On 10/04/2013 01:08 PM, Jason Gunthorpe wrote:
On Mon, Sep 30, 2013 at 05:09:51PM -0500, Joel Schopp wrote:
So far, nobody I have talked to has offered any strong opinions on
what locality should be used or how it should be set. I think finding
a developer of trousers may be the most useful to
On 06/20/2017 01:42 AM, Amir Goldstein wrote:
On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman
wrote:
"Serge E. Hallyn" writes:
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:
On Wed, Jun 14, 2017 at 08:27:40AM -0400, Ste
On 06/20/2017 08:19 AM, Stefan Berger wrote:
On 06/20/2017 01:42 AM, Amir Goldstein wrote:
On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman
wrote:
"Serge E. Hallyn" writes:
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:
O
On 06/20/2017 04:55 PM, Jarkko Sakkinen wrote:
On Tue, Jun 20, 2017 at 01:31:52PM -0600, Jason Gunthorpe wrote:
On Tue, Jun 20, 2017 at 08:13:34PM +0200, Jarkko Sakkinen wrote:
Consolidated all the "manual" TPM startup code to a single function
in order to make code flows a bit cleaner and migr
On 06/20/2017 05:38 PM, Jarkko Sakkinen wrote:
On Tue, Jun 20, 2017 at 11:32:41PM +0200, Jarkko Sakkinen wrote:
On Tue, Jun 20, 2017 at 05:25:57PM -0400, Stefan Berger wrote:
On 06/20/2017 04:55 PM, Jarkko Sakkinen wrote:
On Tue, Jun 20, 2017 at 01:31:52PM -0600, Jason Gunthorpe wrote:
On
On 06/21/2017 03:31 AM, Jarkko Sakkinen wrote:
Consolidated all the "manual" TPM startup code to a single function
in order to make code flows a bit cleaner and migrate to tpm_buf.
Signed-off-by: Jarkko Sakkinen
Tested-by: Stefan Berger
FYI:
swtpm chardev --vtpm-proxy --tpmstat
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7 ++-
security/integrity
Stefan
Stefan Berger (6):
tpm: Introduce a kref for the tpm_chip
tpm: Get additional kref with every call to tpm_try_get_ops()
tpm: Implement tpm_chip_find() for other subsystems to call
ima: Implement ima_shutdown and register it as a reboot_notifier
ima: Use tpm_chip_find() and
ima_tpm_chip_lock.
Use ima_shutdown to release the tpm_chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 3 +++
security/integrity/ima/ima_crypto.c | 12 ++--
security/integrity/ima/ima_init.c | 19 ---
security/integrity/ima/ima_queue.c | 7
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip. Once done with using the chip, the reference
is released using tpm_chip_put().
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h
Get a reference to the TPM chip on every call to tpm_try_get_ops()
and release the reference in tpm_put_ops().
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 5 -
include/linux/tpm.h | 4
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/char
Implement ima_shutdown so that we can release the tpm_chip before
devices are shut down. Register it as a low-priority reboot_notifier.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima_init.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/security/integrity/ima
Introduce a kref for the tpm_chip that we initialize when the tpm_chip has
been allocated and release before the tpm_chip is to be freed.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 24 +++-
drivers/char/tpm/tpm.h | 1 +
2 files changed, 20
On 06/20/2018 02:38 PM, Jason Gunthorpe wrote:
On Wed, Jun 20, 2018 at 12:19:43PM -0400, Stefan Berger wrote:
Introduce a kref for the tpm_chip that we initialize when the tpm_chip has
been allocated and release before the tpm_chip is to be freed.
Signed-off-by: Stefan Berger
drivers/char
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7 ++-
security/integrity
Stefan
v1->v2:
- use the kref of the device via get_device()/put_device()
Stefan Berger (4):
tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems
ima: Implement ima_shutdown and register it as a reboot_notifier
ima: Use tpm_chip_find() and access TPM functions using
ima_tpm_chip_lock.
Use ima_shutdown to release the tpm_chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 3 +++
security/integrity/ima/ima_crypto.c | 12 ++--
security/integrity/ima/ima_init.c | 19 ---
security/integrity/ima/ima_queue.c | 7
Implement ima_shutdown so that we can release the tpm_chip before
devices are shut down. Register it as a low-priority reboot_notifier.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima_init.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/security/integrity/ima
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip. Once done with using the chip, the reference
is released using tpm_chip_put().
