On 01/12/2017 11:55 PM, Jarkko Sakkinen wrote:
> On Thu, Jan 12, 2017 at 11:58:09AM -0500, Nayna Jain wrote:
>> This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
>> retrieve the active PCR banks from the TPM. This is needed
>> to enable extending all active banks as recommended by TPM
On 01/12/2017 11:50 PM, Jarkko Sakkinen wrote:
> On Thu, Jan 12, 2017 at 11:58:10AM -0500, Nayna Jain wrote:
>> The current TPM 2.0 device driver extends only the SHA1 PCR bank
>> but the TCG Specification[1] recommends extending all active PCR
>> banks, to prevent malicious users from setting
On 01/12/2017 03:39 PM, Jarkko Sakkinen wrote:
> On Thu, Jan 12, 2017 at 07:40:43PM +0200, Jarkko Sakkinen wrote:
>> On Tue, Jan 10, 2017 at 05:04:04PM -0500, Stefan Berger wrote:
>>> Make sure that we have not received less bytes than what is indicated
>>> in the header of the TPM response. Also,
On Thu, Jan 12, 2017 at 07:46:06PM +0200, Jarkko Sakkinen wrote:
> Added ability to tpm_transmit() to supply a TPM space that contains
> mapping from virtual handles to physical handles and backing storage for
> swapping transient objects. TPM space is isolated from other users of
> the TPM.
>
>
On Thu, Jan 12, 2017 at 07:40:43PM +0200, Jarkko Sakkinen wrote:
> On Tue, Jan 10, 2017 at 05:04:04PM -0500, Stefan Berger wrote:
> > Make sure that we have not received less bytes than what is indicated
> > in the header of the TPM response. Also, check the number of bytes in
> > the response
On Thu, 2017-01-12 at 19:46 +0200, Jarkko Sakkinen wrote:
> +static int tpm2_map_response(struct tpm_chip *chip, u32 cc, u8 *rsp,
> size_t len)
> +{
> + struct tpm_space *space = >work_space;
> + u32 phandle;
> + u32 vhandle;
> + u32 attrs;
> + int i;
> + int
On Thu, Jan 12, 2017 at 07:12:06PM +0100, Maciej S. Szmigiero wrote:
> probe_itpm() function is supposed to send command without an itpm flag set
> and if this fails to repeat it, this time with the itpm flag set.
>
> However, commit 41a5e1cf1fe15 ("tpm/tpm_tis: Split tpm_tis driver into a
> core
On Thu, Jan 12, 2017 at 10:38:30AM -0800, James Bottomley wrote:
> On Thu, 2017-01-12 at 19:46 +0200, Jarkko Sakkinen wrote:
> > @@ -435,17 +440,23 @@ ssize_t tpm_transmit(struct tpm_chip *chip,
> > const u8 *buf, size_t bufsiz,
> > goto out;
> >
> > out_recv:
> > - rc =
On Thu, Jan 12, 2017 at 09:09:33PM +0100, Maciej S. Szmigiero wrote:
> Hi Jason,
>
> On 12.01.2017 19:42, Jason Gunthorpe wrote:
> > On Thu, Jan 12, 2017 at 07:08:53PM +0100, Maciej S. Szmigiero wrote:
> >> Since commit 1107d065fdf1 ("tpm_tis: Introduce intermediate layer for TPM
> >> access")
On Thu, 2017-01-12 at 19:46 +0200, Jarkko Sakkinen wrote:
> From: James Bottomley
>
> Currently the Resource Manager (RM) is not exposed to userspace.
> Make
> this exposure via a separate device, which can now be opened multiple
> times because each
On Thu, Jan 12, 2017 at 07:12:06PM +0100, Maciej S. Szmigiero wrote:
> probe_itpm() function is supposed to send command without an itpm flag set
> and if this fails to repeat it, this time with the itpm flag set.
>
> However, commit 41a5e1cf1fe15 ("tpm/tpm_tis: Split tpm_tis driver into a
> core
On Thu, Jan 12, 2017 at 07:08:53PM +0100, Maciej S. Szmigiero wrote:
> Since commit 1107d065fdf1 ("tpm_tis: Introduce intermediate layer for TPM
> access") Atmel 3203 TPM on ThinkPad X61S (TPM firmware version 13.9) no
> longer works.
