Age | Commit message (Collapse) | Author |
|
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"In this patchset, we finally get an SELinux update, with Paul Moore
taking over as maintainer of that code.
Also a significant update for the Keys subsystem, as well as
maintenance updates to Smack, IMA, TPM, and Apparmor"
and since I wanted to know more about the updates to key handling,
here's the explanation from David Howells on that:
"Okay. There are a number of separate bits. I'll go over the big bits
and the odd important other bit, most of the smaller bits are just
fixes and cleanups. If you want the small bits accounting for, I can
do that too.
(1) Keyring capacity expansion.
KEYS: Consolidate the concept of an 'index key' for key access
KEYS: Introduce a search context structure
KEYS: Search for auth-key by name rather than target key ID
Add a generic associative array implementation.
KEYS: Expand the capacity of a keyring
Several of the patches are providing an expansion of the capacity of a
keyring. Currently, the maximum size of a keyring payload is one page.
Subtract a small header and then divide up into pointers, that only gives
you ~500 pointers on an x86_64 box. However, since the NFS idmapper uses
a keyring to store ID mapping data, that has proven to be insufficient to
the cause.
Whatever data structure I use to handle the keyring payload, it can only
store pointers to keys, not the keys themselves because several keyrings
may point to a single key. This precludes inserting, say, and rb_node
struct into the key struct for this purpose.
I could make an rbtree of records such that each record has an rb_node
and a key pointer, but that would use four words of space per key stored
in the keyring. It would, however, be able to use much existing code.
I selected instead a non-rebalancing radix-tree type approach as that
could have a better space-used/key-pointer ratio. I could have used the
radix tree implementation that we already have and insert keys into it by
their serial numbers, but that means any sort of search must iterate over
the whole radix tree. Further, its nodes are a bit on the capacious side
for what I want - especially given that key serial numbers are randomly
allocated, thus leaving a lot of empty space in the tree.
So what I have is an associative array that internally is a radix-tree
with 16 pointers per node where the index key is constructed from the key
type pointer and the key description. This means that an exact lookup by
type+description is very fast as this tells us how to navigate directly to
the target key.
I made the data structure general in lib/assoc_array.c as far as it is
concerned, its index key is just a sequence of bits that leads to a
pointer. It's possible that someone else will be able to make use of it
also. FS-Cache might, for example.
(2) Mark keys as 'trusted' and keyrings as 'trusted only'.
KEYS: verify a certificate is signed by a 'trusted' key
KEYS: Make the system 'trusted' keyring viewable by userspace
KEYS: Add a 'trusted' flag and a 'trusted only' flag
KEYS: Separate the kernel signature checking keyring from module signing
These patches allow keys carrying asymmetric public keys to be marked as
being 'trusted' and allow keyrings to be marked as only permitting the
addition or linkage of trusted keys.
Keys loaded from hardware during kernel boot or compiled into the kernel
during build are marked as being trusted automatically. New keys can be
loaded at runtime with add_key(). They are checked against the system
keyring contents and if their signatures can be validated with keys that
are already marked trusted, then they are marked trusted also and can
thus be added into the master keyring.
Patches from Mimi Zohar make this usable with the IMA keyrings also.
(3) Remove the date checks on the key used to validate a module signature.
X.509: Remove certificate date checks
It's not reasonable to reject a signature just because the key that it was
generated with is no longer valid datewise - especially if the kernel
hasn't yet managed to set the system clock when the first module is
loaded - so just remove those checks.
(4) Make it simpler to deal with additional X.509 being loaded into the kernel.
KEYS: Load *.x509 files into kernel keyring
KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate
The builder of the kernel now just places files with the extension ".x509"
into the kernel source or build trees and they're concatenated by the
kernel build and stuffed into the appropriate section.
(5) Add support for userspace kerberos to use keyrings.
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
KEYS: Implement a big key type that can save to tmpfs
Fedora went to, by default, storing kerberos tickets and tokens in tmpfs.
We looked at storing it in keyrings instead as that confers certain
advantages such as tickets being automatically deleted after a certain
amount of time and the ability for the kernel to get at these tokens more
easily.
