Re: [tpmdd-devel] [PATCH 09/13] tpm: Pull everything related to sysfs into tpm-sysfs.c

On 10/04/2013 01:08 PM, Jason Gunthorpe wrote: On Mon, Sep 30, 2013 at 05:09:51PM -0500, Joel Schopp wrote: So far, nobody I have talked to has offered any strong opinions on what locality should be used or how it should be set. I think finding a developer of trousers may be the most useful to

Re: [PATCH v4] Introduce v3 namespaced file capabilities

On 06/20/2017 01:42 AM, Amir Goldstein wrote: On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman wrote: "Serge E. Hallyn" writes: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 06/14/2017 11:05 PM, Serge E. Hallyn wrote: On Wed, Jun 14, 2017 at 08:27:40AM -0400, Ste

Re: [PATCH v4] Introduce v3 namespaced file capabilities

On 06/20/2017 08:19 AM, Stefan Berger wrote: On 06/20/2017 01:42 AM, Amir Goldstein wrote: On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman wrote: "Serge E. Hallyn" writes: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 06/14/2017 11:05 PM, Serge E. Hallyn wrote: O

Re: [PATCH] tpm: consolidate the TPM startup code

On 06/20/2017 04:55 PM, Jarkko Sakkinen wrote: On Tue, Jun 20, 2017 at 01:31:52PM -0600, Jason Gunthorpe wrote: On Tue, Jun 20, 2017 at 08:13:34PM +0200, Jarkko Sakkinen wrote: Consolidated all the "manual" TPM startup code to a single function in order to make code flows a bit cleaner and migr

Re: [PATCH] tpm: consolidate the TPM startup code

On 06/20/2017 05:38 PM, Jarkko Sakkinen wrote: On Tue, Jun 20, 2017 at 11:32:41PM +0200, Jarkko Sakkinen wrote: On Tue, Jun 20, 2017 at 05:25:57PM -0400, Stefan Berger wrote: On 06/20/2017 04:55 PM, Jarkko Sakkinen wrote: On Tue, Jun 20, 2017 at 01:31:52PM -0600, Jason Gunthorpe wrote: On

Re: [PATCH v2] tpm: consolidate the TPM startup code

On 06/21/2017 03:31 AM, Jarkko Sakkinen wrote: Consolidated all the "manual" TPM startup code to a single function in order to make code flows a bit cleaner and migrate to tpm_buf. Signed-off-by: Jarkko Sakkinen Tested-by: Stefan Berger FYI: swtpm chardev --vtpm-proxy --tpmstat

[PATCH 6/6] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++- security/integrity

[PATCH 0/6] Have IMA find and use a tpm_chip until system shutdown

Stefan Stefan Berger (6): tpm: Introduce a kref for the tpm_chip tpm: Get additional kref with every call to tpm_try_get_ops() tpm: Implement tpm_chip_find() for other subsystems to call ima: Implement ima_shutdown and register it as a reboot_notifier ima: Use tpm_chip_find() and

[PATCH 5/6] ima: Use tpm_chip_find() and access TPM functions using it

ima_tpm_chip_lock. Use ima_shutdown to release the tpm_chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 3 +++ security/integrity/ima/ima_crypto.c | 12 ++-- security/integrity/ima/ima_init.c | 19 --- security/integrity/ima/ima_queue.c | 7

[PATCH 3/6] tpm: Implement tpm_chip_find() for other subsystems to call

Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Once done with using the chip, the reference is released using tpm_chip_put(). Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h

[PATCH 2/6] tpm: Get additional kref with every call to tpm_try_get_ops()

Get a reference to the TPM chip on every call to tpm_try_get_ops() and release the reference in tpm_put_ops(). Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 5 - include/linux/tpm.h | 4 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/char

[PATCH 4/6] ima: Implement ima_shutdown and register it as a reboot_notifier

Implement ima_shutdown so that we can release the tpm_chip before devices are shut down. Register it as a low-priority reboot_notifier. Signed-off-by: Stefan Berger --- security/integrity/ima/ima_init.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/security/integrity/ima

