ACPI_START) && crb_do_acpi_start(chip)) dev_err(&chip->dev, "ACPI Start failed\n"); @@ -245,7 +258,7 @@ static void crb_cancel(struct tpm_chip *chip) static bool crb_req_canceled(struct tpm_chip *chip, u8 status) { struct crb_priv *priv = dev_get_drvdata(&chip->dev); - u32 cancel = ioread32(&priv->cca->cancel); + u32 cancel = ioread32(&priv->regs_t->ctrl_cancel); return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE; } @@ -345,10 +358,22 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, if (IS_ERR(priv->iobase)) return PTR_ERR(priv->iobase); - priv->cca = crb_map_res(dev, priv, &io_res, buf->control_address, - sizeof(struct crb_control_area)); - if (IS_ERR(priv->cca)) - return PTR_ERR(priv->cca); + /* The ACPI IO region starts at the head area and continues to include + * the control area, as one nice sane region except for some older + * stuff that puts the control area outside the ACPI IO region. + */ + if (!(priv->flags & CRB_FL_ACPI_START)) { + if (buf->control_address == io_res.start + + sizeof(*priv->regs_h)) + priv->regs_h = priv->iobase; + else + dev_warn(dev, FW_BUG "Bad ACPI memory layout"); + } + + priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address, + sizeof(struct crb_regs_tail)); + if (IS_ERR(priv->regs_t)) + return PTR_ERR(priv->regs_t); /* * PTT HW bug w/a: wake up the device to access @@ -358,11 +383,11 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, if (ret) return ret; - pa_high = ioread32(&priv->cca->cmd_pa_high); - pa_low = ioread32(&priv->cca->cmd_pa_low); + pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high); + pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low); cmd_pa = ((u64)pa_high << 32) | pa_low; cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa, - ioread32(&priv->cca->cmd_size)); + ioread32(&priv->regs_t->ctrl_cmd_size)); dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", pa_high, pa_low, cmd_size); @@ -373,10 +398,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, goto out; } - memcpy_fromio(&rsp_pa, &priv->cca->rsp_pa, 8); + memcpy_fromio(&rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8); rsp_pa = le64_to_cpu(rsp_pa); rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa, - ioread32(&priv->cca->rsp_size)); + ioread32(&priv->regs_t->ctrl_rsp_size)); if (cmd_pa != rsp_pa) { priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); From 38eb24ebb01f875f812aa869c4cd62959510111c Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Wed, 8 Feb 2017 13:11:36 +0200 Subject: [PATCH 61/98] tpm_crb: encapsulate crb_wait_for_reg_32 Encapsulated crb_wait_for_reg32() so that state changes in other CRB registers than TPM_CRB_CTRL_REQ_x can be waited. Signed-off-by: Jarkko Sakkinen Reviewed-by: Jerry Snitselaar Tested-by: Gang Wei --- drivers/char/tpm/tpm_crb.c | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 60c2b726e685..324561845dc2 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -121,6 +121,25 @@ static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) return 0; } +static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value, + unsigned long timeout) +{ + ktime_t start; + ktime_t stop; + + start = ktime_get(); + stop = ktime_add(start, ms_to_ktime(timeout)); + + do { + if ((ioread32(reg) & mask) == value) + return true; + + usleep_range(50, 100); + } while (ktime_before(ktime_get(), stop)); + + return false; +} + /** * crb_cmd_ready - request tpm crb device to enter ready state * @@ -138,24 +157,14 @@ static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) static int __maybe_unused crb_cmd_ready(struct device *dev, struct crb_priv *priv) { - ktime_t stop, start; - u32 req; - if (priv->flags & CRB_FL_ACPI_START) return 0; iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req); - - start = ktime_get(); - stop = ktime_add(start, ms_to_ktime(TPM2_TIMEOUT_C)); - do { - req = ioread32(&priv->regs_t->ctrl_req); - if (!(req & CRB_CTRL_REQ_CMD_READY)) - return 0; - usleep_range(50, 100); - } while (ktime_before(ktime_get(), stop)); - - if (ioread32(&priv->regs_t->ctrl_req) & CRB_CTRL_REQ_CMD_READY) { + if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req, + CRB_CTRL_REQ_CMD_READY /* mask */, + 0, /* value */ + TPM2_TIMEOUT_C)) { dev_warn(dev, "cmdReady timed out\n"); return -ETIME; } From a147918e79c3a239be59358af659ea9f0959538b Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Tue, 14 Feb 2017 21:57:42 +0200 Subject: [PATCH 62/98] tpm: move length validation to tpm_transmit() Check that the length matches the length reported by the response header already in tpm_transmit() to improve validation. Signed-off-by: Jarkko Sakkinen Tested-by: James Bottomley Reviewed-by: James Bottomley --- drivers/char/tpm/tpm-interface.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bd2128e0b56c..708d3563ee7d 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -343,6 +343,7 @@ EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, unsigned int flags) { + const struct tpm_output_header *header = (void *)buf; ssize_t rc; u32 count, ordinal; unsigned long stop; @@ -406,9 +407,18 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, out_recv: rc = chip->ops->recv(chip, (u8 *) buf, bufsiz); - if (rc < 0) + if (rc < 0) { dev_err(&chip->dev, "tpm_transmit: tpm_recv: error %zd\n", rc); + goto out; + } else if (rc < TPM_HEADER_SIZE) { + rc = -EFAULT; + goto out; + } + + if (rc != be32_to_cpu(header->length)) + goto out; + out: if (chip->dev.parent) pm_runtime_put_sync(chip->dev.parent); @@ -438,19 +448,13 @@ ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *buf, size_t bufsiz, size_t min_rsp_body_length, unsigned int flags, const char *desc) { - const struct tpm_output_header *header; + const struct tpm_output_header *header = buf; int err; ssize_t len; len = tpm_transmit(chip, (const u8 *)buf, bufsiz, flags); if (len < 0) return len; - else if (len < TPM_HEADER_SIZE) - return -EFAULT; - - header = buf; - if (len != be32_to_cpu(header->length)) - return -EFAULT; err = be32_to_cpu(header->return_code); if (err != 0 && desc) From 9aa36b399a50bf8a1c9dae33c25164afae14e1e3 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Sat, 26 Nov 2016 13:39:35 +0200 Subject: [PATCH 63/98] tpm: export tpm2_flush_context_cmd Signed-off-by: Jarkko Sakkinen Tested-by: James Bottomley Reviewed-by: James Bottomley --- drivers/char/tpm/tpm.h | 2 ++ drivers/char/tpm/tpm2-cmd.c | 62 +++++++++++++++++-------------------- 2 files changed, 31 insertions(+), 33 deletions(-) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 4937b56a275c..08c1f61d396f 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -541,6 +541,8 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, struct tpm2_digest *digests); int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); +void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, + unsigned int flags); int tpm2_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options); diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 881aea9732bf..620a27b0412b 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -418,6 +418,35 @@ static const struct tpm_input_header tpm2_get_tpm_pt_header = { .ordinal = cpu_to_be32(TPM2_CC_GET_CAPABILITY) }; +/** + * tpm2_flush_context_cmd() - execute a TPM2_FlushContext command + * @chip: TPM chip to use + * @payload: the key data in clear and encrypted form + * @options: authentication values and other options + * + * Return: same as with tpm_transmit_cmd + */ +void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, + unsigned int flags) +{ + struct tpm_buf buf; + int rc; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); + if (rc) { + dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", + handle); + return; + } + + tpm_buf_append_u32(&buf, handle); + + (void) tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, flags, + "flushing context"); + + tpm_buf_destroy(&buf); +} + /** * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. * @@ -627,39 +656,6 @@ out: return rc; } -/** - * tpm2_flush_context_cmd() - execute a TPM2_FlushContext command - * - * @chip: TPM chip to use - * @handle: the key data in clear and encrypted form - * @flags: tpm transmit flags - * - * Return: Same as with tpm_transmit_cmd. - */ -static void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, - unsigned int flags) -{ - struct tpm_buf buf; - int rc; - - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); - if (rc) { - dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", - handle); - return; - } - - tpm_buf_append_u32(&buf, handle); - - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, flags, - "flushing context"); - if (rc) - dev_warn(&chip->dev, "0x%08x was not flushed, rc=%d\n", handle, - rc); - - tpm_buf_destroy(&buf); -} - /** * tpm2_unseal_cmd() - execute a TPM2_Unload command * From 58472f5cd4f6ff02488c8da3cdbf719e9dd21e48 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Thu, 10 Nov 2016 20:42:07 -0800 Subject: [PATCH 64/98] tpm: validate TPM 2.0 commands Check for every TPM 2.0 command that the command code is supported and the command buffer has at least the length that can contain the header and the handle area. For ContextSave and FlushContext we mark the body to be part of the handle area. This gives validation for these commands at zero cost, including the body of the command. The more important reason for this is that we can virtualize these commands in the same way as you would virtualize the handle area of a command. Signed-off-by: Jarkko Sakkinen Tested-by: James Bottomley Reviewed-by: James Bottomley --- drivers/char/tpm/tpm-interface.c | 38 ++++++++++++++- drivers/char/tpm/tpm.h | 15 ++++++ drivers/char/tpm/tpm2-cmd.c | 84 ++++++++++++++++++++++++++++++-- 3 files changed, 132 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 708d3563ee7d..20b1fe3b36b1 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -328,6 +328,42 @@ unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip, } EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); +static bool tpm_validate_command(struct tpm_chip *chip, const u8 *cmd, + size_t len) +{ + const struct tpm_input_header *header = (const void *)cmd; + int i; + u32 cc; + u32 attrs; + unsigned int nr_handles; + + if (len < TPM_HEADER_SIZE) + return false; + + if (chip->flags & TPM_CHIP_FLAG_TPM2 && chip->nr_commands) { + cc = be32_to_cpu(header->ordinal); + + i = tpm2_find_cc(chip, cc); + if (i < 0) { + dev_dbg(&chip->dev, "0x%04X is an invalid command\n", + cc); + return false; + } + + attrs = chip->cc_attrs_tbl[i]; + nr_handles = + 4 * ((attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0)); + if (len < TPM_HEADER_SIZE + 4 * nr_handles) + goto err_len; + } + + return true; +err_len: + dev_dbg(&chip->dev, + "%s: insufficient command length %zu", __func__, len); + return false; +} + /** * tmp_transmit - Internal kernel interface to transmit TPM commands. * @@ -348,7 +384,7 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, u32 count, ordinal; unsigned long stop; - if (bufsiz < TPM_HEADER_SIZE) + if (!tpm_validate_command(chip, buf, bufsiz)) return -EINVAL; if (bufsiz > TPM_BUFSIZE) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 08c1f61d396f..dd5f526a62b5 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -114,6 +114,7 @@ enum tpm2_command_codes { TPM2_CC_CREATE = 0x0153, TPM2_CC_LOAD = 0x0157, TPM2_CC_UNSEAL = 0x015E, + TPM2_CC_CONTEXT_SAVE = 0x0162, TPM2_CC_FLUSH_CONTEXT = 0x0165, TPM2_CC_GET_CAPABILITY = 0x017A, TPM2_CC_GET_RANDOM = 0x017B, @@ -127,15 +128,25 @@ enum tpm2_permanent_handles { }; enum tpm2_capabilities { + TPM2_CAP_COMMANDS = 2, TPM2_CAP_PCRS = 5, TPM2_CAP_TPM_PROPERTIES = 6, }; +enum tpm2_properties { + TPM_PT_TOTAL_COMMANDS = 0x0129, +}; + enum tpm2_startup_types { TPM2_SU_CLEAR = 0x0000, TPM2_SU_STATE = 0x0001, }; +enum tpm2_cc_attrs { + TPM2_CC_ATTR_CHANDLES = 25, + TPM2_CC_ATTR_RHANDLE = 28, +}; + #define TPM_VID_INTEL 0x8086 #define TPM_VID_WINBOND 0x1050 #define TPM_VID_STM 0x104A @@ -199,6 +210,9 @@ struct tpm_chip { acpi_handle acpi_dev_handle; char ppi_version[TPM_PPI_VERSION_LEN + 1]; #endif /* CONFIG_ACPI */ + + u32 nr_commands; + u32 *cc_attrs_tbl; }; #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev) @@ -556,4 +570,5 @@ int tpm2_auto_startup(struct tpm_chip *chip); void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); int tpm2_probe(struct tpm_chip *chip); +int tpm2_find_cc(struct tpm_chip *chip, u32 cc); #endif diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 620a27b0412b..ec05ab373a2b 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -1063,15 +1063,76 @@ out: return rc; } +static int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip) +{ + struct tpm_buf buf; + u32 nr_commands; + u32 *attrs; + u32 cc; + int i; + int rc; + + rc = tpm2_get_tpm_pt(chip, TPM_PT_TOTAL_COMMANDS, &nr_commands, NULL); + if (rc) + goto out; + + if (nr_commands > 0xFFFFF) { + rc = -EFAULT; + goto out; + } + + chip->cc_attrs_tbl = devm_kzalloc(&chip->dev, 4 * nr_commands, + GFP_KERNEL); + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY); + if (rc) + goto out; + + tpm_buf_append_u32(&buf, TPM2_CAP_COMMANDS); + tpm_buf_append_u32(&buf, TPM2_CC_FIRST); + tpm_buf_append_u32(&buf, nr_commands); + + rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9 + 4 * nr_commands, + 0, NULL); + if (rc) { + tpm_buf_destroy(&buf); + goto out; + } + + if (nr_commands != + be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) { + tpm_buf_destroy(&buf); + goto out; + } + + chip->nr_commands = nr_commands; + + attrs = (u32 *)&buf.data[TPM_HEADER_SIZE + 9]; + for (i = 0; i < nr_commands; i++, attrs++) { + chip->cc_attrs_tbl[i] = be32_to_cpup(attrs); + cc = chip->cc_attrs_tbl[i] & 0xFFFF; + + if (cc == TPM2_CC_CONTEXT_SAVE || cc == TPM2_CC_FLUSH_CONTEXT) { + chip->cc_attrs_tbl[i] &= + ~(GENMASK(2, 0) << TPM2_CC_ATTR_CHANDLES); + chip->cc_attrs_tbl[i] |= 1 << TPM2_CC_ATTR_CHANDLES; + } + } + + tpm_buf_destroy(&buf); + +out: + if (rc > 0) + rc = -ENODEV; + return rc; +} + /** * tpm2_auto_startup - Perform the standard automatic TPM initialization * sequence * @chip: TPM chip to use * - * Initializes timeout values for operation and command durations, conducts - * a self-test and reads the list of active PCR banks. - * - * Return: 0 on success. Otherwise, a system error code is returned. + * Returns 0 on success, < 0 in case of fatal error. */ int tpm2_auto_startup(struct tpm_chip *chip) { @@ -1100,9 +1161,24 @@ int tpm2_auto_startup(struct tpm_chip *chip) } rc = tpm2_get_pcr_allocation(chip); + if (rc) + goto out; + + rc = tpm2_get_cc_attrs_tbl(chip); out: if (rc > 0) rc = -ENODEV; return rc; } + +int tpm2_find_cc(struct tpm_chip *chip, u32 cc) +{ + int i; + + for (i = 0; i < chip->nr_commands; i++) + if (cc == (chip->cc_attrs_tbl[i] & GENMASK(15, 0))) + return i; + + return -1; +} From 745b361e989af21ad40811c2586b60229f870a68 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Fri, 6 Jan 2017 14:03:45 +0200 Subject: [PATCH 65/98] tpm: infrastructure for TPM spaces Added an ability to virtualize TPM commands into an isolated context that we call a TPM space because the word context is already heavily used in the TPM specification. Both the handle areas and bodies (where necessary) are virtualized. The mechanism works by adding a new parameter struct tpm_space to the tpm_transmit() function. This new structure contains the list of virtual handles and a buffer of page size (currently) for backing storage. When tpm_transmit() is called with a struct tpm_space instance it will execute the following sequence: 1. Take locks. 2. Load transient objects from the backing storage by using ContextLoad and map virtual handles to physical handles. 3. Perform the transaction. 4. Save transient objects to backing storage by using ContextSave and map resulting physical handle to virtual handle if there is such. This commit does not implement virtualization support for hmac and policy sessions. Signed-off-by: Jarkko Sakkinen Tested-by: James Bottomley Reviewed-by: James Bottomley --- drivers/char/tpm/Makefile | 2 +- drivers/char/tpm/tpm-chip.c | 7 + drivers/char/tpm/tpm-dev.c | 2 +- drivers/char/tpm/tpm-interface.c | 77 +++--- drivers/char/tpm/tpm-sysfs.c | 2 +- drivers/char/tpm/tpm.h | 26 +- drivers/char/tpm/tpm2-cmd.c | 33 +-- drivers/char/tpm/tpm2-space.c | 431 +++++++++++++++++++++++++++++++ 8 files changed, 527 insertions(+), 53 deletions(-) create mode 100644 drivers/char/tpm/tpm2-space.c diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 3d386a8c579f..8f07fcfbcdfb 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -3,7 +3,7 @@ # obj-$(CONFIG_TCG_TPM) += tpm.o tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \ - tpm1_eventlog.o tpm2_eventlog.o + tpm1_eventlog.o tpm2_eventlog.o tpm2-space.o tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o tpm-$(CONFIG_OF) += tpm_of.o obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index c406343848da..993b9ae42876 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -128,6 +128,7 @@ static void tpm_dev_release(struct device *dev) mutex_unlock(&idr_lock); kfree(chip->log.bios_event_log); + kfree(chip->work_space.context_buf); kfree(chip); } @@ -189,6 +190,12 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, chip->cdev.owner = THIS_MODULE; chip->cdev.kobj.parent = &chip->dev.kobj; + chip->work_space.context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); + if (!chip->work_space.context_buf) { + rc = -ENOMEM; + goto out; + } + return chip; out: diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c index 02a8850d3a69..414553bc115b 100644 --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -147,7 +147,7 @@ static ssize_t tpm_write(struct file *file, const char __user *buf, mutex_unlock(&priv->buffer_mutex); return -EPIPE; } - out_size = tpm_transmit(priv->chip, priv->data_buffer, + out_size = tpm_transmit(priv->chip, NULL, priv->data_buffer, sizeof(priv->data_buffer), 0); tpm_put_ops(priv->chip); diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 20b1fe3b36b1..d09cf26365c3 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -328,7 +328,9 @@ unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip, } EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); -static bool tpm_validate_command(struct tpm_chip *chip, const u8 *cmd, +static bool tpm_validate_command(struct tpm_chip *chip, + struct tpm_space *space, + const u8 *cmd, size_t len) { const struct tpm_input_header *header = (const void *)cmd; @@ -340,6 +342,9 @@ static bool tpm_validate_command(struct tpm_chip *chip, const u8 *cmd, if (len < TPM_HEADER_SIZE) return false; + if (!space) + return true; + if (chip->flags & TPM_CHIP_FLAG_TPM2 && chip->nr_commands) { cc = be32_to_cpu(header->ordinal); @@ -376,15 +381,16 @@ err_len: * 0 when the operation is successful. * A negative number for system errors (errno). */ -ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, - unsigned int flags) +ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, + u8 *buf, size_t bufsiz, unsigned int flags) { - const struct tpm_output_header *header = (void *)buf; - ssize_t rc; + struct tpm_output_header *header = (void *)buf; + int rc; + ssize_t len = 0; u32 count, ordinal; unsigned long stop; - if (!tpm_validate_command(chip, buf, bufsiz)) + if (!tpm_validate_command(chip, space, buf, bufsiz)) return -EINVAL; if (bufsiz > TPM_BUFSIZE) @@ -406,10 +412,14 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, if (chip->dev.parent) pm_runtime_get_sync(chip->dev.parent); + rc = tpm2_prepare_space(chip, space, ordinal, buf); + if (rc) + goto out; + rc = chip->ops->send(chip, (u8 *) buf, count); if (rc < 0) { dev_err(&chip->dev, - "tpm_transmit: tpm_send: error %zd\n", rc); + "tpm_transmit: tpm_send: error %d\n", rc); goto out; } @@ -442,18 +452,23 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, goto out; out_recv: - rc = chip->ops->recv(chip, (u8 *) buf, bufsiz); - if (rc < 0) { + len = chip->ops->recv(chip, (u8 *) buf, bufsiz); + if (len < 0) { + rc = len; dev_err(&chip->dev, - "tpm_transmit: tpm_recv: error %zd\n", rc); + "tpm_transmit: tpm_recv: error %d\n", rc); goto out; - } else if (rc < TPM_HEADER_SIZE) { + } else if (len < TPM_HEADER_SIZE) { rc = -EFAULT; goto out; } - if (rc != be32_to_cpu(header->length)) + if (len != be32_to_cpu(header->length)) { + rc = -EFAULT; goto out; + } + + rc = tpm2_commit_space(chip, space, ordinal, buf, &len); out: if (chip->dev.parent) @@ -461,7 +476,7 @@ out: if (!