To make this work, two things were needed:
(a) A way for the tickets to persist beyond the lifetime of all a user's
sessions so that cron-driven processes can still use them.
The problem is that a user's session keyrings are deleted when the
session that spawned them logs out and the user's user keyring is
deleted when the UID is deleted (typically when the last log out
happens), so neither of these places is suitable.
I've added a system keyring into which a 'persistent' keyring is
created for each UID on request. Each time a user requests their
persistent keyring, the expiry time on it is set anew. If the user
doesn't ask for it for, say, three days, the keyring is automatically
expired and garbage collected using the existing gc. All the kerberos
tokens it held are then also gc'd.
(b) A key type that can hold really big tickets (up to 1MB in size).
The problem is that Active Directory can return huge tickets with lots
of auxiliary data attached. We don't, however, want to eat up huge
tracts of unswappable kernel space for this, so if the ticket is
greater than a certain size, we create a swappable shmem file and dump
the contents in there and just live with the fact we then have an
inode and a dentry overhead. If the ticket is smaller than that, we
slap it in a kmalloc()'d buffer"
* 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)
KEYS: Fix keyring content gc scanner
KEYS: Fix error handling in big_key instantiation
KEYS: Fix UID check in keyctl_get_persistent()
KEYS: The RSA public key algorithm needs to select MPILIB
ima: define '_ima' as a builtin 'trusted' keyring
ima: extend the measurement list to include the file signature
kernel/system_certificate.S: use real contents instead of macro GLOBAL()
KEYS: fix error return code in big_key_instantiate()
KEYS: Fix keyring quota misaccounting on key replacement and unlink
KEYS: Fix a race between negating a key and reading the error set
KEYS: Make BIG_KEYS boolean
apparmor: remove the "task" arg from may_change_ptraced_domain()
apparmor: remove parent task info from audit logging
apparmor: remove tsk field from the apparmor_audit_struct
apparmor: fix capability to not use the current task, during reporting
Smack: Ptrace access check mode
ima: provide hash algo info in the xattr
ima: enable support for larger default filedata hash algorithms
ima: define kernel parameter 'ima_template=' to change configured default
ima: add Kconfig default measurement list template
...
|
|
just like the other entries
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
This patch changes the displayed module name from
tpm_tis_i2c_infineon to its actual name tpm_i2c_infineon.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
This is based on the work of Teddy Reed <teddy@prosauce.org> published
on GitHub:
https://github.com/theopolis/tpm-i2c-atmel.git
34894b988b67e0ae55088d6388e77b0dbf10c07d
That driver was never merged, I have taken it as a starting port,
forward ported, tested and revised the driver:
- Make it broadly textually similar to the Infineon and Nuvoton I2C
driver
- Place everything in a format suitable for mainline inclusion
- Use high level I2C functions i2c_master_send and
i2c_master_recv for data xfer
- Use the timeout system from the core code, by faking out a status
register
- Only I2C transfer the number of bytes in the reply, not a fixed
message size.
- checkpatch cleanups
- Testing on ARM Kirkwood, with this device tree, using a
AT97SC3204T-X1A180
tpm@29 {
compatible = "atmel,at97sc3204t";
reg = <0x29>;
};
Signed-off-by: Teddy Reed <teddy@prosauce.org>
[jgg: revised and tested]
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[phuewe: minor whitespace changes]
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
This chip is/was also branded as a Winbond WPCT301.
Originally written by Dan Morav <dmorav@nuvoton.com> and posted to LKML:
https://lkml.org/lkml/2011/9/7/206
The original posting was not merged, I have taken it as a
starting point, forward ported, tested and revised the driver:
- Rework interrupt handling to work properly with level triggered
interrupts. The old version just locked up.