[PATCH 1/6] tpm: Introduce a kref for the tpm_chip

Introduce a kref for the tpm_chip that we initialize when the tpm_chip has been allocated and release before the tpm_chip is to be freed. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 24 +++- drivers/char/tpm/tpm.h | 1 + 2 files changed, 20

Re: [PATCH 1/6] tpm: Introduce a kref for the tpm_chip

On 06/20/2018 02:38 PM, Jason Gunthorpe wrote: On Wed, Jun 20, 2018 at 12:19:43PM -0400, Stefan Berger wrote: Introduce a kref for the tpm_chip that we initialize when the tpm_chip has been allocated and release before the tpm_chip is to be freed. Signed-off-by: Stefan Berger drivers/char

[PATCH v2 4/4] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++- security/integrity

[PATCH v2 0/4] Have IMA find and use a tpm_chip until system shutdown

Stefan v1->v2: - use the kref of the device via get_device()/put_device() Stefan Berger (4): tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems ima: Implement ima_shutdown and register it as a reboot_notifier ima: Use tpm_chip_find() and access TPM functions using

[PATCH v2 3/4] ima: Use tpm_chip_find() and access TPM functions using it

ima_tpm_chip_lock. Use ima_shutdown to release the tpm_chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 3 +++ security/integrity/ima/ima_crypto.c | 12 ++-- security/integrity/ima/ima_init.c | 19 --- security/integrity/ima/ima_queue.c | 7

[PATCH v2 2/4] ima: Implement ima_shutdown and register it as a reboot_notifier

Implement ima_shutdown so that we can release the tpm_chip before devices are shut down. Register it as a low-priority reboot_notifier. Signed-off-by: Stefan Berger --- security/integrity/ima/ima_init.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/security/integrity/ima

[PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Once done with using the chip, the reference is released using tpm_chip_put(). Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 37 + include

Re: [PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

On 06/20/2018 04:50 PM, Jason Gunthorpe wrote: On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote: Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Once done with using the chip, the reference is released using tpm_chip_put

Re: [PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote: On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote: Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Once done with using the chip, the reference is released using tpm_chip_put

Re: [PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote: On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote: Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Once done with using the chip, the reference is released using tpm_chip_put

Re: [PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

On 06/21/2018 01:56 PM, Jason Gunthorpe wrote: On Thu, Jun 21, 2018 at 01:45:03PM -0400, Stefan Berger wrote: On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote: On Wed, Jun 20, 2018 at 04:42:33PM -0400, Stefan Berger wrote: Implement tpm_chip_find() for other subsystems to find a TPM chip and get

Re: [PATCH v2 1/4] tpm: Implement tpm_chip_find() and tpm_chip_put() for other subsystems

On 06/21/2018 03:06 PM, Jason Gunthorpe wrote: On Thu, Jun 21, 2018 at 02:19:44PM -0400, Stefan Berger wrote: On 06/21/2018 01:56 PM, Jason Gunthorpe wrote: On Thu, Jun 21, 2018 at 01:45:03PM -0400, Stefan Berger wrote: On 06/21/2018 01:15 PM, Jarkko Sakkinen wrote: On Wed, Jun 20, 2018 at

Re: [PATCH v2 3/4] ima: Use tpm_chip_find() and access TPM functions using it

On 06/21/2018 04:53 PM, Mimi Zohar wrote: On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote: Rather than accessing the TPM functions using a NULL pointer, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using this chip. We call

Re: [PATCH v2 3/4] ima: Use tpm_chip_find() and access TPM functions using it

On 06/21/2018 11:25 PM, Jason Gunthorpe wrote: On Thu, Jun 21, 2018 at 04:59:55PM -0400, Stefan Berger wrote: On 06/21/2018 04:53 PM, Mimi Zohar wrote: On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote: Rather than accessing the TPM functions using a NULL pointer, which causes a lookup

