From fd3ec3663718e5f89fbcbc18a67885203fd914a1 Mon Sep 17 00:00:00 2001 From: Thiebaud Weksteen Date: Wed, 20 Sep 2017 10:13:36 +0200 Subject: tpm: move tpm_eventlog.h outside of drivers folder The generic definitions of data structures in tpm_eventlog.h are required by other part of the kernel (namely, the EFI stub). Signed-off-by: Thiebaud Weksteen Reviewed-by: Javier Martinez Canillas Tested-by: Javier Martinez Canillas Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- include/linux/tpm_eventlog.h | 121 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 include/linux/tpm_eventlog.h (limited to 'include') diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h new file mode 100644 index 000000000000..a2a86783f974 --- /dev/null +++ b/include/linux/tpm_eventlog.h @@ -0,0 +1,121 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef __LINUX_TPM_EVENTLOG_H__ +#define __LINUX_TPM_EVENTLOG_H__ + +#include + +#define TCG_EVENT_NAME_LEN_MAX 255 +#define MAX_TEXT_EVENT 1000 /* Max event string length */ +#define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ +#define TPM2_ACTIVE_PCR_BANKS 3 + +#ifdef CONFIG_PPC64 +#define do_endian_conversion(x) be32_to_cpu(x) +#else +#define do_endian_conversion(x) x +#endif + +enum bios_platform_class { + BIOS_CLIENT = 0x00, + BIOS_SERVER = 0x01, +}; + +struct tcpa_event { + u32 pcr_index; + u32 event_type; + u8 pcr_value[20]; /* SHA1 */ + u32 event_size; + u8 event_data[0]; +}; + +enum tcpa_event_types { + PREBOOT = 0, + POST_CODE, + UNUSED, + NO_ACTION, + SEPARATOR, + ACTION, + EVENT_TAG, + SCRTM_CONTENTS, + SCRTM_VERSION, + CPU_MICROCODE, + PLATFORM_CONFIG_FLAGS, + TABLE_OF_DEVICES, + COMPACT_HASH, + IPL, + IPL_PARTITION_DATA, + NONHOST_CODE, + NONHOST_CONFIG, + NONHOST_INFO, +}; + +struct tcpa_pc_event { + u32 event_id; + u32 event_size; + u8 event_data[0]; +}; + +enum tcpa_pc_event_ids { + SMBIOS = 1, + BIS_CERT, + POST_BIOS_ROM, + ESCD, + CMOS, + NVRAM, + OPTION_ROM_EXEC, + OPTION_ROM_CONFIG, + OPTION_ROM_MICROCODE = 10, + S_CRTM_VERSION, + S_CRTM_CONTENTS, + POST_CONTENTS, + HOST_TABLE_OF_DEVICES, +}; + +/* http://www.trustedcomputinggroup.org/tcg-efi-protocol-specification/ */ + +struct tcg_efi_specid_event_algs { + u16 alg_id; + u16 digest_size; +} __packed; + +struct tcg_efi_specid_event { + u8 signature[16]; + u32 platform_class; + u8 spec_version_minor; + u8 spec_version_major; + u8 spec_errata; + u8 uintnsize; + u32 num_algs; + struct tcg_efi_specid_event_algs digest_sizes[TPM2_ACTIVE_PCR_BANKS]; + u8 vendor_info_size; + u8 vendor_info[0]; +} __packed; + +struct tcg_pcr_event { + u32 pcr_idx; + u32 event_type; + u8 digest[20]; + u32 event_size; + u8 event[0]; +} __packed; + +struct tcg_event_field { + u32 event_size; + u8 event[0]; +} __packed; + +struct tpm2_digest { + u16 alg_id; + u8 digest[SHA512_DIGEST_SIZE]; +} __packed; + +struct tcg_pcr_event2 { + u32 pcr_idx; + u32 event_type; + u32 count; + struct tpm2_digest digests[TPM2_ACTIVE_PCR_BANKS]; + struct tcg_event_field event; +} __packed; + +#endif -- cgit v1.2.3 From 4d01d29d9307d321149ff5ad66d47bee8e56c012 Mon Sep 17 00:00:00 2001 From: Thiebaud Weksteen Date: Wed, 20 Sep 2017 10:13:38 +0200 Subject: tpm: add event log format version Although defined as part of the TCG EFI specification, we add these definitions here so that any event log provider may reference them. Signed-off-by: Thiebaud Weksteen Reviewed-by: Javier Martinez Canillas Tested-by: Javier Martinez Canillas Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- include/linux/tpm_eventlog.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include') diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index a2a86783f974..20d9da77fc11 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -10,6 +10,9 @@ #define ACPI_TCPA_SIG "TCPA" /* 0x41504354 /'TCPA' */ #define TPM2_ACTIVE_PCR_BANKS 3 +#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 0x1 +#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 0x2 + #ifdef CONFIG_PPC64 #define do_endian_conversion(x) be32_to_cpu(x) #else -- cgit v1.2.3 From 33b6d03469b2206fb51ecc37f40411a857ad8fff Mon Sep 17 00:00:00 2001 From: Thiebaud Weksteen Date: Wed, 20 Sep 2017 10:13:39 +0200 Subject: efi: call get_event_log before ExitBootServices With TPM 2.0 specification, the event logs may only be accessible by calling an EFI Boot Service. Modify the EFI stub to copy the log area to a new Linux-specific EFI configuration table so it remains accessible once booted. When calling this service, it is possible to specify the expected format of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the first format is retrieved. Signed-off-by: Thiebaud Weksteen Reviewed-by: Javier Martinez Canillas Tested-by: Javier Martinez Canillas Tested-by: Jarkko Sakkinen Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- arch/x86/boot/compressed/eboot.c | 1 + drivers/firmware/efi/Makefile | 2 +- drivers/firmware/efi/efi.c | 4 ++ drivers/firmware/efi/libstub/Makefile | 3 +- drivers/firmware/efi/libstub/tpm.c | 81 +++++++++++++++++++++++++++++++++++ drivers/firmware/efi/tpm.c | 40 +++++++++++++++++ include/linux/efi.h | 46 ++++++++++++++++++++ 7 files changed, 174 insertions(+), 3 deletions(-) create mode 100644 drivers/firmware/efi/tpm.c (limited to 'include') diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index e56dbc67e837..353e20c3f114 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -999,6 +999,7 @@ struct boot_params *efi_main(struct efi_config *c, /* Ask the firmware to clear memory on unclean shutdown */ efi_enable_reset_attack_mitigation(sys_table); + efi_retrieve_tpm2_eventlog(sys_table); setup_graphics(boot_params); diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index 