]> www.infradead.org Git - users/willy/linux.git/log
users/willy/linux.git
9 years agotpm: fix byte-order for the value read by tpm2_get_tpm_pt
apronin@chromium.org [Fri, 15 Jul 2016 01:07:18 +0000 (18:07 -0700)]
tpm: fix byte-order for the value read by tpm2_get_tpm_pt

The result must be converted from BE byte order, which is used by the
TPM2 protocol. This has not popped out because tpm2_get_tpm_pt() has
been only used for probing.

Fixes: 7a1d7e6dd76a ("tpm: TPM 2.0 baseline support")
Change-Id: I7d71cd379b1a3b7659d20a1b6008216762596590
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm_tis_core: convert max timeouts from msec to jiffies
apronin@chromium.org [Fri, 15 Jul 2016 00:29:40 +0000 (17:29 -0700)]
tpm_tis_core: convert max timeouts from msec to jiffies

tpm_tis_core was missing conversion from msec when assigning max
timeouts from constants.

Fixes: aec04cbdf723 ("tpm: TPM 2.0 FIFO Interface")
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agoapparmor: fix arg_size computation for when setprocattr is null terminated
John Johansen [Sun, 10 Jul 2016 06:46:33 +0000 (23:46 -0700)]
apparmor: fix arg_size computation for when setprocattr is null terminated

Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: fix oops, validate buffer size in apparmor_setprocattr()
Vegard Nossum [Thu, 7 Jul 2016 20:41:11 +0000 (13:41 -0700)]
apparmor: fix oops, validate buffer size in apparmor_setprocattr()

When proc_pid_attr_write() was changed to use memdup_user apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.

The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.

SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.

Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
modified for the case that apparmor provides null termination.

Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
9 years agoapparmor: do not expose kernel stack
Heinrich Schuchardt [Fri, 10 Jun 2016 21:34:26 +0000 (23:34 +0200)]
apparmor: do not expose kernel stack

Do not copy uninitalized fields th.td_hilen, th.td_data.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: fix module parameters can be changed after policy is locked
John Johansen [Thu, 23 Jun 2016 01:01:08 +0000 (18:01 -0700)]
apparmor: fix module parameters can be changed after policy is locked

the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: fix oops in profile_unpack() when policy_db is not present
John Johansen [Wed, 15 Jun 2016 07:00:55 +0000 (10:00 +0300)]
apparmor: fix oops in profile_unpack() when policy_db is not present

BugLink: http://bugs.launchpad.net/bugs/1592547
If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).

Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: don't check for vmalloc_addr if kvzalloc() failed
John Johansen [Wed, 15 Jun 2016 06:57:55 +0000 (09:57 +0300)]
apparmor: don't check for vmalloc_addr if kvzalloc() failed

Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: add missing id bounds check on dfa verification
John Johansen [Thu, 2 Jun 2016 09:37:02 +0000 (02:37 -0700)]
apparmor: add missing id bounds check on dfa verification

Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
Jeff Mahoney [Fri, 6 Nov 2015 20:17:30 +0000 (15:17 -0500)]
apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task

While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.

The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE

1), 2, and 3) are already true for setrlimit.

We can match the ptrace model just by allowing CAP_SYS_RESOURCE.

We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: use list_next_entry instead of list_entry_next
Geliang Tang [Mon, 16 Nov 2015 13:46:33 +0000 (21:46 +0800)]
apparmor: use list_next_entry instead of list_entry_next

list_next_entry has been defined in list.h, so I replace list_entry_next
with it.

Signed-off-by: Geliang Tang <geliangtang@163.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
9 years agoapparmor: fix refcount race when finding a child profile
John Johansen [Thu, 17 Dec 2015 02:09:10 +0000 (18:09 -0800)]
apparmor: fix refcount race when finding a child profile

When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.