[PATCH v3 4/4] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++- security/integrity

[PATCH v3 3/4] ima: Use tpm_chip_find() and call TPM functions with a tpm_chip

Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 + security

[PATCH v3 0/4] Have IMA find and use a tpm_chip until system shutdown

Stefan v2->v3: - renaming tpm_chip_find_get() to tpm_get_ops() - IMA does not lock access to ima_tpm_chip anymore - IMA does not have a reboot notifier to release the chip anymore v1->v2: - use the kref of the device via get_device()/put_device() Stefan Berger (4): tpm: rename t

[PATCH v3 2/4] tpm: Implement tpm_chip_find() for other subsystems to find a TPM chip

Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h | 5 + 2 files changed, 32 insertions(+) diff --git a/drivers/char

[PATCH v3 1/4] tpm: rename tpm_chip_find_get() to tpm_get_ops()

Rename tpm_chip_find_get() to tpm_get_ops(). This now matches the name of its counter part tpm_put_ops() better. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 4 ++-- drivers/char/tpm/tpm-interface.c | 14 +++--- drivers/char/tpm/tpm.h | 2 +- 3 files

Re: [PATCH v3 2/4] tpm: Implement tpm_chip_find() for other subsystems to find a TPM chip

On 06/22/2018 04:43 PM, Jason Gunthorpe wrote: On Fri, Jun 22, 2018 at 12:46:11PM -0400, Stefan Berger wrote: Implement tpm_chip_find() for other subsystems to find a TPM chip and get a reference to that chip. Signed-off-by: Stefan Berger drivers/char/tpm/tpm-chip.c | 27

[PATCH v4 1/5] tpm: rename tpm_chip_find_get() to tpm_find_get_ops()

Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match the tpm_put_ops() counter part. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 9 ++--- drivers/char/tpm/tpm-interface.c | 14 +++--- drivers/char/tpm/tpm.h | 2 +- 3 files

[PATCH v4 4/5] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 + security

[PATCH v4 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++- security/integrity

[PATCH v4 3/5] tpm: Convert tpm_find_get_ops() to use tpm_default_chip()

Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip is passed in. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 32 +--- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm

[PATCH v4 2/5] tpm: Implement tpm_default_chip() to find a TPM chip

Implement tpm_default_chip() to find a TPM chip and get a reference to it. This function is also suitable for other subsystems to call and hold onto the chip. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h | 5 + 2

[PATCH v4 0/5] Have IMA find and use a tpm_chip until system shutdown

Stefan v3->v4: - followed Jason's suggestions v2->v3: - renaming tpm_chip_find_get() to tpm_get_ops() - IMA does not lock access to ima_tpm_chip anymore - IMA does not have a reboot notifier to release the chip anymore v1->v2: - use the kref of the device via get_device

Re: [PATCH v4 1/2] tpm: Refactor tpm_transmit pulling out tpm_transfer function

On 05/10/2017 07:54 PM, Stefan Berger wrote: Refactor tpm_transmit and pull out code sending the command and receiving the response and put this into tpm_transfer. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-interface.c | 121 +++ 1 file changed

[RFC PATCH v2 0/3] ima: namespacing IMA

This patch set implements an IMA namespace data structure that gets created alongside a mount namespace with CLONE_NEWNS, and lays down the foundation for namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal). The original PoC patches [1] created a new CLONE_NEWI

[RFC PATCH v2 2/3] ima: Add ns_status for storing namespaced iint data

From: Mehmet Kayaalp This patch adds an rbtree to the IMA namespace structure that stores a namespaced version of iint->flags in ns_status struct. Similar to the integrity_iint_cache, both the iint ns_struct are looked up using the inode pointer value. The lookup, allocate, and insertion code is

