:
* Add module parameter to handle ignoring of burst count during
tpm tis send() operation.
* Add improvements over sleep time to reduce delays.
Nayna Jain (4):
tpm: move wait_for_tpm_stat() to respective driver files
tpm: ignore burstcount to improve tpm_tis send() performance
tpm: reduce tp
The function wait_for_tpm_stat() is currently defined in
tpm-interface file. It is a hardware specific function used
only by tpm_tis and xen-tpmfront, so it is removed from
tpm-interface.c and defined in respective driver files.
Suggested-by: Jarkko Sakkinen
Signed-off-by: Nayna Jain
Reviewed
1000 extends improved from ~9sec to ~8sec.
Fixes: 3b9af007869("tpm: replace msleep() with usleep_range() in TPM 1.2/
2.0 generic drivers")
Signed-off-by: Nayna Jain
Acked-by: Mimi Zohar
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm.h | 4 ++--
1 fi
is valid, it writes
all the bytes at once, permitting wait state.
After this change, performance on a TPM 1.2 with an 8 byte
burstcount for 1000 extends improved from ~41sec to ~14sec.
Suggested-by: Ken Goldman in
conjunction with the TPM Device Driver work group.
Signed-off-by: Nayna Jain
burstcount in a loop. If it takes
lesser time for TPM to return, this 5msec delay is longer than
necessary.
After this change, performance on a TPM 1.2 with an 8 byte
burstcount for 1000 extends improved from ~14sec to ~9sec.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm_tis_core.c | 10
On 10/25/2017 03:51 AM, Jarkko Sakkinen wrote:
I noticed when making slides for KS that the naming for event log stuff
that the naming is so broken that it is hard to understand the code.
Here it really would make sense to have a patch set just to clean up the
cruft.
Random examples of more se
On 03/07/2018 09:33 PM, David Howells wrote:
Nayna Jain wrote:
+ key = key_create_or_update(make_key_ref(keyring, 1),
+ "asymmetric",
+ NULL,
+ p,
+
On 04/05/2018 03:42 PM, Jarkko Sakkinen wrote:
On Mon, Apr 02, 2018 at 09:50:06PM +0530, Nayna Jain wrote:
Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to
handle the TPM2_RC_RETRY error. The loop retries the command after
sleeping for the specified time
ring kexec. Because the platform keyring are builtin, it
cannot be updated from userspace.
This keyring can be enabled by setting CONFIG_PLATFORM_KEYRING. The
platform certificate can be provided using CONFIG_PLATFORM_TRUSTED_KEYS.
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Include David Howell&
Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Rename integrity_load_keyring() to integrity_find_keyring()
* Fix the patch description per line length as suggested by Mimi
security/integrity/digsig.c | 15 +++
security
This patch exports the function find_keyring_by_name() to be used by
other subsystems.
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Fix the patch description per line length as suggested by Mimi
include/linux/key.h | 2 ++
security/keys/internal.h | 2 --
security/keys/keyring.c | 1
On 12/05/2018 05:10 AM, Jarkko Sakkinen wrote:
On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote:
Currently the TPM driver allows other kernel subsystems to read only the
SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and
tpm2_pcr_read() to pass a tpm_digest st
ob parser
Josh Boyer (2):
efi: Import certificates from UEFI Secure Boot
efi: Allow the "db" UEFI variable to be suppressed
Nayna Jain (3):
integrity: Define a trusted platform keyring
integrity: Load certs to the platform keyring
ima: Support platform
e used to
facilitate signature verification during kexec. Since the scope of this
keyring is only the platform/firmware keys, it cannot be updated from
userspace.
This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge H
The patch refactors integrity_load_x509(), making it a wrapper for a new
function named integrity_add_key(). This patch also defines a new
function named integrity_load_cert() for loading the platform keys.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
---
security
: David Howells
Acked-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- No changes
v2:
- Fixed the checkpatch.pl warnings
security/integrity/platform_certs/load_uefi.c | 45 +--
1 file changed, 35 insertions(+), 10 deletions(-)
diff --git a/security/integrity
x'
variable. We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.