269501dfba53..1d7226fb7d2f 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile @@ -11,7 +11,7 @@ KASAN_SANITIZE_runtime-wrappers.o := n obj-$(CONFIG_ACPI_BGRT) += efi-bgrt.o -obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o +obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o tpm.o obj-$(CONFIG_EFI) += capsule.o memmap.o obj-$(CONFIG_EFI_VARS) += efivars.o obj-$(CONFIG_EFI_ESRT) += esrt.o diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 557a47829d03..cfa6fe786ab6 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -52,6 +52,7 @@ struct efi __read_mostly efi = { .properties_table = EFI_INVALID_TABLE_ADDR, .mem_attr_table = EFI_INVALID_TABLE_ADDR, .rng_seed = EFI_INVALID_TABLE_ADDR, + .tpm_log = EFI_INVALID_TABLE_ADDR }; EXPORT_SYMBOL(efi); @@ -464,6 +465,7 @@ static __initdata efi_config_table_type_t common_tables[] = { {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table}, {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table}, {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed}, + {LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", &efi.tpm_log}, {NULL_GUID, NULL, NULL}, }; @@ -552,6 +554,8 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz, if (efi_enabled(EFI_MEMMAP)) efi_memattr_init(); + efi_tpm_eventlog_init(); + /* Parse the EFI Properties table if it exists */ if (efi.properties_table != EFI_INVALID_TABLE_ADDR) { efi_properties_table_t *tbl; diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index adaa4a964f0c..7b3ba40f0745 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -30,8 +30,7 @@ OBJECT_FILES_NON_STANDARD := y # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in. KCOV_INSTRUMENT := n -lib-y := efi-stub-helper.o gop.o secureboot.o -lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o +lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o # include the stub's generic dependencies from lib/ when building for ARM/arm64 arm-deps-y := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c index 6224cdbc9669..da661bf8cb96 100644 --- a/drivers/firmware/efi/libstub/tpm.c +++ b/drivers/firmware/efi/libstub/tpm.c @@ -4,15 +4,18 @@ * Copyright (C) 2016 CoreOS, Inc * Copyright (C) 2017 Google, Inc. * Matthew Garrett + * Thiebaud Weksteen * * This file is part of the Linux kernel, and is made available under the * terms of the GNU General Public License version 2. */ #include +#include #include #include "efistub.h" +#ifdef CONFIG_RESET_ATTACK_MITIGATION static const efi_char16_t efi_MemoryOverWriteRequest_name[] = { 'M', 'e', 'm', 'o', 'r', 'y', 'O', 'v', 'e', 'r', 'w', 'r', 'i', 't', 'e', 'R', 'e', 'q', 'u', 'e', 's', 't', 'C', 'o', 'n', 't', 'r', 'o', @@ -56,3 +59,81 @@ void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), &val); } + +#endif + +void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) +{ + efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID; + efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID; + efi_status_t status; + efi_physical_addr_t log_location, log_last_entry; + struct linux_efi_tpm_eventlog *log_tbl; + unsigned long first_entry_addr, last_entry_addr; + size_t log_size, last_entry_size; + efi_bool_t truncated; + void *tcg2_protocol; + + status = efi_call_early(locate_protocol, &tcg2_guid, NULL, + &tcg2_protocol); + if (status != EFI_SUCCESS) + return; + + status = efi_call_proto(efi_tcg2_protocol, get_event_log, tcg2_protocol, + EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2, + &log_location, &log_last_entry, &truncated); + if (status != EFI_SUCCESS) + return; + + if (!log_location) + return; + first_entry_addr = (unsigned long) log_location; + + /* + * We populate the EFI table even if the logs are empty. + */ + if (!log_last_entry) { + log_size = 0; + } else { + last_entry_addr = (unsigned long) log_last_entry; + /* + * get_event_log only returns the address of the last entry. + * We need to calculate its size to deduce the full size of + * the logs. + */ + last_entry_size = sizeof(struct tcpa_event) + + ((struct tcpa_event *) last_entry_addr)->event_size; + log_size = log_last_entry - log_location + last_entry_size; + } + + /* Allocate space for the logs and copy them. */ + status = efi_call_early(allocate_pool, EFI_LOADER_DATA, + sizeof(*log_tbl) + log_size, + (void **) &log_tbl); + + if (status != EFI_SUCCESS) { + efi_printk(sys_table_arg, + "Unable to allocate memory for event log\n"); + return; + } + + memset(log_tbl, 0, sizeof(*log_tbl) + log_size); + log_tbl->size = log_size; + log_tbl->version = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; + memcpy(log_tbl->log, (void *) first_entry_addr, log_size); + + status = efi_call_early(install_configuration_table, + &linux_eventlog_guid, log_tbl); + if (status != EFI_SUCCESS) + goto err_free; + return; + +err_free: + efi_call_early(free_pool, log_tbl); +} + +void efi_retrieve_tpm2_eventlog(efi_system_table_t *sys_table_arg) +{ + /* Only try to retrieve the logs in 1.2 format. */ + efi_retrieve_tpm2_eventlog_1_2(sys_table_arg); +} diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c new file mode 100644 index 000000000000..0cbeb3d46b18 --- /dev/null +++ b/drivers/firmware/efi/tpm.c @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2017 Google, Inc. + * Thiebaud Weksteen + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include +#include +#include + +#include + +/* + * Reserve the memory associated with the TPM Event Log configuration table. + */ +int __init efi_tpm_eventlog_init(void) +{ + struct linux_efi_tpm_eventlog *log_tbl; + unsigned int tbl_size; + + if (efi.tpm_log == EFI_INVALID_TABLE_ADDR) + return 0; + + log_tbl = early_memremap(efi.tpm_log, sizeof(*log_tbl)); + if (!log_tbl) { + pr_err("Failed to map TPM Event Log table @ 0x%lx\n", + efi.tpm_log); + efi.tpm_log = EFI_INVALID_TABLE_ADDR; + return -ENOMEM; + } + + tbl_size = sizeof(*log_tbl) + log_tbl->size; + memblock_reserve(efi.tpm_log, tbl_size); + early_memunmap(log_tbl, sizeof(*log_tbl)); + return 0; +} + diff --git a/include/linux/efi.h b/include/linux/efi.h index d813f7b04da7..dcea82dc4b89 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -473,6 +473,39 @@ typedef struct { u64 get_all; } apple_properties_protocol_64_t; +typedef struct { + u32 get_capability; + u32 get_event_log; + u32 hash_log_extend_event; + u32 submit_command; + u32 get_active_pcr_banks; + u32 set_active_pcr_banks; + u32 get_result_of_set_active_pcr_banks; +} efi_tcg2_protocol_32_t; + +typedef struct { + u64 get_capability; + u64 get_event_log; + u64 hash_log_extend_event; + u64 submit_command; + u64 get_active_pcr_banks; + u64 set_active_pcr_banks; + u64 get_result_of_set_active_pcr_banks; +} efi_tcg2_protocol_64_t; + +typedef u32 efi_tcg2_event_log_format; + +typedef struct { + void *get_capability; + efi_status_t (*get_event_log)(efi_handle_t, efi_tcg2_event_log_format, + efi_physical_addr_t *, efi_physical_addr_t *, efi_bool_t *); + void *hash_log_extend_event; + void *submit_command; + void *get_active_pcr_banks; + void *set_active_pcr_banks; + void *get_result_of_set_active_pcr_banks; +} efi_tcg2_protocol_t; + /* * Types and defines for EFI ResetSystem */ @@ -623,6 +656,7 @@ void efi_native_runtime_setup(void); #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20) #define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d) #define APPLE_PROPERTIES_PROTOCOL_GUID EFI_GUID(0x91bd12fe, 0xf6c3, 0x44fb, 0xa5, 0xb7, 0x51, 0x22, 0xab, 0x30, 0x3a, 0xe0) +#define EFI_TCG2_PROTOCOL_GUID EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f) #define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f) #define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23) @@ -635,6 +669,7 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95) #define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f) #define LINUX_EFI_RANDOM_SEED_TABLE_GUID EFI_GUID(0x1ce1e5bc, 0x7ceb, 0x42f2, 0x81, 0xe5, 0x8a, 0xad, 0xf1, 0x80, 0xf5, 0x7b) +#define LINUX_EFI_TPM_EVENT_LOG_GUID EFI_GUID(0xb7799cb0, 0xeca2, 0x4943, 0x96, 0x67, 0x1f, 0xae, 0x07, 0xb7, 0x47, 0xfa) typedef struct { efi_guid_t guid; @@ -909,6 +944,7 @@ extern struct efi { unsigned long properties_table; /* properties table */ unsigned long mem_attr_table; /* memory attributes table */ unsigned long rng_seed; /* UEFI firmware random seed */ + unsigned long tpm_log; /* TPM2 Event Log table */ efi_get_time_t *get_time; efi_set_time_t *set_time; efi_get_wakeup_time_t *get_wakeup_time; @@ -1534,6 +1570,8 @@ static inline void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) { } #endif +void efi_retrieve_tpm2_eventlog(efi_system_table_t *sys_table); + /* * Arch code can implement the following three template macros, avoiding * reptition for the void/non-void return cases of {__,}efi_call_virt(): @@ -1601,4 +1639,12 @@ struct linux_efi_random_seed { u8 bits[]; }; +struct linux_efi_tpm_eventlog { + u32 size; + u8 version; + u8 log[]; +}; + +extern int efi_tpm_eventlog_init(void); + #endif /* _LINUX_EFI_H */ -- cgit v1.2.3 From aad887f6641145fec2a801da2ce4ed36cf99c6a5 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Sun, 5 Nov 2017 13:16:26 +0200 Subject: tpm: use struct tpm_chip for tpm_chip_find_get() Device number (the character device index) is not a stable identifier for a TPM chip. That is the reason why every call site passes TPM_ANY_NUM to tpm_chip_find_get(). This commit changes the API in a way that instead a struct tpm_chip instance is given and NULL means the default chip. In addition, this commit refines the documentation to be up to date with the implementation. Suggested-by: Jason Gunthorpe (@chip_num -> @chip part) Signed-off-by: Jarkko Sakkinen Reviewed-by: Jason Gunthorpe Tested-by: PrasannaKumar Muralidharan --- drivers/char/hw_random/tpm-rng.c | 2 +- drivers/char/tpm/tpm-chip.c | 24 ++++--- drivers/char/tpm/tpm-interface.c | 135 +++++++++++++++++++----------------- drivers/char/tpm/tpm.h | 2 +- include/linux/tpm.h | 38 +++++----- security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/trusted.c | 35 +++++----- 9 files changed, 126 insertions(+), 116 deletions(-) (limited to 'include') diff --git a/drivers/char/hw_random/tpm-rng.c b/drivers/char/hw_random/tpm-rng.c index d6d448266f07..c5e363825af0 100644 --- a/drivers/char/hw_random/tpm-rng.c +++ b/drivers/char/hw_random/tpm-rng.c @@ -25,7 +25,7 @@ static int tpm_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) { - return tpm_get_random(TPM_ANY_NUM, data, max); + return tpm_get_random(NULL, data, max); } static struct hwrng tpm_rng = { diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index a114e8f7fb90..bab9c14e040c 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -81,21 +81,26 @@ void tpm_put_ops(struct tpm_chip *chip) EXPORT_SYMBOL_GPL(tpm_put_ops); /** - * tpm_chip_find_get() - return tpm_chip for a given chip number - * @chip_num: id to find + * tpm_chip_find_get() - find and reserve a TPM chip + * @chip: a &struct tpm_chip instance, %NULL for the default chip * - * The return'd chip has been tpm_try_get_ops'd and must be released via - * tpm_put_ops + * Finds a TPM chip and reserves its class device and operations. The chip must + * be released with tpm_chip_put_ops() after use. + * + * Return: + * A reserved &struct tpm_chip instance. + * %NULL if a chip is not found. + * %NULL if the chip is