From 225a9be24d799aa16d543c31fb09f0c9ed1d9caa Mon Sep 17 00:00:00 2001 From: Rajiv Andrade Date: Thu, 25 Mar 2010 00:55:32 -0300 Subject: TPM: workaround to enforce PCR updates across suspends Add a workaround for TPM's which fail to flush last written PCR values in a TPM_SaveState, in preparation for suspend. Signed-off-by: David Safford Acked-by: Rajiv Andrade Signed-off-by: James Morris --- drivers/char/tpm/tpm.c | 47 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index f06bb37defb1..5c447c991bd5 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -1067,6 +1067,27 @@ void tpm_remove_hardware(struct device *dev) } EXPORT_SYMBOL_GPL(tpm_remove_hardware); +#define TPM_ORD_SAVESTATE cpu_to_be32(152) +#define SAVESTATE_RESULT_SIZE 10 + +static struct tpm_input_header savestate_header = { + .tag = TPM_TAG_RQU_COMMAND, + .length = cpu_to_be32(10), + .ordinal = TPM_ORD_SAVESTATE +}; + +/* Bug workaround - some TPM's don't flush the most + * recently changed pcr on suspend, so force the flush + * with an extend to the selected _unused_ non-volatile pcr. + */ +static int tpm_suspend_pcr; +static int __init tpm_suspend_setup(char *str) +{ + get_option(&str, &tpm_suspend_pcr); + return 1; +} +__setup("tpm_suspend_pcr=", tpm_suspend_setup); + /* * We are about to suspend. Save the TPM state * so that it can be restored. @@ -1074,17 +1095,29 @@ EXPORT_SYMBOL_GPL(tpm_remove_hardware); int tpm_pm_suspend(struct device *dev, pm_message_t pm_state) { struct tpm_chip *chip = dev_get_drvdata(dev); - u8 savestate[] = { - 0, 193, /* TPM_TAG_RQU_COMMAND */ - 0, 0, 0, 10, /* blob length (in bytes) */ - 0, 0, 0, 152 /* TPM_ORD_SaveState */ - }; + struct tpm_cmd_t cmd; + int rc; + + u8 dummy_hash[TPM_DIGEST_SIZE] = { 0 }; if (chip == NULL) return -ENODEV; - tpm_transmit(chip, savestate, sizeof(savestate)); - return 0; + /* for buggy tpm, flush pcrs with extend to selected dummy */ + if (tpm_suspend_pcr) { + cmd.header.in = pcrextend_header; + cmd.params.pcrextend_in.pcr_idx = cpu_to_be32(tpm_suspend_pcr); + memcpy(cmd.params.pcrextend_in.hash, dummy_hash, + TPM_DIGEST_SIZE); + rc = transmit_cmd(chip, &cmd, EXTEND_PCR_RESULT_SIZE, + "extending dummy pcr before suspend"); + } + + /* now do the actual savestate */ + cmd.header.in = savestate_header; + rc = transmit_cmd(chip, &cmd, SAVESTATE_RESULT_SIZE, + "sending savestate before suspend"); + return rc; } EXPORT_SYMBOL_GPL(tpm_pm_suspend); -- cgit v1.2.3 From b89e66e1e396f7b5436af154e58209320cc08aed Mon Sep 17 00:00:00 2001 From: Rajiv Andrade Date: Tue, 4 May 2010 18:49:20 -0300 Subject: TPM: ACPI/PNP dependency removal This patch pushes the ACPI dependency into the device driver code itself. Now, even without ACPI/PNP enabled, the device can be registered using the TIS specified memory space. This will however result in the lack of access to the bios event log, being the only implication of such ACPI removal. Signed-off-by: Rajiv Andrade Acked-by: Mimi Zohar Signed-off-by: James Morris --- drivers/char/tpm/Kconfig | 14 +++++++++++--- drivers/char/tpm/tpm_tis.c | 40 +++++++++++++++++++++------------------- 2 files changed, 32 insertions(+), 22 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index f5fc64f89c5c..bfc2c26780fb 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -17,20 +17,28 @@ menuconfig TCG_TPM obtained at: . To compile this driver as a module, choose M here; the module will be called tpm. If unsure, say N. - Note: For more TPM drivers enable CONFIG_PNP, CONFIG_ACPI - and CONFIG_PNPACPI. + Note: For more TPM drivers and BIOS LOG access enable + CONFIG_PNP, CONFIG_ACPI and CONFIG_PNPACPI. if TCG_TPM config TCG_TIS tristate "TPM Interface Specification 1.2 Interface" - depends on PNP ---help--- If you have a TPM security chip that is compliant with the TCG TIS 1.2 TPM specification say Yes and it will be accessible from within Linux. To compile this driver as a module, choose M here; the module will be called tpm_tis. +config TCG_BIOS_LOG + bool "TPM bios mesurement log" + depends on X86 + select ACPI + ---help--- + ACPI is required for access to bios measurements lists and therefore + to validate the PCR[0] value. So say Yes in case you want this + feature and, consequently, ACPI will be enabled. + config TCG_NSC tristate "National Semiconductor TPM Interface" ---help--- diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index 2405f17b29dd..04a18bffb730 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -597,7 +597,7 @@ out_err: tpm_remove_hardware(chip->dev); return