(flags & TPM_TRANSMIT_UNLOCKED)) mutex_unlock(&chip->tpm_mutex); - return rc; + return rc ? rc : len; } /** @@ -480,15 +495,16 @@ out: * A negative number for system errors (errno). * A positive number for a TPM error. */ -ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *buf, - size_t bufsiz, size_t min_rsp_body_length, - unsigned int flags, const char *desc) +ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_space *space, + const void *buf, size_t bufsiz, + size_t min_rsp_body_length, unsigned int flags, + const char *desc) { const struct tpm_output_header *header = buf; int err; ssize_t len; - len = tpm_transmit(chip, (const u8 *)buf, bufsiz, flags); + len = tpm_transmit(chip, space, (u8 *)buf, bufsiz, flags); if (len < 0) return len; @@ -541,7 +557,7 @@ ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, tpm_cmd.params.getcap_in.subcap_size = cpu_to_be32(4); tpm_cmd.params.getcap_in.subcap = cpu_to_be32(subcap_id); } - rc = tpm_transmit_cmd(chip, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, + rc = tpm_transmit_cmd(chip, NULL, &tpm_cmd, TPM_INTERNAL_RESULT_SIZE, min_cap_length, 0, desc); if (!rc) *cap = tpm_cmd.params.getcap_out.cap; @@ -565,7 +581,8 @@ static int tpm_startup(struct tpm_chip *chip, __be16 startup_type) start_cmd.header.in = tpm_startup_header; start_cmd.params.startup_in.startup_type = startup_type; - return tpm_transmit_cmd(chip, &start_cmd, TPM_INTERNAL_RESULT_SIZE, 0, + return tpm_transmit_cmd(chip, NULL, &start_cmd, + TPM_INTERNAL_RESULT_SIZE, 0, 0, "attempting to start the TPM"); } @@ -722,8 +739,8 @@ static int tpm_continue_selftest(struct tpm_chip *chip) struct tpm_cmd_t cmd; cmd.header.in = continue_selftest_header; - rc = tpm_transmit_cmd(chip, &cmd, CONTINUE_SELFTEST_RESULT_SIZE, 0, 0, - "continue selftest"); + rc = tpm_transmit_cmd(chip, NULL, &cmd, CONTINUE_SELFTEST_RESULT_SIZE, + 0, 0, "continue selftest"); return rc; } @@ -743,7 +760,7 @@ int tpm_pcr_read_dev(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) cmd.header.in = pcrread_header; cmd.params.pcrread_in.pcr_idx = cpu_to_be32(pcr_idx); - rc = tpm_transmit_cmd(chip, &cmd, READ_PCR_RESULT_SIZE, + rc = tpm_transmit_cmd(chip, NULL, &cmd, READ_PCR_RESULT_SIZE, READ_PCR_RESULT_BODY_SIZE, 0, "attempting to read a pcr value"); @@ -855,7 +872,7 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) cmd.header.in = pcrextend_header; cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(pcr_idx); memcpy(cmd.params.pcrextend_in.hash, hash, TPM_DIGEST_SIZE); - rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, + rc = tpm_transmit_cmd(chip, NULL, &cmd, EXTEND_PCR_RESULT_SIZE, EXTEND_PCR_RESULT_BODY_SIZE, 0, "attempting extend a PCR value"); @@ -960,8 +977,8 @@ int tpm_send(u32 chip_num, void *cmd, size_t buflen) if (chip == NULL) return -ENODEV; - rc = tpm_transmit_cmd(chip, cmd, buflen, 0, 0, "attempting tpm_cmd"); - + rc = tpm_transmit_cmd(chip, NULL, cmd, buflen, 0, 0, + "attempting tpm_cmd"); tpm_put_ops(chip); return rc; } @@ -1062,16 +1079,16 @@ int tpm_pm_suspend(struct device *dev) cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(tpm_suspend_pcr); memcpy(cmd.params.pcrextend_in.hash, dummy_hash, TPM_DIGEST_SIZE); - rc = tpm_transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, - EXTEND_PCR_RESULT_BODY_SIZE, 0, + rc = tpm_transmit_cmd(chip, NULL, &cmd, EXTEND_PCR_RESULT_SIZE, + EXTEND_PCR_RESULT_BODY_SIZE, 0, "extending dummy pcr before suspend"); } /* now do the actual savestate */ for (try = 0; try < TPM_RETRY; try++) { cmd.header.in = savestate_header; - rc = tpm_transmit_cmd(chip, &cmd, SAVESTATE_RESULT_SIZE, 0, - 0, NULL); + rc = tpm_transmit_cmd(chip, NULL, &cmd, SAVESTATE_RESULT_SIZE, + 0, 0, NULL); /* * If the TPM indicates that it is too busy to respond to @@ -1154,7 +1171,7 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max) tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); - err = tpm_transmit_cmd(chip, &tpm_cmd, + err = tpm_transmit_cmd(chip, NULL, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes, offsetof(struct tpm_getrandom_out, rng_data), diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c index 2f596d74f80c..55405dbe43fa 100644 --- a/drivers/char/tpm/tpm-sysfs.c +++ b/drivers/char/tpm/tpm-sysfs.c @@ -40,7 +40,7 @@ static ssize_t pubek_show(struct device *dev, struct device_attribute *attr, struct tpm_chip *chip = to_tpm_chip(dev); tpm_cmd.header.in = tpm_readpubek_header; - err = tpm_transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE, + err = tpm_transmit_cmd(chip, NULL, &tpm_cmd, READ_PUBEK_RESULT_SIZE, READ_PUBEK_RESULT_MIN_BODY_SIZE, 0, "attempting to read the PUBEK"); if (err) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index dd5f526a62b5..023fc02ad0f6 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -89,10 +89,13 @@ enum tpm2_structures { }; enum tpm2_return_codes { + TPM2_RC_SUCCESS = 0x0000, TPM2_RC_HASH = 0x0083, /* RC_FMT1 */ + TPM2_RC_HANDLE = 0x008B, TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */ TPM2_RC_DISABLED = 0x0120, TPM2_RC_TESTING = 0x090A, /* RC_WARN */ + TPM2_RC_REFERENCE_H0 = 0x0910, }; enum tpm2_algorithms { @@ -114,6 +117,7 @@ enum tpm2_command_codes { TPM2_CC_CREATE = 0x0153, TPM2_CC_LOAD = 0x0157, TPM2_CC_UNSEAL = 0x015E, + TPM2_CC_CONTEXT_LOAD = 0x0161, TPM2_CC_CONTEXT_SAVE = 0x0162, TPM2_CC_FLUSH_CONTEXT = 0x0165, TPM2_CC_GET_CAPABILITY = 0x017A, @@ -128,6 +132,7 @@ enum tpm2_permanent_handles { }; enum tpm2_capabilities { + TPM2_CAP_HANDLES = 1, TPM2_CAP_COMMANDS = 2, TPM2_CAP_PCRS = 5, TPM2_CAP_TPM_PROPERTIES = 6, @@ -153,6 +158,11 @@ enum tpm2_cc_attrs { #define TPM_PPI_VERSION_LEN 3 +struct tpm_space { + u32 context_tbl[3]; + u8 *context_buf; +}; + enum tpm_chip_flags { TPM_CHIP_FLAG_TPM2 = BIT(1), TPM_CHIP_FLAG_IRQ = BIT(2), @@ -211,6 +221,7 @@ struct tpm_chip { char ppi_version[TPM_PPI_VERSION_LEN + 1]; #endif /* CONFIG_ACPI */ + struct tpm_space work_space; u32 nr_commands; u32 *cc_attrs_tbl; }; @@ -507,10 +518,11 @@ enum tpm_transmit_flags { TPM_TRANSMIT_UNLOCKED = BIT(0), }; -ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, - unsigned int flags); -ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *buf, size_t bufsiz, - size_t min_rsp_body_len, unsigned int flags, +ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, + u8 *buf, size_t bufsiz, unsigned int flags); +ssize_t tpm_transmit_cmd(struct tpm_chip *chip, struct tpm_space *space, + const void *buf, size_t bufsiz, + size_t min_rsp_body_length, unsigned int flags, const char *desc); ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, const char *desc, size_t min_cap_length); @@ -571,4 +583,10 @@ void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type); unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); int tpm2_probe(struct tpm_chip *chip); int tpm2_find_cc(struct tpm_chip *chip, u32 cc); +int tpm2_init_space(struct tpm_space *space); +void tpm2_del_space(struct tpm_space *space); +int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, + u8 *cmd); +int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, + u32 cc, u8 *buf, size_t *bufsiz); #endif diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index ec05ab373a2b..3ee6883f26c1 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -266,7 +266,7 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) sizeof(cmd.params.pcrread_in.pcr_select)); cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7); - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), + rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), TPM2_PCR_READ_RESP_BODY_SIZE, 0, "attempting to read a pcr value"); if (rc == 0) { @@ -333,7 +333,7 @@ int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, } } - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, 0, + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, "attempting extend a PCR value"); tpm_buf_destroy(&buf); @@ -382,7 +382,7 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) cmd.header.in = tpm2_getrandom_header; cmd.params.getrandom_in.size = cpu_to_be16(num_bytes); - err = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), + err = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), offsetof(struct tpm2_get_random_out, buffer), 0, "attempting get random"); @@ -441,7 +441,7 @@ void tpm2_flush_context_cmd(struct tpm_chip *chip, u32 handle, tpm_buf_append_u32(&buf, handle); - (void) tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 0, flags, + (void) tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, flags, "flushing context"); tpm_buf_destroy(&buf); @@ -557,7 +557,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out; } - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 4, 0, + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, 0, "sealing data"); if (rc) goto out; @@ -641,7 +641,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, goto out; } - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 4, flags, + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 4, flags, "loading blob"); if (!rc) *blob_handle = be32_to_cpup( @@ -693,7 +693,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, options->blobauth /* hmac */, TPM_DIGEST_SIZE); - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 6, flags, + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 6, flags, "unsealing"); if (rc > 0) rc = -EPERM; @@ -770,7 +770,7 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id, u32 *value, cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(property_id); cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), + rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), TPM2_GET_TPM_PT_OUT_BODY_SIZE, 0, desc); if (!rc) *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value); @@ -805,7 +805,7 @@ static int tpm2_startup(struct tpm_chip *chip, u16 startup_type) cmd.header.in = tpm2_startup_header; cmd.params.startup_in.startup_type = cpu_to_be16(startup_type); - return tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 0, + return tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, "attempting to start the TPM"); } @@ -834,7 +834,7 @@ void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type) cmd.header.in = tpm2_shutdown_header; cmd.params.startup_in.startup_type = cpu_to_be16(shutdown_type); - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 0, + rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, "stopping the TPM"); /* In places where shutdown command is sent there's no much we can do @@ -898,7 +898,7 @@ static int tpm2_start_selftest(struct tpm_chip *chip, bool full) cmd.header.in = tpm2_selftest_header; cmd.params.selftest_in.full_test = full; - rc = tpm_transmit_cmd(chip, &cmd, TPM2_SELF_TEST_IN_SIZE, 0, 0, + rc = tpm_transmit_cmd(chip, NULL, &cmd, TPM2_SELF_TEST_IN_SIZE, 0, 0, "continue selftest"); /* At least some prototype chips seem to give RC_TESTING error @@ -949,7 +949,8 @@ static int tpm2_do_selftest(struct tpm_chip *chip) cmd.params.pcrread_in.pcr_select[1] = 0x00; cmd.params.pcrread_in.pcr_select[2] = 0x00; - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 0, NULL); + rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, + NULL); if (rc < 0) break; @@ -982,7 +983,7 @@ int tpm2_probe(struct tpm_chip *chip) cmd.params.get_tpm_pt_in.property_id = cpu_to_be32(0x100); cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1); - rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, 0, NULL); + rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, 0, NULL); if (rc < 0) return rc; @@ -1020,7 +1021,7 @@ static ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip) tpm_buf_append_u32(&buf, 0); tpm_buf_append_u32(&buf, 1); - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9, 0, + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 9, 0, "get tpm pcr allocation"); if (rc) goto out; @@ -1092,8 +1093,8 @@ static int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip) tpm_buf_append_u32(&buf, TPM2_CC_FIRST); tpm_buf_append_u32(&buf, nr_commands); - rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, 9 + 4 * nr_commands, - 0, NULL); + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, + 9 + 4 * nr_commands, 0, NULL); if (rc) { tpm_buf_destroy(&buf); goto out; diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c new file mode 100644 index 000000000000..e955548dbeed --- /dev/null +++ b/drivers/char/tpm/tpm2-space.c @@ -0,0 +1,431 @@ +/* + * Copyright (C) 2016 Intel Corporation + * + * Authors: + * Jarkko Sakkinen + * + * Maintained by: + * + * This file contains TPM2 protocol implementations of the commands + * used by the kernel internally. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; version 2 + * of the License. + */ + +#include +#include +#include "tpm.h" + +enum tpm2_handle_types { + TPM2_HT_HMAC_SESSION = 0x02000000, + TPM2_HT_POLICY_SESSION = 0x03000000, + TPM2_HT_TRANSIENT = 0x80000000, +}; + +struct tpm2_context { + __be64 sequence; + __be32 saved_handle; + __be32 hierarchy; + __be16 blob_size; +} __packed; + +int tpm2_init_space(struct tpm_space *space) +{ + space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); + if (!space->context_buf) + return -ENOMEM; + + return 0; +} + +void tpm2_del_space(struct tpm_space *space) +{ + kfree(space->context_buf); +} + +static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, + unsigned int *offset, u32 *handle) +{ + struct tpm_buf tbuf; + struct tpm2_context *ctx; + unsigned int body_size; + int rc; + + rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD); + if (rc) + return rc; + + ctx = (struct tpm2_context *)&buf[*offset]; + body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size); + tpm_buf_append(&tbuf, &buf[*offset], body_size); + + rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4, + TPM_TRANSMIT_UNLOCKED, NULL); + if (rc < 0) { + dev_warn(&chip->dev, "%s: failed with a system error %d\n", + __func__, rc); + tpm_buf_destroy(&tbuf); + return -EFAULT; + } else if (rc > 0) { + dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", + __func__, rc); + tpm_buf_destroy(&tbuf); + return -EFAULT; + } + + *handle = be32_to_cpup((__be32 *)&tbuf.data[TPM_HEADER_SIZE]); + *offset += body_size; + + tpm_buf_destroy(&tbuf); + return 0; +} + +static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf, + unsigned int buf_size, unsigned int *offset) +{ + struct tpm_buf tbuf; + unsigned int body_size; + int rc; + + rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE); + if (rc) + return rc; + + tpm_buf_append_u32(&tbuf, handle); + + rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0, + TPM_TRANSMIT_UNLOCKED, NULL); + if (rc < 0) { + dev_warn(&chip->dev, "%s: failed with a system error %d\n", + __func__, rc); + tpm_buf_destroy(&tbuf); + return -EFAULT; + } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) { + tpm_buf_destroy(&tbuf); + return -ENOENT; + } else if (rc) { + dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", + __func__, rc); + tpm_buf_destroy(&tbuf); + return -EFAULT; + } + + body_size = tpm_buf_length(&tbuf) - TPM_HEADER_SIZE; + if ((*offset + body_size) > buf_size) { + dev_warn(&chip->dev, "%s: out of backing storage\n", __func__); + tpm_buf_destroy(&tbuf); + return -ENOMEM; + } + + memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size); + tpm2_flush_context_cmd(chip, handle, TPM_TRANSMIT_UNLOCKED); + *offset += body_size; + tpm_buf_destroy(&tbuf); + return 0; +} + +static void tpm2_flush_space(struct tpm_chip *chip) +{ + struct tpm_space *space = &chip->work_space; + int i; + + for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) + if (space->context_tbl[i] && ~space->context_tbl[i]) + tpm2_flush_context_cmd(chip, space->context_tbl[i], + TPM_TRANSMIT_UNLOCKED); +} + +static int tpm2_load_space(struct tpm_chip *chip) +{ + struct tpm_space *space = &chip->work_space; + unsigned int offset; + int i; + int rc; + + for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) { + if (!space->context_tbl[i]) + continue; + + /* sanity check, should never happen */ + if (~space->context_tbl[i]) { + dev_err(&chip->dev, "context table is inconsistent"); + return -EFAULT; + } + + rc = tpm2_load_context(chip, space->context_buf, &offset, + &space->context_tbl[i]); + if (rc) + return rc; + } + + return 0; +} + +static bool tpm2_map_to_phandle(struct tpm_space *space, void *handle) +{ + u32 vhandle = be32_to_cpup((__be32 *)handle); + u32 phandle; + int i; + + i = 0xFFFFFF - (vhandle & 0xFFFFFF); + if (i > ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i]) + return false; + + phandle = space->context_tbl[i]; + *((__be32 *)handle) = cpu_to_be32(phandle); + return true; +} + +static int tpm2_map_command(struct tpm_chip *chip, u32 cc, u8 *cmd) +{ + struct tpm_space *space = &chip->work_space; + unsigned int nr_handles; + u32 attrs; + u32 *handle; + int i; + + i = tpm2_find_cc(chip, cc); + if (i < 0) + return -EINVAL; + + attrs = chip->cc_attrs_tbl[i]; + nr_handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0); + + handle = (u32 *)&cmd[TPM_HEADER_SIZE]; + for (i = 0; i < nr_handles; i++, handle++) { + if ((be32_to_cpu(*handle) & 0xFF000000) == TPM2_HT_TRANSIENT) { + if (!tpm2_map_to_phandle(space, handle)) + return -EINVAL; + } + } + + return 0; +} + +int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, + u8 *cmd) +{ + int rc; + + if (!space) + return 0; + + memcpy(&chip->work_space.context_tbl, &space->context_tbl, + sizeof(space->context_tbl)); + memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE); + + rc = tpm2_load_space(chip); + if (rc) { + tpm2_flush_space(chip); + return rc; + } + + rc = tpm2_map_command(chip, cc, cmd); + if (rc) { + tpm2_flush_space(chip); + return rc; + } + + return 0; +} + +static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool alloc) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) { + if (alloc) { + if (!space->context_tbl[i]) { + space->context_tbl[i] = phandle; + break; + } + } else if (space->context_tbl[i] == phandle) + break; + } + + if (i == ARRAY_SIZE(space->context_tbl)) + return 0; + + return TPM2_HT_TRANSIENT | (0xFFFFFF - i); +} + +static int tpm2_map_response_header(struct tpm_chip *chip, u32 cc, u8 *rsp, + size_t len) +{ + struct tpm_space *space = &chip->work_space; + struct tpm_output_header *header = (void *)rsp; + u32 phandle; + u32 phandle_type; + u32 vhandle; + u32 attrs; + int i; + + if (be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS) + return 0; + + i = tpm2_find_cc(chip, cc); + /* sanity check, should never happen */ + if (i < 0) + return -EFAULT; + + attrs = chip->cc_attrs_tbl[i]; + if (!((attrs >> TPM2_CC_ATTR_RHANDLE) & 1)) + return 0; + + phandle = be32_to_cpup((__be32 *)&rsp[TPM_HEADER_SIZE]); + phandle_type = phandle & 0xFF000000; + + switch (phandle_type) { + case TPM2_HT_TRANSIENT: + vhandle = tpm2_map_to_vhandle(space, phandle, true); + if (!vhandle) + goto out_no_slots; + + *(__be32 *)&rsp[TPM_HEADER_SIZE] = cpu_to_be32(vhandle); + break; + case TPM2_HT_HMAC_SESSION: + case TPM2_HT_POLICY_SESSION: + break; + default: + dev_err(&chip->dev, "%s: unknown handle 0x%08X\n", + __func__, phandle); + break; + }; + + return 0; +out_no_slots: + tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_UNLOCKED); + dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__, + phandle); + return -ENOMEM; +} + +struct tpm2_cap_handles { + u8 more_data; + __be32 capability; + __be32 count; + __be32 handles[]; +} __packed; + +static int tpm2_map_response_body(struct tpm_chip *chip, u32 cc, u8 *rsp, + size_t len) +{ + struct tpm_space *space = &chip->work_space; + struct tpm_output_header *header = (void *)rsp; + struct tpm2_cap_handles *data; + u32 phandle; + u32 phandle_type; + u32 vhandle; + int i; + int j; + + if (cc != TPM2_CC_GET_CAPABILITY || + be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS) { + return 0; + } + + if (len < TPM_HEADER_SIZE + 9) + return -EFAULT; + + data = (void *)&rsp[TPM_HEADER_SIZE]; + if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES) + return 0; + + if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count)) + return -EFAULT; + + for (i = 0, j = 0; i < be32_to_cpu(data->count); i++) { + phandle = be32_to_cpup((__be32 *)&data->handles[i]); + phandle_type = phandle & 0xFF000000; + + switch (phandle_type) { + case TPM2_HT_TRANSIENT: + vhandle = tpm2_map_to_vhandle(space, phandle, false); + if (!vhandle) + break; + + data->handles[j] = cpu_to_be32(vhandle); + j++; + break; + case TPM2_HT_HMAC_SESSION: + case TPM2_HT_POLICY_SESSION: + data->handles[j] = cpu_to_be32(phandle); + j++; + break; + default: + dev_err(&chip->dev, "%s: unknown handle 0x%08X\n", + __func__, phandle); + break; + } + + } + + header->length = cpu_to_be32(TPM_HEADER_SIZE + 9 + 4 * j); + data->count = cpu_to_be32(j); + return 0; +} + +static int tpm2_save_space(struct tpm_chip *chip) +{ + struct tpm_space *space = &chip->work_space; + unsigned int offset; + int i; + int rc; + + for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) { + if (!(space->context_tbl[i] && ~space->context_tbl[i])) + continue; + + rc = tpm2_save_context(chip, space->context_tbl[i], + space->context_buf, PAGE_SIZE, + &offset); + if (rc == -ENOENT) { + space->context_tbl[i] = 0; + continue; + } else if (rc) + return rc; + + space->context_tbl[i] = ~0; + } + + return 0; +} + +int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, + u32 cc, u8 *buf, size_t *bufsiz) +{ + struct tpm_output_header *header = (void *)buf; + int rc; + + if (!space) + return 0; + + rc = tpm2_map_response_header(chip, cc, buf, *bufsiz); + if (rc) { + tpm2_flush_space(chip); + return rc; + } + + rc = tpm2_map_response_body(chip, cc, buf, *bufsiz); + if (rc) { + tpm2_flush_space(chip); + return rc; + } + + rc = tpm2_save_space(chip); + if (rc) { + tpm2_flush_space(chip); + return rc; + } + + *bufsiz = be32_to_cpu(header->length); + + memcpy(&space->context_tbl, &chip->work_space.context_tbl, + sizeof(space->context_tbl)); + memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE); + + return 0; +} From ecb38e2f521b01f0fd0b0a3261921b0bcc002dd0 Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Tue, 10 Jan 2017 19:08:53 -0800 Subject: [PATCH 66/98] tpm: split out tpm-dev.c into tpm-dev.c and tpm-common-dev.c Signed-off-by: James Bottomley Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/Makefile | 2 +- drivers/char/tpm/tpm-dev-common.c | 148 ++++++++++++++++++++++++++++++ drivers/char/tpm/tpm-dev.c | 143 +++-------------------------- drivers/char/tpm/tpm-dev.h | 27 ++++++ 4 files changed, 190 insertions(+), 130 deletions(-) create mode 100644 drivers/char/tpm/tpm-dev-common.c create mode 100644 drivers/char/tpm/tpm-dev.h diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 8f07fcfbcdfb..10e5827445fc 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -3,7 +3,7 @@ # obj-$(CONFIG_TCG_TPM) += tpm.o tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \ - tpm1_eventlog.o tpm2_eventlog.o tpm2-space.o + tpm-dev-common.o tpm1_eventlog.o tpm2_eventlog.o tpm2-space.o tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o tpm-$(CONFIG_OF) += tpm_of.o obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c new file mode 100644 index 000000000000..610638a80383 --- /dev/null +++ b/drivers/char/tpm/tpm-dev-common.c @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2004 IBM Corporation + * Authors: + * Leendert van Doorn + * Dave Safford + * Reiner Sailer + * Kylene Hall + * + * Copyright (C) 2013 Obsidian Research Corp + * Jason Gunthorpe + * + * Device file system interface to the TPM + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + */ +#include +#include +#include "tpm.h" +#include "tpm-dev.h" + +static void user_reader_timeout(unsigned long ptr) +{ + struct file_priv *priv = (struct file_priv *)ptr; + + pr_warn("TPM user space timeout is deprecated (pid=%d)\n", + task_tgid_nr(current)); + + schedule_work(&priv->work); +} + +static void timeout_work(struct work_struct *work) +{ + struct file_priv *priv = container_of(work, struct file_priv, work); + + mutex_lock(&priv->buffer_mutex); + atomic_set(&priv->data_pending, 0); + memset(priv->data_buffer, 0, sizeof(priv->data_buffer)); + mutex_unlock(&priv->buffer_mutex); +} + +void tpm_common_open(struct file *file, struct tpm_chip *chip, + struct file_priv *priv) +{ + priv->chip = chip; + atomic_set(&priv->data_pending, 0); + mutex_init(&priv->buffer_mutex); + setup_timer(&priv->user_read_timer, user_reader_timeout, + (unsigned long)priv); + INIT_WORK(&priv->work, timeout_work); + + file->private_data = priv; +} + +ssize_t tpm_common_read(struct file *file, char __user *buf, + size_t size, loff_t *off) +{ + struct file_priv *priv = file->private_data; + ssize_t ret_size; + ssize_t orig_ret_size; + int rc; + + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); + ret_size = atomic_read(&priv->data_pending); + if (ret_size > 0) { /* relay data */ + orig_ret_size = ret_size; + if (size < ret_size) + ret_size = size; + + mutex_lock(&priv->buffer_mutex); + rc = copy_to_user(buf, priv->data_buffer, ret_size); + memset(priv->data_buffer, 0, orig_ret_size); + if (rc) + ret_size = -EFAULT; + + mutex_unlock(&priv->buffer_mutex); + } + + atomic_set(&priv->data_pending, 0); + + return ret_size; +} + +ssize_t tpm_common_write(struct file *file, const char __user *buf, + size_t size, loff_t *off, struct tpm_space *space) +{ + struct file_priv *priv = file->private_data; + size_t in_size = size; + ssize_t out_size; + + /* Cannot perform a write until the read has cleared either via + * tpm_read or a user_read_timer timeout. This also prevents split + * buffered writes from blocking here. + */ + if (atomic_read(&priv->data_pending) != 0) + return -EBUSY; + + if (in_size > TPM_BUFSIZE) + return -E2BIG; + + mutex_lock(&priv->buffer_mutex); + + if (copy_from_user + (priv->data_buffer, (void __user *) buf, in_size)) { + mutex_unlock(&priv->buffer_mutex); + return -EFAULT; + } + + /* atomic tpm command send and result receive. We only hold the ops + * lock during this