not available. */ -struct tpm_chip *tpm_chip_find_get(int chip_num) +struct tpm_chip *tpm_chip_find_get(struct tpm_chip *chip) { - struct tpm_chip *chip, *res = NULL; + struct tpm_chip *res = NULL; + int chip_num = 0; int chip_prev; mutex_lock(&idr_lock); - if (chip_num == TPM_ANY_NUM) { - chip_num = 0; + if (!chip) { do { chip_prev = chip_num; chip = idr_get_next(&dev_nums_idr, &chip_num); @@ -105,8 +110,7 @@ struct tpm_chip *tpm_chip_find_get(int chip_num) } } while (chip_prev != chip_num); } else { - chip = idr_find(&dev_nums_idr, chip_num); - if (chip && !tpm_try_get_ops(chip)) + if (!tpm_try_get_ops(chip)) res = chip; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index ebe0a1d36d8c..19f820f775b5 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -809,19 +809,20 @@ int tpm_pcr_read_dev(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) } /** - * tpm_is_tpm2 - is the chip a TPM2 chip? - * @chip_num: tpm idx # or ANY + * tpm_is_tpm2 - do we a have a TPM2 chip? + * @chip: a &struct tpm_chip instance, %NULL for the default chip * - * Returns < 0 on error, and 1 or 0 on success depending whether the chip - * is a TPM2 chip. + * Return: + * 1 if we have a TPM2 chip. + * 0 if we don't have a TPM2 chip. + * A negative number for system errors (errno). */ -int tpm_is_tpm2(u32 chip_num) +int tpm_is_tpm2(struct tpm_chip *chip) { - struct tpm_chip *chip; int rc; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL) + chip = tpm_chip_find_get(chip); + if (!chip) return -ENODEV; rc = (chip->flags & TPM_CHIP_FLAG_TPM2) != 0; @@ -833,23 +834,19 @@ int tpm_is_tpm2(u32 chip_num) EXPORT_SYMBOL_GPL(tpm_is_tpm2); /** - * tpm_pcr_read - read a pcr value - * @chip_num: tpm idx # or ANY - * @pcr_idx: pcr idx to retrieve - * @res_buf: TPM_PCR value - * size of res_buf is 20 bytes (or NULL if you don't care) + * tpm_pcr_read - read a PCR value from SHA1 bank + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @pcr_idx: the PCR to be retrieved + * @res_buf: the value of the PCR * - * The TPM driver should be built-in, but for whatever reason it - * isn't, protect against the chip disappearing, by incrementing - * the module usage count. + * Return: same as with tpm_transmit_cmd() */ -int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) +int tpm_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) { - struct tpm_chip *chip; int rc; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL) + chip = tpm_chip_find_get(chip); + if (!chip) return -ENODEV; if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_pcr_read(chip, pcr_idx, res_buf); @@ -889,25 +886,26 @@ static int tpm1_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash, } /** - * tpm_pcr_extend - extend pcr value with hash - * @chip_num: tpm idx # or AN& - * @pcr_idx: pcr idx to extend - * @hash: hash value used to extend pcr value + * tpm_pcr_extend - extend a PCR value in SHA1 bank. + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @pcr_idx: the PCR to be retrieved + * @hash: the hash value used to extend the PCR value * - * The TPM driver should be built-in, but for whatever reason it - * isn't, protect against the chip disappearing, by incrementing - * the module usage count. + * Note: with TPM 2.0 extends also those banks with a known digest size to the + * cryto subsystem in order to prevent malicious use of those PCR banks. In the + * future we should dynamically determine digest sizes. + * + * Return: same as with tpm_transmit_cmd() */ -int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) +int tpm_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash) { int rc; - struct tpm_chip *chip; struct tpm2_digest digest_list[ARRAY_SIZE(chip->active_banks)]; u32 count = 0; int i; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL) + chip = tpm_chip_find_get(chip); + if (!chip) return -ENODEV; if (chip->flags & TPM_CHIP_FLAG_TPM2) { @@ -1019,17 +1017,24 @@ out: return rc; } -int tpm_send(u32 chip_num, void *cmd, size_t buflen) +/** + * tpm_send - send a TPM command + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @cmd: a TPM command buffer + * @buflen: the length of the TPM command buffer + * + * Return: same as with tpm_transmit_cmd() + */ +int tpm_send(struct tpm_chip *chip, void *cmd, size_t buflen) { - struct tpm_chip *chip; int rc; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL) + chip = tpm_chip_find_get(chip); + if (!chip) return -ENODEV; rc = tpm_transmit_cmd(chip, NULL, cmd, buflen, 0, 0, - "attempting tpm_cmd"); + "attempting to a send a command"); tpm_put_ops(chip); return rc; } @@ -1127,16 +1132,15 @@ static const struct tpm_input_header tpm_getrandom_header = { }; /** - * tpm_get_random() - Get random bytes from the tpm's RNG - * @chip_num: A specific chip number for the request or TPM_ANY_NUM - * @out: destination buffer for the random bytes - * @max: the max number of bytes to write to @out + * tpm_get_random() - get random bytes from the TPM's RNG + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @out: destination buffer for the random bytes + * @max: the max number of bytes to write to @out * - * Returns < 0 on error and the number of bytes read on success + * Return: same as with tpm_transmit_cmd() */ -int tpm_get_random(u32 chip_num, u8 *out, size_t max) +int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) { - struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA), rlength; int err, total = 0, retries = 5; @@ -1145,8 +1149,8 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max) if (!out || !num_bytes || max > TPM_MAX_RNG_DATA) return -EINVAL; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL) + chip = tpm_chip_find_get(chip); + if (!chip) return -ENODEV; if (chip->flags & TPM_CHIP_FLAG_TPM2) { @@ -1188,22 +1192,23 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max) EXPORT_SYMBOL_GPL(tpm_get_random); /** - * tpm_seal_trusted() - seal a trusted key - * @chip_num: A specific chip number for the request or TPM_ANY_NUM - * @options: authentication values and other options - * @payload: the key data in clear and encrypted form + * tpm_seal_trusted() - seal a trusted key payload + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @options: authentication values and other options + * @payload: the key data in clear and encrypted form + * + * Note: only TPM 2.0 chip are supported. TPM 1.x implementation is located in + * the keyring subsystem. * - * Returns < 0 on error and 0 on success. At the moment, only TPM 2.0 chips - * are supported. + * Return: same as with tpm_transmit_cmd() */ -int tpm_seal_trusted(u32 chip_num, struct trusted_key_payload *payload, +int tpm_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options) { - struct tpm_chip *chip; int rc; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL || !(chip->flags & TPM_CHIP_FLAG_TPM2)) + chip = tpm_chip_find_get(chip); + if (!chip || !(chip->flags & TPM_CHIP_FLAG_TPM2)) return -ENODEV; rc = tpm2_seal_trusted(chip, payload, options); @@ -1215,21 +1220,23 @@ EXPORT_SYMBOL_GPL(tpm_seal_trusted); /** * tpm_unseal_trusted() - unseal a trusted key - * @chip_num: A specific chip number for the request or TPM_ANY_NUM - * @options: authentication values and other options - * @payload: the key data in clear and encrypted form + * @chip: a &struct tpm_chip instance, %NULL for the default chip + * @options: authentication values and other options + * @payload: the key data in clear and encrypted form + * + * Note: only TPM 2.0 chip are supported. TPM 1.x implementation is located in + * the keyring subsystem. * - * Returns < 0 on error and 0 on success. At the moment, only TPM 2.0 chips - * are supported. + * Return: same as with tpm_transmit_cmd() */ -int tpm_unseal_trusted(u32 chip_num, struct trusted_key_payload *payload, +int tpm_unseal_trusted(struct tpm_chip *chip, + struct trusted_key_payload *payload, struct trusted_key_options *options) { - struct tpm_chip *chip; int rc; - chip = tpm_chip_find_get(chip_num); - if (chip == NULL || !(chip->flags & TPM_CHIP_FLAG_TPM2)) + chip = tpm_chip_find_get(chip); + if (!chip || !(chip->flags & TPM_CHIP_FLAG_TPM2)) return -ENODEV; rc = tpm2_unseal_trusted(chip, payload, options); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index c1866cc02e30..6c189174c0d3 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -516,7 +516,7 @@ static inline void tpm_msleep(unsigned int delay_msec) delay_msec * 1000); }; -struct tpm_chip *tpm_chip_find_get(int chip_num); +struct tpm_chip *tpm_chip_find_get(struct tpm_chip *chip); __must_check int tpm_try_get_ops(struct tpm_chip *chip); void tpm_put_ops(struct tpm_chip *chip); diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 5a090f5ab335..ddc9b88ff6d3 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -24,11 +24,6 @@ #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */ -/* - * Chip num is this value or a valid tpm idx - */ -#define TPM_ANY_NUM 0xFFFF - struct tpm_chip; struct trusted_key_payload; struct trusted_key_options; @@ -54,42 +49,47 @@ struct tpm_class_ops { #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) -extern int tpm_is_tpm2(u32 chip_num); -extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf); -extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash); -extern int tpm_send(u32 chip_num, void *cmd, size_t buflen); -extern int tpm_get_random(u32 chip_num, u8 *data, size_t max); -extern int tpm_seal_trusted(u32 chip_num, +extern int tpm_is_tpm2(struct tpm_chip *chip); +extern int tpm_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); +extern int tpm_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); +extern int tpm_send(struct tpm_chip *chip, void *cmd, size_t buflen); +extern int tpm_get_random(struct tpm_chip *chip, u8 *data, size_t max); +extern int tpm_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options); -extern int tpm_unseal_trusted(u32 chip_num, +extern int tpm_unseal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options); #else -static inline int tpm_is_tpm2(u32 chip_num) +static inline int tpm_is_tpm2(struct tpm_chip *chip) { return -ENODEV; } -static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) { +static inline int tpm_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) +{ return -ENODEV; } -static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) { +static inline int tpm_pcr_extend(struct tpm_chip *chip, int pcr_idx, + const u8 *hash) +{ return -ENODEV; } -static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) { +static inline int tpm_send(struct tpm_chip *chip, void *cmd, size_t buflen) +{ return -ENODEV; } -static inline int tpm_get_random(u32 chip_num, u8 *data, size_t max) { +static inline int tpm_get_random(struct tpm_chip *chip, u8 *data, size_t max) +{ return -ENODEV; } -static inline int tpm_seal_trusted(u32 chip_num, +static inline int tpm_seal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options) { return -ENODEV; } -static inline int tpm_unseal_trusted(u32 chip_num, +static inline int tpm_unseal_trusted(struct tpm_chip *chip, struct trusted_key_payload *payload, struct trusted_key_options *options) { diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 9057b163c378..205bc69361ea 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -632,7 +632,7 @@ static void __init ima_pcrread(int idx, u8 *pcr) if (!ima_used_chip) return; - if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0) + if (tpm_pcr_read(NULL, idx, pcr) != 0) pr_err("Error Communicating to TPM chip\n"); } diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 2967d497a665..29b72cd2502e 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -110,7 +110,7 @@ int __init ima_init(void) int rc; ima_used_chip = 0; - rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i); + rc = tpm_pcr_read(NULL, 0, pcr_i); if (rc == 0) ima_used_chip = 1; diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index a02a86d51102..418f35e38015 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -145,7 +145,7 @@ static int ima_pcr_extend(const u8 *hash, int pcr) if (!ima_used_chip) return result; - result = tpm_pcr_extend(TPM_ANY_NUM, pcr, hash); + result = tpm_pcr_extend(NULL, pcr, hash); if (result != 0) pr_err("Error Communicating to TPM chip, result: %d\n", result); return result; diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 98aa89ff7bfd..423776682025 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -355,13 +355,12 @@ out: * For key specific tpm requests, we will generate and send our * own TPM command packets using the drivers send function. */ -static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd, - size_t buflen) +static int trusted_tpm_send(unsigned char *cmd, size_t buflen) { int rc; dump_tpm_buf(cmd); - rc = tpm_send(chip_num, cmd, buflen); + rc = tpm_send(NULL, cmd, buflen); dump_tpm_buf(cmd); if (rc > 0) /* Can't return positive return codes values to keyctl */ @@ -382,10 +381,10 @@ static int pcrlock(const int pcrnum) if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE); + ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); if (ret != SHA1_DIGEST_SIZE) return ret; - return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0; + return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; } /* @@ -398,7 +397,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, unsigned char ononce[TPM_NONCE_SIZE]; int ret; - ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE); + ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) return ret; @@ -410,7 +409,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, store32(tb, handle); storebytes(tb, ononce, TPM_NONCE_SIZE); - ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); + ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); if (ret < 0) return ret; @@ -434,7 +433,7 @@ static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce) store16(tb, TPM_TAG_RQU_COMMAND); store32(tb, TPM_OIAP_SIZE); store32(tb, TPM_ORD_OIAP); - ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); + ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); if (ret < 0) return ret; @@ -493,7 +492,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, if (ret < 0) goto out; - ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) goto out; ordinal = htonl(TPM_ORD_SEAL); @@ -542,7 +541,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, store8(tb, cont); storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); - ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); + ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); if (ret < 0) goto out; @@ -603,7 +602,7 @@ static int tpm_unseal(struct tpm_buf *tb, ordinal = htonl(TPM_ORD_UNSEAL); keyhndl = htonl(SRKHANDLE); - ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) { pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); return ret; @@ -635,7 +634,7 @@ static int tpm_unseal(struct tpm_buf *tb, store8(tb, cont); storebytes(tb, authdata2, SHA1_DIGEST_SIZE); - ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); + ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE); if (ret < 0) { pr_info("trusted_key: authhmac failed (%d)\n", ret); return ret; @@ -748,7 +747,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, int i; int tpm2; - tpm2 = tpm_is_tpm2(TPM_ANY_NUM); + tpm2 = tpm_is_tpm2(NULL); if (tpm2 < 0) return tpm2; @@ -917,7 +916,7 @@ static struct trusted_key_options *trusted_options_alloc(void) struct trusted_key_options *options; int tpm2; - tpm2 = tpm_is_tpm2(TPM_ANY_NUM); + tpm2 = tpm_is_tpm2(NULL); if (tpm2 < 0) return NULL; @@ -967,7 +966,7 @@ static int trusted_instantiate(struct key *key, size_t key_len; int tpm2; - tpm2 = tpm_is_tpm2(TPM_ANY_NUM); + tpm2 = tpm_is_tpm2(NULL); if (tpm2 < 0) return tpm2; @@ -1008,7 +1007,7 @@ static int trusted_instantiate(struct key *key, switch (key_cmd) { case Opt_load: if (tpm2) - ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options); + ret = tpm_unseal_trusted(NULL, payload, options); else ret = key_unseal(payload, options); dump_payload(payload); @@ -1018,13 +1017,13 @@ static int trusted_instantiate(struct key *key, break; case Opt_new: key_len = payload->key_len; - ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len); + ret = tpm_get_random(NULL, payload->key, key_len); if (ret != key_len) { pr_info("trusted_key: key_create failed (%d)\n", ret); goto out; } if (tpm2) - ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options); + ret = tpm_seal_trusted(NULL, payload, options); else ret = key_seal(payload, options); if (ret < 0) -- cgit v1.2.3 From b3e958ce4c585bf666de249dc794971ebc62d2d3 Mon Sep 17 00:00:00 2001 From: Azhar Shaikh Date: Fri, 22 Dec 2017 12:13:44 -0800 Subject: tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd() Commit 5e572cab92f0bb5 ("tpm: Enable CLKRUN protocol for Braswell systems") disabled CLKRUN protocol during TPM transactions and re-enabled once the transaction is completed. But there were still some corner cases observed where, reading of TPM header failed for savestate command while going to suspend, which