Protect against this by repeating the lookup if the profiles refcount
is 0 and is one its way to deletion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix ref count leak when profile sha1 hash is read
John Johansen [Wed, 18 Nov 2015 19:41:05 +0000 (11:41 -0800)]
apparmor: fix ref count leak when profile sha1 hash is read

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: check that xindex is in trans_table bounds
John Johansen [Thu, 17 Mar 2016 19:02:54 +0000 (12:02 -0700)]
apparmor: check that xindex is in trans_table bounds

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: ensure the target profile name is always audited
John Johansen [Wed, 20 Apr 2016 21:18:18 +0000 (14:18 -0700)]
apparmor: ensure the target profile name is always audited

The target profile name was not being correctly audited in a few
cases because the target variable was not being set and gotos
passed the code to set it at apply:

Since it is always based on new_profile just drop the target var
and conditionally report based on new_profile.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix audit full profile hname on successful load
John Johansen [Sat, 16 Apr 2016 21:19:38 +0000 (14:19 -0700)]
apparmor: fix audit full profile hname on successful load

Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as the another profile in the set. Logging the hname
will ensure there is no confusion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix log failures for all profiles in a set
John Johansen [Sat, 16 Apr 2016 21:16:50 +0000 (14:16 -0700)]
apparmor: fix log failures for all profiles in a set

currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix put() parent ref after updating the active ref
John Johansen [Sat, 16 Apr 2016 20:59:02 +0000 (13:59 -0700)]
apparmor: fix put() parent ref after updating the active ref

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: add parameter to control whether policy hashing is used
John Johansen [Fri, 24 Oct 2014 16:16:14 +0000 (09:16 -0700)]
apparmor: add parameter to control whether policy hashing is used

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: internal paths should be treated as disconnected
John Johansen [Fri, 25 Jul 2014 11:02:10 +0000 (04:02 -0700)]
apparmor: internal paths should be treated as disconnected

Internal mounts are not mounted anywhere and as such should be treated
as disconnected paths.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix disconnected bind mnts reconnection
John Johansen [Fri, 25 Jul 2014 11:02:08 +0000 (04:02 -0700)]
apparmor: fix disconnected bind mnts reconnection

Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.

BugLink: http://bugs.launchpad.net/bugs/1319984
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix update the mtime of the profile file on replacement
John Johansen [Fri, 25 Jul 2014 11:01:56 +0000 (04:01 -0700)]
apparmor: fix update the mtime of the profile file on replacement

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: exec should not be returning ENOENT when it denies
John Johansen [Fri, 25 Jul 2014 11:02:03 +0000 (04:02 -0700)]
apparmor: exec should not be returning ENOENT when it denies

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix uninitialized lsm_audit member
John Johansen [Sun, 8 Jun 2014 18:20:54 +0000 (11:20 -0700)]
apparmor: fix uninitialized lsm_audit member

BugLink: http://bugs.launchpad.net/bugs/1268727
The task field in the lsm_audit struct needs to be initialized if
a change_hat fails, otherwise the following oops will occur

BUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
PGD 1e3f35067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff880212987b68  EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
Stack:
 ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
Call Trace:
 [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
 [<ffffffff81075fee>] send_sig_info+0x1e/0x30
 [<ffffffff8130242d>] aa_audit+0x13d/0x190
 [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
 [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
 [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
 [<ffffffff812cee56>] security_setprocattr+0x16/0x20
 [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
 [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
 [<ffffffff811b8039>] SyS_write+0x49/0xa0
 [<ffffffff8171a1bf>] tracesys+0xe1/0xe6

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix replacement bug that adds new child to old parent
John Johansen [Mon, 11 Apr 2016 23:57:19 +0000 (16:57 -0700)]
apparmor: fix replacement bug that adds new child to old parent

When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.