period so that the tpm can be unregistered even if + * the char dev is held open. + */ + if (tpm_try_get_ops(priv->chip)) { + mutex_unlock(&priv->buffer_mutex); + return -EPIPE; + } + out_size = tpm_transmit(priv->chip, space, priv->data_buffer, + sizeof(priv->data_buffer), 0); + + tpm_put_ops(priv->chip); + if (out_size < 0) { + mutex_unlock(&priv->buffer_mutex); + return out_size; + } + + atomic_set(&priv->data_pending, out_size); + mutex_unlock(&priv->buffer_mutex); + + /* Set a timeout by which the reader must come claim the result */ + mod_timer(&priv->user_read_timer, jiffies + (120 * HZ)); + + return in_size; +} + +/* + * Called on file close + */ +void tpm_common_release(struct file *file, struct file_priv *priv) +{ + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); + file->private_data = NULL; + atomic_set(&priv->data_pending, 0); +} diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c index 414553bc115b..ebd74ab5abef 100644 --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -18,48 +18,15 @@ * */ #include -#include -#include "tpm.h" - -struct file_priv { - struct tpm_chip *chip; - - /* Data passed to and from the tpm via the read/write calls */ - atomic_t data_pending; - struct mutex buffer_mutex; - - struct timer_list user_read_timer; /* user needs to claim result */ - struct work_struct work; - - u8 data_buffer[TPM_BUFSIZE]; -}; - -static void user_reader_timeout(unsigned long ptr) -{ - struct file_priv *priv = (struct file_priv *)ptr; - - pr_warn("TPM user space timeout is deprecated (pid=%d)\n", - task_tgid_nr(current)); - - schedule_work(&priv->work); -} - -static void timeout_work(struct work_struct *work) -{ - struct file_priv *priv = container_of(work, struct file_priv, work); - - mutex_lock(&priv->buffer_mutex); - atomic_set(&priv->data_pending, 0); - memset(priv->data_buffer, 0, sizeof(priv->data_buffer)); - mutex_unlock(&priv->buffer_mutex); -} +#include "tpm-dev.h" static int tpm_open(struct inode *inode, struct file *file) { - struct tpm_chip *chip = - container_of(inode->i_cdev, struct tpm_chip, cdev); + struct tpm_chip *chip; struct file_priv *priv; + chip = container_of(inode->i_cdev, struct tpm_chip, cdev); + /* It's assured that the chip will be opened just once, * by the check of is_open variable, which is protected * by driver_lock. */ @@ -69,100 +36,22 @@ static int tpm_open(struct inode *inode, struct file *file) } priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (priv == NULL) { - clear_bit(0, &chip->is_open); - return -ENOMEM; - } + if (priv == NULL) + goto out; - priv->chip = chip; - atomic_set(&priv->data_pending, 0); - mutex_init(&priv->buffer_mutex); - setup_timer(&priv->user_read_timer, user_reader_timeout, - (unsigned long)priv); - INIT_WORK(&priv->work, timeout_work); + tpm_common_open(file, chip, priv); - file->private_data = priv; return 0; -} -static ssize_t tpm_read(struct file *file, char __user *buf, - size_t size, loff_t *off) -{ - struct file_priv *priv = file->private_data; - ssize_t ret_size; - int rc; - - del_singleshot_timer_sync(&priv->user_read_timer); - flush_work(&priv->work); - ret_size = atomic_read(&priv->data_pending); - if (ret_size > 0) { /* relay data */ - ssize_t orig_ret_size = ret_size; - if (size < ret_size) - ret_size = size; - - mutex_lock(&priv->buffer_mutex); - rc = copy_to_user(buf, priv->data_buffer, ret_size); - memset(priv->data_buffer, 0, orig_ret_size); - if (rc) - ret_size = -EFAULT; - - mutex_unlock(&priv->buffer_mutex); - } - - atomic_set(&priv->data_pending, 0); - - return ret_size; + out: + clear_bit(0, &chip->is_open); + return -ENOMEM; } static ssize_t tpm_write(struct file *file, const char __user *buf, size_t size, loff_t *off) { - struct file_priv *priv = file->private_data; - size_t in_size = size; - ssize_t out_size; - - /* cannot perform a write until the read has cleared - either via tpm_read or a user_read_timer timeout. - This also prevents splitted buffered writes from blocking here. - */ - if (atomic_read(&priv->data_pending) != 0) - return -EBUSY; - - if (in_size > TPM_BUFSIZE) - return -E2BIG; - - mutex_lock(&priv->buffer_mutex); - - if (copy_from_user - (priv->data_buffer, (void __user *) buf, in_size)) { - mutex_unlock(&priv->buffer_mutex); - return -EFAULT; - } - - /* atomic tpm command send and result receive. We only hold the ops - * lock during this period so that the tpm can be unregistered even if - * the char dev is held open. - */ - if (tpm_try_get_ops(priv->chip)) { - mutex_unlock(&priv->buffer_mutex); - return -EPIPE; - } - out_size = tpm_transmit(priv->chip, NULL, priv->data_buffer, - sizeof(priv->data_buffer), 0); - - tpm_put_ops(priv->chip); - if (out_size < 0) { - mutex_unlock(&priv->buffer_mutex); - return out_size; - } - - atomic_set(&priv->data_pending, out_size); - mutex_unlock(&priv->buffer_mutex); - - /* Set a timeout by which the reader must come claim the result */ - mod_timer(&priv->user_read_timer, jiffies + (120 * HZ)); - - return in_size; + return tpm_common_write(file, buf, size, off, NULL); } /* @@ -172,12 +61,10 @@ static int tpm_release(struct inode *inode, struct file *file) { struct file_priv *priv = file->private_data; - del_singleshot_timer_sync(&priv->user_read_timer); - flush_work(&priv->work); - file->private_data = NULL; - atomic_set(&priv->data_pending, 0); + tpm_common_release(file, priv); clear_bit(0, &priv->chip->is_open); kfree(priv); + return 0; } @@ -185,9 +72,7 @@ const struct file_operations tpm_fops = { .owner = THIS_MODULE, .llseek = no_llseek, .open = tpm_open, - .read = tpm_read, + .read = tpm_common_read, .write = tpm_write, .release = tpm_release, }; - - diff --git a/drivers/char/tpm/tpm-dev.h b/drivers/char/tpm/tpm-dev.h new file mode 100644 index 000000000000..ff15cf719bad --- /dev/null +++ b/drivers/char/tpm/tpm-dev.h @@ -0,0 +1,27 @@ +#ifndef _TPM_DEV_H +#define _TPM_DEV_H + +#include "tpm.h" + +struct file_priv { + struct tpm_chip *chip; + + /* Data passed to and from the tpm via the read/write calls */ + atomic_t data_pending; + struct mutex buffer_mutex; + + struct timer_list user_read_timer; /* user needs to claim result */ + struct work_struct work; + + u8 data_buffer[TPM_BUFSIZE]; +}; + +void tpm_common_open(struct file *file, struct tpm_chip *chip, + struct file_priv *priv); +ssize_t tpm_common_read(struct file *file, char __user *buf, + size_t size, loff_t *off); +ssize_t tpm_common_write(struct file *file, const char __user *buf, + size_t size, loff_t *off, struct tpm_space *space); +void tpm_common_release(struct file *file, struct file_priv *priv); + +#endif From fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Tue, 3 Jan 2017 09:07:32 -0800 Subject: [PATCH 67/98] tpm: expose spaces via a device link /dev/tpmrm Currently the tpm spaces are not exposed to userspace. Make this exposure via a separate device, which can now be opened multiple times because each read/write transaction goes separately via the space. Concurrency is protected by the chip->tpm_mutex for each read/write transaction separately. The TPM is cleared of all transient objects by the time the mutex is dropped, so there should be no interference between the kernel and userspace. Signed-off-by: James Bottomley Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/Makefile | 3 +- drivers/char/tpm/tpm-chip.c | 58 +++++++++++++++++++++++++++- drivers/char/tpm/tpm-interface.c | 13 ++++++- drivers/char/tpm/tpm.h | 4 ++ drivers/char/tpm/tpmrm-dev.c | 65 ++++++++++++++++++++++++++++++++ 5 files changed, 139 insertions(+), 4 deletions(-) create mode 100644 drivers/char/tpm/tpmrm-dev.c diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 10e5827445fc..23681f01f95a 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -3,7 +3,8 @@ # obj-$(CONFIG_TCG_TPM) += tpm.o tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \ - tpm-dev-common.o tpm1_eventlog.o tpm2_eventlog.o tpm2-space.o + tpm-dev-common.o tpmrm-dev.o tpm1_eventlog.o tpm2_eventlog.o \ + tpm2-space.o tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o tpm-$(CONFIG_OF) += tpm_of.o obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 993b9ae42876..187ec04ce9c3 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -33,6 +33,7 @@ DEFINE_IDR(dev_nums_idr); static DEFINE_MUTEX(idr_lock); struct class *tpm_class; +struct class *tpmrm_class; dev_t tpm_devt; /** @@ -132,6 +133,14 @@ static void tpm_dev_release(struct device *dev) kfree(chip); } +static void tpm_devs_release(struct device *dev) +{ + struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs); + + /* release the master device reference */ + put_device(&chip->dev); +} + /** * tpm_chip_alloc() - allocate a new struct tpm_chip instance * @pdev: device to which the chip is associated @@ -168,18 +177,35 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, chip->dev_num = rc; device_initialize(&chip->dev); + device_initialize(&chip->devs); chip->dev.class = tpm_class; chip->dev.release = tpm_dev_release; chip->dev.parent = pdev; chip->dev.groups = chip->groups; + chip->devs.parent = pdev; + chip->devs.class = tpmrm_class; + chip->devs.release = tpm_devs_release; + /* get extra reference on main device to hold on + * behalf of devs. This holds the chip structure + * while cdevs is in use. The corresponding put + * is in the tpm_devs_release + */ + get_device(&chip->dev); + if (chip->dev_num == 0) chip->dev.devt = MKDEV(MISC_MAJOR, TPM_MINOR); else chip->dev.devt = MKDEV(MAJOR(tpm_devt), chip->dev_num); + chip->devs.devt = + MKDEV(MAJOR(tpm_devt), chip->dev_num + TPM_NUM_DEVICES); + rc = dev_set_name(&chip->dev, "tpm%d", chip->dev_num); + if (rc) + goto out; + rc = dev_set_name(&chip->devs, "tpmrm%d", chip->dev_num); if (rc) goto out; @@ -187,8 +213,11 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, chip->flags |= TPM_CHIP_FLAG_VIRTUAL; cdev_init(&chip->cdev, &tpm_fops); + cdev_init(&chip->cdevs, &tpmrm_fops); chip->cdev.owner = THIS_MODULE; + chip->cdevs.owner = THIS_MODULE; chip->cdev.kobj.parent = &chip->dev.kobj; + chip->cdevs.kobj.parent = &chip->devs.kobj; chip->work_space.context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); if (!chip->work_space.context_buf) { @@ -199,6 +228,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, return chip; out: + put_device(&chip->devs); put_device(&chip->dev); return ERR_PTR(rc); } @@ -243,7 +273,6 @@ static int tpm_add_char_device(struct tpm_chip *chip) "unable to cdev_add() %s, major %d, minor %d, err=%d\n", dev_name(&chip->dev), MAJOR(chip->dev.devt), MINOR(chip->dev.devt), rc); - return rc; } @@ -258,6 +287,29 @@ static int tpm_add_char_device(struct tpm_chip *chip) return rc; } + if (chip->flags & TPM_CHIP_FLAG_TPM2) + rc = cdev_add(&chip->cdevs, chip->devs.devt, 1); + if (rc) { + dev_err(&chip->dev, + "unable to cdev_add() %s, major %d, minor %d, err=%d\n", + dev_name(&chip->devs), MAJOR(chip->devs.devt), + MINOR(chip->devs.devt), rc); + tpm_del_char_device(chip, true); + return rc; + } + + if (chip->flags & TPM_CHIP_FLAG_TPM2) + rc = device_add(&chip->devs); + if (rc) { + dev_err(&chip->dev, + "unable to device_register() %s, major %d, minor %d, err=%d\n", + dev_name(&chip->devs), MAJOR(chip->devs.devt), + MINOR(chip->devs.devt), rc); + cdev_del(&chip->cdevs); + tpm_del_char_device(chip, true); + return rc; + } + /* Make the chip available. */ mutex_lock(&idr_lock); idr_replace(&dev_nums_idr, chip, chip->dev_num); @@ -391,6 +443,10 @@ void tpm_chip_unregister(struct tpm_chip *chip) { tpm_del_legacy_sysfs(chip); tpm_bios_log_teardown(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + cdev_del(&chip->cdevs); + device_del(&chip->devs); + } tpm_del_char_device(chip); } EXPORT_SYMBOL_GPL(tpm_chip_unregister); diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index d09cf26365c3..16abbf9cb53a 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -1262,9 +1262,17 @@ static int __init tpm_init(void) return PTR_ERR(tpm_class); } - rc = alloc_chrdev_region(&tpm_devt, 0, TPM_NUM_DEVICES, "tpm"); + tpmrm_class = class_create(THIS_MODULE, "tpmrm"); + if (IS_ERR(tpmrm_class)) { + pr_err("couldn't create tpmrm class\n"); + class_destroy(tpm_class); + return PTR_ERR(tpmrm_class); + } + + rc = alloc_chrdev_region(&tpm_devt, 0, 2*TPM_NUM_DEVICES, "tpm"); if (rc < 0) { pr_err("tpm: failed to allocate char dev region\n"); + class_destroy(tpmrm_class); class_destroy(tpm_class); return rc; } @@ -1276,7 +1284,8 @@ static void __exit tpm_exit(void) { idr_destroy(&dev_nums_idr); class_destroy(tpm_class); - unregister_chrdev_region(tpm_devt, TPM_NUM_DEVICES); + class_destroy(tpmrm_class); + unregister_chrdev_region(tpm_devt, 2*TPM_NUM_DEVICES); } subsys_initcall(tpm_init); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 023fc02ad0f6..16dd207a4542 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -182,7 +182,9 @@ struct tpm_chip_seqops { struct tpm_chip { struct device dev; + struct device devs; struct cdev cdev; + struct cdev cdevs; /* A driver callback under ops cannot be run unless ops_sem is held * (sometimes implicitly, eg for the sysfs code). ops becomes null @@ -510,8 +512,10 @@ static inline void tpm_buf_append_u32(struct tpm_buf *buf, const u32 value) } extern struct class *tpm_class; +extern struct class *tpmrm_class; extern dev_t tpm_devt; extern const struct file_operations tpm_fops; +extern const struct file_operations tpmrm_fops; extern struct idr dev_nums_idr; enum tpm_transmit_flags { diff --git a/drivers/char/tpm/tpmrm-dev.c b/drivers/char/tpm/tpmrm-dev.c new file mode 100644 index 000000000000..630bddce65a8 --- /dev/null +++ b/drivers/char/tpm/tpmrm-dev.c @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2017 James.Bottomley@HansenPartnership.com + * + * GPLv2 + */ +#include +#include "tpm-dev.h" + +struct tpmrm_priv { + struct file_priv priv; + struct tpm_space space; +}; + +static int tpmrm_open(struct inode *inode, struct file *file) +{ + struct tpm_chip *chip; + struct tpmrm_priv *priv; + int rc; + + chip = container_of(inode->i_cdev, struct tpm_chip, cdevs); + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (priv == NULL) + return -ENOMEM; + + rc = tpm2_init_space(&priv->space); + if (rc) { + kfree(priv); + return -ENOMEM; + } + + tpm_common_open(file, chip, &priv->priv); + + return 0; +} + +static int tpmrm_release(struct inode *inode, struct file *file) +{ + struct file_priv *fpriv = file->private_data; + struct tpmrm_priv *priv = container_of(fpriv, struct tpmrm_priv, priv); + + tpm_common_release(file, fpriv); + tpm2_del_space(&priv->space); + kfree(priv); + + return 0; +} + +ssize_t tpmrm_write(struct file *file, const char __user *buf, + size_t size, loff_t *off) +{ + struct file_priv *fpriv = file->private_data; + struct tpmrm_priv *priv = container_of(fpriv, struct tpmrm_priv, priv); + + return tpm_common_write(file, buf, size, off, &priv->space); +} + +const struct file_operations tpmrm_fops = { + .owner = THIS_MODULE, + .llseek = no_llseek, + .open = tpmrm_open, + .read = tpm_common_read, + .write = tpmrm_write, + .release = tpmrm_release, +}; + From 4d57856a21ed2abe33412e0526cc84bdcf67ea08 Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Tue, 31 Jan 2017 15:47:31 -0800 Subject: [PATCH 68/98] tpm2: add session handle context saving and restoring to the space code Sessions are different from transient objects in that their handles may not be virtualized (because they're used for some hmac calculations). Additionally when a session is context saved, a vestigial memory remains in the TPM and if it is also flushed, that will be lost and the session context will refuse to load next time, so the code is updated to flush only transient objects after a context save. Add a separate array (chip->session_tbl) to save and restore sessions by handle. Use the failure of a context save or load to signal that the session has been flushed from the TPM and we can remove its memory from chip->session_tbl. Sessions are also isolated during each instance of a tpm space. This means that spaces shouldn't be able to see each other's sessions and is enforced by ensuring that a space user may only refer to sessions handles that are present in their own chip->session_tbl. Finally when a space is closed, all the sessions belonging to it should be flushed so the handles may be re-used by other spaces. Note that if we get a session save or load error, all sessions are effectively flushed. Even though we restore the session buffer, all the old sessions will refuse to load after the flush and they'll be purged from our session memory. This means that while transient context handling is still soft in the face of errors, session handling is hard (any failure of the model means all sessions are lost). Fixes-from: Colin Ian King Signed-off-by: James Bottomley Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 8 ++- drivers/char/tpm/tpm.h | 4 +- drivers/char/tpm/tpm2-space.c | 115 +++++++++++++++++++++++++++++++--- drivers/char/tpm/tpmrm-dev.c | 2 +- 4 files changed, 116 insertions(+), 13 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 187ec04ce9c3..aade6995f310 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -130,6 +130,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->log.bios_event_log); kfree(chip->work_space.context_buf); + kfree(chip->work_space.session_buf); kfree(chip); } @@ -224,6 +225,11 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, rc = -ENOMEM; goto out; } + chip->work_space.session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); + if (!chip->work_space.session_buf) { + rc = -ENOMEM; + goto out; + } return chip; @@ -294,7 +300,6 @@ static int tpm_add_char_device(struct tpm_chip *chip) "unable to cdev_add() %s, major %d, minor %d, err=%d\n", dev_name(&chip->devs), MAJOR(chip->devs.devt), MINOR(chip->devs.devt), rc); - tpm_del_char_device(chip, true); return rc; } @@ -306,7 +311,6 @@ static int tpm_add_char_device(struct tpm_chip *chip) dev_name(&chip->devs), MAJOR(chip->devs.devt), MINOR(chip->devs.devt), rc); cdev_del(&chip->cdevs); - tpm_del_char_device(chip, true); return rc; } diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 16dd207a4542..5eacb3fd2ed2 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -161,6 +161,8 @@ enum tpm2_cc_attrs { struct tpm_space { u32 context_tbl[3]; u8 *context_buf; + u32 session_tbl[3]; + u8 *session_buf; }; enum tpm_chip_flags { @@ -588,7 +590,7 @@ unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); int tpm2_probe(struct tpm_chip *chip); int tpm2_find_cc(struct tpm_chip *chip, u32 cc); int tpm2_init_space(struct tpm_space *space); -void tpm2_del_space(struct tpm_space *space); +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, u8 *cmd); int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index e955548dbeed..e2e059d8ffec 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -32,18 +32,39 @@ struct tpm2_context { __be16 blob_size; } __packed; +static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) { + if (space->session_tbl[i]) + tpm2_flush_context_cmd(chip, space->session_tbl[i], + TPM_TRANSMIT_UNLOCKED); + } +} + int tpm2_init_space(struct tpm_space *space) { space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); if (!space->context_buf) return -ENOMEM; + space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); + if (space->session_buf == NULL) { + kfree(space->context_buf); + return -ENOMEM; + } + return 0; } -void tpm2_del_space(struct tpm_space *space) +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) { + mutex_lock(&chip->tpm_mutex); + tpm2_flush_sessions(chip, space); + mutex_unlock(&chip->tpm_mutex); kfree(space->context_buf); + kfree(space->session_buf); } static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, @@ -69,6 +90,20 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, __func__, rc); tpm_buf_destroy(&tbuf); return -EFAULT; + } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || + rc == TPM2_RC_REFERENCE_H0) { + /* + * TPM_RC_HANDLE means that the session context can't + * be loaded because of an internal counter mismatch + * that makes the TPM think there might have been a + * replay. This might happen if the context was saved + * and loaded outside the space. + * + * TPM_RC_REFERENCE_H0 means the session has been + * flushed outside the space + */ + rc = -ENOENT; + tpm_buf_destroy(&tbuf); } else if (rc > 0) { dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", __func__, rc); @@ -121,7 +156,6 @@ static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf, } memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size); - tpm2_flush_context_cmd(chip, handle, TPM_TRANSMIT_UNLOCKED); *offset += body_size; tpm_buf_destroy(&tbuf); return 0; @@ -136,6 +170,8 @@ static void tpm2_flush_space(struct tpm_chip *chip) if (space->context_tbl[i] && ~space->context_tbl[i]) tpm2_flush_context_cmd(chip, space->context_tbl[i], TPM_TRANSMIT_UNLOCKED); + + tpm2_flush_sessions(chip, space); } static int tpm2_load_space(struct tpm_chip *chip) @@ -161,6 +197,28 @@ static int tpm2_load_space(struct tpm_chip *chip) return rc; } + for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) { + u32 handle; + + if (!space->session_tbl[i]) + continue; + + rc = tpm2_load_context(chip, space->session_buf, + &offset, &handle); + if (rc == -ENOENT) { + /* load failed, just forget session */ + space->session_tbl[i] = 0; + } else if (rc) { + tpm2_flush_space(chip); + return rc; + } + if (handle != space->session_tbl[i]) { + dev_warn(&chip->dev, "session restored to wrong handle\n"); + tpm2_flush_space(chip); + return -EFAULT; + } + } + return 0; } @@ -171,7 +229,7 @@ static bool tpm2_map_to_phandle(struct tpm_space *space, void *handle) int i; i = 0xFFFFFF - (vhandle & 0xFFFFFF); - if (i > ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i]) + if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i]) return false; phandle = space->context_tbl[i]; @@ -215,7 +273,10 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, memcpy(&chip->work_space.context_tbl, &space->context_tbl, sizeof(space->context_tbl)); + memcpy(&chip->work_space.session_tbl, &space->session_tbl, + sizeof(space->session_tbl)); memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE); + memcpy(chip->work_space.session_buf, space->session_buf, PAGE_SIZE); rc = tpm2_load_space(chip); if (rc) { @@ -232,6 +293,22 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, return 0; } +static bool tpm2_add_session(struct tpm_chip *chip, u32 handle) +{ + struct tpm_space *space = &chip->work_space; + int i; + + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) + if (space->session_tbl[i] == 0) + break; + + if (i == ARRAY_SIZE(space->session_tbl)) + return false; + + space->session_tbl[i] = handle; + return true; +} + static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool alloc) { int i; @@ -288,6 +365,8 @@ static int tpm2_map_response_header(struct tpm_chip *chip, u32 cc, u8 *rsp, break; case TPM2_HT_HMAC_SESSION: case TPM2_HT_POLICY_SESSION: + if (!tpm2_add_session(chip, phandle)) + goto out_no_slots; break; default: dev_err(&chip->dev, "%s: unknown handle 0x%08X\n", @@ -350,15 +429,11 @@ static int tpm2_map_response_body(struct tpm_chip *chip, u32 cc, u8 *rsp, data->handles[j] = cpu_to_be32(vhandle); j++; break; - case