resulted in suspend failure. To fix this issue keep the CLKRUN protocol disabled for the entire duration of a single TPM command and not disabling and re-enabling again for every TPM transaction. For the other TPM accesses outside TPM command flow, add a higher level of disabling and re-enabling the CLKRUN protocol, instead of doing for every TPM transaction. Fixes: 5e572cab92f0bb5 ("tpm: Enable CLKRUN protocol for Braswell systems") Signed-off-by: Azhar Shaikh Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-interface.c | 6 +++ drivers/char/tpm/tpm_tis.c | 92 ++++----------------------------- drivers/char/tpm/tpm_tis_core.c | 108 +++++++++++++++++++++++++++++++++++---- drivers/char/tpm/tpm_tis_core.h | 4 ++ include/linux/tpm.h | 1 + 5 files changed, 119 insertions(+), 92 deletions(-) (limited to 'include') diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index af355bd97bea..76df4fbcf089 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -425,6 +425,9 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, if (chip->dev.parent) pm_runtime_get_sync(chip->dev.parent); + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, true); + /* Store the decision as chip->locality will be changed. */ need_locality = chip->locality == -1; @@ -501,6 +504,9 @@ out: chip->locality = -1; } out_no_locality: + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, false); + if (chip->dev.parent) pm_runtime_put_sync(chip->dev.parent); diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index 923f8f2cbaca..c847fc69a2fc 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -133,79 +133,17 @@ static int check_acpi_tpm2(struct device *dev) } #endif -#ifdef CONFIG_X86 -#define LPC_CNTRL_OFFSET 0x84 -#define LPC_CLKRUN_EN (1 << 2) - -/** - * tpm_platform_begin_xfer() - clear LPC CLKRUN_EN i.e. clocks will be running - */ -static void tpm_platform_begin_xfer(struct tpm_tis_data *data) -{ - u32 clkrun_val; - - if (!is_bsw()) - return; - - clkrun_val = ioread32(data->ilb_base_addr + LPC_CNTRL_OFFSET); - - /* Disable LPC CLKRUN# */ - clkrun_val &= ~LPC_CLKRUN_EN; - iowrite32(clkrun_val, data->ilb_base_addr + LPC_CNTRL_OFFSET); - - /* - * Write any random value on port 0x80 which is on LPC, to make - * sure LPC clock is running before sending any TPM command. - */ - outb(0xCC, 0x80); - -} - -/** - * tpm_platform_end_xfer() - set LPC CLKRUN_EN i.e. clocks can be turned off - */ -static void tpm_platform_end_xfer(struct tpm_tis_data *data) -{ - u32 clkrun_val; - - if (!is_bsw()) - return; - - clkrun_val = ioread32(data->ilb_base_addr + LPC_CNTRL_OFFSET); - - /* Enable LPC CLKRUN# */ - clkrun_val |= LPC_CLKRUN_EN; - iowrite32(clkrun_val, data->ilb_base_addr + LPC_CNTRL_OFFSET); - - /* - * Write any random value on port 0x80 which is on LPC, to make - * sure LPC clock is running before sending any TPM command. - */ - outb(0xCC, 0x80); - -} -#else -static void tpm_platform_begin_xfer(struct tpm_tis_data *data) -{ -} - -static void tpm_platform_end_xfer(struct tpm_tis_data *data) -{ -} -#endif - static int tpm_tcg_read_bytes(struct tpm_tis_data *data, u32 addr, u16 len, u8 *result) { struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data); - tpm_platform_begin_xfer(data); + if (is_bsw() && !(data->flags & TPM_TIS_CLK_ENABLE)) + WARN(1, "CLKRUN not enabled!\n"); while (len--) *result++ = ioread8(phy->iobase + addr); - tpm_platform_end_xfer(data); - return 0; } @@ -214,13 +152,12 @@ static int tpm_tcg_write_bytes(struct tpm_tis_data *data, u32 addr, u16 len, { struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data); - tpm_platform_begin_xfer(data); + if (is_bsw() && !(data->flags & TPM_TIS_CLK_ENABLE)) + WARN(1, "CLKRUN not enabled!\n"); while (len--) iowrite8(*value++, phy->iobase + addr); - tpm_platform_end_xfer(data); - return 0; } @@ -228,12 +165,11 @@ static int tpm_tcg_read16(struct tpm_tis_data *data, u32 addr, u16 *result) { struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data); - tpm_platform_begin_xfer(data); + if (is_bsw() && !(data->flags & TPM_TIS_CLK_ENABLE)) + WARN(1, "CLKRUN not enabled!\n"); *result = ioread16(phy->iobase + addr); - tpm_platform_end_xfer(data); - return 0; } @@ -241,12 +177,11 @@ static int tpm_tcg_read32(struct tpm_tis_data *data, u32 addr, u32 *result) { struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data); - tpm_platform_begin_xfer(data); + if (is_bsw() && !(data->flags & TPM_TIS_CLK_ENABLE)) + WARN(1, "CLKRUN not enabled!\n"); *result = ioread32(phy->iobase + addr); - tpm_platform_end_xfer(data); - return 0; } @@ -254,12 +189,11 @@ static int tpm_tcg_write32(struct tpm_tis_data *data, u32 addr, u32 value) { struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data); - tpm_platform_begin_xfer(data); + if (is_bsw() && !(data->flags & TPM_TIS_CLK_ENABLE)) + WARN(1, "CLKRUN not enabled!