[PATCH v4 4/4] tpm2-sessions: Enforce single authorized handle

Fri, 05 Dec 2025 07:35:13 -0800 

Eliminate AUTH_MAX_NAMES and replace array of names with a buffer for
single TPM name, as this what call sites expect at worst.

Benefits are obvious i.e., removing dead code is usually a good idea
:-)

Signed-off-by: Jarkko Sakkinen <[email protected]>
---
 drivers/char/tpm/tpm2-sessions.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index c8b44b1a6cb6..8bfe2875faf2 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -72,9 +72,6 @@
 #include <crypto/sha2.h>
 #include <crypto/utils.h>
 
-/* maximum number of names the TPM must remember for authorization */
-#define AUTH_MAX_NAMES 3
-
 #define AES_KEY_BYTES  AES_KEYSIZE_128
 #define AES_KEY_BITS   (AES_KEY_BYTES*8)
 
@@ -136,8 +133,8 @@ struct tpm2_auth {
         * handle, but they are part of the session by name, which
         * we must compute and remember
         */
-       u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
-       u16 name_size_tbl[AUTH_MAX_NAMES];
+       u8 name[2 + SHA512_DIGEST_SIZE];
+       u16 name_size;
 };
 
 /**
@@ -182,7 +179,7 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct 
tpm_buf *buf,
 
 #ifdef CONFIG_TCG_TPM2_HMAC
        slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4;
-       if (slot >= AUTH_MAX_NAMES) {
+       if (slot > 0) {
                dev_err(&chip->dev, "too many handles\n");
                ret = -EIO;
                goto err;
@@ -195,8 +192,8 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct 
tpm_buf *buf,
        }
        tpm_buf_append_u32(buf, handle);
        auth->session += 4;
-       memcpy(auth->name[slot], name, name_size);
-       auth->name_size_tbl[slot] = name_size;
+       memcpy(auth->name, name, name_size);
+       auth->name_size = name_size;
 #endif
        return 0;
 
@@ -573,8 +570,7 @@ int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct 
tpm_buf *buf)
        /* ordinal is already BE */
        sha256_update(&sctx, (u8 *)&head->ordinal, sizeof(head->ordinal));
        /* add the handle names */
-       for (i = 0; i < handles; i++)
-               sha256_update(&sctx, auth->name[i], auth->name_size_tbl[i]);
+       sha256_update(&sctx, auth->name, auth->name_size);
        if (offset_s != tpm_buf_length(buf))
                sha256_update(&sctx, &buf->data[offset_s],
                              tpm_buf_length(buf) - offset_s);
-- 
2.52.0

Reply via email to