- Synchronize various items with Peter Huewe's Infineon driver:
* Add durations/timeouts sysfs calls
* Remove I2C device auto-detection
* Don't fiddle with chip->release
* Call tpm_dev_vendor_release in the probe error path
* Use MODULE_DEVICE_TABLE for the I2C ids
* Provide OF compatible strings for DT support
* Use SIMPLE_DEV_PM_OPS
* Use module_i2c_driver
- checkpatch cleanups
- Testing on ARM Kirkwood with GPIO interrupts, with this device tree:
tpm@57 {
compatible = "nuvoton,npct501";
reg = <0x57>;
interrupt-parent = <&gpio1>;
interrupts = <6 IRQ_TYPE_LEVEL_LOW>;
};
Signed-off-by: Dan Morav <dmorav@nuvoton.com>
[jgg: revised and tested]
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[phuewe: minor whitespace changes, fixed module name in kconfig]
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
Now that we can have multiple .c files in the tpm module there is
no reason for tpm-bios.
tpm-bios exported several functions: tpm_bios_log_setup,
tpm_bios_log_teardown, tpm_add_ppi, and tpm_remove_ppi.
They are only used by tpm, and if tpm-bios is built then
tpm will unconditionally require them. Further, tpm-bios does
nothing on its own, it has no module_init function.
Thus we remove the exports and merge the modules to simplify things.
The Makefile conditions are changed slightly to match the code,
tpm_ppi is always required if CONFIG_ACPI is set.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
|
|
This is preparation for making the tpm module multi-file. kbuild does
not like having a .c file with the same name as a module. We wish to
keep the tpm module name so that userspace doesn't see this change.
tpm-interface.c is chosen because the next several commits in the series
migrate items into tpm-sysfs.c, tpm-dev.c and tpm-class.c. All that will
be left is tpm command processing and interfacing code.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
|
|
before we rename the file it might be a good idea to cleanup the long
persisting checkpatch warnings.
Since everything is really trivial, splitting the patch up would only
result in noise.
For the interested reader - here the checkpatch warnings:
(regrouped for easer readability)
ERROR: trailing whitespace
+ * Specifications at www.trustedcomputinggroup.org^I $
+ * $
+^I/* $
+^I parameters (RSA 12->bytes: keybit, #primes, expbit) $
WARNING: unnecessary whitespace before a quoted newline
+ "invalid count value %x %zx \n", count, bufsiz);
ERROR: do not use assignment in if condition
+ if ((rc = chip->vendor.send(chip, (u8 *) buf, count)) < 0) {
ERROR: space required after that ',' (ctx:VxV)
+ len = tpm_transmit(chip,(u8 *) cmd, len);
^
ERROR: "foo * bar" should be "foo *bar"
+ssize_t tpm_show_enabled(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_enabled(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_active(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_active(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_owned(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_owned(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_temp_deactivated(struct device * dev,
+ struct device_attribute * attr, char *buf)
WARNING: please, no space before tabs
+ * @chip_num: ^Itpm idx # or ANY$
+ * @res_buf: ^ITPM_PCR value$
+ * ^I^Isize of res_buf is 20 bytes (or NULL if you don't care)$
+ * @chip_num: ^Itpm idx # or AN&$
+ * @hash: ^Ihash value used to extend pcr value$
ERROR: code indent should use tabs where possible
+^I TPM_ORD_CONTINUE_SELFTEST);$
WARNING: line over 80 characters
+static bool wait_for_tpm_stat_cond(struct tpm_chip *chip, u8 mask, bool check_cancel,
ERROR: trailing whitespace
+ * Called from tpm_<specific>.c probe function only for devices $
total: 16 errors, 7 warnings, 1554 lines checked
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
The version of the TPM should not depend on the bus it is connected
through. 1.1, 1.2 and soon 2.0 TPMS will be all be able to use the
same bus interfaces.
Make tpm_show_caps try the 1.2 capability first. If that fails then
fall back to the 1.1 capability. This effectively auto-detects what
interface the TPM supports at run-time.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
For some reason this driver thinks that chip->data_buffer needs
to be set before it can call tpm_pm_*. This is not true. data_buffer
is used only by /dev/tpmX, which is why it is managed exclusively
by the fops functions.
Cc: Mathias Leblanc <mathias.leblanc@st.com>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
|
|
TPM drivers should not call dev_set_drvdata (or aliases), only the core
code is allowed to call dev_set_drvdata, and it does it during
tpm_register_hardware.
These extra sets are harmless, but are an anti-pattern that many drivers
have copied.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Acked-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
misc_open sets the file->private_date to the misc_dev when calling
open. We can use container_of to go from the misc_dev back to the
tpm_chip.
