On Thu, Feb 16, 2017 at 09:25:20PM +0200, Jarkko Sakkinen wrote: > From: James Bottomley <james.bottom...@hansenpartnership.com> > > Sessions are different from transient objects in that their handles > may not be virtualized (because they're used for some hmac > calculations). Additionally when a session is context saved, a > vestigial memory remains in the TPM and if it is also flushed, that > will be lost and the session context will refuse to load next time, so > the code is updated to flush only transient objects after a context > save. Add a separate array (chip->session_tbl) to save and restore > sessions by handle. Use the failure of a context save or load to > signal that the session has been flushed from the TPM and we can > remove its memory from chip->session_tbl. > > Sessions are also isolated during each instance of a tpm space. This > means that spaces shouldn't be able to see each other's sessions and > is enforced by ensuring that a space user may only refer to sessions > handles that are present in their own chip->session_tbl. Finally when > a space is closed, all the sessions belonging to it should be flushed > so the handles may be re-used by other spaces. > > Note that if we get a session save or load error, all sessions are > effectively flushed. Even though we restore the session buffer, all > the old sessions will refuse to load after the flush and they'll be > purged from our session memory. This means that while transient > context handling is still soft in the face of errors, session handling > is hard (any failure of the model means all sessions are lost). > > Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakk...@linux.intel.com> I'll give Tested-by separately once I've updated tpm2_smoke.py /Jarkko > --- > drivers/char/tpm/tpm-chip.c | 6 +++ > drivers/char/tpm/tpm.h | 4 +- > drivers/char/tpm/tpm2-space.c | 105 > +++++++++++++++++++++++++++++++++++++++++- > drivers/char/tpm/tpms-dev.c | 2 +- > 4 files changed, 113 insertions(+), 4 deletions(-) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index c71c353..e8536ab 100644 > --- a/drivers/char/tpm/tpm-chip.c > +++ b/drivers/char/tpm/tpm-chip.c > @@ -130,6 +130,7 @@ static void tpm_dev_release(struct device *dev) > > kfree(chip->log.bios_event_log); > kfree(chip->work_space.context_buf); > + kfree(chip->work_space.session_buf); > kfree(chip); > } > > @@ -224,6 +225,11 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, > rc = -ENOMEM; > goto out; > } > + chip->work_space.session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > + if (!chip->work_space.session_buf) { > + rc = -ENOMEM; > + goto out; > + } > > return chip; > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index 822ca67..ffee8b5 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -161,6 +161,8 @@ enum tpm2_cc_attrs { > struct tpm_space { > u32 context_tbl[3]; > u8 *context_buf; > + u32 session_tbl[3]; > + u8 *session_buf; > }; > > enum tpm_chip_flags { > @@ -589,7 +591,7 @@ int tpm2_probe(struct tpm_chip *chip); > ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip); > int tpm2_find_cc(struct tpm_chip *chip, u32 cc); > int tpm2_init_space(struct tpm_space *space); > -void tpm2_del_space(struct tpm_space *space); > +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); > int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 > cc, > u8 *cmd); > int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c > index e955548..d36d81e 100644 > --- a/drivers/char/tpm/tpm2-space.c > +++ b/drivers/char/tpm/tpm2-space.c > @@ -32,18 +32,39 @@ struct tpm2_context { > __be16 blob_size; > } __packed; > > +static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space > *space) > +{ > + int i; > + > + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) { > + if (space->session_tbl[i]) > + tpm2_flush_context_cmd(chip, space->session_tbl[i], > + TPM_TRANSMIT_UNLOCKED); > + } > +} > + > int tpm2_init_space(struct tpm_space *space) > { > space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > if (!space->context_buf) > return -ENOMEM; > > + space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); > + if (space->session_buf == NULL) { > + kfree(space->context_buf); > + return -ENOMEM; > + } > + > return 0; > } > > -void tpm2_del_space(struct tpm_space *space) > +void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) > { > + mutex_lock(&chip->tpm_mutex); > + tpm2_flush_sessions(chip, space); > + mutex_unlock(&chip->tpm_mutex); > kfree(space->context_buf); > + kfree(space->session_buf); > } > > static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, > @@ -69,6 +90,20 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 > *buf, > __func__, rc); > tpm_buf_destroy(&tbuf); > return -EFAULT; > + } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || > + rc == TPM2_RC_REFERENCE_H0) { > + /* > + * TPM_RC_HANDLE