This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
Signed-off-by: Josh Bo
-appraisal access to those original keys, now
loaded on the platform keyring, needed for verifying the kernel image
and initramfs signatures.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
- replace 'rc' with 'xattr_len' when calling integrity_
From: Dave Howells
Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.
Signed-off-by: David Howells
Acked-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- No changes
include/linux
Howells
Signed-off-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- removed the CONFIG EFI_SIGNATURE_LIST_PARSER
- moved efi_parser.c from certs to security/integrity/platform_certs
directory
v2:
- Fixed the checkpatch.pl warnings
include/linux/efi.h
e used to
facilitate signature verification during kexec. Since the scope of this
keyring is only the platform/firmware keys, it cannot be updated from
userspace.
This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge H
n modified.
Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
Mimi, Nayna, can you help with testing this (because of the IMA change)?
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
/Jarkko
patch also sets the size of those arrays to zero and removes the definition
of TPM2_ACTIVE_PCR_BANKS.
Signed-off-by: Roberto Sassu
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
On 05/10/2018 06:11 PM, Nayna Jain wrote:
On 05/08/2018 10:04 PM, J Freyensee wrote:
do {
- tpm_msleep(TPM_POLL_SLEEP);
+ tpm_msleep(TPM_TIMEOUT_POLL);
I'm just curious why it was decided to still use tpm_msleep() here
instead of usleep_range() whic
if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 6 + data_len) {
rc = -EFAULT;
goto out;
}
Probably, all the changes related to the use of tpm_buf_length() could
be a separate patch in itself ?
Otherwise,
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
---
drivers/char/tpm/tpm2-cmd.c | 44
1 file changed, 12 insertions(+), 32 deletions(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index
On 03/26/2018 05:44 PM, Jarkko Sakkinen wrote:
In order to make struct tpm_buf the first class object for constructing TPM
commands, migrate tpm2_probe() to use it.
Signed-off-by: Jarkko Sakkinen
Acked-by: Jay Freyensee
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Reg
On 03/26/2018 05:44 PM, Jarkko Sakkinen wrote:
In order to make struct tpm_buf the first class object for constructing TPM
commands, migrate tpm2_get_tpm_pt() to use it.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Regards,
- N
On 12/12/2018 12:17 AM, James Morris wrote:
On Sun, 9 Dec 2018, Nayna Jain wrote:
+/*
+ * Blacklist an X509 TBS hash.
+ */
+static __init void uefi_blacklist_x509_tbs(const char *source,
+ const void *data, size_t len)
+{
+ char *hash, *p
Boyer
Signed-off-by: David Howells
Signed-off-by: Nayna Jain
Acked-by: Serge Hallyn
Signed-off-by: Mimi Zohar
---
Changelog:
v2a:
- refactored uefi_blacklist_x509_tbs() and uefi_blacklist_binary()
v2:
- Fixed the checkpatch.pl warnings
v0:
- This patch replaces the loading of certificate
From: Nayna Jain
This patch removes the code duplication in ima_init_policy() by defining
a new function named add_rules(). The new function adds the rules to the
initial IMA policy, the custom policy or both based on the policy mask
(IMA_DEFAULT_POLICY, IMA_CUSTOM_POLICY).
Signed-off-by: Nayna
On 09/29/2018 04:00 AM, Tomas Winkler wrote:
Reimplement tpm1_continue_selftest() using tpm_buf structure.
This is the last command using the old tpm_cmd_t structure
and now the structure can be removed.