[RFC PATCH v2 3/3] ima: mamespace audit status flags

From: Mehmet Kayaalp The iint cache stores whether the file is measured, appraised, audited etc. This patch moves the IMA_AUDITED flag into the per-namespace ns_status, enabling IMA audit mechanism to audit the same file each time it is accessed in a new namespace. The ns_status is not looked up

[RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

namespace code Signed-off-by: Yuqiong Sun Signed-off-by: Mehmet Kayaalp Signed-off-by: Stefan Berger --- fs/mount.h | 14 - fs/namespace.c | 29 -- include/linux/ima.h | 67 +++ inclu

[RFC PATCH v3 2/3] ima: Add ns_status for storing namespaced iint data

From: Mehmet Kayaalp This patch adds an rbtree to the IMA namespace structure that stores a namespaced version of iint->flags in ns_status struct. Similar to the integrity_iint_cache, both the iint ns_struct are looked up using the inode pointer value. The lookup, allocate, and insertion code is

[RFC PATCH v3 3/3] ima: mamespace audit status flags

From: Mehmet Kayaalp The iint cache stores whether the file is measured, appraised, audited etc. This patch moves the IMA_AUDITED flag into the per-namespace ns_status, enabling IMA audit mechanism to audit the same file each time it is accessed in a new namespace. The ns_status is not looked up

[RFC PATCH v3 0/3] ima: namespacing IMA

This patch set implements an IMA namespace data structure that gets created alongside a user namespace with CLONE_NEWUSER, and lays down the foundation for namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal). The original PoC patches [1] created a new CLONE_NEW

[RFC PATCH v3 1/3] ima: extend clone() with IMA namespace support

Use existing ima.h headers * Move the ima_namespace.c to security/integrity/ima/ima_ns.c * Fix typo INFO->INO * Each namespace free's itself, removed recursively free'ing until init_ima_ns from free_ima_ns() Signed-off-by: Yuqiong Sun Signed-off-by: Mehmet Kayaalp Signed-off-b

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to need some type of keyring namespace and there's already one hanging off the user_ns: c

Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

On 07/20/2017 06:50 PM, Mehmet Kayaalp wrote: From: Yuqiong Sun Add new CONFIG_IMA_NS config option. Let clone() create a new IMA namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy. ima_ns is allocated and freed upon IMA namespace creation and exit. Currently, the ima_ns con

Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

On 07/25/2017 04:46 PM, Serge E. Hallyn wrote: On Tue, Jul 25, 2017 at 04:11:29PM -0400, Stefan Berger wrote: On 07/25/2017 03:48 PM, Mimi Zohar wrote: On Tue, 2017-07-25 at 12:08 -0700, James Bottomley wrote: On Tue, 2017-07-25 at 14:04 -0500, Serge E. Hallyn wrote: On Tue, Jul 25, 2017 at

Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

On 03/08/2018 09:59 PM, Serge E. Hallyn wrote: On Thu, Mar 08, 2018 at 09:04:52AM -0500, Stefan Berger wrote: On 07/25/2017 04:46 PM, Serge E. Hallyn wrote: On Tue, Jul 25, 2017 at 04:11:29PM -0400, Stefan Berger wrote: On 07/25/2017 03:48 PM, Mimi Zohar wrote: On Tue, 2017-07-25 at 12:08

Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

On 03/11/2018 06:58 PM, James Morris wrote: On Fri, 9 Mar 2018, Stefan Berger wrote: Yuqiong is publishing a paper in this area. I believe the conference is only later this year. Our goals are to enable IMA measurements, appraisal, and auditing inside a container using namespaces. This is

Re: [PATCH v8 16/17] tpm: take TPM chip power gating out of tpm_transmit()

On 11/16/18 7:38 AM, Jarkko Sakkinen wrote: Call tpm_chip_start() and tpm_chip_stop() in * tpm_try_get_ops() and tpm_put_ops() * tpm_chip_register() * tpm2_del_space() And remove these calls from tpm_transmit(). The core reason for this change is that in tpm_vtpm_proxy a locality change require