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 37 +
include
On 06/20/2018 04:50 PM, Jason Gunthorpe wrote:
On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote:
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip. Once done with using the chip, the reference
is released using tpm_chip_put
On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote:
On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote:
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip. Once done with using the chip, the reference
is released using tpm_chip_put
On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote:
On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote:
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip. Once done with using the chip, the reference
is released using tpm_chip_put
On 06/21/2018 01:56 PM, Jason Gunthorpe wrote:
On Thu, Jun 21, 2018 at 01:45:03PM -0400, Stefan Berger wrote:
On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote:
On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote:
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get
On 06/21/2018 03:06 PM, Jason Gunthorpe wrote:
On Thu, Jun 21, 2018 at 02:19:44PM -0400, Stefan Berger wrote:
On 06/21/2018 01:56 PM, Jason Gunthorpe wrote:
On Thu, Jun 21, 2018 at 01:45:03PM -0400, Stefan Berger wrote:
On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote:
On Wed, Jun 20, 2018 at
On 06/21/2018 04:53 PM, Mimi Zohar wrote:
On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote:
Rather than accessing the TPM functions using a NULL pointer, which
causes a lookup for a suitable chip every time, get a hold of a tpm_chip
and access the TPM functions using this chip. We call
On 06/21/2018 11:25 PM, Jason Gunthorpe wrote:
On Thu, Jun 21, 2018 at 04:59:55PM -0400, Stefan Berger wrote:
On 06/21/2018 04:53 PM, Mimi Zohar wrote:
On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote:
Rather than accessing the TPM functions using a NULL pointer, which
causes a lookup
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7 ++-
security/integrity
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 +
security
Stefan
v2->v3:
- renaming tpm_chip_find_get() to tpm_get_ops()
- IMA does not lock access to ima_tpm_chip anymore
- IMA does not have a reboot notifier to release the chip anymore
v1->v2:
- use the kref of the device via get_device()/put_device()
Stefan Berger (4):
tpm: rename t
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h | 5 +
2 files changed, 32 insertions(+)
diff --git a/drivers/char
Rename tpm_chip_find_get() to tpm_get_ops(). This now matches
the name of its counter part tpm_put_ops() better.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 4 ++--
drivers/char/tpm/tpm-interface.c | 14 +++---
drivers/char/tpm/tpm.h | 2 +-
3 files
On 06/22/2018 04:43 PM, Jason Gunthorpe wrote:
On Fri, Jun 22, 2018 at 12:46:11PM -0400, Stefan Berger wrote:
Implement tpm_chip_find() for other subsystems to find a TPM chip and
get a reference to that chip.
Signed-off-by: Stefan Berger
drivers/char/tpm/tpm-chip.c | 27
Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match
the tpm_put_ops() counter part.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 9 ++---
drivers/char/tpm/tpm-interface.c | 14 +++---
drivers/char/tpm/tpm.h | 2 +-
3 files
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 +
security
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7 ++-
security/integrity
Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip
is passed in.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 32 +---
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm
Implement tpm_default_chip() to find a TPM chip and get a reference to it.
This function is also suitable for other subsystems to call and hold onto
the chip.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h | 5 +
2
Stefan
v3->v4:
- followed Jason's suggestions
v2->v3:
- renaming tpm_chip_find_get() to tpm_get_ops()
- IMA does not lock access to ima_tpm_chip anymore
- IMA does not have a reboot notifier to release the chip anymore
v1->v2:
- use the kref of the device via get_device
On 05/10/2017 07:54 PM, Stefan Berger wrote:
Refactor tpm_transmit and pull out code sending the command
and receiving the response and put this into tpm_transfer.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-interface.c | 121 +++
1 file changed
This patch set implements an IMA namespace data structure that gets
created alongside a mount namespace with CLONE_NEWNS, and lays down the
foundation for namespacing the different aspects of IMA (eg. IMA-audit,
IMA-measurement, IMA-appraisal).