TPM2_HT_HMAC_SESSION: - case TPM2_HT_POLICY_SESSION: + + default: data->handles[j] = cpu_to_be32(phandle); j++; break; - default: - dev_err(&chip->dev, "%s: unknown handle 0x%08X\n", - __func__, phandle); - break; } } @@ -388,9 +463,28 @@ static int tpm2_save_space(struct tpm_chip *chip) } else if (rc) return rc; + tpm2_flush_context_cmd(chip, space->context_tbl[i], + TPM_TRANSMIT_UNLOCKED); space->context_tbl[i] = ~0; } + for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) { + if (!space->session_tbl[i]) + continue; + + rc = tpm2_save_context(chip, space->session_tbl[i], + space->session_buf, PAGE_SIZE, + &offset); + + if (rc == -ENOENT) { + /* handle error saving session, just forget it */ + space->session_tbl[i] = 0; + } else if (rc < 0) { + tpm2_flush_space(chip); + return rc; + } + } + return 0; } @@ -425,7 +519,10 @@ int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, memcpy(&space->context_tbl, &chip->work_space.context_tbl, sizeof(space->context_tbl)); + memcpy(&space->session_tbl, &chip->work_space.session_tbl, + sizeof(space->session_tbl)); memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE); + memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE); return 0; } diff --git a/drivers/char/tpm/tpmrm-dev.c b/drivers/char/tpm/tpmrm-dev.c index 630bddce65a8..c636e7fdd1f5 100644 --- a/drivers/char/tpm/tpmrm-dev.c +++ b/drivers/char/tpm/tpmrm-dev.c @@ -39,7 +39,7 @@ static int tpmrm_release(struct inode *inode, struct file *file) struct tpmrm_priv *priv = container_of(fpriv, struct tpmrm_priv, priv); tpm_common_release(file, fpriv); - tpm2_del_space(&priv->space); + tpm2_del_space(fpriv->chip, &priv->space); kfree(priv); return 0; From 8569defde8057258835c51ce01a33de82e14b148 Mon Sep 17 00:00:00 2001 From: Jerry Snitselaar Date: Fri, 10 Mar 2017 17:46:04 -0700 Subject: [PATCH 69/98] tpm_crb: check for bad response size Make sure size of response buffer is at least 6 bytes, or we will underflow and pass large size_t to memcpy_fromio(). This was encountered while testing earlier version of locality patchset. Cc: stable@vger.kernel.org Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface") Signed-off-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 324561845dc2..1dfc37e33c02 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -198,8 +198,7 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) memcpy_fromio(buf, priv->rsp, 6); expected = be32_to_cpup((__be32 *) &buf[2]); - - if (expected > count) + if (expected > count || expected < 6) return -EIO; memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); From 31574d321c70f6d3b40fe98f9b2eafd9a903fef9 Mon Sep 17 00:00:00 2001 From: "Hon Ching \\(Vicky\\) Lo" Date: Wed, 15 Mar 2017 01:28:07 -0400 Subject: [PATCH 70/98] vTPM: Fix missing NULL check The current code passes the address of tpm_chip as the argument to dev_get_drvdata() without prior NULL check in tpm_ibmvtpm_get_desired_dma. This resulted an oops during kernel boot when vTPM is enabled in Power partition configured in active memory sharing mode. The vio_driver's get_desired_dma() is called before the probe(), which for vtpm is tpm_ibmvtpm_probe, and it's this latter function that initializes the driver and set data. Attempting to get data before the probe() caused the problem. This patch adds a NULL check to the tpm_ibmvtpm_get_desired_dma. fixes: 9e0d39d8a6a0 ("tpm: Remove useless priv field in struct tpm_vendor_specific") Cc: Signed-off-by: Hon Ching(Vicky) Lo Reviewed-by: Jarkko Sakkine Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_ibmvtpm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c index 1b9d61ffe991..f01d083eced2 100644 --- a/drivers/char/tpm/tpm_ibmvtpm.c +++ b/drivers/char/tpm/tpm_ibmvtpm.c @@ -299,6 +299,8 @@ static int tpm_ibmvtpm_remove(struct vio_dev *vdev) } kfree(ibmvtpm); + /* For tpm_ibmvtpm_get_desired_dma */ + dev_set_drvdata(&vdev->dev, NULL); return 0; } @@ -313,14 +315,16 @@ static int tpm_ibmvtpm_remove(struct vio_dev *vdev) static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev) { struct tpm_chip *chip = dev_get_drvdata(&vdev->dev); - struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev); + struct ibmvtpm_dev *ibmvtpm; /* * ibmvtpm initializes at probe time, so the data we are * asking for may not be set yet. Estimate that 4K required * for TCE-mapped buffer in addition to CRQ. */ - if (!ibmvtpm) + if (chip) + ibmvtpm = dev_get_drvdata(&chip->dev); + else return CRQ_RES_BUF_SIZE + PAGE_SIZE; return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size; From 2d2e376f05f23f46ff7138a6c3f1df7a6f9a96a4 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Wed, 15 Mar 2017 21:58:00 +0200 Subject: [PATCH 71/98] tpm/st33zp24: Add GPIO ACPI mapping table In order to make GPIO ACPI library stricter prepare users of gpiod_get_index() to correctly behave when there no mapping is provided by firmware. Here we add explicit mapping between _CRS GpioIo() resources and their names used in the driver. Signed-off-by: Andy Shevchenko Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/st33zp24/i2c.c | 23 ++++++++++++++++++++--- drivers/char/tpm/st33zp24/spi.c | 23 ++++++++++++++++++++--- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/drivers/char/tpm/st33zp24/i2c.c b/drivers/char/tpm/st33zp24/i2c.c index 028a9cd76b63..1b10e38f214e 100644 --- a/drivers/char/tpm/st33zp24/i2c.c +++ b/drivers/char/tpm/st33zp24/i2c.c @@ -111,6 +111,13 @@ static const struct st33zp24_phy_ops i2c_phy_ops = { .recv = st33zp24_i2c_recv, }; +static const struct acpi_gpio_params lpcpd_gpios = { 1, 0, false }; + +static const struct acpi_gpio_mapping acpi_st33zp24_gpios[] = { + { "lpcpd-gpios", &lpcpd_gpios, 1 }, + {}, +}; + static int st33zp24_i2c_acpi_request_resources(struct i2c_client *client) { struct tpm_chip *chip = i2c_get_clientdata(client); @@ -118,10 +125,14 @@ static int st33zp24_i2c_acpi_request_resources(struct i2c_client *client) struct st33zp24_i2c_phy *phy = tpm_dev->phy_id; struct gpio_desc *gpiod_lpcpd; struct device *dev = &client->dev; + int ret; + + ret = acpi_dev_add_driver_gpios(ACPI_COMPANION(dev), acpi_st33zp24_gpios); + if (ret) + return ret; /* Get LPCPD GPIO from ACPI */ - gpiod_lpcpd = devm_gpiod_get_index(dev, "TPM IO LPCPD", 1, - GPIOD_OUT_HIGH); + gpiod_lpcpd = devm_gpiod_get(dev, "lpcpd", GPIOD_OUT_HIGH); if (IS_ERR(gpiod_lpcpd)) { dev_err(&client->dev, "Failed to retrieve lpcpd-gpios from acpi.\n"); @@ -268,8 +279,14 @@ static int st33zp24_i2c_probe(struct i2c_client *client, static int st33zp24_i2c_remove(struct i2c_client *client) { struct tpm_chip *chip = i2c_get_clientdata(client); + int ret; - return st33zp24_remove(chip); + ret = st33zp24_remove(chip); + if (ret) + return ret; + + acpi_dev_remove_driver_gpios(ACPI_COMPANION(&client->dev)); + return 0; } static const struct i2c_device_id st33zp24_i2c_id[] = { diff --git a/drivers/char/tpm/st33zp24/spi.c b/drivers/char/tpm/st33zp24/spi.c index 9f5a0117098c..c69d15198f84 100644 --- a/drivers/char/tpm/st33zp24/spi.c +++ b/drivers/char/tpm/st33zp24/spi.c @@ -230,6 +230,13 @@ static const struct st33zp24_phy_ops spi_phy_ops = { .recv = st33zp24_spi_recv, }; +static const struct acpi_gpio_params lpcpd_gpios = { 1, 0, false }; + +static const struct acpi_gpio_mapping acpi_st33zp24_gpios[] = { + { "lpcpd-gpios", &lpcpd_gpios, 1 }, + {}, +}; + static int st33zp24_spi_acpi_request_resources(struct spi_device *spi_dev) { struct tpm_chip *chip = spi_get_drvdata(spi_dev); @@ -237,10 +244,14 @@ static int st33zp24_spi_acpi_request_resources(struct spi_device *spi_dev) struct st33zp24_spi_phy *phy = tpm_dev->phy_id; struct gpio_desc *gpiod_lpcpd; struct device *dev = &spi_dev->dev; + int ret; + + ret = acpi_dev_add_driver_gpios(ACPI_COMPANION(dev), acpi_st33zp24_gpios); + if (ret) + return ret; /* Get LPCPD GPIO from ACPI */ - gpiod_lpcpd = devm_gpiod_get_index(dev, "TPM IO LPCPD", 1, - GPIOD_OUT_HIGH); + gpiod_lpcpd = devm_gpiod_get(dev, "lpcpd", GPIOD_OUT_HIGH); if (IS_ERR(gpiod_lpcpd)) { dev_err(dev, "Failed to retrieve lpcpd-gpios from acpi.\n"); phy->io_lpcpd = -1; @@ -385,8 +396,14 @@ static int st33zp24_spi_probe(struct spi_device *dev) static int st33zp24_spi_remove(struct spi_device *dev) { struct tpm_chip *chip = spi_get_drvdata(dev); + int ret; - return st33zp24_remove(chip); + ret = st33zp24_remove(chip); + if (ret) + return ret; + + acpi_dev_remove_driver_gpios(ACPI_COMPANION(&dev->dev)); + return 0; } static const struct spi_device_id st33zp24_spi_id[] = { From 0afb7118ae021e80ecf70f5a3336e0935505518a Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 10 Mar 2017 13:45:54 -0500 Subject: [PATCH 72/98] tpm: add sleep only for retry in i2c_nuvoton_write_status() Currently, there is an unnecessary 1 msec delay added in i2c_nuvoton_write_status() for the successful case. This function is called multiple times during send() and recv(), which implies adding multiple extra delays for every TPM operation. This patch calls usleep_range() only if retry is to be done. Signed-off-by: Nayna Jain Cc: stable@vger.kernel.org (linux-4.8) Reviewed-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_i2c_nuvoton.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c index 0c98c424d792..c6428771841f 100644 --- a/drivers/char/tpm/tpm_i2c_nuvoton.c +++ b/drivers/char/tpm/tpm_i2c_nuvoton.c @@ -124,8 +124,9 @@ static s32 i2c_nuvoton_write_status(struct i2c_client *client, u8 data) /* this causes the current command to be aborted */ for (i = 0, status = -1; i < TPM_I2C_RETRY_COUNT && status < 0; i++) { status = i2c_nuvoton_write_buf(client, TPM_STS, 1, &data); - usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY - + TPM_I2C_DELAY_RANGE); + if (status < 0) + usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY + + TPM_I2C_DELAY_RANGE); } return status; } From 67c2f3d388efe1a47e201b906d80545eaab7da22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lefaure?= Date: Thu, 16 Mar 2017 21:51:33 -0400 Subject: [PATCH 73/98] tpm/tpm_crb: fix unused warnings on suspend/resume functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When PM_SLEEP is disabled crb_pm_suspend and crb_pm_resume are not used by SET_SYSTEM_SLEEP_PM_OPS even if PM is enabled: drvers/char/tpm/tpm_crb.c:540:12: warning: ‘crb_pm_suspend’ defined but not used [-Wunused-function] static int crb_pm_suspend(struct device *dev) ^ drivers/char/tpm/tpm_crb.c:551:12: warning: ‘crb_pm_resume’ defined but not used [-Wunused-function] static int crb_pm_resume(struct device *dev) ^ The preprocessor condition should be on CONFIG_PM_SLEEP, not on CONFIG_PM. However, this patch fixes this warning by using __maybe_unused on function that are in the preprocessor condition. Fixes: 848efcfb560c ("tpm/tpm_crb: enter the low power state upon device suspend") Signed-off-by: Jérémy Lefaure Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 1dfc37e33c02..9f3160912152 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -519,8 +519,7 @@ static int crb_acpi_remove(struct acpi_device *device) return 0; } -#ifdef CONFIG_PM -static int crb_pm_runtime_suspend(struct device *dev) +static int __maybe_unused crb_pm_runtime_suspend(struct device *dev) { struct tpm_chip *chip = dev_get_drvdata(dev); struct crb_priv *priv = dev_get_drvdata(&chip->dev); @@ -528,7 +527,7 @@ static int crb_pm_runtime_suspend(struct device *dev) return crb_go_idle(dev, priv); } -static int crb_pm_runtime_resume(struct device *dev) +static int __maybe_unused crb_pm_runtime_resume(struct device *dev) { struct tpm_chip *chip = dev_get_drvdata(dev); struct crb_priv *priv = dev_get_drvdata(&chip->dev); @@ -536,7 +535,7 @@ static int crb_pm_runtime_resume(struct device *dev) return crb_cmd_ready(dev, priv); } -static int crb_pm_suspend(struct device *dev) +static int __maybe_unused crb_pm_suspend(struct device *dev) { int ret; @@ -547,7 +546,7 @@ static int crb_pm_suspend(struct device *dev) return crb_pm_runtime_suspend(dev); } -static int crb_pm_resume(struct device *dev) +static int __maybe_unused crb_pm_resume(struct device *dev) { int ret; @@ -558,8 +557,6 @@ static int crb_pm_resume(struct device *dev) return tpm_pm_resume(dev); } -#endif /* CONFIG_PM */ - static const struct dev_pm_ops crb_pm = { SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume) SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) From 84d25940678b7f93665d0964c9729680fa4a97e9 Mon Sep 17 00:00:00 2001 From: Jerry Snitselaar Date: Sat, 18 Mar 2017 01:59:57 -0700 Subject: [PATCH 74/98] tpm: make check_locality return bool Since check_locality is checking to see if a certain locality is active, return true if active otherwise return false. Cc: Christophe Ricard Cc: Jason Gunthorpe Cc: Marcel Selhorst Cc: Jarkko Sakkinen Cc: Peter Huewe Signed-off-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/st33zp24/st33zp24.c | 12 ++++++------ drivers/char/tpm/tpm_i2c_infineon.c | 12 ++++++------ drivers/char/tpm/tpm_tis_core.c | 20 +++++++++++--------- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c index e8e0f7c02686..4d1dc8b46877 100644 --- a/drivers/char/tpm/st33zp24/st33zp24.c +++ b/drivers/char/tpm/st33zp24/st33zp24.c @@ -117,9 +117,9 @@ static u8 st33zp24_status(struct tpm_chip *chip) /* * check_locality if the locality is active * @param: chip, the tpm chip description - * @return: the active locality or -EACCESS. + * @return: true if LOCALITY0 is active, otherwise false */ -static int check_locality(struct tpm_chip *chip) +static bool check_locality(struct tpm_chip *chip) { struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev); u8 data; @@ -129,9 +129,9 @@ static int check_locality(struct tpm_chip *chip) if (status && (data & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) == (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) - return tpm_dev->locality; + return true; - return -EACCES; + return false; } /* check_locality() */ /* @@ -146,7 +146,7 @@ static int request_locality(struct tpm_chip *chip) long ret; u8 data; - if (check_locality(chip) == tpm_dev->locality) + if (check_locality(chip)) return tpm_dev->locality; data = TPM_ACCESS_REQUEST_USE; @@ -158,7 +158,7 @@ static int request_locality(struct tpm_chip *chip) /* Request locality is usually effective after the request */ do { - if (check_locality(chip) >= 0) + if (check_locality(chip)) return tpm_dev->locality; msleep(TPM_TIMEOUT); } while (time_before(jiffies, stop)); diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c index 62ee44e57ddc..dc47fa222a26 100644 --- a/drivers/char/tpm/tpm_i2c_infineon.c +++ b/drivers/char/tpm/tpm_i2c_infineon.c @@ -278,22 +278,22 @@ enum tis_defaults { #define TPM_DATA_FIFO(l) (0x0005 | ((l) << 4)) #define TPM_DID_VID(l) (0x0006 | ((l) << 4)) -static int check_locality(struct tpm_chip *chip, int loc) +static bool check_locality(struct tpm_chip *chip, int loc) { u8 buf; int rc; rc = iic_tpm_read(TPM_ACCESS(loc), &buf, 1); if (rc < 0) - return rc; + return false; if ((buf & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) == (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) { tpm_dev.locality = loc; - return loc; + return true; } - return -EIO; + return false; } /* implementation similar to tpm_tis */ @@ -315,7 +315,7 @@ static int request_locality(struct tpm_chip *chip, int loc) unsigned long stop; u8 buf = TPM_ACCESS_REQUEST_USE; - if (check_locality(chip, loc) >= 0) + if (check_locality(chip, loc)) return loc; iic_tpm_write(TPM_ACCESS(loc), &buf, 1); @@ -323,7 +323,7 @@ static int request_locality(struct tpm_chip *chip, int loc) /* wait for burstcount */ stop = jiffies + chip->timeout_a; do { - if (check_locality(chip, loc) >= 0) + if (check_locality(chip, loc)) return loc; usleep_range(TPM_TIMEOUT_US_LOW, TPM_TIMEOUT_US_HI); } while (time_before(jiffies, stop)); diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index fc0e9a2734ed..f31fc831c8f9 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -56,7 +56,7 @@ static int wait_startup(struct tpm_chip *chip, int l) return -1; } -static int check_locality(struct tpm_chip *chip, int l) +static bool check_locality(struct tpm_chip *chip, int l) { struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev); int rc; @@ -64,13 +64,15 @@ static int check_locality(struct tpm_chip *chip, int l) rc = tpm_tis_read8(priv, TPM_ACCESS(l), &access); if (rc < 0) - return rc; + return false; if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) == - (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) - return priv->locality = l; + (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) { + priv->locality = l; + return true; + } - return -1; + return false; } static void release_locality(struct tpm_chip *chip, int l, int force) @@ -96,7 +98,7 @@ static int request_locality(struct tpm_chip *chip, int l) unsigned long stop, timeout; long rc; - if (check_locality(chip, l) >= 0) + if (check_locality(chip, l)) return l; rc = tpm_tis_write8(priv, TPM_ACCESS(l), TPM_ACCESS_REQUEST_USE); @@ -112,7 +114,7 @@ again: return -1; rc = wait_event_interruptible_timeout(priv->int_queue, (check_locality - (chip, l) >= 0), + (chip, l)), timeout); if (rc > 0) return l; @@ -123,7 +125,7 @@ again: } else { /* wait for burstcount */ do { - if (check_locality(chip, l) >= 0) + if (check_locality(chip, l)) return l; msleep(TPM_TIMEOUT); } while (time_before(jiffies, stop)); @@ -535,7 +537,7 @@ static irqreturn_t tis_int_handler(int dummy, void *dev_id) wake_up_interruptible(&priv->read_queue); if (interrupt & TPM_INTF_LOCALITY_CHANGE_INT) for (i = 0; i < 5; i++) - if (check_locality(chip, i) >= 0) + if (check_locality(chip, i)) break; if (interrupt & (TPM_INTF_LOCALITY_CHANGE_INT | TPM_INTF_STS_VALID_INT | From 877c57d0d0cac2c8fc661f708d8ee3fa7aa8d28b Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Fri, 24 Mar 2017 11:45:49 +0200 Subject: [PATCH 75/98] tpm_crb: request and relinquish locality 0 This commit adds support for requesting and relinquishing locality 0 in tpm_crb for the course of command transmission. In order to achieve this, two new callbacks are added to struct tpm_class_ops: - request_locality - relinquish_locality With CRB interface you first set either requestAccess or relinquish bit from TPM_LOC_CTRL_x register and then wait for locAssigned and tpmRegValidSts bits to be set in the TPM_LOC_STATE_x register. The reason why were are doing this is to make sure that the driver will work properly with Intel TXT that uses locality 2. There's no explicit guarantee that it would relinquish this locality. In more general sense this commit enables tpm_crb to be a well behaving citizen in a multi locality environment. Signed-off-by: Jarkko Sakkinen Reviewed-by: Jerry Snitselaar Tested-by: Jerry Snitselaar --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-interface.c | 16 +++++++++++++ drivers/char/tpm/tpm.h | 3 +++ drivers/char/tpm/tpm_crb.c | 41 ++++++++++++++++++++++++++++++++ include/linux/tpm.h | 3 ++- 5 files changed, 63 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index aade6995f310..a321bd57f3e9 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -231,6 +231,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, goto out; } + chip->locality = -1; return chip; out: diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 16abbf9cb53a..158c1db83f05 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -389,6 +389,7 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, ssize_t len = 0; u32 count, ordinal; unsigned long stop; + bool need_locality; if (!tpm_validate_command(chip, space, buf, bufsiz)) return -EINVAL; @@ -412,6 +413,16 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, if (chip->dev.parent) pm_runtime_get_sync(chip->dev.parent); + /* Store the decision as chip->locality will be changed. */ + need_locality = chip->locality == -1; + + if (need_locality && chip->ops->request_locality) { + rc = chip->ops->request_locality(chip, 0); + if (rc < 0) + goto out_no_locality; + chip->locality = rc; + } + rc = tpm2_prepare_space(chip, space, ordinal, buf); if (rc) goto out; @@ -471,6 +482,11 @@ out_recv: rc = tpm2_commit_space(chip, space, ordinal, buf, &len); out: + if (need_locality && chip->ops->relinquish_locality) { + chip->ops->relinquish_locality(chip, chip->locality); + chip->locality = -1; + } +out_no_locality: if (chip->dev.parent) pm_runtime_put_sync(chip->dev.parent); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 5eacb3fd2ed2..4b4c8dee3096 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -228,6 +228,9 @@ struct tpm_chip { struct tpm_space work_space; u32 nr_commands; u32 *cc_attrs_tbl; + + /* active locality */ + int locality; }; #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 9f3160912152..d91e47dc2d79 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -34,6 +34,16 @@ enum crb_defaults { CRB_ACPI_START_INDEX = 1, }; +enum crb_loc_ctrl { + CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0), + CRB_LOC_CTRL_RELINQUISH = BIT(1), +}; + +enum crb_loc_state { + CRB_LOC_STATE_LOC_ASSIGNED = BIT(1), + CRB_LOC_STATE_TPM_REG_VALID_STS = BIT(7), +}; + enum crb_ctrl_req { CRB_CTRL_REQ_CMD_READY = BIT(0), CRB_CTRL_REQ_GO_IDLE = BIT(1), @@ -172,6 +182,35 @@ static int __maybe_unused crb_cmd_ready(struct device *dev, return 0; } +static int crb_request_locality(struct tpm_chip *chip, int loc) +{ + struct crb_priv *priv = dev_get_drvdata(&chip->dev); + u32 value = CRB_LOC_STATE_LOC_ASSIGNED | + CRB_LOC_STATE_TPM_REG_VALID_STS; + + if (!priv->regs_h) + return 0; + + iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl); + if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value, + TPM2_TIMEOUT_C)) { + dev_warn(&chip->dev, "TPM_LOC_STATE_x.requestAccess timed out\n"); + return -ETIME; + } + + return 0; +} + +static void crb_relinquish_locality(struct tpm_chip *chip, int loc) +{ + struct crb_priv *priv = dev_get_drvdata(&chip->dev); + + if (!priv->regs_h) + return; + + iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl); +} + static u8 crb_status(struct tpm_chip *chip) { struct crb_priv *priv = dev_get_drvdata(&chip->dev); @@ -278,6 +317,8 @@ static const struct tpm_class_ops tpm_crb = { .send = crb_send, .cancel = crb_cancel, .req_canceled = crb_req_canceled, + .request_locality = crb_request_locality, + .relinquish_locality = crb_relinquish_locality, .req_complete_mask = CRB_DRV_STS_COMPLETE, .req_complete_val = CRB_DRV_STS_COMPLETE, }; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index da158f06e0b2..5a090f5ab335 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -48,7 +48,8 @@ struct tpm_class_ops { u8 (*status) (struct tpm_chip *chip); bool (*update_timeouts)(struct tpm_chip *chip, unsigned long *timeout_cap); - + int (*request_locality)(struct tpm_chip *chip, int loc); + void (*relinquish_locality)(struct tpm_chip *chip, int loc); }; #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) From cf8252ca7ca76fa47acf29b717bd52b738538c1e Mon Sep 17 00:00:00 2001 From: Jiandi An Date: Fri, 24 Mar 2017 04:55:44 -0500 Subject: [PATCH 76/98] ACPICA: Update TPM2 ACPI table TCG ACPI Specification Family "1.2" and "2.0" Version 1.2 Revision 8 introduces new start method for ARM SMC. - Add new start method (type 11) for ARM SMC - Add start method specific parameters offset for ARM SMC start method Signed-off-by: Jiandi An Tested-by: Shanker Donthineni Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen (on x86/PTT) Signed-off-by: Jarkko Sakkinen --- include/acpi/actbl2.