| Message ID | 20170329102452.32212-2-roberto.sassu@huawei.com |
|---|---|
| State | New |
| Headers | show |
On Wed, Mar 29, 2017 at 12:24:49PM +0200, Roberto Sassu wrote: > TCG mandates that all PCR banks must be extended during the same operation. > tpm2_pcr_extend() will check whether all digests have been provided. > > The check is necessary because tpm2_pcr_extend() will be called by a new > function, allowing callers to provide a digest for each PCR bank. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> When can this happen? /Jarkko > --- > drivers/char/tpm/tpm2-cmd.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 881aea9..f4d534c 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -284,6 +284,26 @@ struct tpm2_null_auth_area { > __be16 auth_size; > } __packed; > > +static bool tpm2_digests_all_banks(struct tpm_chip *chip, u32 count, > + struct tpm2_digest *digests) > +{ > + int i, j; > + > + for (i = 0; i < ARRAY_SIZE(chip->active_banks) && > + chip->active_banks[i] != TPM2_ALG_ERROR; i++) { > + for (j = 0; j < count; j++) > + if (digests[j].alg_id == chip->active_banks[i]) > + break; > + if (j == count) { > + pr_err("missing TPM algorithm 0x%x\n", > + chip->active_banks[i]); > + return false; > + } > + } > + > + return true; > +} > + What if 'digests' contains the same 'alg_id' multiple times? > /** > * tpm2_pcr_extend() - extend a PCR value > * > @@ -306,6 +326,9 @@ int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, > if (count > ARRAY_SIZE(chip->active_banks)) > return -EINVAL; > > + if (!tpm2_digests_all_banks(chip, count, digests)) > + return -EINVAL; > + > rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > if (rc) > return rc; > -- > 2.9.3 > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > tpmdd-devel mailing list > tpmdd-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tpmdd-devel /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
On 4/5/2017 2:12 PM, Jarkko Sakkinen wrote: > On Wed, Mar 29, 2017 at 12:24:49PM +0200, Roberto Sassu wrote: >> TCG mandates that all PCR banks must be extended during the same operation. >> tpm2_pcr_extend() will check whether all digests have been provided. >> >> The check is necessary because tpm2_pcr_extend() will be called by a new >> function, allowing callers to provide a digest for each PCR bank. >> >> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > When can this happen? Hi Jarkko I'm extending IMA to calculate the event data digest multiple times, for each algorithm selected by the user and supported by the TPM. You can have a look at the cover letter of the patch set: https://sourceforge.net/p/linux-ima/mailman/message/35757172/ and at the patch which calls the functions I added to the TPM driver interface: https://sourceforge.net/p/linux-ima/mailman/message/35757195/ Thanks Roberto ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
On Wed, Apr 05, 2017 at 02:25:17PM +0200, Roberto Sassu wrote: > On 4/5/2017 2:12 PM, Jarkko Sakkinen wrote: > > On Wed, Mar 29, 2017 at 12:24:49PM +0200, Roberto Sassu wrote: > > > TCG mandates that all PCR banks must be extended during the same operation. > > > tpm2_pcr_extend() will check whether all digests have been provided. > > > > > > The check is necessary because tpm2_pcr_extend() will be called by a new > > > function, allowing callers to provide a digest for each PCR bank. > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > When can this happen? > > Hi Jarkko > > I'm extending IMA to calculate the event data digest multiple > times, for each algorithm selected by the user and supported by > the TPM. > > You can have a look at the cover letter of the patch set: > > https://sourceforge.net/p/linux-ima/mailman/message/35757172/ > > > and at the patch which calls the functions I added to the > TPM driver interface: > > https://sourceforge.net/p/linux-ima/mailman/message/35757195/ > > Thanks > > Roberto You should explain this use in these commits. /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 881aea9..f4d534c 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -284,6 +284,26 @@ struct tpm2_null_auth_area { __be16 auth_size; } __packed; +static bool tpm2_digests_all_banks(struct tpm_chip *chip, u32 count, + struct tpm2_digest *digests) +{ + int i, j; + + for (i = 0; i < ARRAY_SIZE(chip->active_banks) && + chip->active_banks[i] != TPM2_ALG_ERROR; i++) { + for (j = 0; j < count; j++) + if (digests[j].alg_id == chip->active_banks[i]) + break; + if (j == count) { + pr_err("missing TPM algorithm 0x%x\n", + chip->active_banks[i]); + return false; + } + } + + return true; +} + /** * tpm2_pcr_extend() - extend a PCR value * @@ -306,6 +326,9 @@ int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count, if (count > ARRAY_SIZE(chip->active_banks)) return -EINVAL; + if (!tpm2_digests_all_banks(chip, count, digests)) + return -EINVAL; + rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); if (rc) return rc;
TCG mandates that all PCR banks must be extended during the same operation. tpm2_pcr_extend() will check whether all digests have been provided. The check is necessary because tpm2_pcr_extend() will be called by a new function, allowing callers to provide a digest for each PCR bank. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- drivers/char/tpm/tpm2-cmd.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)