The original PoC patches [1] created a new CLONE_NEWI
From: Mehmet Kayaalp
This patch adds an rbtree to the IMA namespace structure that stores a
namespaced version of iint->flags in ns_status struct. Similar to the
integrity_iint_cache, both the iint ns_struct are looked up using the
inode pointer value. The lookup, allocate, and insertion code is
From: Mehmet Kayaalp
The iint cache stores whether the file is measured, appraised, audited
etc. This patch moves the IMA_AUDITED flag into the per-namespace
ns_status, enabling IMA audit mechanism to audit the same file each time
it is accessed in a new namespace.
The ns_status is not looked up
namespace
code
Signed-off-by: Yuqiong Sun
Signed-off-by: Mehmet Kayaalp
Signed-off-by: Stefan Berger
---
fs/mount.h | 14 -
fs/namespace.c | 29 --
include/linux/ima.h | 67 +++
inclu
From: Mehmet Kayaalp
This patch adds an rbtree to the IMA namespace structure that stores a
namespaced version of iint->flags in ns_status struct. Similar to the
integrity_iint_cache, both the iint ns_struct are looked up using the
inode pointer value. The lookup, allocate, and insertion code is
From: Mehmet Kayaalp
The iint cache stores whether the file is measured, appraised, audited
etc. This patch moves the IMA_AUDITED flag into the per-namespace
ns_status, enabling IMA audit mechanism to audit the same file each time
it is accessed in a new namespace.
The ns_status is not looked up
This patch set implements an IMA namespace data structure that gets
created alongside a user namespace with CLONE_NEWUSER, and lays down the
foundation for namespacing the different aspects of IMA (eg. IMA-audit,
IMA-measurement, IMA-appraisal).
The original PoC patches [1] created a new CLONE_NEW
Use existing ima.h headers
* Move the ima_namespace.c to security/integrity/ima/ima_ns.c
* Fix typo INFO->INO
* Each namespace free's itself, removed recursively free'ing
until init_ima_ns from free_ima_ns()
Signed-off-by: Yuqiong Sun
Signed-off-by: Mehmet Kayaalp
Signed-off-b
On 03/15/2018 03:01 PM, James Bottomley wrote:
On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
On 03/15/2018 02:45 PM, James Bottomley wrote:
[...]
going to need some type of keyring namespace and there's
already
one hanging off the user_ns:
c
On 07/20/2017 06:50 PM, Mehmet Kayaalp wrote:
From: Yuqiong Sun
Add new CONFIG_IMA_NS config option. Let clone() create a new IMA
namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy.
ima_ns is allocated and freed upon IMA namespace creation and exit.
Currently, the ima_ns con
On 07/25/2017 04:46 PM, Serge E. Hallyn wrote:
On Tue, Jul 25, 2017 at 04:11:29PM -0400, Stefan Berger wrote:
On 07/25/2017 03:48 PM, Mimi Zohar wrote:
On Tue, 2017-07-25 at 12:08 -0700, James Bottomley wrote:
On Tue, 2017-07-25 at 14:04 -0500, Serge E. Hallyn wrote:
On Tue, Jul 25, 2017 at
On 03/08/2018 09:59 PM, Serge E. Hallyn wrote:
On Thu, Mar 08, 2018 at 09:04:52AM -0500, Stefan Berger wrote:
On 07/25/2017 04:46 PM, Serge E. Hallyn wrote:
On Tue, Jul 25, 2017 at 04:11:29PM -0400, Stefan Berger wrote:
On 07/25/2017 03:48 PM, Mimi Zohar wrote:
On Tue, 2017-07-25 at 12:08
On 03/11/2018 06:58 PM, James Morris wrote:
On Fri, 9 Mar 2018, Stefan Berger wrote:
Yuqiong is publishing a paper in this area. I believe the conference is only
later this year.
Our goals are to enable IMA measurements, appraisal, and auditing inside a
container using namespaces.
This is
On 11/16/18 7:38 AM, Jarkko Sakkinen wrote:
Call tpm_chip_start() and tpm_chip_stop() in
* tpm_try_get_ops() and tpm_put_ops()
* tpm_chip_register()
* tpm2_del_space()
And remove these calls from tpm_transmit(). The core reason for this
change is that in tpm_vtpm_proxy a locality change require
On 11/16/18 7:38 AM, Jarkko Sakkinen wrote:
Remove @flags from tpm_transmit() API. It is no longer used for
anything.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 32 ++---
drivers/char/tpm/tpm-dev-common.c | 2
On 11/16/18 7:38 AM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c
TPM_TRANSMIT_UNLOCKED.