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/acpi/actbl2.h b/include/acpi/actbl2.h index 7aee9fb3bd1f..2b4af0769a28 100644 --- a/include/acpi/actbl2.h +++ b/include/acpi/actbl2.h @@ -1294,6 +1294,9 @@ struct acpi_table_tpm2 { #define ACPI_TPM2_MEMORY_MAPPED 6 #define ACPI_TPM2_COMMAND_BUFFER 7 #define ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD 8 +#define ACPI_TPM2_COMMAND_BUFFER_WITH_SMC 11 + +#define ACPI_TPM2_START_METHOD_PARAMETER_OFFSET 52 /******************************************************************************* * From 08eff49d63ca2bf4cd98c4bdc07dc9d07d52f8f5 Mon Sep 17 00:00:00 2001 From: Jiandi An Date: Fri, 24 Mar 2017 04:55:45 -0500 Subject: [PATCH 77/98] tpm/tpm_crb: Enable TPM CRB interface for ARM64 This enables TPM Command Response Buffer interface driver for ARM64 and implements an ARM specific TPM CRB start method that invokes a Secure Monitor Call (SMC) to request the TrustZone Firmware to execute or cancel a TPM 2.0 command. In ARM, TrustZone security extensions enable a secure software environment with Secure Monitor mode. A Secure Monitor Call (SMC) is used to enter the Secure Monitor mode and perform a Secure Monitor service to communicate with TrustZone firmware which has control over the TPM hardware. Signed-off-by: Jiandi An Tested-by: Shanker Donthineni Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen (on x86/PTT) Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/Kconfig | 2 +- drivers/char/tpm/tpm_crb.c | 67 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 66 insertions(+), 3 deletions(-) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index d520ac51c11c..a30352202f1f 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -136,7 +136,7 @@ config TCG_XEN config TCG_CRB tristate "TPM 2.0 CRB Interface" - depends on X86 && ACPI + depends on ACPI ---help--- If you have a TPM security chip that is compliant with the TCG CRB 2.0 TPM specification say Yes and it will be accessible diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index d91e47dc2d79..72b03c328198 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -20,6 +20,9 @@ #include #include #include +#ifdef CONFIG_ARM64 +#include +#endif #include "tpm.h" #define ACPI_SIG_TPM2 "TPM2" @@ -93,6 +96,7 @@ enum crb_status { enum crb_flags { CRB_FL_ACPI_START = BIT(0), CRB_FL_CRB_START = BIT(1), + CRB_FL_CRB_SMC_START = BIT(2), }; struct crb_priv { @@ -103,6 +107,15 @@ struct crb_priv { u8 __iomem *cmd; u8 __iomem *rsp; u32 cmd_size; + u32 smc_func_id; +}; + +struct tpm2_crb_smc { + u32 interrupt; + u8 interrupt_flags; + u8 op_flags; + u16 reserved2; + u32 smc_func_id; }; /** @@ -122,7 +135,8 @@ struct crb_priv { */ static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) { - if (priv->flags & CRB_FL_ACPI_START) + if ((priv->flags & CRB_FL_ACPI_START) || + (priv->flags & CRB_FL_CRB_SMC_START)) return 0; iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req); @@ -167,7 +181,8 @@ static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value, static int __maybe_unused crb_cmd_ready(struct device *dev, struct crb_priv *priv) { - if (priv->flags & CRB_FL_ACPI_START) + if ((priv->flags & CRB_FL_ACPI_START) || + (priv->flags & CRB_FL_CRB_SMC_START)) return 0; iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req); @@ -262,6 +277,34 @@ static int crb_do_acpi_start(struct tpm_chip *chip) return rc; } +#ifdef CONFIG_ARM64 +/* + * This is a TPM Command Response Buffer start method that invokes a + * Secure Monitor Call to requrest the firmware to execute or cancel + * a TPM 2.0 command. + */ +static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) +{ + struct arm_smccc_res res; + + arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res); + if (res.a0 != 0) { + dev_err(dev, + FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n", + res.a0); + return -EIO; + } + + return 0; +} +#else +static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) +{ + dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n"); + return -EINVAL; +} +#endif + static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) { struct crb_priv *priv = dev_get_drvdata(&chip->dev); @@ -289,6 +332,11 @@ static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) if (priv->flags & CRB_FL_ACPI_START) rc = crb_do_acpi_start(chip); + if (priv->flags & CRB_FL_CRB_SMC_START) { + iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); + rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id); + } + return rc; } @@ -483,6 +531,7 @@ static int crb_acpi_add(struct acpi_device *device) struct crb_priv *priv; struct tpm_chip *chip; struct device *dev = &device->dev; + struct tpm2_crb_smc *crb_smc; acpi_status status; u32 sm; int rc; @@ -515,6 +564,20 @@ static int crb_acpi_add(struct acpi_device *device) sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) priv->flags |= CRB_FL_ACPI_START; + if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_SMC) { + if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) { + dev_err(dev, + FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n", + buf->header.length, + ACPI_TPM2_COMMAND_BUFFER_WITH_SMC); + return -EINVAL; + } + crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, + ACPI_TPM2_START_METHOD_PARAMETER_OFFSET); + priv->smc_func_id = crb_smc->smc_func_id; + priv->flags |= CRB_FL_CRB_SMC_START; + } + rc = crb_map_io(device, priv, buf); if (rc) return rc; From 2b6aa412ff23a02ac777ad307249c60a839cfd25 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Wed, 31 Aug 2016 16:05:43 -0700 Subject: [PATCH 78/98] KEYS: Use structure to capture key restriction function and data Replace struct key's restrict_link function pointer with a pointer to the new struct key_restriction. The structure contains pointers to the restriction function as well as relevant data for evaluating the restriction. The garbage collector checks restrict_link->keytype when key types are unregistered. Restrictions involving a removed key type are converted to use restrict_link_reject so that restrictions cannot be removed by unregistering key types. Signed-off-by: Mat Martineau --- Documentation/security/keys.txt | 21 +++++----- certs/system_keyring.c | 21 +++++++++- include/linux/key.h | 8 ++-- security/integrity/digsig.c | 9 ++++- security/integrity/ima/ima_mok.c | 11 +++++- security/keys/gc.c | 11 ++++++ security/keys/internal.h | 2 + security/keys/key.c | 23 ++++++----- security/keys/keyring.c | 68 +++++++++++++++++++++++++++++--- 9 files changed, 144 insertions(+), 30 deletions(-) diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index bb575ab80207..e35de987fc48 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -1032,7 +1032,7 @@ payload contents" for more information. struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, const struct cred *cred, key_perm_t perm, - key_restrict_link_func_t restrict_link, + struct key_restriction *restrict_link, unsigned long flags, struct key *dest); @@ -1044,14 +1044,17 @@ payload contents" for more information. KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted towards the user's quota). Error ENOMEM can also be returned. - If restrict_link not NULL, it should point to a function that will be - called each time an attempt is made to link a key into the new keyring. - This function is called to check whether a key may be added into the keying - or not. Callers of key_create_or_update() within the kernel can pass - KEY_ALLOC_BYPASS_RESTRICTION to suppress the check. An example of using - this is to manage rings of cryptographic keys that are set up when the - kernel boots where userspace is also permitted to add keys - provided they - can be verified by a key the kernel already has. + If restrict_link is not NULL, it should point to a structure that contains + the function that will be called each time an attempt is made to link a + key into the new keyring. The structure may also contain a key pointer + and an associated key type. The function is called to check whether a key + may be added into the keyring or not. The key type is used by the garbage + collector to clean up function or data pointers in this structure if the + given key type is unregistered. Callers of key_create_or_update() within + the kernel can pass KEY_ALLOC_BYPASS_RESTRICTION to suppress the check. + An example of using this is to manage rings of cryptographic keys that are + set up when the kernel boots where userspace is also permitted to add keys + - provided they can be verified by a key the kernel already has. When called, the restriction function will be passed the keyring being added to, the key type, the payload of the key being added, and data to be diff --git a/certs/system_keyring.c b/certs/system_keyring.c index e39cce68dcfa..6251d1b27f0c 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -68,6 +69,24 @@ int restrict_link_by_builtin_and_secondary_trusted( return restrict_link_by_signature(dest_keyring, type, payload, secondary_trusted_keys); } + +/** + * Allocate a struct key_restriction for the "builtin and secondary trust" + * keyring. Only for use in system_trusted_keyring_init(). + */ +static __init struct key_restriction *get_builtin_and_secondary_restriction(void) +{ + struct key_restriction *restriction; + + restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + + if (!restriction) + panic("Can't allocate secondary trusted keyring restriction\n"); + + restriction->check = restrict_link_by_builtin_and_secondary_trusted; + + return restriction; +} #endif /* @@ -95,7 +114,7 @@ static __init int system_trusted_keyring_init(void) KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | KEY_USR_WRITE), KEY_ALLOC_NOT_IN_QUOTA, - restrict_link_by_builtin_and_secondary_trusted, + get_builtin_and_secondary_restriction(), NULL); if (IS_ERR(secondary_trusted_keys)) panic("Can't allocate secondary trusted keyring\n"); diff --git a/include/linux/key.h b/include/linux/key.h index a06649f3223d..d2916363689c 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -217,7 +217,7 @@ struct key { }; /* This is set on a keyring to restrict the addition of a link to a key - * to it. If this method isn't provided then it is assumed that the + * to it. If this structure isn't provided then it is assumed that the * keyring is open to any addition. It is ignored for non-keyring * keys. * @@ -226,7 +226,7 @@ struct key { * overrides this, allowing the kernel to add extra keys without * restriction. */ - key_restrict_link_func_t restrict_link; + struct key_restriction *restrict_link; }; extern struct key *key_alloc(struct key_type *type, @@ -235,7 +235,7 @@ extern struct key *key_alloc(struct key_type *type, const struct cred *cred, key_perm_t perm, unsigned long flags, - key_restrict_link_func_t restrict_link); + struct key_restriction *restrict_link); #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ @@ -311,7 +311,7 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid const struct cred *cred, key_perm_t perm, unsigned long flags, - key_restrict_link_func_t restrict_link, + struct key_restriction *restrict_link, struct key *dest); extern int restrict_link_reject(struct key *keyring, diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 106e855e2d9d..06554c448dce 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -81,18 +81,25 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int __init integrity_init_keyring(const unsigned int id) { const struct cred *cred = current_cred(); + struct key_restriction *restriction; int err = 0; if (!init_keyring) return 0; + restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + if (!restriction) + return -ENOMEM; + + restriction->check = restrict_link_to_ima; + keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), KGIDT_INIT(0), cred, ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE | KEY_USR_SEARCH), KEY_ALLOC_NOT_IN_QUOTA, - restrict_link_to_ima, NULL); + restriction, NULL); if (IS_ERR(keyring[id])) { err = PTR_ERR(keyring[id]); pr_info("Can't allocate %s keyring (%d)\n", diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c index 74a279957464..073ddc9bce5b 100644 --- a/security/integrity/ima/ima_mok.c +++ b/security/integrity/ima/ima_mok.c @@ -17,6 +17,7 @@ #include #include #include +#include #include @@ -27,15 +28,23 @@ struct key *ima_blacklist_keyring; */ __init int ima_mok_init(void) { + struct key_restriction *restriction; + pr_notice("Allocating IMA blacklist keyring.\n"); + restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + if (!restriction) + panic("Can't allocate IMA blacklist restriction."); + + restriction->check = restrict_link_by_builtin_trusted; + ima_blacklist_keyring = keyring_alloc(".ima_blacklist", KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE | KEY_USR_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, - restrict_link_by_builtin_trusted, NULL); + restriction, NULL); if (IS_ERR(ima_blacklist_keyring)) panic("Can't allocate IMA blacklist keyring."); diff --git a/security/keys/gc.c b/security/keys/gc.c index 44789256c88c..15b9ddf510e4 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -229,6 +229,9 @@ continue_scanning: set_bit(KEY_FLAG_DEAD, &key->flags); key->perm = 0; goto skip_dead_key; + } else if (key->type == &key_type_keyring && + key->restrict_link) { + goto found_restricted_keyring; } } @@ -334,6 +337,14 @@ found_unreferenced_key: gc_state |= KEY_GC_REAP_AGAIN; goto maybe_resched; + /* We found a restricted keyring and need to update the restriction if + * it is associated with the dead key type. + */ +found_restricted_keyring: + spin_unlock(&key_serial_lock); + keyring_restriction_gc(key, key_gc_dead_keytype); + goto maybe_resched; + /* We found a keyring and we need to check the payload for links to * dead or expired keys. We don't flag another reap immediately as we * have to wait for the old payload to be destroyed by RCU before we diff --git a/security/keys/internal.h b/security/keys/internal.h index 6bee06ae026d..24762ae9a198 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -168,6 +168,8 @@ extern void key_change_session_keyring(struct callback_head *twork); extern struct work_struct key_gc_work; extern unsigned key_gc_delay; extern void keyring_gc(struct key *keyring, time_t limit); +extern void keyring_restriction_gc(struct key *keyring, + struct key_type *dead_type); extern void key_schedule_gc(time_t gc_at); extern void key_schedule_gc_links(void); extern void key_gc_keytype(struct key_type *ktype); diff --git a/security/keys/key.c b/security/keys/key.c index 27fc1bb40034..2ea5967121de 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -201,12 +201,15 @@ serial_exists: * @cred: The credentials specifying UID namespace. * @perm: The permissions mask of the new key. * @flags: Flags specifying quota properties. - * @restrict_link: Optional link restriction method for new keyrings. + * @restrict_link: Optional link restriction for new keyrings. * * Allocate a key of the specified type with the attributes given. The key is * returned in an uninstantiated state and the caller needs to instantiate the * key before returning. * + * The restrict_link structure (if not NULL) will be freed when the + * keyring is destroyed, so it must be dynamically allocated. + * * The user's key count quota is updated to reflect the creation of the key and * the user's key data quota has the default for the key type reserved. The * instantiation function should amend this as necessary. If insufficient @@ -225,7 +228,7 @@ serial_exists: struct key *key_alloc(struct key_type *type, const char *desc, kuid_t uid, kgid_t gid, const struct cred *cred, key_perm_t perm, unsigned long flags, - key_restrict_link_func_t restrict_link) + struct key_restriction *restrict_link) { struct key_user *user = NULL; struct key *key; @@ -497,9 +500,11 @@ int key_instantiate_and_link(struct key *key, } if (keyring) { - if (keyring->restrict_link) { - ret = keyring->restrict_link(keyring, key->type, - &prep.payload, NULL); + if (keyring->restrict_link && keyring->restrict_link->check) { + struct key_restriction *keyres = keyring->restrict_link; + + ret = keyres->check(keyring, key->type, &prep.payload, + keyres->key); if (ret < 0) goto error; } @@ -804,7 +809,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, struct key *keyring, *key = NULL; key_ref_t key_ref; int ret; - key_restrict_link_func_t restrict_link = NULL; + struct key_restriction *restrict_link = NULL; /* look up the key type to see if it's one of the registered kernel * types */ @@ -850,9 +855,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } index_key.desc_len = strlen(index_key.description); - if (restrict_link) { - ret = restrict_link(keyring, index_key.type, &prep.payload, - NULL); + if (restrict_link && restrict_link->check) { + ret = restrict_link->check(keyring, index_key.type, + &prep.payload, restrict_link->key); if (ret < 0) { key_ref = ERR_PTR(ret); goto error_free_prep; diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 2ccc66ec35d7..838334fec6ce 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -394,6 +394,13 @@ static void keyring_destroy(struct key *keyring) write_unlock(&keyring_name_lock); } + if (keyring->restrict_link) { + struct key_restriction *keyres = keyring->restrict_link; + + key_put(keyres->key); + kfree(keyres); + } + assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); } @@ -492,7 +499,7 @@ static long keyring_read(const struct key *keyring, struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, const struct cred *cred, key_perm_t perm, unsigned long flags, - key_restrict_link_func_t restrict_link, + struct key_restriction *restrict_link, struct key *dest) { struct key *keyring; @@ -523,8 +530,8 @@ EXPORT_SYMBOL(keyring_alloc); * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when * adding a key to a keyring. * - * This is meant to be passed as the restrict_link parameter to - * keyring_alloc(). + * This is meant to be stored in a key_restriction structure which is passed + * in the restrict_link parameter to keyring_alloc(). */ int restrict_link_reject(struct key *keyring, const struct key_type *type, @@ -1220,9 +1227,10 @@ void __key_link_end(struct key *keyring, */ static int __key_link_check_restriction(struct key *keyring, struct key *key) { - if (!keyring->restrict_link) + if (!keyring->restrict_link || !keyring->restrict_link->check) return 0; - return keyring->restrict_link(keyring, key->type, &key->payload, NULL); + return keyring->restrict_link->check(keyring, key->type, &key->payload, + keyring->restrict_link->key); } /** @@ -1426,3 +1434,53 @@ do_gc: up_write(&keyring->sem); kleave(" [gc]"); } + +/* + * Garbage collect restriction pointers from a keyring. + * + * Keyring restrictions are associated with a key type, and must be cleaned + * up if the key type is unregistered. The restriction is altered to always + * reject additional keys so a keyring cannot be opened up by unregistering + * a key type. + * + * Not called with any keyring locks held. The keyring's key struct will not + * be deallocated under us as only our caller may deallocate it. + * + * The caller is required to hold key_types_sem and dead_type->sem. This is + * fulfilled by key_gc_keytype() holding the locks on behalf of + * key_garbage_collector(), which it invokes on a workqueue. + */ +void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type) +{ + struct key_restriction *keyres; + + kenter("%x{%s}", keyring->serial, keyring->description ?: ""); + + /* + * keyring->restrict_link is only assigned at key allocation time + * or with the key type locked, so the only values that could be + * concurrently assigned to keyring->restrict_link are for key + * types other than dead_type. Given this, it's ok to check + * the key type before acquiring keyring->sem. + */ + if (!dead_type || !keyring->restrict_link || + keyring->restrict_link->keytype != dead_type) { + kleave(" [no restriction gc]"); + return; + } + + /* Lock the keyring to ensure that a link is not in progress */ + down_write(&keyring->sem); + + keyres = keyring->restrict_link; + + keyres->check = restrict_link_reject; + + key_put(keyres->key); + keyres->key = NULL; + keyres->keytype = NULL; + + up_write(&keyring->sem); + + kleave(" [restriction gc]"); +} From efba797b977c99bc6e0c301299272c80fb8b287f Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Fri, 6 May 2016 15:38:17 -0700 Subject: [PATCH 79/98] KEYS: Add an optional lookup_restriction hook to key_type The restrict_link functions used to validate keys as they are linked to a keyring can be associated with specific key types. Each key type may be loaded (or not) at runtime, so lookup of restrict_link functions needs to be part of the key type implementation to ensure that the requested keys can be examined. Signed-off-by: Mat Martineau --- Documentation/security/keys.txt | 9 +++++++++ include/linux/key-type.h | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index e35de987fc48..5fe04a7cc03d 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -1445,6 +1445,15 @@ The structure has a number of fields, some of which are mandatory: The authorisation key. + (*) struct key_restriction *(*lookup_restriction)(const char *params); + + This optional method is used to enable userspace configuration of keyring + restrictions. The restriction parameter string (not including the key type + name) is passed in, and this method returns a pointer to a key_restriction + structure containing the relevant functions and data to evaluate each + attempted key link operation. If there is no match, -EINVAL is returned. + + ============================ REQUEST-KEY CALLBACK SERVICE ============================ diff --git a/include/linux/key-type.h b/include/linux/key-type.h index eaee981c5558..8496cf64575c 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -147,6 +147,14 @@ struct key_type { */ request_key_actor_t request_key; + /* Look up a keyring access restriction (optional) + * + * - NULL is a valid return value (meaning the requested restriction + * is known but will never block addition of a key) + * - should return -EINVAL if the restriction is unknown + */ + struct key_restriction *(*lookup_restriction)(const char *params); + /* internal fields */ struct list_head link; /* link in types list */ struct lock_class_key lock_class; /* key->sem lock class */ From 4a420896f12d2d043602f134ae18ad6be5b9d9dd Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Tue, 4 Oct 2016 16:27:32 -0700 Subject: [PATCH 80/98] KEYS: Consistent ordering for __key_link_begin and restrict check The keyring restrict callback was sometimes called before __key_link_begin and sometimes after, which meant that the keyring semaphores were not always held during the restrict callback. If the semaphores are consistently acquired before checking link restrictions, keyring contents cannot be changed after the restrict check is complete but before the evaluated key is linked to the keyring. Signed-off-by: Mat Martineau --- security/keys/key.