On Thu, Nov 08, 2018 at 10:43:46AM -0500, Stefan Berger wrote: > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > > index f2b0e5c52a57..d6abc964ef66 100644 > > --- a/drivers/char/tpm/tpm2-cmd.c > > +++ b/drivers/char/tpm/tpm2-cmd.c > > @@ -652,17 +652,12 @@ int tpm2_unseal_trusted(struct tpm_chip *chip, > > u32 blob_handle; > > int rc; > > > > - mutex_lock(&chip->tpm_mutex); > > - rc = tpm2_load_cmd(chip, payload, options, &blob_handle, > > - TPM_TRANSMIT_UNLOCKED); > > + rc = tpm2_load_cmd(chip, payload, options, &blob_handle, 0); > > if (rc) > > - goto out; > > + return rc; > > > > - rc = tpm2_unseal_cmd(chip, payload, options, blob_handle, > > - TPM_TRANSMIT_UNLOCKED); > > - tpm2_flush_context_cmd(chip, blob_handle, TPM_TRANSMIT_UNLOCKED); > > -out: > > - mutex_unlock(&chip->tpm_mutex); > > + rc = tpm2_unseal_cmd(chip, payload, options, blob_handle, 0); > > + tpm2_flush_context_cmd(chip, blob_handle, 0); > > > This lock was covering quite a few commands from being interfered by others. > Is this still guaranteed to work after or can different subsystems like > trusted keys and IMA and /dev/tpm0 users interfere with this previous atomic > sequence ?
One way to keep this sequence atomic would be to use a TPM space. Then you can release the lock in-between the sequence. /Jarkko