Cc: James Bottomley
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-dev-common.c | 30 ++
drivers/char/tpm/tpm-interface.c | 29 +++--
drivers/char/tpm/tpm2-space.c | 12
+}
+
+/**
+ * tpm_chip_stop() - power off the TPM
+ * @chip: a TPM chip to use
+ * @flags: TPM transmit flags
+ *
+ * Return:
+ * * The response length - OK
+ * * -errno- A system error
This function returns void!
+ */
+void tpm_chip_stop(struct tpm_chip
requires a virtual
TPM command (a command made up just for that driver).
The consequence of this is that this commit removes the remaining nested
calls.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 25 -
drivers/char
tpm_transmit() calls. The nesteds calls make the whole flow hard
to maintain, and thus, it is better to just fix things now before this
turns into a bigger mess.
Tested this series with the vtpm proxy test cases:
Tested-by: Stefan Berger
v9:
* Fixed again tpm_try_get_ops().
* Added missing reviewed
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 2 ++
drivers/char/tpm/tpm-dev-common.c | 4 +---
drivers/char/tpm/tpm-interface.c | 8
drivers/char/tpm/tpm.h| 8 ++--
drivers/char/tpm/tpm2-cmd.c | 13 -
drivers/char
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Call tpm_chip_start() and tpm_chip_stop() in
* tpm_try_get_ops() and tpm_put_ops()
* tpm_chip_register()
* tpm2_del_space()
And remove these calls from tpm_transmit(). The core reason for this
change is that in tpm_vtpm_proxy a locality change require
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Remove @flags from tpm_transmit() API. It is no longer used for
anything.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 32 ++---
drivers/char/tpm/tpm-dev-common.c | 2
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
I ran the vtpm proxy test suite on this series and got this error when
running it with 'make check
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 110
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 110
On 11/13/18 5:34 PM, Stefan Berger wrote:
On 11/13/18 1:36 PM, Jarkko Sakkinen wrote:
Encapsulate power gating and locality functionality to tpm_chip_start()
and tpm_chip_stop() in order to clean up the branching mess in
tpm_transmit().
I ran the vtpm proxy test suite on this series and got
On 06/29/2018 08:13 AM, Jarkko Sakkinen wrote:
On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote:
This series of patches converts IMA's usage of the tpm_chip to find a TPM
chip initially and use it until the machine is shut down. To do this we need
to introduce a kref for the tpm_chip
determining whether to call TPM functions.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
security/integrity/ima/ima.h| 2 +-
security/integrity/ima/ima_crypto.c | 4 ++--
security/integrity/ima/ima_init.c | 16 +---
security/integrity/ima/ima_queue.c | 4
On 07/02/2018 11:11 AM, Mimi Zohar wrote:
Hi Stefan,
On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote:
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
I don't see a need for separating this change from the previous patch.
Remove the unused is_ima_appraise_enabled() function.
Signed-off-by: Stefan Berger
---
include/linux/ima.h | 6 --
security/integrity/ima/ima_appraise.c | 10 --
2 files changed, 16 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index
Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match
the tpm_put_ops() counter part.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 9 ++---
drivers/char/tpm/tpm-interface.c | 14 +++---
drivers/char/tpm/tpm.h | 2 +-
3 files
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7 ++-
security/integrity
v2->v3:
- renaming tpm_chip_find_get() to tpm_get_ops()
- IMA does not lock access to ima_tpm_chip anymore
- IMA does not have a reboot notifier to release the chip anymore
v1->v2:
- use the kref of the device via get_device()/put_device()
Stefan Berger (5):
tpm: rename tpm_chip_fin
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.
Signed-off-by: Stefan Berger
---
security/integrity/ima/ima.h| 1 +
security
Implement tpm_default_chip() to find a TPM chip and get a reference to it.
This function is also suitable for other subsystems to call and hold onto
the chip.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h | 5 +
2
Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip
is passed in.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 32 +---
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
security/integrity/ima/ima.h
- new patch 3 that uses tpm_default_chip() in tpm_find_get_ops()
v2->v3:
- renaming tpm_chip_find_get() to tpm_get_ops()
- IMA does not lock access to ima_tpm_chip anymore
- IMA does not have a reboot notifier to release the chip anymore
v1->v2:
- use the kref of the device via get_device()/pu
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7
Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match
the tpm_put_ops() counter part.