Re: [PATCH v8 17/17] tpm: remove @flags from tpm_transmit()

On 11/16/18 7:38 AM, Jarkko Sakkinen wrote: Remove @flags from tpm_transmit() API. It is no longer used for anything. Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 32 ++--- drivers/char/tpm/tpm-dev-common.c | 2

Re: [PATCH v8 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/16/18 7:38 AM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c

Re: [PATCH v8 11/17] tpm: move TPM space code out of tpm_transmit()

TPM_TRANSMIT_UNLOCKED. Cc: James Bottomley Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-dev-common.c | 30 ++ drivers/char/tpm/tpm-interface.c | 29 +++-- drivers/char/tpm/tpm2-space.c | 12

Re: [PATCH v9 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

+} + +/** + * tpm_chip_stop() - power off the TPM + * @chip: a TPM chip to use + * @flags: TPM transmit flags + * + * Return: + * * The response length - OK + * * -errno- A system error This function returns void! + */ +void tpm_chip_stop(struct tpm_chip

Re: [PATCH v9 16/17] tpm: take TPM chip power gating out of tpm_transmit()

requires a virtual TPM command (a command made up just for that driver). The consequence of this is that this commit removes the remaining nested calls. Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 25 - drivers/char

Re: [PATCH v9 00/17] Removed nested TPM operations

tpm_transmit() calls. The nesteds calls make the whole flow hard to maintain, and thus, it is better to just fix things now before this turns into a bigger mess. Tested this series with the vtpm proxy test cases: Tested-by: Stefan Berger v9: * Fixed again tpm_try_get_ops(). * Added missing reviewed

Re: [PATCH v7 14/17] tpm: remove TPM_TRANSMIT_UNLOCKED flag

Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 2 ++ drivers/char/tpm/tpm-dev-common.c | 4 +--- drivers/char/tpm/tpm-interface.c | 8 drivers/char/tpm/tpm.h| 8 ++-- drivers/char/tpm/tpm2-cmd.c | 13 - drivers/char

Re: [PATCH v7 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c

Re: [PATCH v7 16/17] tpm: take TPM chip power gating out of tpm_transmit()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Call tpm_chip_start() and tpm_chip_stop() in * tpm_try_get_ops() and tpm_put_ops() * tpm_chip_register() * tpm2_del_space() And remove these calls from tpm_transmit(). The core reason for this change is that in tpm_vtpm_proxy a locality change require

Re: [PATCH v7 17/17] tpm: remove @flags from tpm_transmit()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Remove @flags from tpm_transmit() API. It is no longer used for anything. Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 32 ++--- drivers/char/tpm/tpm-dev-common.c | 2

Re: [PATCH v7 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). I ran the vtpm proxy test suite on this series and got this error when running it with 'make check

Re: [PATCH v7 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 110

Re: [PATCH v7 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 110

Re: [PATCH v7 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop()

On 11/13/18 5:34 PM, Stefan Berger wrote: On 11/13/18 1:36 PM, Jarkko Sakkinen wrote: Encapsulate power gating and locality functionality to tpm_chip_start() and tpm_chip_stop() in order to clean up the branching mess in tpm_transmit(). I ran the vtpm proxy test suite on this series and got

Re: [PATCH v7 0/5] Have IMA find and use a tpm_chip until system shutdown

On 06/29/2018 08:13 AM, Jarkko Sakkinen wrote: On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote: This series of patches converts IMA's usage of the tpm_chip to find a TPM chip initially and use it until the machine is shut down. To do this we need to introduce a kref for the tpm_chip

[PATCH] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

determining whether to call TPM functions. Signed-off-by: Stefan Berger Acked-by: Jarkko Sakkinen --- security/integrity/ima/ima.h| 2 +- security/integrity/ima/ima_crypto.c | 4 ++-- security/integrity/ima/ima_init.c | 16 +--- security/integrity/ima/ima_queue.c | 4

Re: [PATCH v7 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

On 07/02/2018 11:11 AM, Mimi Zohar wrote: Hi Stefan, On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote: Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. I don't see a need for separating this change from the previous patch.