Cc: Nayna Jain
Signed-off-by: Tomas Winkler
Reviewed-by: Jarkko Sakkinen
Tested-by
On 10/17/2018 12:15 PM, Tomas Winkler wrote:
diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c
b/drivers/char/tpm/tpm_i2c_nuvoton.c
index caa86b19c76d..5d20e98b844f 100644
--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -370,6 +370,7 @@ static int i2c_nuvoto
On 10/17/2018 05:54 PM, Winkler, Tomas wrote:
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
- rc = i2c_nuvoton_wait_for_data_avail(chip,
-tpm_calc_ordinal_duration(chip,
-
On 11/06/2018 08:31 PM, Roberto Sassu wrote:
This patch removes the hard-coded limit of the active_banks array size.
The hard-coded limit in static array active_banks[] represents the
maximum possible banks.
A TPM might have three banks, but only one bank may be active.
To confirm my und
On 11/07/2018 03:11 PM, Roberto Sassu wrote:
On 11/7/2018 7:14 AM, Nayna Jain wrote:
On 11/06/2018 08:31 PM, Roberto Sassu wrote:
This patch removes the hard-coded limit of the active_banks array size.
The hard-coded limit in static array active_banks[] represents the
maximum possible
On 09/29/2018 04:00 AM, Tomas Winkler wrote:
+unsigned long tpm1_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal)
+{
+ int duration_idx = TPM_UNDEFINED;
+ int duration = 0;
+
+ /*
+* We only have a duration table for protected commands, where the upper
+
On 09/29/2018 04:00 AM, Tomas Winkler wrote:
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 73511cd89bef..a97d72fcda5b 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -544,8 +544,10 @@ int tpm_startup(struct tpm_chip *chip);
ssize_t tpm_getcap(struct
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
+ TPM_DIGEST_SIZE, 0, log_msg);
+
+ tpm_buf_destroy(&buf);
+ return rc;
+}
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Sorry for bit delay in testing.
Thanks & Regards,
- Nayna
ip);
I only have Nuvoton TPM 2.0, tested for that.
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain (For TPM 2.0)
Thanks & Regards,
- Nayna
ring kexec. Because the
platform keyring are builtin, it cannot be updated from userspace.
This keyring can be enabled by setting CONFIG_PLATFORM_KEYRING.
The platform certificate can be provided using
CONFIG_PLATFORM_TRUSTED_KEYS.
Signed-off-by: Nayna Jain
---
certs/Kconfig
This patch exports the function find_keyring_by_name()
to be used by other subsystems.
Signed-off-by: Nayna Jain
---
include/linux/key.h | 2 ++
security/keys/internal.h | 2 --
security/keys/keyring.c | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux
Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain
---
security/integrity/digsig.c | 15 +++
security/integrity/ima/Kconfig| 10 ++
security/integrity/ima/ima_appraise.c | 22 +-
security/integrity/ima/ima_init.
This patch moves TPM_POLL_SLEEP from tpm_tis_core.c to tpm.h, renaming
it to TPM_TIMEOUT_POLL, to follow the existing enum naming
conventions.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm.h | 3 ++-
drivers/char/tpm/tpm_tis_core.c | 10 ++
2 files changed, 4 insertions
a TPM 1.2 with an 8 byte
burstcount for 1000 extends improved from ~14sec to ~10.7sec.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm-interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index
sec to ~6.9sec.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 7e797377e1eb..8cad6bfc5f46 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -522,8 +522
On 03/01/2018 02:07 PM, Jarkko Sakkinen wrote:
Hi
On Wed, Feb 28, 2018 at 02:18:26PM -0500, Nayna Jain wrote:
This patch moves TPM_POLL_SLEEP from tpm_tis_core.c to tpm.h, renaming
it to TPM_TIMEOUT_POLL, to follow the existing enum naming
conventions.
Signed-off-by: Nayna Jain
The cover
On 03/01/2018 02:52 PM, Jarkko Sakkinen wrote:
On Wed, Feb 28, 2018 at 02:18:27PM -0500, Nayna Jain wrote:
In tpm_transmit, after send(), the code checks for status in a loop
Maybe cutting hairs now but please just use the actual function name
instead of send(). Just makes the commit log
10.4:
"This command(TPM2_GetTestResult) returns manufacturer-specific information
regarding the results of a self-test and an indication of the test status.