Signed-off-by: Stefan Berger
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 9 ++---
drivers/char/tpm/tpm-interface.c | 14
ff-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h | 5 +
2 files changed, 32 insertions(+)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 242b716aed5e..f551061262c9 100644
--- a/drivers/char/tpm/tpm-c
Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip
is passed in.
Signed-off-by: Stefan Berger
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 32 +---
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/char/tpm
On 06/26/2018 01:23 PM, Stefan Berger wrote:
Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip
is passed in.
Signed-off-by: Stefan Berger
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 32 +---
1 file changed, 13 insertions
reboot notifier to release the chip anymore
v1->v2:
- use the kref of the device via get_device()/put_device()
Stefan Berger (5):
tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
tpm: Implement tpm_default_chip() to find a TPM chip
tpm: Convert tpm_find_get_ops() to use tpm_default_c
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
security/integrity/ima/ima.h| 1 -
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_init.c | 7
Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip
is passed in.
Signed-off-by: Stefan Berger
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 32 +---
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/char/tpm
ff-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 27 +++
include/linux/tpm.h | 5 +
2 files changed, 32 insertions(+)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 242b716aed5e..f551061262c9 100644
--- a/drivers/char/tpm/tpm-c
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
security/integrity/ima/ima.h
Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match
the tpm_put_ops() counter part.
Signed-off-by: Stefan Berger
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-chip.c | 9 ++---
drivers/char/tpm/tpm-interface.c | 14
Use tpm_default_chip() to find the system's default TPM chip and
use it as the tpm_chip parameter for all TPM operations. Release
the tpm_chip when the module is shut down.
Signed-off-by: Stefan Berger
---
security/keys/trusted.c | 41 -
1 file ch
Some subsystems that got a hold of a TPM chip through tpm_default_chip()
need a way to release the reference to the TPM chip when they shut down.
The tpm_put_chip() function enables this.
Signed-off-by: Stefan Berger
---
drivers/char/tpm/tpm-chip.c | 10 ++
include/linux/tpm.h
The following patches build on top of the series of patches that
convert IMA to find and use the system's default TPM chip.
I have done some successful testing with trusted keys using publicly
available examples.
Stefan
Stefan Berger (2):
tpm: Implement public tpm_put_chip() to re
Implement audit_log_tty() so that IMA can add tty= to its audit records.
Signed-off-by: Stefan Berger
---
include/linux/audit.h | 5 +
kernel/audit.c| 8
2 files changed, 13 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 90aa63ddc9be
Remove the usage of audit_log_string() and replace it with
audit_log_format().
Signed-off-by: Stefan Berger
Suggested-by: Steve Grubb
Reviewed-by: Mimi Zohar
---
security/integrity/ima/ima_policy.c | 3 +--
security/integrity/integrity_audit.c | 6 +-
2 files changed, 2 insertions(+), 7
The parameters passed to this logging function are all provided by
a privileged user and therefore we can call audit_log_string()
rather than audit_log_untrustedstring().
Signed-off-by: Stefan Berger
Suggested-by: Steve Grubb
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1
Factor out a common part of integrity_audit_msg() that others
can also call.
Signed-off-by: Stefan Berger
---
security/integrity/integrity.h | 16
security/integrity/integrity_audit.c | 24
2 files changed, 32 insertions(+), 8 deletions(-)
diff
Use the new public audit functions to add the exe= and tty=
parts to the integrity audit records. We place them before
res=.
Signed-off-by: Stefan Berger
Suggested-by: Steve Grubb
---
security/integrity/integrity_audit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/integrity
If Integrity is not auditing, IMA shouldn't audit, either.
Signed-off-by: Stefan Berger
---
security/integrity/ima/Kconfig | 1 +
security/integrity/ima/ima_policy.c | 6 +-
security/integrity/integrity.h | 10 ++
3 files changed, 16 insertions(+), 1 deletion(-)
" exe="/usr/bin/echo" \
tty=tty2 res=1
Signed-off-by: Stefan Berger
---
include/uapi/linux/audit.h | 3 ++-
security/integrity/ima/ima_policy.c | 5 +++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/li
1 - 100 of 598 matches
Mail list logo