\n"); iowrite32(value, phy->iobase + addr); - tpm_platform_end_xfer(data); - return 0; } @@ -341,9 +275,6 @@ static void tpm_tis_pnp_remove(struct pnp_dev *dev) tpm_chip_unregister(chip); tpm_tis_remove(chip); - if (is_bsw()) - iounmap(priv->ilb_base_addr); - } static struct pnp_driver tis_pnp_driver = { @@ -395,9 +326,6 @@ static int tpm_tis_plat_remove(struct platform_device *pdev) tpm_chip_unregister(chip); tpm_tis_remove(chip); - if (is_bsw()) - iounmap(priv->ilb_base_addr); - return 0; } diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index aff567840e50..3238731fdbfd 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -37,6 +37,8 @@ */ #define TPM_POLL_SLEEP 1 /* msec */ +static void tpm_tis_clkrun_enable(struct tpm_chip *chip, bool value); + static bool wait_for_tpm_stat_cond(struct tpm_chip *chip, u8 mask, bool check_cancel, bool *canceled) { @@ -487,19 +489,28 @@ static bool tpm_tis_update_timeouts(struct tpm_chip *chip, int i, rc; u32 did_vid; + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, true); + rc = tpm_tis_read32(priv, TPM_DID_VID(0), &did_vid); if (rc < 0) - return rc; + goto out; for (i = 0; i != ARRAY_SIZE(vendor_timeout_overrides); i++) { if (vendor_timeout_overrides[i].did_vid != did_vid) continue; memcpy(timeout_cap, vendor_timeout_overrides[i].timeout_us, sizeof(vendor_timeout_overrides[i].timeout_us)); - return true; + rc = true; } - return false; + rc = false; + +out: + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, false); + + return rc; } /* @@ -719,14 +730,74 @@ void tpm_tis_remove(struct tpm_chip *chip) u32 interrupt; int rc; + tpm_tis_clkrun_enable(chip, true); + rc = tpm_tis_read32(priv, reg, &interrupt); if (rc < 0) interrupt = 0; tpm_tis_write32(priv, reg, ~TPM_GLOBAL_INT_ENABLE & interrupt); + + tpm_tis_clkrun_enable(chip, false); + + if (priv->ilb_base_addr) + iounmap(priv->ilb_base_addr); } EXPORT_SYMBOL_GPL(tpm_tis_remove); +/** + * tpm_tis_clkrun_enable() - Keep clkrun protocol disabled for entire duration + * of a single TPM command + * @chip: TPM chip to use + * @value: 1 - Disable CLKRUN protocol, so that clocks are free running + * 0 - Enable CLKRUN protocol + * Call this function directly in tpm_tis_remove() in error or driver removal + * path, since the chip->ops is set to NULL in tpm_chip_unregister(). + */ +static void tpm_tis_clkrun_enable(struct tpm_chip *chip, bool value) +{ + struct tpm_tis_data *data = dev_get_drvdata(&chip->dev); + u32 clkrun_val; + + if (!IS_ENABLED(CONFIG_X86) || !is_bsw()) + return; + + if (value) { + data->flags |= TPM_TIS_CLK_ENABLE; + data->clkrun_enabled++; + if (data->clkrun_enabled > 1) + return; + clkrun_val = ioread32(data->ilb_base_addr + LPC_CNTRL_OFFSET); + + /* Disable LPC CLKRUN# */ + clkrun_val &= ~LPC_CLKRUN_EN; + iowrite32(clkrun_val, data->ilb_base_addr + LPC_CNTRL_OFFSET); + + /* + * Write any random value on port 0x80 which is on LPC, to make + * sure LPC clock is running before sending any TPM command. + */ + outb(0xCC, 0x80); + } else { + data->clkrun_enabled--; + if (data->clkrun_enabled) + return; + + clkrun_val = ioread32(data->ilb_base_addr + LPC_CNTRL_OFFSET); + + /* Enable LPC CLKRUN# */ + clkrun_val |= LPC_CLKRUN_EN; + iowrite32(clkrun_val, data->ilb_base_addr + LPC_CNTRL_OFFSET); + + /* + * Write any random value on port 0x80 which is on LPC, to make + * sure LPC clock is running before sending any TPM command. + */ + outb(0xCC, 0x80); + data->flags &= ~TPM_TIS_CLK_ENABLE; + } +} + static const struct tpm_class_ops tpm_tis = { .flags = TPM_OPS_AUTO_STARTUP, .status = tpm_tis_status, @@ -739,6 +810,7 @@ static const struct tpm_class_ops tpm_tis = { .req_canceled = tpm_tis_req_canceled, .request_locality = request_locality, .relinquish_locality = release_locality, + .clk_enable = tpm_tis_clkrun_enable, }; int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, @@ -773,6 +845,9 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, return -ENOMEM; } + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, true); + if (wait_startup(chip, 0) != 0) { rc = -ENODEV; goto out_err; @@ -864,14 +939,18 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, } rc = tpm_chip_register(chip); - if (rc && is_bsw()) - iounmap(priv->ilb_base_addr); + if (rc) + goto out_err; - return rc; + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, false); + + return 0; out_err: + if ((chip->ops != NULL) && (chip->ops->clk_enable != NULL)) + chip->ops->clk_enable(chip, false); + tpm_tis_remove(chip); - if (is_bsw()) - iounmap(priv->ilb_base_addr); return rc; } @@ -884,22 +963,31 @@ static void tpm_tis_reenable_interrupts(struct tpm_chip *chip) u32 intmask; int rc; + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, true); + /* reenable interrupts that device may have lost or * BIOS/firmware may have disabled */ rc = tpm_tis_write8(priv, TPM_INT_VECTOR(priv->locality), priv->irq); if (rc < 0) - return; + goto out; rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask); if (rc < 0) - return; + goto out; intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT | TPM_GLOBAL_INT_ENABLE; tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask); + +out: + if (chip->ops->clk_enable != NULL) + chip->ops->clk_enable(chip, false); + + return; } int tpm_tis_resume(struct device *dev) diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h index 458847f72758..afc50cde1ba6 100644 --- a/drivers/char/tpm/tpm_tis_core.h +++ b/drivers/char/tpm/tpm_tis_core.h @@ -79,11 +79,14 @@ enum tis_defaults { #define TPM_DID_VID(l) (0x0F00 | ((l) << 12)) #define TPM_RID(l) (0x0F04 | ((l) << 12)) +#define LPC_CNTRL_OFFSET 0x84 +#define LPC_CLKRUN_EN (1 << 2) #define INTEL_LEGACY_BLK_BASE_ADDR 0xFED08000 #define ILB_REMAP_SIZE 0x100 enum tpm_tis_flags { TPM_TIS_ITPM_WORKAROUND = BIT(0), + TPM_TIS_CLK_ENABLE = BIT(1), }; struct tpm_tis_data { @@ -93,6 +96,7 @@ struct tpm_tis_data { bool irq_tested; unsigned int flags; void __iomem *ilb_base_addr; + u16 clkrun_enabled; wait_queue_head_t int_queue; wait_queue_head_t read_queue; const struct tpm_tis_phy_ops *phy_ops; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index ddc9b88ff6d3..bcdd3790e94d 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -45,6 +45,7 @@ struct tpm_class_ops { unsigned long *timeout_cap); int (*request_locality)(struct tpm_chip *chip, int loc); void (*relinquish_locality)(struct tpm_chip *chip, int loc); + void (*clk_enable)(struct tpm_chip *chip, bool value); }; #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) -- cgit v1.2.3