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/security/keys/key.c b/security/keys/key.c index 2ea5967121de..455c04d80bbb 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -500,21 +500,23 @@ int key_instantiate_and_link(struct key *key, } if (keyring) { + ret = __key_link_begin(keyring, &key->index_key, &edit); + if (ret < 0) + goto error; + if (keyring->restrict_link && keyring->restrict_link->check) { struct key_restriction *keyres = keyring->restrict_link; ret = keyres->check(keyring, key->type, &prep.payload, keyres->key); if (ret < 0) - goto error; + goto error_link_end; } - ret = __key_link_begin(keyring, &key->index_key, &edit); - if (ret < 0) - goto error; } ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); +error_link_end: if (keyring) __key_link_end(keyring, &key->index_key, edit); @@ -855,21 +857,21 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } index_key.desc_len = strlen(index_key.description); + ret = __key_link_begin(keyring, &index_key, &edit); + if (ret < 0) { + key_ref = ERR_PTR(ret); + goto error_free_prep; + } + if (restrict_link && restrict_link->check) { ret = restrict_link->check(keyring, index_key.type, &prep.payload, restrict_link->key); if (ret < 0) { key_ref = ERR_PTR(ret); - goto error_free_prep; + goto error_link_end; } } - ret = __key_link_begin(keyring, &index_key, &edit); - if (ret < 0) { - key_ref = ERR_PTR(ret); - goto error_free_prep; - } - /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE); From 6563c91fd645556c7801748f15bc727c77fcd311 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Wed, 1 Mar 2017 16:44:09 -0800 Subject: [PATCH 81/98] KEYS: Add KEYCTL_RESTRICT_KEYRING Keyrings recently gained restrict_link capabilities that allow individual keys to be validated prior to linking. This functionality was only available using internal kernel APIs. With the KEYCTL_RESTRICT_KEYRING command existing keyrings can be configured to check the content of keys before they are linked, and then allow or disallow linkage of that key to the keyring. To restrict a keyring, call: keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, const char *type, const char *restriction) where 'type' is the name of a registered key type and 'restriction' is a string describing how key linkage is to be restricted. The restriction option syntax is specific to each key type. Signed-off-by: Mat Martineau --- Documentation/security/keys.txt | 25 ++++++++ include/linux/key.h | 6 +- include/uapi/linux/keyctl.h | 1 + security/keys/compat.c | 4 ++ security/keys/internal.h | 3 + security/keys/keyctl.c | 58 ++++++++++++++++++ security/keys/keyring.c | 105 ++++++++++++++++++++++++++++++++ 7 files changed, 201 insertions(+), 1 deletion(-) diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 5fe04a7cc03d..5f554aab8751 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -857,6 +857,31 @@ The keyctl syscall functions are: supported, error ENOKEY if the key could not be found, or error EACCES if the key is not readable by the caller. + (*) Restrict keyring linkage + + long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, + const char *type, const char *restriction); + + An existing keyring can restrict linkage of additional keys by evaluating + the contents of the key according to a restriction scheme. + + "keyring" is the key ID for an existing keyring to apply a restriction + to. It may be empty or may already have keys linked. Existing linked keys + will remain in the keyring even if the new restriction would reject them. + + "type" is a registered key type. + + "restriction" is a string describing how key linkage is to be restricted. + The format varies depending on the key type, and the string is passed to + the lookup_restriction() function for the requested type. It may specify + a method and relevant data for the restriction such as signature + verification or constraints on key payload. If the requested key type is + later unregistered, no keys may be added to the keyring after the key type + is removed. + + To apply a keyring restriction the process must have Set Attribute + permission and the keyring must not be previously restricted. + =============== KERNEL SERVICES =============== diff --git a/include/linux/key.h b/include/linux/key.h index d2916363689c..0c9b93b0d1f7 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -219,7 +219,8 @@ struct key { /* This is set on a keyring to restrict the addition of a link to a key * to it. If this structure isn't provided then it is assumed that the * keyring is open to any addition. It is ignored for non-keyring - * keys. + * keys. Only set this value using keyring_restrict(), keyring_alloc(), + * or key_alloc(). * * This is intended for use with rings of trusted keys whereby addition * to the keyring needs to be controlled. KEY_ALLOC_BYPASS_RESTRICTION @@ -328,6 +329,9 @@ extern key_ref_t keyring_search(key_ref_t keyring, extern int keyring_add_key(struct key *keyring, struct key *key); +extern int keyring_restrict(key_ref_t keyring, const char *type, + const char *restriction); + extern struct key *key_lookup(key_serial_t id); static inline key_serial_t key_serial(const struct key *key) diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index 86eddd6241f3..ff79c44e49a3 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h @@ -60,6 +60,7 @@ #define KEYCTL_INVALIDATE 21 /* invalidate a key */ #define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */ #define KEYCTL_DH_COMPUTE 23 /* Compute Diffie-Hellman values */ +#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */ /* keyctl structures */ struct keyctl_dh_params { diff --git a/security/keys/compat.c b/security/keys/compat.c index 36c80bf5b89c..bb98f2b8dd7d 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c @@ -136,6 +136,10 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option, return keyctl_dh_compute(compat_ptr(arg2), compat_ptr(arg3), arg4, compat_ptr(arg5)); + case KEYCTL_RESTRICT_KEYRING: + return keyctl_restrict_keyring(arg2, compat_ptr(arg3), + compat_ptr(arg4)); + default: return -EOPNOTSUPP; } diff --git a/security/keys/internal.h b/security/keys/internal.h index 24762ae9a198..6ce016314897 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -252,6 +252,9 @@ struct iov_iter; extern long keyctl_instantiate_key_common(key_serial_t, struct iov_iter *, key_serial_t); +extern long keyctl_restrict_keyring(key_serial_t id, + const char __user *_type, + const char __user *_restriction); #ifdef CONFIG_PERSISTENT_KEYRINGS extern long keyctl_get_persistent(uid_t, key_serial_t); extern unsigned persistent_keyring_expiry; diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 52c34532c785..6ee2826a2d06 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1582,6 +1582,59 @@ error_keyring: return ret; } +/* + * Apply a restriction to a given keyring. + * + * The caller must have Setattr permission to change keyring restrictions. + * + * The requested type name may be a NULL pointer to reject all attempts + * to link to the keyring. If _type is non-NULL, _restriction can be + * NULL or a pointer to a string describing the restriction. If _type is + * NULL, _restriction must also be NULL. + * + * Returns 0 if successful. + */ +long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, + const char __user *_restriction) +{ + key_ref_t key_ref; + bool link_reject = !_type; + char type[32]; + char *restriction = NULL; + long ret; + + key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); + if (IS_ERR(key_ref)) + return PTR_ERR(key_ref); + + if (_type) { + ret = key_get_type_from_user(type, _type, sizeof(type)); + if (ret < 0) + goto error; + } + + if (_restriction) { + if (!_type) { + ret = -EINVAL; + goto error; + } + + restriction = strndup_user(_restriction, PAGE_SIZE); + if (IS_ERR(restriction)) { + ret = PTR_ERR(restriction); + goto error; + } + } + + ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction); + kfree(restriction); + +error: + key_ref_put(key_ref); + + return ret; +} + /* * The key control system call */ @@ -1693,6 +1746,11 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, (char __user *) arg3, (size_t) arg4, (void __user *) arg5); + case KEYCTL_RESTRICT_KEYRING: + return keyctl_restrict_keyring((key_serial_t) arg2, + (const char __user *) arg3, + (const char __user *) arg4); + default: return -EOPNOTSUPP; } diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 838334fec6ce..4d1678e4586f 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -947,6 +947,111 @@ key_ref_t keyring_search(key_ref_t keyring, } EXPORT_SYMBOL(keyring_search); +static struct key_restriction *keyring_restriction_alloc( + key_restrict_link_func_t check) +{ + struct key_restriction *keyres = + kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + + if (!keyres) + return ERR_PTR(-ENOMEM); + + keyres->check = check; + + return keyres; +} + +/* + * Semaphore to serialise restriction setup to prevent reference count + * cycles through restriction key pointers. + */ +static DECLARE_RWSEM(keyring_serialise_restrict_sem); + +/* + * Check for restriction cycles that would prevent keyring garbage collection. + * keyring_serialise_restrict_sem must be held. + */ +static bool keyring_detect_restriction_cycle(const struct key *dest_keyring, + struct key_restriction *keyres) +{ + while (keyres && keyres->key && + keyres->key->type == &key_type_keyring) { + if (keyres->key == dest_keyring) + return true; + + keyres = keyres->key->restrict_link; + } + + return false; +} + +/** + * keyring_restrict - Look up and apply a restriction to a keyring + * + * @keyring: The keyring to be restricted + * @restriction: The restriction options to apply to the keyring + */ +int keyring_restrict(key_ref_t keyring_ref, const char *type, + const char *restriction) +{ + struct key *keyring; + struct key_type *restrict_type = NULL; + struct key_restriction *restrict_link; + int ret = 0; + + keyring = key_ref_to_ptr(keyring_ref); + key_check(keyring); + + if (keyring->type != &key_type_keyring) + return -ENOTDIR; + + if (!type) { + restrict_link = keyring_restriction_alloc(restrict_link_reject); + } else { + restrict_type = key_type_lookup(type); + + if (IS_ERR(restrict_type)) + return PTR_ERR(restrict_type); + + if (!restrict_type->lookup_restriction) { + ret = -ENOENT; + goto error; + } + + restrict_link = restrict_type->lookup_restriction(restriction); + } + + if (IS_ERR(restrict_link)) { + ret = PTR_ERR(restrict_link); + goto error; + } + + down_write(&keyring->sem); + down_write(&keyring_serialise_restrict_sem); + + if (keyring->restrict_link) + ret = -EEXIST; + else if (keyring_detect_restriction_cycle(keyring, restrict_link)) + ret = -EDEADLK; + else + keyring->restrict_link = restrict_link; + + up_write(&keyring_serialise_restrict_sem); + up_write(&keyring->sem); + + if (ret < 0) { + key_put(restrict_link->key); + kfree(restrict_link); + } + +error: + if (restrict_type) + key_type_put(restrict_type); + + return ret; +} +EXPORT_SYMBOL(keyring_restrict); + /* * Search the given keyring for a key that might be updated. * From 97d3aa0f313435a24440e7157c9c9115c58ca463 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Fri, 6 May 2016 14:25:39 -0700 Subject: [PATCH 82/98] KEYS: Add a lookup_restriction function for the asymmetric key type Look up asymmetric keyring restriction information using the key-type lookup_restrict hook. Signed-off-by: Mat Martineau --- Documentation/crypto/asymmetric-keys.txt | 35 ++++++++++++++++ crypto/asymmetric_keys/asymmetric_type.c | 52 ++++++++++++++++++++---- 2 files changed, 79 insertions(+), 8 deletions(-) diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index 2b7816dea370..4373e7d86c6a 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -311,3 +311,38 @@ Functions are provided to register and unregister parsers: Parsers may not have the same name. The names are otherwise only used for displaying in debugging messages. + + +========================= +KEYRING LINK RESTRICTIONS +========================= + +Keyrings created from userspace using add_key can be configured to check the +signature of the key being linked. + +Several restriction methods are available: + + (1) Restrict using the kernel builtin trusted keyring + + - Option string used with KEYCTL_RESTRICT_KEYRING: + - "builtin_trusted" + + The kernel builtin trusted keyring will be searched for the signing + key. The ca_keys kernel parameter also affects which keys are used for + signature verification. + + (2) Restrict using the kernel builtin and secondary trusted keyrings + + - Option string used with KEYCTL_RESTRICT_KEYRING: + - "builtin_and_secondary_trusted" + + The kernel builtin and secondary trusted keyrings will be searched for the + signing key. The ca_keys kernel parameter also affects which keys are used + for signature verification. + +In all of these cases, if the signing key is found the signature of the key to +be linked will be verified using the signing key. The requested key is added +to the keyring only if the signature is successfully verified. -ENOKEY is +returned if the parent certificate could not be found, or -EKEYREJECTED is +returned if the signature check fails or the key is blacklisted. Other errors +may be returned if the signature check could not be performed. diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 6600181d5d01..2e3380d09631 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "asymmetric_keys.h" MODULE_LICENSE("GPL"); @@ -451,15 +452,50 @@ static void asymmetric_key_destroy(struct key *key) asymmetric_key_free_kids(kids); } +static struct key_restriction *asymmetric_restriction_alloc( + key_restrict_link_func_t check, + struct key *key) +{ + struct key_restriction *keyres = + kzalloc(sizeof(struct key_restriction), GFP_KERNEL); + + if (!keyres) + return ERR_PTR(-ENOMEM); + + keyres->check = check; + keyres->key = key; + keyres->keytype = &key_type_asymmetric; + + return keyres; +} + +/* + * look up keyring restrict functions for asymmetric keys + */ +static struct key_restriction *asymmetric_lookup_restriction( + const char *restriction) +{ + if (strcmp("builtin_trusted", restriction) == 0) + return asymmetric_restriction_alloc( + restrict_link_by_builtin_trusted, NULL); + + if (strcmp("builtin_and_secondary_trusted", restriction) == 0) + return asymmetric_restriction_alloc( + restrict_link_by_builtin_and_secondary_trusted, NULL); + + return ERR_PTR(-EINVAL); +} + struct key_type key_type_asymmetric = { - .name = "asymmetric", - .preparse = asymmetric_key_preparse, - .free_preparse = asymmetric_key_free_preparse, - .instantiate = generic_key_instantiate, - .match_preparse = asymmetric_key_match_preparse, - .match_free = asymmetric_key_match_free, - .destroy = asymmetric_key_destroy, - .describe = asymmetric_key_describe, + .name = "asymmetric", + .preparse = asymmetric_key_preparse, + .free_preparse = asymmetric_key_free_preparse, + .instantiate = generic_key_instantiate, + .match_preparse = asymmetric_key_match_preparse, + .match_free = asymmetric_key_match_free, + .destroy = asymmetric_key_destroy, + .describe = asymmetric_key_describe, + .lookup_restriction = asymmetric_lookup_restriction, }; EXPORT_SYMBOL_GPL(key_type_asymmetric); From 7e3c4d22083f6e7316c5229b6197ca2d5335aa35 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Mon, 27 Jun 2016 16:45:16 -0700 Subject: [PATCH 83/98] KEYS: Restrict asymmetric key linkage using a specific keychain Adds restrict_link_by_signature_keyring(), which uses the restrict_key member of the provided destination_keyring data structure as the key or keyring to search for signing keys. Signed-off-by: Mat Martineau --- Documentation/crypto/asymmetric-keys.txt | 11 ++++ crypto/asymmetric_keys/asymmetric_type.c | 35 +++++++++++- crypto/asymmetric_keys/restrict.c | 71 ++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++ 4 files changed, 121 insertions(+), 1 deletion(-) diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index 4373e7d86c6a..9814722f4b6b 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -340,6 +340,17 @@ Several restriction methods are available: signing key. The ca_keys kernel parameter also affects which keys are used for signature verification. + (3) Restrict using a separate key or keyring + + - Option string used with KEYCTL_RESTRICT_KEYRING: + - "key_or_keyring:" + + Whenever a key link is requested, the link will only succeed if the key + being linked is signed by one of the designated keys. This key may be + specified directly by providing a serial number for one asymmetric key, or + a group of keys may be searched for the signing key by providing the + serial number for a keyring. + In all of these cases, if the signing key is found the signature of the key to be linked will be verified using the signing key. The requested key is added to the keyring only if the signature is successfully verified. -ENOKEY is diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 2e3380d09631..72700ed81594 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -475,6 +475,11 @@ static struct key_restriction *asymmetric_restriction_alloc( static struct key_restriction *asymmetric_lookup_restriction( const char *restriction) { + char *restrict_method; + char *parse_buf; + char *next; + struct key_restriction *ret = ERR_PTR(-EINVAL); + if (strcmp("builtin_trusted", restriction) == 0) return asymmetric_restriction_alloc( restrict_link_by_builtin_trusted, NULL); @@ -483,7 +488,35 @@ static struct key_restriction *asymmetric_lookup_restriction( return asymmetric_restriction_alloc( restrict_link_by_builtin_and_secondary_trusted, NULL); - return ERR_PTR(-EINVAL); + parse_buf = kstrndup(restriction, PAGE_SIZE, GFP_KERNEL); + if (!parse_buf) + return ERR_PTR(-ENOMEM); + + next = parse_buf; + restrict_method = strsep(&next, ":"); + + if ((strcmp(restrict_method, "key_or_keyring") == 0) && next) { + key_serial_t serial; + struct key *key; + + if (kstrtos32(next, 0, &serial) < 0) + goto out; + + key = key_lookup(serial); + if (IS_ERR(key)) { + ret = ERR_CAST(key); + goto out; + } + + ret = asymmetric_restriction_alloc( + restrict_link_by_key_or_keyring, key); + if (IS_ERR(ret)) + key_put(key); + } + +out: + kfree(parse_buf); + return ret; } struct key_type key_type_asymmetric = { diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index a3afbf783255..183cb642580e 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,3 +108,74 @@ int restrict_link_by_signature(struct key *dest_keyring, key_put(key); return ret; } + +/** + * restrict_link_by_key_or_keyring - Restrict additions to a ring of public + * keys using the restrict_key information stored in the ring. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: A key or ring of keys that can be used to vouch for the new cert. + * + * Check the new certificate only against the key or keys passed in the data + * parameter. If one of those is the signing key and validates the new + * certificate, then mark the new certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we + * couldn't find a matching parent certificate in the trusted list, + * -EKEYREJECTED if the signature check fails, and some other error if + * there is a matching certificate but the signature check cannot be + * performed. + */ +int restrict_link_by_key_or_keyring(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trusted) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + pr_devel("==>%s()\n", __func__); + + if (!dest_keyring) + return -ENOKEY; + else if (dest_keyring->type != &key_type_keyring) + return -EOPNOTSUPP; + + if (!trusted) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + if (trusted->type == &key_type_keyring) { + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trusted, sig->auth_ids[0], + sig->auth_ids[1], false); + if (IS_ERR(key)) + return -ENOKEY; + } else if (trusted->type == &key_type_asymmetric) { + const struct asymmetric_key_ids *kids; + + kids = asymmetric_key_ids(trusted); + + if (!asymmetric_key_id_same(kids->id[1], sig->auth_ids[0])) + return -ENOKEY; + + key = __key_get(trusted); + } else { + return -EOPNOTSUPP; + } + + ret = key_validate(key); + if (ret == 0) + ret = verify_signature(key, sig); + + key_put(key); + return ret; +} diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index ec0262fa08f8..bb6a884352a5 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -55,6 +55,11 @@ extern int restrict_link_by_signature(struct key *dest_keyring, const union key_payload *payload, struct key *trust_keyring); +extern int restrict_link_by_key_or_keyring(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trusted); + extern int verify_signature(const struct key *key, const struct public_key_signature *sig); From 8e323a02e866014091180443ccb186fee1e3d30d Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Tue, 4 Oct 2016 16:42:45 -0700 Subject: [PATCH 84/98] KEYS: Keyring asymmetric key restrict method with chaining Add a restrict_link_by_key_or_keyring_chain link restriction that searches for signing keys in the destination keyring in addition to the signing key or keyring designated when the destination keyring was created. Userspace enables this behavior by including the "chain" option in the keyring restriction: keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric", "key_or_keyring::chain"); Signed-off-by: Mat Martineau --- Documentation/crypto/asymmetric-keys.txt | 7 +- crypto/asymmetric_keys/asymmetric_type.c | 33 +++-- crypto/asymmetric_keys/restrict.c | 174 +++++++++++++++++------ include/crypto/public_key.h | 5 + 4 files changed, 164 insertions(+), 55 deletions(-) diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index 9814722f4b6b..5ad6480e3fb9 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -343,7 +343,7 @@ Several restriction methods are available: (3) Restrict using a separate key or keyring - Option string used with KEYCTL_RESTRICT_KEYRING: - - "key_or_keyring:" + - "key_or_keyring:[:chain]" Whenever a key link is requested, the link will only succeed if the key being linked is signed by one of the designated keys. This key may be @@ -351,6 +351,11 @@ Several restriction methods are available: a group of keys may be searched for the signing key by providing the serial number for a keyring. + When the "chain" option is provided at the end of the string, the keys + within the destination keyring will also be searched for signing keys. + This allows for verification of certificate chains by adding each + cert in order (starting closest to the root) to one keyring. + In all of these cases, if the signing key is found the signature of the key to be linked will be verified using the signing key. The requested key is added to the keyring only if the signature is successfully verified. -ENOKEY is diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 72700ed81594..e4b0ed386bc8 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -496,20 +496,37 @@ static struct key_restriction *asymmetric_lookup_restriction( restrict_method = strsep(&next, ":"); if ((strcmp(restrict_method, "key_or_keyring") == 0) && next) { + char *key_text; key_serial_t serial; struct key *key; + key_restrict_link_func_t link_fn = + restrict_link_by_key_or_keyring; + bool allow_null_key = false; - if (kstrtos32(next, 0, &serial) < 0) - goto