> It turns out the initialization proceeds fine until we get
On Thu, Jan 12, 2017 at 07:46:08PM +0200, Jarkko Sakkinen wrote:
> struct tpm_chip {
> - struct device dev;
> - struct cdev cdev;
> + struct device dev, devrm;
Hum.. devrm adds a new kref but doesn't do anything with the release
function, so that is going to use after free, ie here:
On Thu, 2017-01-12 at 19:46 +0200, Jarkko Sakkinen wrote:
> @@ -435,17 +440,23 @@ ssize_t tpm_transmit(struct tpm_chip *chip,
> const u8 *buf, size_t bufsiz,
> goto out;
>
> out_recv:
> - rc = chip->ops->recv(chip, (u8 *) buf, bufsiz);
> - if (rc < 0)
> + len =
On Thu, Jan 12, 2017 at 11:58:10AM -0500, Nayna Jain wrote:
> The current TPM 2.0 device driver extends only the SHA1 PCR bank
> but the TCG Specification[1] recommends extending all active PCR
> banks, to prevent malicious users from setting unused PCR banks with
> fake measurements and quoting
Since commit 1107d065fdf1 ("tpm_tis: Introduce intermediate layer for TPM
access") Atmel 3203 TPM on ThinkPad X61S (TPM firmware version 13.9) no
longer works.
It turns out the initialization proceeds fine until we get and start using
chip-reported timeouts - and the chip reports C and D timeouts
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm.h | 2 ++
drivers/char/tpm/tpm2-cmd.c | 65 ++---
2 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/drivers/char/tpm/tpm.h
This patch set adds support for TPM spaces that provide a context
for isolating and swapping transient objects. This patch set does
not yet include support for isolating policy and HMAC sessions but
it is trivial to add once the basic approach is settled (and that's
why I created an RFC patch
From: James Bottomley
Currently the Resource Manager (RM) is not exposed to userspace. Make
this exposure via a separate device, which can now be opened multiple
times because each read/write transaction goes separately via the RM.
Concurrency is
Check for every TPM 2.0 command that the command code is supported and
the command buffer has at least the length that can contain the header
and the handle area.
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm-interface.c | 32 -
From: James Bottomley
Signed-off-by: James Bottomley
---
drivers/char/tpm/Makefile | 2 +-
drivers/char/tpm/tpm-dev-common.c | 145 ++
drivers/char/tpm/tpm-dev.c|
Added ability to tpm_transmit() to supply a TPM space that contains
mapping from virtual handles to physical handles and backing storage for
swapping transient objects. TPM space is isolated from other users of
the TPM.
Signed-off-by: Jarkko Sakkinen
---
On Tue, Jan 10, 2017 at 05:04:04PM -0500, Stefan Berger wrote:
> Make sure that we have not received less bytes than what is indicated
> in the header of the TPM response. Also, check the number of bytes in
> the response before accessing its data.
>
> Signed-off-by: Stefan Berger
On Thu, Jan 12, 2017 at 10:18:39AM -0700, Jason Gunthorpe wrote:
> On Thu, Jan 12, 2017 at 04:43:21PM +0200, Jarkko Sakkinen wrote:
> > On Tue, Jan 10, 2017 at 03:15:41PM -0500, Stefan Berger wrote:
> > > Make sure that we have not received less bytes than what is indicated
> > > in the header of
On Thu, Jan 12, 2017 at 04:43:21PM +0200, Jarkko Sakkinen wrote:
> On Tue, Jan 10, 2017 at 03:15:41PM -0500, Stefan Berger wrote:
> > Make sure that we have not received less bytes than what is indicated
> > in the header of the TPM response. Also, check the number of bytes in
> > the response
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused PCR banks with
fake measurements and quoting them.
The existing in-kernel interface(tpm_pcr_extend()) expects
IMA extends its hash measurements in the TPM PCRs, based on policy.
The existing in-kernel TPM extend function extends only the SHA1
PCR bank. TPM 2.0 defines multiple PCR banks, to support different
hash algorithms. The TCG TPM 2.0 Specification[1] recommends
extending all active PCR banks to
This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
retrieve the active PCR banks from the TPM. This is needed
to enable extending all active banks as recommended by TPM 2.0
TCG Specification.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm.h | 4 +++
The result of getcapability for transient objects should normally be
virtual handles that the application sees, not the TPM handles.
However, there is a corner case - auditing the getcapability command.
Audit is a TPM function that maintains a hash of commands
and responses, and
Question 1 of 2:
The RM is virtualizing transient handles. When getcapability returns
TPM handles, they have to be mapped to the virtual handles.
Where should the mapping occur? RM vs. user space TSS?
- The RM sees the TPM physical handles, and knows the mapping to virtual
handles for that
On Tue, Jan 10, 2017 at 09:18:11AM -0500, Stefan Berger wrote:
> Make sure that we have not received less bytes than what is indicated
> in the header of the TPM response.
>
> Signed-off-by: Stefan Berger
NAK for the whole patch set as it is missing the cover letter.
On Tue, Jan 10, 2017 at 03:15:41PM -0500, Stefan Berger wrote:
> Make sure that we have not received less bytes than what is indicated
> in the header of the TPM response. Also, check the number of bytes in
> the response before accessing its data.
>
> Signed-off-by: Stefan Berger
32 matches
Mail list logo