Signed-off-by: Nayna Jain
Tested-by: Mimi Zohar (on Pi with TPM 2.0)
Tested-by: Stefan Berger (With QEMU with
swtpm TP
MHz clock and 64-byte transfers, it would take about 120 usec
to move 256B of data. Sending 1kB would take about 500 usec. If the
transactions are done using 4 bytes at a time, then it would take about
1 msec. to transfer 1kB of data."
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Rev
improved from ~14 sec to ~10.7 sec.
[1] All tests are performed on an x86 based, locked down, single purpose
closed system. It has Infineon TPM 1.2 using LPC Bus.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Jay Freyensee
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
ranularity less than 1msec
Nayna Jain (2):
tpm: reduce poll sleep time in tpm_transmit()
tpm: reduce polling time to usecs for even finer granularity
drivers/char/tpm/tpm-interface.c | 2 +-
drivers/char/tpm/tpm.h | 5 -
drivers/char/tpm/tpm_tis_core.c | 11 +++
d time for IMA_APPRAISE_MODSIG as well
Nayna Jain (5):
keys: cleanup build time module signing keys
keys: generate self-signed module signing key using CSR
ima: update kernel module signing process during build
keys: define build time generated ephemeral kernel CA key
ima: enable loading of
CSR.
Signed-off-by: Nayna Jain
---
Makefile | 3 ++-
certs/Makefile | 15 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index af18aab6bbee..9c87fdd600d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
init/Kconfig | 6 +++---
2 files changed, 4 insertions(+), 4 deletions
The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well removes the names of the files which
are no longer generated.
Signed-off-by: Nayna Jain
Fixes: 28a68f828266 ("modsign: Use sing
Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin and secondary trusted keyring.
This patch creates and includes in the kernel image an ephemeral CA
key, at build time when IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
Makefile
trusted keyring.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 56 +++
include/keys/system_keyring.h | 9 +-
security/integrity/digsig.c | 4 +++
3 files changed, 55 insertions(+), 14 deletions(-)
diff --git a/certs/system_keyring.c b/certs
The "mrproper" target is still looking for build time generated keys in
the old path instead of certs/ directory. Fix the path and remove the
names of the files which are no longer generated.
Fixes: fb1179499134 ("modsign: Use single PEM file for autogenerated key")
Signe
d time for IMA_APPRAISE_MODSIG as well
v2:
* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (5):
keys: cleanup build time module sign
-off-by: Nayna Jain
---
Makefile | 3 ++-
certs/Makefile | 15 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 004163a4e6b3..a971d4ae40bd 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config
)
Signed-off-by: Nayna Jain
---
Makefile| 2 ++
certs/Makefile | 68 ++---
certs/system_certificates.S | 16 -
3 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index a971d4ae40bd
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
init/Kconfig | 6 +++---
2 files changed, 4 insertions(+), 4 deletions
builtin trusted keyring.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 55 ++-
include/keys/system_keyring.h | 9 +-
security/integrity/digsig.c | 4 +++
3 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/certs/system_keyring.c b
The "mrproper" target is still looking for build time generated keys in
the kernel root directory instead of certs directory. Fix the path and
remove the names of the files which are no longer generated.
Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.
Signed-off-by: Nayna Jain
---
certs/system_certificates.S | 13 +-
certs/system_keyring.c| 47
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
certs/Makefile | 8
init/Kconfig | 6 +++---
3 files changed
ing.
v2:
* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (3):
keys: cleanup build time module signing keys
ima: enable signing o
5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (3):
keys: cleanup build time module signing keys
ima: enable signing of modules with build time generated key
ima: enable loading of build time generated key on .ima keyring
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/Kconfig | 2 +-
certs/Makefile | 8
init/Kconfig | 6
The "mrproper" target is still looking for build time generated keys in
the kernel root directory instead of certs directory. Fix the path and
remove the names of the files which are no longer generated.
Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/system_certificates.S | 13 -
certs/system_keyring.c| 50
This patch updates the arch specific policies for PowernV systems
to add check against blacklisted hashes before doing the verification.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel
This patch deprecates the existing permit_directio flag, instead adds
it as possible value to appraise_flag parameter.
For eg.
appraise_flag=permit_directio
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4 ++--
security/integrity/ima/ima_policy.c | 2 ++
2 files changed
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (2):
powerpc: detect the secure boot mode of the system
powerpc: Add support to initialize ima policy rules
arch/powerpc/Kconfig | 13 ++
arch/powerpc/include/asm/secb
Secure boot on POWER defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain
---
arch
-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 2 ++
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel/ima_arch.c | 50 ++
include/linux/ima.h| 3 +-
4 files changed
e based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: Nayna Jain
---
v2:
* Fixes the patch description to specify the problem more clearly as asked
by Michael Ellerman.
arch/powerpc/kernel/ima_arch.c | 6 ++
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v3:
* Includes Stefan's feedback correctly:
* Fixed handling of rc > 0 error
* Includes Jarkko's feedback related to comment and the function.
v2:
* Incl
kernel panic during boot.
This patch moves the pcr allocation outside the auto startup function
into tpm_chip_register. This ensures that allocated banks are initialized
in any case.
Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with
PCR read")
Signed-off-by:
CONFIG_KEXEC_VERIFY_SIG for CONFIG_IMA_ARCH_POLICY
Fixes: d958083a8f640 (x86/ima: define arch_get_ima_policy() for x86)
Signed-off-by: Nayna Jain
Cc: Eric Biederman
Cc: Dave Young
---
security/integrity/ima/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v2:
* Includes Jarkko's feedbacks
* fixes the function name to tpm_get_pcr_allocation()
* adds new function tpm1_get_pcr_allocation()
* updates patch summary
On 09/21/2018 07:28 PM, Tomas Winkler wrote:
TPM manual startup is used only from within TPM 1.x or TPM 2.x
code, hence remove tpm_startup() function from tpm-interface.c
and add two static functions implementations tpm1_startup()
and tpm2_startup() into to tpm1-cmd.c and tpm2-cmd.c respective
On 09/21/2018 07:28 PM, Tomas Winkler wrote:
Reimplement tpm1_continue_selftest() using tpm_buf structure.
This is the last command using the old tpm_cmd_t structure
and now the structure can be removed.
Signed-off-by: Tomas Winkler
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
-
On 09/19/2018 07:36 PM, Jarkko Sakkinen wrote:
On Tue, Sep 18, 2018 at 12:34:45PM +0300, Tomas Winkler wrote:
Move tpm1_pcr_extend to tpm1-cmd.c and remove
unused pcrextend_header structure.
Fixes warning:
drivers/char/tpm/tpm-interface.c:609:38: warning: ‘pcrextend_header’ defined
but not
On 09/21/2018 07:28 PM, Tomas Winkler wrote:
1. TPM2_CC_LAST has moved from 182 to 193
2. Convert tpm2_ordinal_duration from an array into a switch statement,
as there are not so many commands that require special duration
relative to a number of commands, the switch statement function
On 09/21/2018 07:28 PM, Tomas Winkler wrote:
Factor out TPM 1.x commands calculation into tpm1-cmd.c file.
and change the prefix from tpm_ to tpm1_.
No functional change is done here.
Signed-off-by: Tomas Winkler
Tested-by: Jarkko Sakkinen
---
V2-V3: Rebase
V4: 1. Remove the licence stateme
On 10/02/2018 06:12 AM, Jarkko Sakkinen wrote:
On Sat, Sep 29, 2018 at 01:30:20AM +0300, Tomas Winkler wrote:
Move tpm1_pcr_extend to tpm1-cmd.c and remove
unused pcrextend_header structure and
EXTEND_PCR_RESULT_SIZE and EXTEND_PCR_RESULT_BODY_SIZE
defines.