out; + key_text = strsep(&next, ":"); - key = key_lookup(serial); - if (IS_ERR(key)) { - ret = ERR_CAST(key); - goto out; + if (next) { + if (strcmp(next, "chain") != 0) + goto out; + + link_fn = restrict_link_by_key_or_keyring_chain; + allow_null_key = true; } - ret = asymmetric_restriction_alloc( - restrict_link_by_key_or_keyring, key); + if (kstrtos32(key_text, 0, &serial) < 0) + goto out; + + if ((serial == 0) && allow_null_key) { + key = NULL; + } else { + key = key_lookup(serial); + if (IS_ERR(key)) { + ret = ERR_CAST(key); + goto out; + } + } + + ret = asymmetric_restriction_alloc(link_fn, key); if (IS_ERR(ret)) key_put(key); } diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 183cb642580e..86fb68508952 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -109,6 +109,105 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +static bool match_either_id(const struct asymmetric_key_ids *pair, + const struct asymmetric_key_id *single) +{ + return (asymmetric_key_id_same(pair->id[0], single) || + asymmetric_key_id_same(pair->id[1], single)); +} + +static int key_or_keyring_common(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trusted, bool check_dest) +{ + const struct public_key_signature *sig; + struct key *key = NULL; + int ret; + + pr_devel("==>%s()\n", __func__); + + if (!dest_keyring) + return -ENOKEY; + else if (dest_keyring->type != &key_type_keyring) + return -EOPNOTSUPP; + + if (!trusted && !check_dest) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + if (trusted) { + if (trusted->type == &key_type_keyring) { + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trusted, sig->auth_ids[0], + sig->auth_ids[1], false); + if (IS_ERR(key)) + key = NULL; + } else if (trusted->type == &key_type_asymmetric) { + const struct asymmetric_key_ids *signer_ids; + + signer_ids = asymmetric_key_ids(trusted); + + /* + * The auth_ids come from the candidate key (the + * one that is being considered for addition to + * dest_keyring) and identify the key that was + * used to sign. + * + * The signer_ids are identifiers for the + * signing key specified for dest_keyring. + * + * The first auth_id is the preferred id, and + * the second is the fallback. If only one + * auth_id is present, it may match against + * either signer_id. If two auth_ids are + * present, the first auth_id must match one + * signer_id and the second auth_id must match + * the second signer_id. + */ + if (!sig->auth_ids[0] || !sig->auth_ids[1]) { + const struct asymmetric_key_id *auth_id; + + auth_id = sig->auth_ids[0] ?: sig->auth_ids[1]; + if (match_either_id(signer_ids, auth_id)) + key = __key_get(trusted); + + } else if (asymmetric_key_id_same(signer_ids->id[1], + sig->auth_ids[1]) && + match_either_id(signer_ids, + sig->auth_ids[0])) { + key = __key_get(trusted); + } + } else { + return -EOPNOTSUPP; + } + } + + if (check_dest && !key) { + /* See if the destination has a key that signed this one. */ + key = find_asymmetric_key(dest_keyring, sig->auth_ids[0], + sig->auth_ids[1], false); + if (IS_ERR(key)) + key = NULL; + } + + if (!key) + return -ENOKEY; + + ret = key_validate(key); + if (ret == 0) + ret = verify_signature(key, sig); + + key_put(key); + return ret; +} + /** * restrict_link_by_key_or_keyring - Restrict additions to a ring of public * keys using the restrict_key information stored in the ring. @@ -132,50 +231,33 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring, const union key_payload *payload, struct key *trusted) { - const struct public_key_signature *sig; - struct key *key; - int ret; - - pr_devel("==>%s()\n", __func__); - - if (!dest_keyring) - return -ENOKEY; - else if (dest_keyring->type != &key_type_keyring) - return -EOPNOTSUPP; - - if (!trusted) - return -ENOKEY; - - if (type != &key_type_asymmetric) - return -EOPNOTSUPP; - - sig = payload->data[asym_auth]; - if (!sig->auth_ids[0] && !sig->auth_ids[1]) - return -ENOKEY; - - if (trusted->type == &key_type_keyring) { - /* See if we have a key that signed this one. */ - key = find_asymmetric_key(trusted, sig->auth_ids[0], - sig->auth_ids[1], false); - if (IS_ERR(key)) - return -ENOKEY; - } else if (trusted->type == &key_type_asymmetric) { - const struct asymmetric_key_ids *kids; - - kids = asymmetric_key_ids(trusted); - - if (!asymmetric_key_id_same(kids->id[1], sig->auth_ids[0])) - return -ENOKEY; - - key = __key_get(trusted); - } else { - return -EOPNOTSUPP; - } - - ret = key_validate(key); - if (ret == 0) - ret = verify_signature(key, sig); - - key_put(key); - return ret; + return key_or_keyring_common(dest_keyring, type, payload, trusted, + false); +} + +/** + * restrict_link_by_key_or_keyring_chain - Restrict additions to a ring of + * public keys using the restrict_key information stored in the ring. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: A key or ring of keys that can be used to vouch for the new cert. + * + * Check the new certificate only against the key or keys passed in the data + * parameter. If one of those is the signing key and validates the new + * certificate, then mark the new certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we + * couldn't find a matching parent certificate in the trusted list, + * -EKEYREJECTED if the signature check fails, and some other error if + * there is a matching certificate but the signature check cannot be + * performed. + */ +int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trusted) +{ + return key_or_keyring_common(dest_keyring, type, payload, trusted, + true); } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index bb6a884352a5..e0b681a717ba 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -60,6 +60,11 @@ extern int restrict_link_by_key_or_keyring(struct key *dest_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trusted); + extern int verify_signature(const struct key *key, const struct public_key_signature *sig); From f1c316a3ab9d24df6022682422fe897492f2c0c8 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Fri, 19 Aug 2016 20:39:09 +0200 Subject: [PATCH 85/98] KEYS: add SP800-56A KDF support for DH SP800-56A defines the use of DH with key derivation function based on a counter. The input to the KDF is defined as (DH shared secret || other information). The value for the "other information" is to be provided by the caller. The KDF is implemented using the hash support from the kernel crypto API. The implementation uses the symmetric hash support as the input to the hash operation is usually very small. The caller is allowed to specify the hash name that he wants to use to derive the key material allowing the use of all supported hashes provided with the kernel crypto API. As the KDF implements the proper truncation of the DH shared secret to the requested size, this patch fills the caller buffer up to its size. The patch is tested with a new test added to the keyutils user space code which uses a CAVS test vector testing the compliance with SP800-56A. Signed-off-by: Stephan Mueller Signed-off-by: David Howells --- Documentation/security/keys.txt | 34 +++-- include/linux/compat.h | 7 + include/uapi/linux/keyctl.h | 7 + security/keys/Kconfig | 1 + security/keys/Makefile | 3 +- security/keys/compat.c | 5 +- security/keys/compat_dh.c | 38 ++++++ security/keys/dh.c | 220 ++++++++++++++++++++++++++++++-- security/keys/internal.h | 24 +++- security/keys/keyctl.c | 2 +- 10 files changed, 315 insertions(+), 26 deletions(-) create mode 100644 security/keys/compat_dh.c diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 5f554aab8751..cd5019934d7f 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -827,7 +827,7 @@ The keyctl syscall functions are: long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params, char *buffer, size_t buflen, - void *reserved); + struct keyctl_kdf_params *kdf); The params struct contains serial numbers for three keys: @@ -844,18 +844,36 @@ The keyctl syscall functions are: public key. If the base is the remote public key, the result is the shared secret. - The reserved argument must be set to NULL. + If the parameter kdf is NULL, the following applies: - The buffer length must be at least the length of the prime, or zero. + - The buffer length must be at least the length of the prime, or zero. - If the buffer length is nonzero, the length of the result is - returned when it is successfully calculated and copied in to the - buffer. When the buffer length is zero, the minimum required - buffer length is returned. + - If the buffer length is nonzero, the length of the result is + returned when it is successfully calculated and copied in to the + buffer. When the buffer length is zero, the minimum required + buffer length is returned. + + The kdf parameter allows the caller to apply a key derivation function + (KDF) on the Diffie-Hellman computation where only the result + of the KDF is returned to the caller. The KDF is characterized with + struct keyctl_kdf_params as follows: + + - char *hashname specifies the NUL terminated string identifying + the hash used from the kernel crypto API and applied for the KDF + operation. The KDF implemenation complies with SP800-56A as well + as with SP800-108 (the counter KDF). + + - char *otherinfo specifies the OtherInfo data as documented in + SP800-56A section 5.8.1.2. The length of the buffer is given with + otherinfolen. The format of OtherInfo is defined by the caller. + The otherinfo pointer may be NULL if no OtherInfo shall be used. This function will return error EOPNOTSUPP if the key type is not supported, error ENOKEY if the key could not be found, or error - EACCES if the key is not readable by the caller. + EACCES if the key is not readable by the caller. In addition, the + function will return EMSGSIZE when the parameter kdf is non-NULL + and either the buffer length or the OtherInfo length exceeds the + allowed length. (*) Restrict keyring linkage diff --git a/include/linux/compat.h b/include/linux/compat.h index aef47be2a5c1..993c87182e02 100644 --- a/include/linux/compat.h +++ b/include/linux/compat.h @@ -295,6 +295,13 @@ struct compat_old_sigaction { }; #endif +struct compat_keyctl_kdf_params { + compat_uptr_t hashname; + compat_uptr_t otherinfo; + __u32 otherinfolen; + __u32 __spare[8]; +}; + struct compat_statfs; struct compat_statfs64; struct compat_old_linux_dirent; diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index ff79c44e49a3..201c6644b237 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h @@ -69,4 +69,11 @@ struct keyctl_dh_params { __s32 base; }; +struct keyctl_kdf_params { + char *hashname; + char *otherinfo; + __u32 otherinfolen; + __u32 __spare[8]; +}; + #endif /* _LINUX_KEYCTL_H */ diff --git a/security/keys/Kconfig b/security/keys/Kconfig index d942c7c2bc0a..4ac1b83a23f8 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -90,6 +90,7 @@ config KEY_DH_OPERATIONS bool "Diffie-Hellman operations on retained keys" depends on KEYS select MPILIB + select CRYPTO_HASH help This option provides support for calculating Diffie-Hellman public keys and shared secrets using values stored as keys diff --git a/security/keys/Makefile b/security/keys/Makefile index 1fd4a16e6daf..57dff0c15809 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile @@ -15,7 +15,8 @@ obj-y := \ request_key.o \ request_key_auth.o \ user_defined.o -obj-$(CONFIG_KEYS_COMPAT) += compat.o +compat-obj-$(CONFIG_KEY_DH_OPERATIONS) += compat_dh.o +obj-$(CONFIG_KEYS_COMPAT) += compat.o $(compat-obj-y) obj-$(CONFIG_PROC_FS) += proc.o obj-$(CONFIG_SYSCTL) += sysctl.o obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o diff --git a/security/keys/compat.c b/security/keys/compat.c index bb98f2b8dd7d..e87c89c0177c 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c @@ -133,8 +133,9 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option, return keyctl_get_persistent(arg2, arg3); case KEYCTL_DH_COMPUTE: - return keyctl_dh_compute(compat_ptr(arg2), compat_ptr(arg3), - arg4, compat_ptr(arg5)); + return compat_keyctl_dh_compute(compat_ptr(arg2), + compat_ptr(arg3), + arg4, compat_ptr(arg5)); case KEYCTL_RESTRICT_KEYRING: return keyctl_restrict_keyring(arg2, compat_ptr(arg3), diff --git a/security/keys/compat_dh.c b/security/keys/compat_dh.c new file mode 100644 index 000000000000..a6a659b6bcb6 --- /dev/null +++ b/security/keys/compat_dh.c @@ -0,0 +1,38 @@ +/* 32-bit compatibility syscall for 64-bit systems for DH operations + * + * Copyright (C) 2016 Stephan Mueller + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + */ + +#include + +#include "internal.h" + +/* + * Perform the DH computation or DH based key derivation. + * + * If successful, 0 will be returned. + */ +long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params, + char __user *buffer, size_t buflen, + struct compat_keyctl_kdf_params __user *kdf) +{ + struct keyctl_kdf_params kdfcopy; + struct compat_keyctl_kdf_params compat_kdfcopy; + + if (!kdf) + return __keyctl_dh_compute(params, buffer, buflen, NULL); + + if (copy_from_user(&compat_kdfcopy, kdf, sizeof(compat_kdfcopy)) != 0) + return -EFAULT; + + kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname); + kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo); + kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen; + + return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); +} diff --git a/security/keys/dh.c b/security/keys/dh.c index 893af4c45038..e603bd912e4c 100644 --- a/security/keys/dh.c +++ b/security/keys/dh.c @@ -11,6 +11,8 @@ #include #include #include +#include +#include #include #include "internal.h" @@ -77,9 +79,146 @@ error: return ret; } -long keyctl_dh_compute(struct keyctl_dh_params __user *params, - char __user *buffer, size_t buflen, - void __user *reserved) +struct kdf_sdesc { + struct shash_desc shash; + char ctx[]; +}; + +static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname) +{ + struct crypto_shash *tfm; + struct kdf_sdesc *sdesc; + int size; + + /* allocate synchronous hash */ + tfm = crypto_alloc_shash(hashname, 0, 0); + if (IS_ERR(tfm)) { + pr_info("could not allocate digest TFM handle %s\n", hashname); + return PTR_ERR(tfm); + } + + size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm); + sdesc = kmalloc(size, GFP_KERNEL); + if (!sdesc) + return -ENOMEM; + sdesc->shash.tfm = tfm; + sdesc->shash.flags = 0x0; + + *sdesc_ret = sdesc; + + return 0; +} + +static void kdf_dealloc(struct kdf_sdesc *sdesc) +{ + if (!sdesc) + return; + + if (sdesc->shash.tfm) + crypto_free_shash(sdesc->shash.tfm); + + kzfree(sdesc); +} + +/* convert 32 bit integer into its string representation */ +static inline void crypto_kw_cpu_to_be32(u32 val, u8 *buf) +{ + __be32 *a = (__be32 *)buf; + + *a = cpu_to_be32(val); +} + +/* + * Implementation of the KDF in counter mode according to SP800-108 section 5.1 + * as well as SP800-56A section 5.8.1 (Single-step KDF). + * + * SP800-56A: + * The src pointer is defined as Z || other info where Z is the shared secret + * from DH and other info is an arbitrary string (see SP800-56A section + * 5.8.1.2). + */ +static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, + u8 *dst, unsigned int dlen) +{ + struct shash_desc *desc = &sdesc->shash; + unsigned int h = crypto_shash_digestsize(desc->tfm); + int err = 0; + u8 *dst_orig = dst; + u32 i = 1; + u8 iteration[sizeof(u32)]; + + while (dlen) { + err = crypto_shash_init(desc); + if (err) + goto err; + + crypto_kw_cpu_to_be32(i, iteration); + err = crypto_shash_update(desc, iteration, sizeof(u32)); + if (err) + goto err; + + if (src && slen) { + err = crypto_shash_update(desc, src, slen); + if (err) + goto err; + } + + if (dlen < h) { + u8 tmpbuffer[h]; + + err = crypto_shash_final(desc, tmpbuffer); + if (err) + goto err; + memcpy(dst, tmpbuffer, dlen); + memzero_explicit(tmpbuffer, h); + return 0; + } else { + err = crypto_shash_final(desc, dst); + if (err) + goto err; + + dlen -= h; + dst += h; + i++; + } + } + + return 0; + +err: + memzero_explicit(dst_orig, dlen); + return err; +} + +static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, + char __user *buffer, size_t buflen, + uint8_t *kbuf, size_t kbuflen) +{ + uint8_t *outbuf = NULL; + int ret; + + outbuf = kmalloc(buflen, GFP_KERNEL); + if (!outbuf) { + ret = -ENOMEM; + goto err; + } + + ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen); + if (ret) + goto err; + + ret = buflen; + if (copy_to_user(buffer, outbuf, buflen) != 0) + ret = -EFAULT; + +err: + kzfree(outbuf); + return ret; +} + +long __keyctl_dh_compute(struct keyctl_dh_params __user *params, + char __user *buffer, size_t buflen, + struct keyctl_kdf_params *kdfcopy) { long ret; MPI base, private, prime, result; @@ -88,6 +227,7 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params, uint8_t *kbuf; ssize_t keylen; size_t resultlen; + struct kdf_sdesc *sdesc = NULL; if (!params || (!buffer && buflen)) { ret = -EINVAL; @@ -98,12 +238,34 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params, goto out; } - if (reserved) { - ret = -EINVAL; - goto out; + if (kdfcopy) { + char *hashname; + + if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || + kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { + ret = -EMSGSIZE; + goto out; + } + + /* get KDF name string */ + hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME); + if (IS_ERR(hashname)) { + ret = PTR_ERR(hashname); + goto out; + } + + /* allocate KDF from the kernel crypto API */ + ret = kdf_alloc(&sdesc, hashname); + kfree(hashname); + if (ret) + goto out; } - keylen = mpi_from_key(pcopy.prime, buflen, &prime); + /* + * If the caller requests postprocessing with a KDF, allow an + * arbitrary output buffer size since the KDF ensures proper truncation. + */ + keylen = mpi_from_key(pcopy.prime, kdfcopy ? SIZE_MAX : buflen, &prime); if (keylen < 0 || !prime) { /* buflen == 0 may be used to query the required buffer size, * which is the prime key length. @@ -133,12 +295,25 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params, goto error3; } - kbuf = kmalloc(resultlen, GFP_KERNEL); + /* allocate space for DH shared secret and SP800-56A otherinfo */ + kbuf = kmalloc(kdfcopy ? (resultlen + kdfcopy->otherinfolen) : resultlen, + GFP_KERNEL); if (!kbuf) { ret = -ENOMEM; goto error4; } + /* + * Concatenate SP800-56A otherinfo past DH shared secret -- the + * input to the KDF is (DH shared secret || otherinfo) + */ + if (kdfcopy && kdfcopy->otherinfo && + copy_from_user(kbuf + resultlen, kdfcopy->otherinfo, + kdfcopy->otherinfolen) != 0) { + ret = -EFAULT; + goto error5; + } + ret = do_dh(result, base, private, prime); if (ret) goto error5; @@ -147,12 +322,17 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params, if (ret != 0) goto error5; - ret = nbytes; - if (copy_to_user(buffer, kbuf, nbytes) != 0) - ret = -EFAULT; + if (kdfcopy) { + ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf, + resultlen + kdfcopy->otherinfolen); + } else { + ret = nbytes; + if (copy_to_user(buffer, kbuf, nbytes) != 0) + ret = -EFAULT; + } error5: - kfree(kbuf); + kzfree(kbuf); error4: mpi_free(result); error3: @@ -162,5 +342,21 @@ error2: error1: mpi_free(prime); out: + kdf_dealloc(sdesc); return ret; } + +long keyctl_dh_compute(struct keyctl_dh_params __user *params, + char __user *buffer, size_t buflen, + struct keyctl_kdf_params __user *kdf) +{ + struct keyctl_kdf_params kdfcopy; + + if (!kdf) + return __keyctl_dh_compute(params, buffer, buflen, NULL); + + if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0) + return -EFAULT; + + return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); +} diff --git a/security/keys/internal.h b/security/keys/internal.h index 6ce016314897..c0f8682eba69 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -18,6 +18,7 @@ #include #include #include +#include struct iovec; @@ -267,14 +268,33 @@ static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring) #ifdef CONFIG_KEY_DH_OPERATIONS extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *, - size_t, void __user *); + size_t, struct keyctl_kdf_params __user *); +extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *, + size_t, struct keyctl_kdf_params *); +#ifdef CONFIG_KEYS_COMPAT +extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params, + char __user *buffer, size_t buflen, + struct compat_keyctl_kdf_params __user *kdf); +#endif +#define KEYCTL_KDF_MAX_OUTPUT_LEN 1024 /* max length of KDF output */ +#define KEYCTL_KDF_MAX_OI_LEN 64 /* max length of otherinfo */ #else static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params, char __user *buffer, size_t buflen, - void __user *reserved) + struct keyctl_kdf_params __user *kdf) { return -EOPNOTSUPP; } + +#ifdef CONFIG_KEYS_COMPAT +static inline long compat_keyctl_dh_compute( + struct keyctl_dh_params __user *params, + char __user *buffer, size_t buflen, + struct keyctl_kdf_params __user *kdf) +{ + return -EOPNOTSUPP; +} +#endif #endif /* diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 6ee2826a2d06..10fcea154c0f 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1744,7 +1744,7 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, case KEYCTL_DH_COMPUTE: return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, (char __user *) arg3, (size_t) arg4, - (void __user *) arg5); + (struct keyctl_kdf_params __user *) arg5); case KEYCTL_RESTRICT_KEYRING: return keyctl_restrict_keyring((key_serial_t) arg2, From c3c8dc9f13e2e13013822ee54a529a6fe284f1e1 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Fri, 24 Mar 2017 20:42:05 +0900 Subject: [PATCH 86/98] smack: fix double free in smack_parse_opts_str() smack_parse_opts_str() calls kfree(opts->mnt_opts) when kcalloc() for opts->mnt_opts_flags failed. But it should not have called it because security_free_mnt_opts() will call kfree(opts->mnt_opts). Signed-off-by: Tetsuo Handa Signed-off-by: Casey Schaufler fixes: 3bf2789cad9e6573 ("smack: allow mount opts setting over filesystems with binary mount data") Cc: Vivek Trivedi Cc: Amit Sahrawat Cc: Casey Schaufler --- security/smack/smack_lsm.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 927e60e622d1..658f5d8c7e76 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -695,10 +695,8 @@ static int smack_parse_opts_str(char *options, opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), GFP_KERNEL); - if (!opts->mnt_opts_flags) { - kfree(opts->mnt_opts); + if (!opts->mnt_opts_flags) goto out_err; - } if (fsdefault) { opts->mnt_opts[num_mnt_opts] = fsdefault; From af96f0d6394a0af59c4dd71d6bcd3b1ddfba5196 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 14 Nov 2016 20:12:56 +0900 Subject: [PATCH 87/98] Smack: Use GFP_KERNEL for smk_netlbl_mls(). Since all callers of smk_netlbl_mls() are GFP_KERNEL context (smk_set_cipso() calls memdup_user_nul(), init_smk_fs() calls __kernfs_new_node(), smk_import_entry() calls kzalloc(GFP_KERNEL)), it is safe to use GFP_KERNEL from netlbl_catmap_setbit(). Signed-off-by: Tetsuo Handa Signed-off-by: Casey Schaufler --- security/smack/smack_access.