means that the session context can't > + * be loaded because of an internal counter mismatch > + * that makes the TPM think there might have been a > + * replay. This might happen if the context was saved > + * and loaded outside the space. > + * > + * TPM_RC_REFERENCE_H0 means the session has been > + * flushed outside the space > + */ > + rc = -ENOENT; > + tpm_buf_destroy(&tbuf); > } else if (rc > 0) { > dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", > __func__, rc); > @@ -121,7 +156,6 @@ static int tpm2_save_context(struct tpm_chip *chip, u32 > handle, u8 *buf, > } > > memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size); > - tpm2_flush_context_cmd(chip, handle, TPM_TRANSMIT_UNLOCKED); > *offset += body_size; > tpm_buf_destroy(&tbuf); > return 0; > @@ -136,6 +170,8 @@ static void tpm2_flush_space(struct tpm_chip *chip) > if (space->context_tbl[i] && ~space->context_tbl[i]) > tpm2_flush_context_cmd(chip, space->context_tbl[i], > TPM_TRANSMIT_UNLOCKED); > + > + tpm2_flush_sessions(chip, space); > } > > static int tpm2_load_space(struct tpm_chip *chip) > @@ -161,6 +197,28 @@ static int tpm2_load_space(struct tpm_chip *chip) > return rc; > } > > + for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) { > + u32 handle; > + > + if (!space->session_tbl[i]) > + continue; > + > + rc = tpm2_load_context(chip, space->session_buf, > + &offset, &handle); > + if (rc == -ENOENT) { > + /* load failed, just forget session */ > + space->session_tbl[i] = 0; > + } else if (rc) { > + tpm2_flush_space(chip); > + return rc; > + } > + if (handle != space->session_tbl[i]) { > + dev_warn(&chip->dev, "session restored to wrong > handle\n"); > + tpm2_flush_space(chip); > + return -EFAULT; > + } > + } > + > return 0; > } > > @@ -215,7 +273,10 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct > tpm_space *space, u32 cc, > > memcpy(&chip->work_space.context_tbl, &space->context_tbl, > sizeof(space->context_tbl)); > + memcpy(&chip->work_space.session_tbl, &space->session_tbl, > + sizeof(space->session_tbl)); > memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE); > + memcpy(chip->work_space.session_buf, space->session_buf, PAGE_SIZE); > > rc = tpm2_load_space(chip); > if (rc) { > @@ -232,6 +293,22 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct > tpm_space *space, u32 cc, > return 0; > } > > +static bool tpm2_add_session(struct tpm_chip *chip, u32 handle) > +{ > + struct tpm_space *space = &chip->work_space; > + int i; > + > + for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) > + if (space->session_tbl[i] == 0) > + break; > + > + if (i == ARRAY_SIZE(space->session_tbl)) > + return false; > + > + space->session_tbl[i] = handle; > + return true; > +} > + > static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool > alloc) > { > int i; > @@ -288,6 +365,8 @@ static int tpm2_map_response_header(struct tpm_chip > *chip, u32 cc, u8 *rsp, > break; > case TPM2_HT_HMAC_SESSION: > case TPM2_HT_POLICY_SESSION: > + if (!tpm2_add_session(chip, phandle)) > + goto out_no_slots; > break; > default: > dev_err(&chip->dev, "%s: unknown handle 0x%08X\n", > @@ -388,9 +467,28 @@ static int tpm2_save_space(struct tpm_chip *chip) > } else if (rc) > return rc; > > + tpm2_flush_context_cmd(chip, space->context_tbl[i], > + TPM_TRANSMIT_UNLOCKED); > space->context_tbl[i] = ~0; > } > > + for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) { > + if (!space->session_tbl[i]) > + continue; > + > + rc = tpm2_save_context(chip, space->session_tbl[i], > + space->session_buf, PAGE_SIZE, > + &offset); > + > + if (rc == -ENOENT) { > + /* handle error saving session, just forget it */ > + space->session_tbl[i] = 0; > + } else if (rc < 0) { > + tpm2_flush_space(chip); > + return rc; > + } > + } > + > return 0; > } > > @@ -425,7 +523,10 @@ int tpm2_commit_space(struct tpm_chip *chip, struct > tpm_space *space, > > memcpy(&space->context_tbl, &chip->work_space.context_tbl, > sizeof(space->context_tbl)); > + memcpy(&space->session_tbl, &chip->work_space.session_tbl, > + sizeof(space->session_tbl)); > memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE); > + memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE); > > return 0; > } > diff --git a/drivers/char/tpm/tpms-dev.c b/drivers/char/tpm/tpms-dev.c > index 5720885..4c98db8 100644 > --- a/drivers/char/tpm/tpms-dev.c > +++ b/drivers/char/tpm/tpms-dev.c > @@ -39,7 +39,7 @@ static int tpms_release(struct inode *inode, struct file > *file) > struct tpms_priv *priv = container_of(fpriv, struct tpms_priv, priv); > > tpm_common_release(file, fpriv); > - tpm2_del_space(&priv->space); > + tpm2_del_space(fpriv->chip, &priv->space); > kfree(priv); > > return 0; > -- > 2.9.3 > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ tpmdd-devel mailing list tpmdd-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tpmdd-devel