[PATCH] ima: Remove unused is_ima_appraise_enabled() function.

Remove the unused is_ima_appraise_enabled() function. Signed-off-by: Stefan Berger --- include/linux/ima.h | 6 -- security/integrity/ima/ima_appraise.c | 10 -- 2 files changed, 16 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index

[PATCH v5 1/5] tpm: rename tpm_chip_find_get() to tpm_find_get_ops()

Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match the tpm_put_ops() counter part. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 9 ++--- drivers/char/tpm/tpm-interface.c | 14 +++--- drivers/char/tpm/tpm.h | 2 +- 3 files

[PATCH v5 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++- security/integrity

[PATCH v5 0/5] Have IMA find and use a tpm_chip until system shutdown

v2->v3: - renaming tpm_chip_find_get() to tpm_get_ops() - IMA does not lock access to ima_tpm_chip anymore - IMA does not have a reboot notifier to release the chip anymore v1->v2: - use the kref of the device via get_device()/put_device() Stefan Berger (5): tpm: rename tpm_chip_fin

[PATCH v5 4/5] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger --- security/integrity/ima/ima.h| 1 + security

[PATCH v5 2/5] tpm: Implement tpm_default_chip() to find a TPM chip

Implement tpm_default_chip() to find a TPM chip and get a reference to it. This function is also suitable for other subsystems to call and hold onto the chip. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h | 5 + 2

[PATCH v5 3/5] tpm: Convert tpm_find_get_ops() to use tpm_default_chip()

Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip is passed in. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 32 +--- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm

[PATCH v6 4/5] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger Acked-by: Jarkko Sakkinen --- security/integrity/ima/ima.h

[PATCH v6 0/5] Have IMA find and use a tpm_chip until system shutdown

- new patch 3 that uses tpm_default_chip() in tpm_find_get_ops() v2->v3: - renaming tpm_chip_find_get() to tpm_get_ops() - IMA does not lock access to ima_tpm_chip anymore - IMA does not have a reboot notifier to release the chip anymore v1->v2: - use the kref of the device via get_device()/pu

[PATCH v6 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger Acked-by: Jarkko Sakkinen --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7

[PATCH v6 1/5] tpm: rename tpm_chip_find_get() to tpm_find_get_ops()

Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match the tpm_put_ops() counter part. Signed-off-by: Stefan Berger Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 9 ++--- drivers/char/tpm/tpm-interface.c | 14

[PATCH v6 2/5] tpm: Implement tpm_default_chip() to find a TPM chip

ff-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h | 5 + 2 files changed, 32 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 242b716aed5e..f551061262c9 100644 --- a/drivers/char/tpm/tpm-c

[PATCH v6 3/5] tpm: Convert tpm_find_get_ops() to use tpm_default_chip()

Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip is passed in. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 32 +--- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/drivers/char/tpm

Re: [PATCH v6 3/5] tpm: Convert tpm_find_get_ops() to use tpm_default_chip()

On 06/26/2018 01:23 PM, Stefan Berger wrote: Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip is passed in. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 32 +--- 1 file changed, 13 insertions

[PATCH v7 0/5] Have IMA find and use a tpm_chip until system shutdown

reboot notifier to release the chip anymore v1->v2: - use the kref of the device via get_device()/put_device() Stefan Berger (5): tpm: rename tpm_chip_find_get() to tpm_find_get_ops() tpm: Implement tpm_default_chip() to find a TPM chip tpm: Convert tpm_find_get_ops() to use tpm_default_c

[PATCH v7 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger Acked-by: Jarkko Sakkinen --- security/integrity/ima/ima.h| 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7

[PATCH v7 3/5] tpm: Convert tpm_find_get_ops() to use tpm_default_chip()