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 356e3764cad9..a4b2e6b94abd 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -504,7 +504,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, if ((m & *cp) == 0) continue; rc = netlbl_catmap_setbit(&sap->attr.mls.cat, - cat, GFP_ATOMIC); + cat, GFP_KERNEL); if (rc < 0) { netlbl_catmap_free(sap->attr.mls.cat); return rc; From b9c42ac76ea13ab6d07681ff3079b3a242333764 Mon Sep 17 00:00:00 2001 From: kbuild test robot Date: Thu, 6 Apr 2017 06:55:19 -0700 Subject: [PATCH 88/98] apparmor: fix boolreturn.cocci warnings security/apparmor/lib.c:132:9-10: WARNING: return of 0/1 in function 'aa_policy_init' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci Signed-off-by: Fengguang Wu Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 66475bda6f72..32cafc12593e 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -180,13 +180,13 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix, } else policy->hname = kstrdup(name, gfp); if (!policy->hname) - return 0; + return false; /* base.name is a substring of fqname */ policy->name = basename(policy->hname); INIT_LIST_HEAD(&policy->list); INIT_LIST_HEAD(&policy->profiles); - return 1; + return true; } /** From eea7a05f1937b585cf53c6d53a4dd88fcb398eb8 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Thu, 6 Apr 2017 06:55:20 -0700 Subject: [PATCH 89/98] security/apparmor/lsm.c: set debug messages Add the _APPARMOR substring to reference the intended Kconfig option. Signed-off-by: Valentin Rothberg Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e287b691a30e..4aa944794c7b 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); #endif /* Debug mode */ -bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES); +bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); /* Audit mode */ From 9814448da7a84dd50b69e4ada2d7d1c042493daf Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Thu, 6 Apr 2017 06:55:21 -0700 Subject: [PATCH 90/98] apparmor: use SHASH_DESC_ON_STACK When building the kernel with clang, the compiler fails to build security/apparmor/crypto.c with the following error: security/apparmor/crypto.c:36:8: error: fields must have a constant size: 'variable length array in structure' extension will never be supported char ctx[crypto_shash_descsize(apparmor_tfm)]; ^ Since commit a0a77af14117 ("crypto: LLVMLinux: Add macro to remove use of VLAIS in crypto code"), include/crypto/hash.h defines SHASH_DESC_ON_STACK to work around this issue. Use it in aa_calc_hash() and aa_calc_profile_hash(). Signed-off-by: Nicolas Iooss Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/crypto.c | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c index de8dc78b6144..136f2a047836 100644 --- a/security/apparmor/crypto.c +++ b/security/apparmor/crypto.c @@ -31,10 +31,7 @@ unsigned int aa_hash_size(void) char *aa_calc_hash(void *data, size_t len) { - struct { - struct shash_desc shash; - char ctx[crypto_shash_descsize(apparmor_tfm)]; - } desc; + SHASH_DESC_ON_STACK(desc, apparmor_tfm); char *hash = NULL; int error = -ENOMEM; @@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len) if (!hash) goto fail; - desc.shash.tfm = apparmor_tfm; - desc.shash.flags = 0; + desc->tfm = apparmor_tfm; + desc->flags = 0; - error = crypto_shash_init(&desc.shash); + error = crypto_shash_init(desc); if (error) goto fail; - error = crypto_shash_update(&desc.shash, (u8 *) data, len); + error = crypto_shash_update(desc, (u8 *) data, len); if (error) goto fail; - error = crypto_shash_final(&desc.shash, hash); + error = crypto_shash_final(desc, hash); if (error) goto fail; @@ -69,10 +66,7 @@ fail: int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, size_t len) { - struct { - struct shash_desc shash; - char ctx[crypto_shash_descsize(apparmor_tfm)]; - } desc; + SHASH_DESC_ON_STACK(desc, apparmor_tfm); int error = -ENOMEM; __le32 le32_version = cpu_to_le32(version); @@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, if (!profile->hash) goto fail; - desc.shash.tfm = apparmor_tfm; - desc.shash.flags = 0; + desc->tfm = apparmor_tfm; + desc->flags = 0; - error = crypto_shash_init(&desc.shash); + error = crypto_shash_init(desc); if (error) goto fail; - error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4); + error = crypto_shash_update(desc, (u8 *) &le32_version, 4); if (error) goto fail; - error = crypto_shash_update(&desc.shash, (u8 *) start, len); + error = crypto_shash_update(desc, (u8 *) start, len); if (error) goto fail; - error = crypto_shash_final(&desc.shash, profile->hash); + error = crypto_shash_final(desc, profile->hash); if (error) goto fail; From b9b144bcafbdd53f68e227968009327b76db08a4 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 6 Apr 2017 06:55:22 -0700 Subject: [PATCH 91/98] apparmor: fix invalid reference to index variable of iterator line 836 Once the loop on lines 836-853 is complete and exits normally, ent is a pointer to the dummy list head value. The derefernces accessible from eg the goto fail on line 860 or the various goto fail_lock's afterwards thus seem incorrect. Reported-by: Julia Lawall Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/policy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index def1fbd6bdfd..cf9d670dca94 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, if (ns_name) { ns = aa_prepare_ns(view, ns_name); if (IS_ERR(ns)) { + op = OP_PROF_LOAD; info = "failed to prepare namespace"; error = PTR_ERR(ns); ns = NULL; + ent = NULL; goto fail; } } else @@ -1013,7 +1015,7 @@ fail_lock: /* audit cause of failure */ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; fail: - audit_policy(profile, op, ns_name, ent->new->base.hname, + audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL, info, error); /* audit status that rest of profiles in the atomic set failed too */ info = "valid profile in failed atomic policy load"; @@ -1023,7 +1025,7 @@ fail: /* skip entry that caused failure */ continue; } - op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; + op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL; audit_policy(profile, op, ns_name, tmp->new->base.hname, info, error); } From 545de8fe0f1b3b97d6a29a78ccdc3403a8296710 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 6 Apr 2017 06:55:23 -0700 Subject: [PATCH 92/98] apparmor: fix parameters so that the permission test is bypassed at boot Boot parameters are written before apparmor is ready to answer whether the user is policy_view_capable(). Setting the parameters at boot results in an oops and failure to boot. Setting the parameters at boot is obviously allowed so skip the permission check when apparmor is not initialized. While we are at it move the more complicated check to last. Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/include/lib.h | 2 +- security/apparmor/lsm.c | 47 +++++++++++++++------------------ 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h index 65ff492a9807..0291ff3902f9 100644 --- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h @@ -57,7 +57,7 @@ pr_err_ratelimited("AppArmor: " fmt, ##args) /* Flag indicating whether initialization completed */ -extern int apparmor_initialized __initdata; +extern int apparmor_initialized; /* fn's in lib */ char *aa_split_fqname(char *args, char **ns_name); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4aa944794c7b..35444c8e9064 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -39,7 +39,7 @@ #include "include/procattr.h" /* Flag indicating whether initialization completed */ -int apparmor_initialized __initdata; +int apparmor_initialized; DEFINE_PER_CPU(struct aa_buffers, aa_buffers); @@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup); /* set global flag turning off the ability to load policy */ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable(NULL)) + if (!apparmor_enabled) + return -EINVAL; + if (apparmor_initialized && !policy_admin_capable(NULL)) return -EPERM; return param_set_bool(val, kp); } static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) { - if (!policy_view_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_view_capable(NULL)) + return -EPERM; return param_get_bool(buffer, kp); } static int param_set_aabool(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_admin_capable(NULL)) + return -EPERM; return param_set_bool(val, kp); } static int param_get_aabool(char *buffer, const struct kernel_param *kp) { - if (!policy_view_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_view_capable(NULL)) + return -EPERM; return param_get_bool(buffer, kp); } static int param_set_aauint(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_admin_capable(NULL)) + return -EPERM; return param_set_uint(val, kp); } static int param_get_aauint(char *buffer, const struct kernel_param *kp) { - if (!policy_view_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_view_capable(NULL)) + return -EPERM; return param_get_uint(buffer, kp); } static int param_get_audit(char *buffer, struct kernel_param *kp) { - if (!policy_view_capable(NULL)) - return -EPERM; - if (!apparmor_enabled) return -EINVAL; - + if (apparmor_initialized && !policy_view_capable(NULL)) + return -EPERM; return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); } static int param_set_audit(const char *val, struct kernel_param *kp) { int i; - if (!policy_admin_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; - if (!val) return -EINVAL; + if (apparmor_initialized && !policy_admin_capable(NULL)) + return -EPERM; for (i = 0; i < AUDIT_MAX_INDEX; i++) { if (strcmp(val, audit_mode_names[i]) == 0) { @@ -823,11 +822,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp) static int param_get_mode(char *buffer, struct kernel_param *kp) { - if (!policy_view_capable(NULL)) - return -EPERM; - if (!apparmor_enabled) return -EINVAL; + if (apparmor_initialized && !policy_view_capable(NULL)) + return -EPERM; return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); } @@ -835,14 +833,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp) static int param_set_mode(const char *val, struct kernel_param *kp) { int i; - if (!policy_admin_capable(NULL)) - return -EPERM; if (!apparmor_enabled) return -EINVAL; - if (!val) return -EINVAL; + if (apparmor_initialized && !policy_admin_capable(NULL)) + return -EPERM; for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { if (strcmp(val, aa_profile_mode_names[i]) == 0) { From 622f6e3265707ebf02ba776ac6e68003bcc31213 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 6 Apr 2017 06:55:24 -0700 Subject: [PATCH 93/98] apparmor: Make path_max parameter readonly The path_max parameter determines the max size of buffers allocated but it should not be setable at run time. If can be used to cause an oops root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max Killed [ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff [ 122.143497] IP: [] d_absolute_path+0x44/0xa0 [ 122.144742] PGD 220c067 PUD 0 [ 122.145453] Oops: 0002 [#1] SMP [ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect [ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes [ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu [ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 [ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000 [ 122.170018] RIP: 0010:[] [] d_absolute_path+0x44/0xa0 [ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206 [ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000 [ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010 [ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000 [ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000 [ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400 [ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000 [ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0 [ 122.182469] Stack: [ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000 [ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58 [ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000 [ 122.187231] Call Trace: [ 122.187680] [] aa_path_name+0x81/0x370 [ 122.188637] [] profile_transition+0xbd/0xb80 [ 122.190181] [] ? zone_statistics+0x7c/0xa0 [ 122.191674] [] apparmor_bprm_set_creds+0x9b0/0xac0 [ 122.193288] [] ? ext4_xattr_get+0x81/0x220 [ 122.194793] [] ? ext4_xattr_security_get+0x1c/0x30 [ 122.196392] [] ? get_vfs_caps_from_disk+0x69/0x110 [ 122.198004] [] ? mnt_may_suid+0x3f/0x50 [ 122.199737] [] ? cap_bprm_set_creds+0xa3/0x600 [ 122.201377] [] security_bprm_set_creds+0x33/0x50 [ 122.203024] [] prepare_binprm+0x85/0x190 [ 122.204515] [] do_execveat_common.isra.33+0x485/0x710 [ 122.206200] [] SyS_execve+0x3a/0x50 [ 122.207615] [] stub_execve+0x5/0x5 [ 122.208978] [] ? entry_SYSCALL_64_fastpath+0x16/0x71 [ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8 [ 122.217320] RIP [] d_absolute_path+0x44/0xa0 [ 122.218860] RSP [ 122.219919] CR2: ffff880080945fff [ 122.220936] ---[ end trace 506cdbd85eb6c55e ]--- Reported-by: Tetsuo Handa Signed-off-by: John Johansen Signed-off-by: James Morris --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 35444c8e9064..8f3c0f7aca5a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); /* Maximum pathname length before accesses will start getting rejected */ unsigned int aa_g_path_max = 2 * PATH_MAX; -module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); +module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); /* Determines how paranoid loading of policy is and how much verification * on the loaded policy is done. From 4cd4ca7cc848bedc70b5d0acac9d1ae33d73513a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20M=C3=BCller?= Date: Tue, 11 Apr 2017 13:07:07 +0200 Subject: [PATCH 94/98] keys: select CONFIG_CRYPTO when selecting DH / KDF Select CONFIG_CRYPTO in addition to CONFIG_HASH to ensure that also CONFIG_HASH2 is selected. Both are needed for the shash cipher support required for the KDF operation. Signed-off-by: Stephan Mueller Signed-off-by: David Howells --- security/keys/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/security/keys/Kconfig b/security/keys/Kconfig index 4ac1b83a23f8..6fd95f76bfae 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -90,6 +90,7 @@ config KEY_DH_OPERATIONS bool "Diffie-Hellman operations on retained keys" depends on KEYS select MPILIB + select CRYPTO select CRYPTO_HASH help This option provides support for calculating Diffie-Hellman From 3b395d67d9d6c20d142f6a1618c44577d3d79347 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Wed, 5 Apr 2017 14:07:24 +0300 Subject: [PATCH 95/98] tpm_crb: remove a cruft constant Remove a useless constant that slipped through me when I did the code review. This commit fixes the issue. Cc: Jiandi An Fixes: 69c558de63c7 ("tpm/tpm_crb: Enable TPM CRB interface for ARM64") Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 3 +-- include/acpi/actbl2.h | 2 -- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 72b03c328198..b917b9d5f710 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -572,8 +572,7 @@ static int crb_acpi_add(struct acpi_device *device) ACPI_TPM2_COMMAND_BUFFER_WITH_SMC); return -EINVAL; } - crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, - ACPI_TPM2_START_METHOD_PARAMETER_OFFSET); + crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf)); priv->smc_func_id = crb_smc->smc_func_id; priv->flags |= CRB_FL_CRB_SMC_START; } diff --git a/include/acpi/actbl2.h b/include/acpi/actbl2.h index 2b4af0769a28..0ff3c64ce924 100644 --- a/include/acpi/actbl2.h +++ b/include/acpi/actbl2.h @@ -1296,8 +1296,6 @@ struct acpi_table_tpm2 { #define ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD 8 #define ACPI_TPM2_COMMAND_BUFFER_WITH_SMC 11 -#define ACPI_TPM2_START_METHOD_PARAMETER_OFFSET 52 - /******************************************************************************* * * UEFI - UEFI Boot optimization Table From fd5c78694f3f1c875e293de7a641ba8a3d60d00d Mon Sep 17 00:00:00 2001 From: Petr Vandrovec Date: Wed, 29 Mar 2017 00:43:30 -0700 Subject: [PATCH 96/98] tpm: fix handling of the TPM 2.0 event logs When TPM2 log has entries with more than 3 digests, or with digests not listed in the log header, log gets misparsed, eventually leading to kernel complaint that code tried to vmalloc 512MB of memory (I have no idea what would happen on bigger system). So code should not parse only first 3 digests: both event header and event itself are already in memory, so we can parse any number of digests, as long as we do not try to parse whole memory when given count of 0xFFFFFFFF. So this change: * Rejects event entry with more digests than log header describes. Digest types should be unique, and all should be described in log header, so there cannot be more digests in the event than in the header. * Reject event entry with digest that is not described in the log header. In theory code could hardcode information about digest IDs already assigned by TCG, but if firmware authors cannot get event log format right, why should anyone believe that they got event log content right. Cc: stable@vger.kernel.org Fixes: 4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log") Signed-off-by: Petr Vandrovec Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2_eventlog.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm2_eventlog.c b/drivers/char/tpm/tpm2_eventlog.c index 513897cf9c4b..34a8afa69138 100644 --- a/drivers/char/tpm/tpm2_eventlog.c +++ b/drivers/char/tpm/tpm2_eventlog.c @@ -56,18 +56,24 @@ static int calc_tpm2_event_size(struct tcg_pcr_event2 *event, efispecid = (struct tcg_efi_specid_event *)event_header->event; - for (i = 0; (i < event->count) && (i < TPM2_ACTIVE_PCR_BANKS); - i++) { + /* Check if event is malformed. */ + if (event->count > efispecid->num_algs) + return 0; + + for (i = 0; i < event->count; i++) { halg_size = sizeof(event->digests[i].alg_id); memcpy(&halg, marker, halg_size); marker = marker + halg_size; - for (j = 0; (j < efispecid->num_algs); j++) { + for (j = 0; j < efispecid->num_algs; j++) { if (halg == efispecid->digest_sizes[j].alg_id) { - marker = marker + + marker += efispecid->digest_sizes[j].digest_size; break; } } + /* Algorithm without known length. Such event is unparseable. */ + if (j == efispecid->num_algs) + return 0; } event_field = (struct tcg_event_field *)marker; From e6aef069b6e97790cb127d5eeb86ae9ff0b7b0e3 Mon Sep 17 00:00:00 2001 From: Jerry Snitselaar Date: Mon, 27 Mar 2017 08:46:04 -0700 Subject: [PATCH 97/98] tpm_tis: convert to using locality callbacks This patch converts tpm_tis to use of the new tpm class ops request_locality, and relinquish_locality. With the move to using the callbacks, release_locality is changed so that we now release the locality even if there is no request pending. This required some changes to the tpm_tis_core_init code path to make sure locality is requested when needed: - tpm2_probe code path will end up calling request/release through callbacks, so request_locality prior to tpm2_probe not needed. - probe_itpm makes calls to tpm_tis_send_data which no longer calls request_locality, so add request_locality prior to tpm_tis_send_data calls. Also drop release_locality call in middleof probe_itpm, and keep locality until release_locality called at end of probe_itpm. Cc: Peter Huewe Cc: Jarkko Sakkinen Cc: Jason Gunthorpe Cc: Marcel Selhorst Signed-off-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 34 ++++++++------------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index f31fc831c8f9..b617b2eeb080 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -75,21 +75,11 @@ static bool check_locality(struct tpm_chip *chip, int l) return false; } -static void release_locality(struct tpm_chip *chip, int l, int force) +static void release_locality(struct tpm_chip *chip, int l) { struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev); - int rc; - u8 access; - - rc = tpm_tis_read8(priv, TPM_ACCESS(l), &access); - if (rc < 0) - return; - - if (force || (access & - (TPM_ACCESS_REQUEST_PENDING | TPM_ACCESS_VALID)) == - (TPM_ACCESS_REQUEST_PENDING | TPM_ACCESS_VALID)) - tpm_tis_write8(priv, TPM_ACCESS(l), TPM_ACCESS_ACTIVE_LOCALITY); + tpm_tis_write8(priv, TPM_ACCESS(l), TPM_ACCESS_ACTIVE_LOCALITY); } static int request_locality(struct tpm_chip *chip, int l) @@ -254,7 +244,6 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count) out: tpm_tis_ready(chip); - release_locality(chip, priv->locality, 0); return size; } @@ -270,9 +259,6 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) size_t count = 0; bool itpm = priv->flags & TPM_TIS_ITPM_WORKAROUND; - if (request_locality(chip, 0) < 0) - return -EBUSY; - status = tpm_tis_status(chip); if ((status & TPM_STS_COMMAND_READY) == 0) { tpm_tis_ready(chip); @@ -331,7 +317,6 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) out_err: tpm_tis_ready(chip); - release_locality(chip, priv->locality, 0); return rc; } @@ -392,7 +377,6 @@ static int tpm_tis_send_main(struct tpm_chip *chip, u8 *buf, size_t len) return len; out_err: tpm_tis_ready(chip); - release_locality(chip, priv->locality, 0); return rc; } @@ -479,12 +463,14 @@ static int probe_itpm(struct tpm_chip *chip) if (vendor != TPM_VID_INTEL) return 0; + if (request_locality(chip, 0) != 0) + return -EBUSY; + rc = tpm_tis_send_data(chip, cmd_getticks, len); if (rc == 0) goto out; tpm_tis_ready(chip); - release_locality(chip, priv->locality, 0); priv->flags |= TPM_TIS_ITPM_WORKAROUND; @@ -498,7 +484,7 @@ static int probe_itpm(struct tpm_chip *chip) out: tpm_tis_ready(chip); - release_locality(chip, priv->locality, 0); + release_locality(chip, priv->locality); return rc; } @@ -672,7 +658,6 @@ void tpm_tis_remove(struct tpm_chip *chip) interrupt = 0; tpm_tis_write32(priv, reg, ~TPM_GLOBAL_INT_ENABLE & interrupt); - release_locality(chip, priv->locality, 1); } EXPORT_SYMBOL_GPL(tpm_tis_remove); @@ -686,6 +671,8 @@ static const struct tpm_class_ops tpm_tis = { .req_complete_mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID, .req_complete_val = TPM_STS_DATA_AVAIL | TPM_STS_VALID, .req_canceled = tpm_tis_req_canceled, + .request_locality = request_locality, + .relinquish_locality = release_locality, }; int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, @@ -728,11 +715,6 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, intmask &= ~TPM_GLOBAL_INT_ENABLE; tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask); - if (request_locality(chip, 0) != 0) { - rc = -ENODEV; - goto out_err; - } - rc = tpm2_probe(chip); if (rc) goto out_err; From 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 17 Apr 2017 21:58:26 -0400 Subject: [PATCH 98/98] tpm: Fix reference count to main device The main device is currently not properly released due to one additional reference to the 'devs' device which is only released in case of a TPM 2. So, also get the additional reference only in case of a TPM2. Fixes: fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm") Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index a321bd57f3e9..9dec9f551b83 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -191,9 +191,10 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, /* get extra reference on main device to hold on * behalf of devs. This holds the chip structure * while cdevs is in use. The corresponding put - * is in the tpm_devs_release + * is in the tpm_devs_release (TPM2 only) */ - get_device(&chip->dev); + if (chip->flags & TPM_CHIP_FLAG_TPM2) + get_device(&chip->dev); if (chip->dev_num == 0) chip->dev.devt = MKDEV(MISC_MAJOR, TPM_MINOR);