Future clean ups will move tpm_open into a new file and this change
means we do not have to export the tpm_chip list.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Acked-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
Just put the memory directly in the chip structure, rather than
in a 2nd dedicated kmalloc.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Acked-by: Ashley Lai <adlai@linux.vnet.ibm.com>
|
|
Commit e0dd03caf20d040a0a86 ("tpm: return chip from
tpm_register_hardware") changed the code path here so that
ateml_get_base_addr no longer directly altered the tpm_vendor_specific
structure, and instead placed the base address on the stack.
The commit missed updating the request_region call, which would have
resulted in request_region being called with 0 as the base address.
I don't know if request_region(0, ..) will fail, if so the
driver has been broken since 2006 and we should remove it
from the tree as it has no users.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
This suppresses compile warnings on 32 bit builds.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Acked-by: Ashley Lai <adlai@linux.vnet.ibm.com>
|
|
xen-tpmfront fails to build on arm64 with the following error:
drivers/char/tpm/xen-tpmfront.c: In function ‘xen_tpmfront_init’:
drivers/char/tpm/xen-tpmfront.c:422:2: error: implicit declaration of function ‘xen_domain’ [-Werror=implicit-function-declaration]
Add include of xen/xen.h to fix this.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Acked-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Cc: Leonidas Da Silva Barbosa <leosilva@linux.vnet.ibm.com>
Cc: Rajiv Andrade <mail@srajiv.net>
Cc: Marcel Selhorst <tpmdd@selhorst.net>
Cc: Sirrix AG <tpmdd@sirrix.com>
Cc: tpmdd-devel@lists.sourceforge.net
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull Xen fixes from Konrad Rzeszutek Wilk:
"Bug-fixes and one update to the kernel-paramters.txt documentation.
- Fix PV spinlocks triggering jump_label code bug
- Remove extraneous code in the tpm front driver
- Fix ballooning out of pages when non-preemptible
- Fix deadlock when using a 32-bit initial domain with large amount
of memory
- Add xen_nopvpsin parameter to the documentation"
* tag 'stable/for-linus-3.12-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen/spinlock: Document the xen_nopvspin parameter.
xen/p2m: check MFN is in range before using the m2p table
xen/balloon: don't alloc page while non-preemptible
xen: Do not enable spinlocks before jump_label_init() has executed
tpm: xen-tpmfront: Remove the locality sysfs attribute
tpm: xen-tpmfront: Fix default durations
|
|
Upon deeper review it was agreed to remove the driver-unique
'locality' sysfs attribute before it is present in a released
kernel.
The attribute was introduced in e2683957fb268c6b29316fd9e7191e13239a30a5
during the 3.12 merge window, so this patch needs to go in before
3.12 is released.
The hope is to have a well defined locality API that all the other
locality aware drivers can use, perhaps in 3.13.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
|
|
All the default durations were being set to 10 minutes which is
way too long for the timeouts. Normal values for the longest
duration are around 5 mins, and short duration ar around .5s.
Further, these are just the default, tpm_get_timeouts will set
them to values from the TPM (or throw an error).
Just remove them.
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
Convert drivers/char/tpm/tpm_tis.c to use dev_pm_ops instead of legacy
pm_ops. This patch depends on pnp driver bus ops change to invoke
pnp_driver dev_pm_ops.
Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Cc: Matthew Garrett <matthew.garrett@nebula.com>
Cc: Leonidas Da Silva Barbosa <leosilva@linux.vnet.ibm.com>
Cc: Ashley Lai <ashley@ashleylai.com>
Cc: Rajiv Andrade <mail@srajiv.net>
Cc: Marcel Selhorst <tpmdd@selhorst.net>
Cc: Sirrix AG <tpmdd@sirrix.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Grant Likely <grant.likely@linaro.org>
Cc: Rob Herring <rob.herring@calxeda.com>
Cc: Peter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Randy reports:
x86_64:
drivers/built-in.o: In function `xen_tpmfront_init':
xen-tpmfront.c:(.init.text+0x257c): undefined reference to `xenbus_register_frontend'
This is nicely fixed by selecting the XenBus frontend module.