rc; } - +#ifdef CONFIG_PNP static int __devinit tpm_tis_pnp_init(struct pnp_dev *pnp_dev, const struct pnp_device_id *pnp_id) { @@ -662,7 +662,7 @@ static struct pnp_driver tis_pnp_driver = { module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, sizeof(tpm_pnp_tbl[TIS_HID_USR_IDX].id), 0444); MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); - +#endif static int tpm_tis_suspend(struct platform_device *dev, pm_message_t msg) { return tpm_pm_suspend(&dev->dev, msg); @@ -689,21 +689,21 @@ MODULE_PARM_DESC(force, "Force device probe rather than using ACPI entry"); static int __init init_tis(void) { int rc; +#ifdef CONFIG_PNP + if (!force) + return pnp_register_driver(&tis_pnp_driver); +#endif - if (force) { - rc = platform_driver_register(&tis_drv); - if (rc < 0) - return rc; - if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) - return PTR_ERR(pdev); - if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); - } + rc = platform_driver_register(&tis_drv); + if (rc < 0) return rc; + if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) + return PTR_ERR(pdev); + if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); } - - return pnp_register_driver(&tis_pnp_driver); + return rc; } static void __exit cleanup_tis(void) @@ -727,12 +727,14 @@ static void __exit cleanup_tis(void) list_del(&i->list); } spin_unlock(&tis_lock); - - if (force) { - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); - } else +#ifdef CONFIG_PNP + if (!force) { pnp_unregister_driver(&tis_pnp_driver); + return; + } +#endif + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); } module_init(init_tis); -- cgit v1.2.3 From ec4a162af388a2716c5314c4aff7029071d09f57 Mon Sep 17 00:00:00 2001 From: James Morris Date: Fri, 7 May 2010 09:19:29 +1000 Subject: Revert "TPM: ACPI/PNP dependency removal" This reverts commit b89e66e1e396f7b5436af154e58209320cc08aed. > > When CONFIG_PM is not set: > > > > drivers/built-in.o: In function `acpi_init': > > bus.c:(.init.text+0x2d84): undefined reference to `pm_flags' > > bus.c:(.init.text+0x2d91): undefined reference to `pm_flags' > > CONFIG_ACPI depends on CONFIG_PM, > so acpi/bus.c should not be compiled for CONFIG_PM=n > > Hmm, is is somebody doing something strange, like "select ACPI" > without guaranteeing that all of ACPI's dependencies are satisfied? Signed-off-by: James Morris --- drivers/char/tpm/Kconfig | 14 +++----------- drivers/char/tpm/tpm_tis.c | 40 +++++++++++++++++++--------------------- 2 files changed, 22 insertions(+), 32 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index bfc2c26780fb..f5fc64f89c5c 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -17,28 +17,20 @@ menuconfig TCG_TPM obtained at: . To compile this driver as a module, choose M here; the module will be called tpm. If unsure, say N. - Note: For more TPM drivers and BIOS LOG access enable - CONFIG_PNP, CONFIG_ACPI and CONFIG_PNPACPI. + Note: For more TPM drivers enable CONFIG_PNP, CONFIG_ACPI + and CONFIG_PNPACPI. if TCG_TPM config TCG_TIS tristate "TPM Interface Specification 1.2 Interface" + depends on PNP ---help--- If you have a TPM security chip that is compliant with the TCG TIS 1.2 TPM specification say Yes and it will be accessible from within Linux. To compile this driver as a module, choose M here; the module will be called tpm_tis. -config TCG_BIOS_LOG - bool "TPM bios mesurement log" - depends on X86 - select ACPI - ---help--- - ACPI is required for access to bios measurements lists and therefore - to validate the PCR[0] value. So say Yes in case you want this - feature and, consequently, ACPI will be enabled. - config TCG_NSC tristate "National Semiconductor TPM Interface" ---help--- diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index 24314a9cffe8..94345994f8a6 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -598,7 +598,7 @@ out_err: tpm_remove_hardware(chip->dev); return rc; } -#ifdef CONFIG_PNP + static int __devinit tpm_tis_pnp_init(struct pnp_dev *pnp_dev, const struct pnp_device_id *pnp_id) { @@ -663,7 +663,7 @@ static struct pnp_driver tis_pnp_driver = { module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, sizeof(tpm_pnp_tbl[TIS_HID_USR_IDX].id), 0444); MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); -#endif + static int tpm_tis_suspend(struct platform_device *dev, pm_message_t msg) { return tpm_pm_suspend(&dev->dev, msg); @@ -690,21 +690,21 @@ MODULE_PARM_DESC(force, "Force device probe rather than using ACPI entry"); static int __init init_tis(void) { int rc; -#ifdef CONFIG_PNP - if (!force) - return pnp_register_driver(&tis_pnp_driver); -#endif - rc = platform_driver_register(&tis_drv); - if (rc < 0) + if (force) { + rc = platform_driver_register(&tis_drv); + if (rc < 0) + return rc; + if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) + return PTR_ERR(pdev); + if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); + } return rc; - if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) - return PTR_ERR(pdev); - if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); } - return rc; + + return pnp_register_driver(&tis_pnp_driver); } static void __exit cleanup_tis(void) @@ -728,14 +728,12 @@ static void __exit cleanup_tis(void) list_del(&i->list); } spin_unlock(&tis_lock); -#ifdef CONFIG_PNP - if (!force) { + + if (force) { + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); + } else pnp_unregister_driver(&tis_pnp_driver); - return; - } -#endif - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); } module_init(init_tis); -- cgit v1.2.3 From 7f2ab000c6f2ae46070807a3bf645c45d8639460 Mon Sep 17 00:00:00 2001 From: Rajiv Andrade Date: Thu, 13 May 2010 17:37:54 -0300 Subject: TPM: ACPI/PNP dependency removal This patch pushes the ACPI dependency into the device driver code itself. Now, even without ACPI/PNP enabled, the device can be registered using the TIS specified memory space. This will however result in the lack of access to the BIOS event log, being the only implication of such ACPI removal. Signed-off-by: Rajiv Andrade Acked-by: Mimi Zohar Signed-off-by: James Morris --- drivers/char/tpm/Kconfig | 6 ++++-- drivers/char/tpm/tpm_tis.c | 40 +++++++++++++++++++++------------------- 2 files changed, 25 insertions(+), 21 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index f5fc64f89c5c..4dc338f3d1aa 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -17,14 +17,16 @@ menuconfig TCG_TPM obtained at: . To compile this driver as a module, choose M here; the module will be called tpm. If unsure, say N. - Note: For more TPM drivers enable CONFIG_PNP, CONFIG_ACPI + Notes: + 1) For more TPM drivers enable CONFIG_PNP, CONFIG_ACPI and CONFIG_PNPACPI. + 2) Without ACPI enabled, the BIOS event log won't be accessible, + which is required to validate the PCR 0-7 values. if TCG_TPM config TCG_TIS tristate "TPM Interface Specification 1.2 Interface" - depends on PNP ---help--- If you have a TPM security chip that is compliant with the TCG TIS 1.2 TPM specification say Yes and it will be accessible diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index 94345994f8a6..24314a9cffe8 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -598,7 +598,7 @@ out_err: tpm_remove_hardware(chip->dev); return rc; } - +#ifdef CONFIG_PNP static int __devinit tpm_tis_pnp_init(struct pnp_dev *pnp_dev, const struct pnp_device_id *pnp_id) { @@ -663,7 +663,7 @@ static struct pnp_driver tis_pnp_driver = { module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, sizeof(tpm_pnp_tbl[TIS_HID_USR_IDX].id), 0444); MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); - +#endif static int tpm_tis_suspend(struct platform_device *dev, pm_message_t msg) { return tpm_pm_suspend(&dev->dev, msg); @@ -690,21 +690,21 @@ MODULE_PARM_DESC(force, "Force device probe rather than using ACPI entry"); static int __init init_tis(void) { int rc; +#ifdef CONFIG_PNP + if (!force) + return pnp_register_driver(&tis_pnp_driver); +#endif - if (force) { - rc = platform_driver_register(&tis_drv); - if (rc < 0) - return rc; - if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) - return PTR_ERR(pdev); - if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); - } + rc = platform_driver_register(&tis_drv); + if (rc < 0) return rc; + if (IS_ERR(pdev=platform_device_register_simple("tpm_tis", -1, NULL, 0))) + return PTR_ERR(pdev); + if((rc=tpm_tis_init(&pdev->dev, TIS_MEM_BASE, TIS_MEM_LEN, 0)) != 0) { + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); } - - return pnp_register_driver(&tis_pnp_driver); + return rc; } static void __exit cleanup_tis(void) @@ -728,12 +728,14 @@ static void __exit cleanup_tis(void) list_del(&i->list); } spin_unlock(&tis_lock); - - if (force) { - platform_device_unregister(pdev); - platform_driver_unregister(&tis_drv); - } else +#ifdef CONFIG_PNP + if (!force) { pnp_unregister_driver(&tis_pnp_driver); + return; + } +#endif + platform_device_unregister(pdev); + platform_driver_unregister(&tis_drv); } module_init(init_tis); -- cgit v1.2.3