Convert tpm_find_get_ops() to use tpm_default_chip() in case no chip is passed in. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 32 +--- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/drivers/char/tpm

[PATCH v7 2/5] tpm: Implement tpm_default_chip() to find a TPM chip

ff-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 27 +++ include/linux/tpm.h | 5 + 2 files changed, 32 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 242b716aed5e..f551061262c9 100644 --- a/drivers/char/tpm/tpm-c

[PATCH v7 4/5] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger Acked-by: Jarkko Sakkinen --- security/integrity/ima/ima.h

[PATCH v7 1/5] tpm: rename tpm_chip_find_get() to tpm_find_get_ops()

Rename tpm_chip_find_get() to tpm_find_get_ops() to more closely match the tpm_put_ops() counter part. Signed-off-by: Stefan Berger Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 9 ++--- drivers/char/tpm/tpm-interface.c | 14

[PATCH 2/2] KEYS: trusted: Find tpm_chip and use it until module shutdown

Use tpm_default_chip() to find the system's default TPM chip and use it as the tpm_chip parameter for all TPM operations. Release the tpm_chip when the module is shut down. Signed-off-by: Stefan Berger --- security/keys/trusted.c | 41 - 1 file ch

[PATCH 1/2] tpm: Implement public tpm_put_chip() to release reference to chip

Some subsystems that got a hold of a TPM chip through tpm_default_chip() need a way to release the reference to the TPM chip when they shut down. The tpm_put_chip() function enables this. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm-chip.c | 10 ++ include/linux/tpm.h

[PATCH 0/2] Convert trusted keys to find and use the default TPM chip

The following patches build on top of the series of patches that convert IMA to find and use the system's default TPM chip. I have done some successful testing with trusted keys using publicly available examples. Stefan Stefan Berger (2): tpm: Implement public tpm_put_chip() to re

[PATCH 3/8] audit: Implement audit_log_tty()

Implement audit_log_tty() so that IMA can add tty= to its audit records. Signed-off-by: Stefan Berger --- include/linux/audit.h | 5 + kernel/audit.c| 8 2 files changed, 13 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index 90aa63ddc9be

[PATCH 2/8] ima: Use audit_log_format() rather than audit_log_string()

Remove the usage of audit_log_string() and replace it with audit_log_format(). Signed-off-by: Stefan Berger Suggested-by: Steve Grubb Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 3 +-- security/integrity/integrity_audit.c | 6 +- 2 files changed, 2 insertions(+), 7

[PATCH 1/8] ima: Call audit_log_string() rather than logging it untrusted

The parameters passed to this logging function are all provided by a privileged user and therefore we can call audit_log_string() rather than audit_log_untrustedstring(). Signed-off-by: Stefan Berger Suggested-by: Steve Grubb --- security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1

[PATCH 6/8] integrity: Factor out common part of integrity_audit_msg()

Factor out a common part of integrity_audit_msg() that others can also call. Signed-off-by: Stefan Berger --- security/integrity/integrity.h | 16 security/integrity/integrity_audit.c | 24 2 files changed, 32 insertions(+), 8 deletions(-) diff

[PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits

Use the new public audit functions to add the exe= and tty= parts to the integrity audit records. We place them before res=. Signed-off-by: Stefan Berger Suggested-by: Steve Grubb --- security/integrity/integrity_audit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity

[PATCH 7/8] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set

If Integrity is not auditing, IMA shouldn't audit, either. Signed-off-by: Stefan Berger --- security/integrity/ima/Kconfig | 1 + security/integrity/ima/ima_policy.c | 6 +- security/integrity/integrity.h | 10 ++ 3 files changed, 16 insertions(+), 1 deletion(-)

[PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

" exe="/usr/bin/echo" \ tty=tty2 res=1 Signed-off-by: Stefan Berger --- include/uapi/linux/audit.h | 3 ++- security/integrity/ima/ima_policy.c | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/li

  1   2   3   4   5   6   >