AppArmor: policy_destroy: internal error, policy '<profile/name>' still
contains profiles

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoapparmor: fix refcount bug in profile replacement
John Johansen [Mon, 11 Apr 2016 23:55:10 +0000 (16:55 -0700)]
apparmor: fix refcount bug in profile replacement

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
9 years agoMerge tag 'keys-misc-20160708' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowe...
James Morris [Sat, 9 Jul 2016 02:49:00 +0000 (12:49 +1000)]
Merge tag 'keys-misc-20160708' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next

9 years agoMerge branch 'smack-for-4.8' of https://github.com/cschaufler/smack-next into next
James Morris [Fri, 8 Jul 2016 00:41:15 +0000 (10:41 +1000)]
Merge branch 'smack-for-4.8' of https://github.com/cschaufler/smack-next into next

9 years agoMAINTAINERS - Location of the Smack repository
Casey Schaufler [Thu, 7 Jul 2016 19:39:11 +0000 (12:39 -0700)]
MAINTAINERS - Location of the Smack repository

The Smack working tree has moved from gitorious to github.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
9 years agosamples/seccomp: Add standalone config option
Olof Johansson [Wed, 6 Jul 2016 06:53:19 +0000 (23:53 -0700)]
samples/seccomp: Add standalone config option

Add a separate Kconfig option for SAMPLES_SECCOMP.

Main reason for this is that, just like other samples, it's forced to
be a module.

Without this, since the sample is a target only controlled by
CONFIG_SECCOMP_FILTER, the samples will be built before include files are
put in place properly. For example, from an arm64 allmodconfig built with
"make -sk -j 32" (without specific target), the following happens:

  samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
  samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
  samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
  samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory

So, just stick to the same format as other samples.

Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
9 years agoMerge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next
James Morris [Thu, 7 Jul 2016 00:15:34 +0000 (10:15 +1000)]
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next

9 years agoima: extend the measurement entry specific pcr
Eric Richter [Wed, 1 Jun 2016 18:14:07 +0000 (13:14 -0500)]
ima: extend the measurement entry specific pcr

Extend the PCR supplied as a parameter, instead of assuming that the
measurement entry uses the default configured PCR.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: change integrity cache to store measured pcr
Eric Richter [Wed, 1 Jun 2016 18:14:06 +0000 (13:14 -0500)]
ima: change integrity cache to store measured pcr

IMA avoids re-measuring files by storing the current state as a flag in
the integrity cache. It will then skip adding a new measurement log entry
if the cache reports the file as already measured.

If a policy measures an already measured file to a new PCR, the measurement
will not be added to the list. This patch implements a new bitfield for
specifying which PCR the file was measured into, rather than if it was
measured.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: redefine duplicate template entries
Eric Richter [Wed, 1 Jun 2016 18:14:05 +0000 (13:14 -0500)]
ima: redefine duplicate template entries

Template entry duplicates are prevented from being added to the
measurement list by checking a hash table that contains the template
entry digests. However, the PCR value is not included in this comparison,
so duplicate template entry digests with differing PCRs may be dropped.

This patch redefines duplicate template entries as template entries with
the same digest and same PCR values.

Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: change ima_measurements_show() to display the entry specific pcr
Eric Richter [Wed, 1 Jun 2016 18:14:04 +0000 (13:14 -0500)]
ima: change ima_measurements_show() to display the entry specific pcr

IMA assumes that the same default Kconfig PCR is extended for each
entry. This patch replaces the default configured PCR with the policy
defined PCR.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: include pcr for each measurement log entry
Eric Richter [Wed, 1 Jun 2016 18:14:03 +0000 (13:14 -0500)]
ima: include pcr for each measurement log entry

The IMA measurement list entries include the Kconfig defined PCR value.
This patch defines a new ima_template_entry field for including the PCR
as specified in the policy rule.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: extend ima_get_action() to return the policy pcr
Eric Richter [Wed, 1 Jun 2016 18:14:02 +0000 (13:14 -0500)]
ima: extend ima_get_action() to return the policy pcr

Different policy rules may extend different PCRs. This patch retrieves
the specific PCR for the matched rule.  Subsequent patches will include
the rule specific PCR in the measurement list and extend the appropriate
PCR.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agoima: add policy support for extending different pcrs
Eric Richter [Wed, 1 Jun 2016 18:14:01 +0000 (13:14 -0500)]
ima: add policy support for extending different pcrs

This patch defines a new IMA measurement policy rule option "pcr=",
which allows extending different PCRs on a per rule basis. For example,
the system independent files could extend the default IMA Kconfig
specified PCR, while the system dependent files could extend a different
PCR.