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
This is a complete rewrite of the Xen TPM frontend driver, taking
advantage of a simplified frontend/backend interface and adding support
for cancellation and timeouts. The backend for this driver is provided
by a vTPM stub domain using the interface in Xen 4.3.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Matthew Fioravante <matthew.fioravante@jhuapl.edu>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Peter Huewe <peterhuewe@gmx.de>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
This driver does not use any module parameters anymore,
so the inclusion of the header file can be removed.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
The I2C client driver is not supposed to modify the client's driver pointer,
this is handled by the I2C core.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
ppc builds
The 8119807 commit reintroduced a regression
(error: __ksymtab_tpm_dev_release causes a section type conflict) that was fixed by commit
cbb2ed4.
Fix it for good by adding the prototype to tpm.h so sparse doesn't
complain about it anymore.
Reported-by: Tony Camuso <tcamuso@redhat.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
|
|
IMA requires access to TPM_DIGEST_SIZE definition. This patch
moves the definition to <linux/tpm.h>.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Add the missing platform_driver_unregister() before return
from init_tis() in the device register error handling case.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
If the TPM has already been sent a SaveState command before the driver
is loaded it may have problems sending that same command again later.
This issue is seen with the Chromebook Pixel due to a firmware bug in
the legacy mode boot path which is sending the SaveState command
before booting the kernel. More information is available at
http://crbug.com/203524
This change introduces a retry of the SaveState command in the suspend
path in order to work around this issue. A future firmware update
should fix this but this is also a trivial workaround in the driver
that has no effect on systems that do not show this problem.
When this does happen the TPM responds with a non-fatal TPM_RETRY code
that is defined in the specification:
The TPM is too busy to respond to the command immediately, but the
command could be resubmitted at a later time. The TPM MAY return
TPM_RETRY for any command at any time.
It can take several seconds before the TPM will respond again. I
measured a typical time between 3 and 4 seconds and the timeout is set
at a safe 5 seconds.
It is also possible to reproduce this with commands via /dev/tpm0.
The bug linked above has a python script attached which can be used to
test for this problem. I tested a variety of TPMs from Infineon,
Nuvoton, Atmel, and STMicro but was only able to reproduce this with
LPC and I2C TPMs from Infineon.
The TPM specification only loosely defines this behavior:
TPM Main Level 2 Part 3 v1.2 r116, section 3.3. TPM_SaveState:
The TPM MAY declare all preserved values invalid in response to any
command other than TPM_Init.
TCG PC Client BIOS Spec 1.21 section 8.3.1.
After issuing a TPM_SaveState command, the OS SHOULD NOT issue TPM
commands before transitioning to S3 without issuing another
TPM_SaveState command.
TCG PC Client TIS 1.21, section 4. Power Management:
The TPM_SaveState command allows a Static OS to indicate to the TPM
that the platform may enter a low power state where the TPM will be
required to enter into the D3 power state. The use of the term "may"
is significant in that there is no requirement for the platform to
actually enter the low power state after sending the TPM_SaveState
command. The software may, in fact, send subsequent commands after
sending the TPM_SaveState command.
Change-Id: I52b41e826412688e5b6c8ddd3bb16409939704e9
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Kent Yoder indicated that the code might be a bit clearer with a comment
here, so this patch adds a small explanation of the code.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
table entries
As the subject says.
It's probably a good idea to have these fields populated.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
module.h and sched.h were included twice.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
This driver adds support for Infineon's new SLB 9645 TT 1.2 I2C TPMs,
which supports clockstretching, combined reads and a bus speed of
up to 400khz. The device also has a new device id.
The driver works now also fine with device trees, so you can
instantiate your device by adding:
+ tpm {
+ compatible = "infineon,slb9645tt";
+ reg = <0x20>;
+ };
for SLB 9645 devices or
+ tpm {
+ compatible = "infineon,slb9635tt";
+ reg = <0x20>;
+ };
for SLB 9635 devices
to your device tree.
tpm_i2c_infineon is also retained as a compatible id as a fallback to
slb9635 protocol.
The driver was tested on Beaglebone.
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Convert the struct i2c_msg initialization to C99 format. This makes
maintaining and editing the code simpler. Also helps once other fields
like transferred are added in future.
Thanks to Julia Lawall for automating the conversion.