Fixes warning:
drivers/char/tpm/tp
me.
Fixes: commit e2fb992d82c6 ("tpm: add retry logic")
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
drivers/char/tpm/tpm-interface.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.
On 03/01/2018 03:28 PM, Jarkko Sakkinen wrote:
On Wed, Feb 28, 2018 at 02:18:28PM -0500, Nayna Jain wrote:
When 'commit 9f3fc7bcddcb ("tpm: replace msleep() with usleep_range()
in TPM 1.2/2.0 generic drivers")' was upstreamed, it replaced the
"was upstreamed"
s 1.939667 time.
Signed-off-by: Nayna Jain
Tested-by: Mimi Zohar (on Pi with TPM 2.0)
Signed-off-by: Mimi Zohar
---
drivers/char/tpm/tpm.h | 2 ++
drivers/char/tpm/tpm2-cmd.c | 59 +
2 files changed, 61 insertions(+)
diff --git a/drivers/char/tpm/
ng 4 bytes at a time, then it would take about
1 msec. to transfer 1kB of data."
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm.h | 4 +++-
drivers/char/tpm/tpm_tis_core.c | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/char/tpm/tpm.h b/d
TPM_POLL_SLEEP and moves it to tpm.h as
an enum value.
After this change, performance on a TPM 1.2 with an 8 byte burstcount
for 1000 extends improved from ~14 sec to ~10.7 sec.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm-interface.c | 2 +-
drivers/char/tpm/tpm.h | 3 ++-
drivers
tpm: reduce polling time to usecs for even finer granularity
* directly use usleep_range with finer granularity less than 1msec
Nayna Jain (2):
tpm: reduce poll sleep time in tpm_transmit()
tpm: reduce polling time to usecs for even finer granularity
drivers/char/tpm/tpm-interface.c
On 05/08/2018 10:04 PM, J Freyensee wrote:
do {
- tpm_msleep(TPM_POLL_SLEEP);
+ tpm_msleep(TPM_TIMEOUT_POLL);
I'm just curious why it was decided to still use tpm_msleep() here
instead of usleep_range() which was used in the 2nd patch.
TPM_TIMEOUT_POLL is i
and an indication of the test status."
Signed-off-by: Nayna Jain
Tested-by: Mimi Zohar (on Pi with TPM 2.0)
---
Changelog v2:
* changed the subject and updated patch description
* removed the logs
drivers/char/tpm/tpm.h | 2 ++
drivers/char/tpm/tpm2-cmd.c | 48 +++
reduce polling time to usecs for even finer granularity
* directly use usleep_range with finer granularity less than 1msec
Nayna Jain (2):
tpm: reduce poll sleep time in tpm_transmit()
tpm: reduce polling time to usecs for even finer granularity
drivers/char/tpm/tpm-interface.c | 2 +-
d
improved from ~14 sec to ~10.7 sec.
[1] All tests are performed on an x86 based, locked down, single purpose
closed system. It has Infineon TPM 1.2 using LPC Bus.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm-interface.c | 2 +-
drivers/char/tpm/tpm.h | 3 ++-
drivers/char/tpm
MHz clock and 64-byte transfers, it would take about 120 usec
to move 256B of data. Sending 1kB would take about 500 usec. If the
transactions are done using 4 bytes at a time, then it would take about
1 msec. to transfer 1kB of data."
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Reviewe
moves the init functions into
tpm_eventlog_init.c.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/Makefile| 2 +-
drivers/char/tpm/tpm_eventlog.c | 165 +-
drivers/char/tpm/tpm_eventlog.h | 3 +
drivers/char/tpm/tpm_eventlog_init.c | 189
1 - 100 of 174 matches
Mail list logo