Signed-off-by: Shubhrajyoti D <shubhrajyoti@ti.com>
Acked-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Ensure that the 'version' string includes a NULL terminator after its
copied out of the acpi table.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Reported-by: Peter Hüwe <peterhuewe@gmx.de>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
We don't need a temporary variable just to store the return value which
gets return in the next statement.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Err is never read before it is assigned again -> remove the dead
assigment.
Found with clang static analyzer
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
With the HOTPLUG changes 3.8 this attribute is going away.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
We don't need to call memcpy for one byte, but assign it directly.
And to make the offset clearer we use the array syntax on the subsequent
call to memset to make the relationship clearer.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Reported-by: Peter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: Peter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
The TIS specification (pg 47) says the valid bit must be set, but
the TPM will not set it until it has completed its internal startup.
The driver checks that the valid bit is set during request_locality,
but it issues a TPM_ACCESS_REQUEST_USE without validating the
valid bit is set.
Some TPMs will ignore the TPM_ACCESS_REQUEST_USE, until valid is
set which causes the request_locality to timeout, which breaks the
driver attach.
Wait one timeout unit for valid to assert. If valid does not assert
then assume -ENODEV.
Seen on embedded with a:
1.2 TPM (device-id 0x3204, rev-id 64)
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Support cancellation of TPM commands when driver is used in interrupt
mode.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
On one of my machines the cancellation of TPM commands does not work.
The reason is that by writing into sysfs 'cancel' the tpm_tis_ready
call causes the status flag TPM_STS_VALID to be set in the statusregister.
However, the TIS driver seems to wait for TPM_STS_COMMAND_READY.
Once a 2nd time sysfs 'cancel' is written to, the TPM_STS_COMMAND_READY flag
also gets set, resulting in TPM_STS_VALID|TPM_STS_COMMAND_READY to be
read from the status register.
This patch now converts req_canceled into a function to enable more complex
comparisons against possible cancellation status codes.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
Store the TPM vendor ID for later use.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
We've been testing an alternative TPM for our embedded products and
found random kernel boot failures due to time outs after the continue
self test command.
This was happening randomly, and has been *very* hard to track down, but
it
looks like with this chip there is some kind of race with the
tpm_tis_status()
check of TPM_STS_COMMAND_READY. If things get there 'too fast' then
it sees the chip is ready, or tpm_tis_ready() works. Otherwise it takes
somewhere over 400ms before the chip will return TPM_STS_COMMAND_READY.
Adding some delay after tpm_continue_selftest() makes things reliably
hit the failure path, otherwise it is a crapshot.
The spec says it should be returning TPM_WARN_DOING_SELFTEST, not
holding
off on ready..
Boot log during this event looks like this:
tpm_tis 70030000.tpm_tis: 1.2 TPM (device-id 0x3204, rev-id 64)
tpm_tis 70030000.tpm_tis: Issuing TPM_STARTUP
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
The other TPM vendor we use doesn't show this wonky behaviour:
tpm_tis 70030000.tpm_tis: 1.2 TPM (device-id 0xFE, rev-id 70)
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
When no i2c bus exists, user-space can cause an oops by triggering a
device probe through a message sent to an i2c "new_device" sysfs entry.
Adding a check for a NULL i2c client structure in the probe function
closes the hole.
This patch also fixes accessing the NULL client struct in the print
function call reporting the error.
Reported-by: Peter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
This patch converts the suspend and resume functions for
tpm_i2c_stm_st33 to the new dev_pm_ops.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|
|
* STMicroelectronics version 1.2.0, Copyright (C) 2010
* STMicroelectronics comes with ABSOLUTELY NO WARRANTY.
* This is free software, and you are welcome to redistribute it
* under certain conditions.
This is the driver for TPM chip from ST Microelectronics.
If you have a TPM security chip from STMicroelectronics working with
an I2C, in menuconfig or .config choose the tpm driver on
device --> tpm and activate the protocol of your choice before compiling
the kernel.
The driver will be accessible from within Linux.
Tested on linux x86/x64, beagleboard REV B & XM REV C and CHROMIUM OS
Signed-off-by: Mathias Leblanc <mathias.leblanc@st.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
|