The following is an example of this usage with an SELinux policy; the
rule would extend PCR 11 with system configuration files:

  measure func=FILE_CHECK mask=MAY_READ obj_type=system_conf_t pcr=11

Changelog v3:
- FIELD_SIZEOF returns bytes, not bits. Fixed INVALID_PCR

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agointegrity: add measured_pcrs field to integrity cache
Eric Richter [Wed, 1 Jun 2016 18:14:00 +0000 (13:14 -0500)]
integrity: add measured_pcrs field to integrity cache

To keep track of which measurements have been extended to which PCRs, this
patch defines a new integrity_iint_cache field named measured_pcrs. This
field is a bitmask of the PCRs measured. Each bit corresponds to a PCR
index. For example, bit 10 corresponds to PCR 10.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
9 years agonetlabel: Implement CALIPSO config functions for SMACK.
Huw Davies [Mon, 27 Jun 2016 19:06:18 +0000 (15:06 -0400)]
netlabel: Implement CALIPSO config functions for SMACK.

SMACK uses similar functions to control CIPSO, these are
the equivalent functions for CALIPSO and follow exactly
the same semantics.

int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
                           struct netlbl_audit *audit_info)
    Adds a CALIPSO doi.

void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
    Removes a CALIPSO doi.

int netlbl_cfg_calipso_map_add(u32 doi, const char *domain,
                               const struct in6_addr *addr,
                               const struct in6_addr *mask,
                               struct netlbl_audit *audit_info)
    Creates a mapping between a domain and a CALIPSO doi.  If
    addr and mask are non-NULL this creates an address-selector
    type mapping.

This also extends netlbl_cfg_map_del() to remove IPv6 address-selector
mappings.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agocalipso: Add a label cache.
Huw Davies [Mon, 27 Jun 2016 19:06:17 +0000 (15:06 -0400)]
calipso: Add a label cache.

This works in exactly the same way as the CIPSO label cache.
The idea is to allow the lsm to cache the result of a secattr
lookup so that it doesn't need to perform the lookup for
every skbuff.

It introduces two sysctl controls:
 calipso_cache_enable - enables/disables the cache.
 calipso_cache_bucket_size - sets the size of a cache bucket.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agocalipso: Add validation of CALIPSO option.
Huw Davies [Mon, 27 Jun 2016 19:06:17 +0000 (15:06 -0400)]
calipso: Add validation of CALIPSO option.

Lengths, checksum and the DOI are checked.  Checking of the
level and categories are left for the socket layer.

CRC validation is performed in the calipso module to avoid
unconditionally linking crc_ccitt() into ipv6.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Pass a family parameter to netlbl_skbuff_err().
Huw Davies [Mon, 27 Jun 2016 19:06:16 +0000 (15:06 -0400)]
netlabel: Pass a family parameter to netlbl_skbuff_err().

This makes it possible to route the error to the appropriate
labelling engine.  CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agocalipso: Allow the lsm to label the skbuff directly.
Huw Davies [Mon, 27 Jun 2016 19:06:15 +0000 (15:06 -0400)]
calipso: Allow the lsm to label the skbuff directly.

In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour.  This allows selinux to label the skbuffs that it requires.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agoipv6: constify the skb pointer of ipv6_find_tlv().
Huw Davies [Mon, 27 Jun 2016 19:06:15 +0000 (15:06 -0400)]
ipv6: constify the skb pointer of ipv6_find_tlv().

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agocalipso: Allow request sockets to be relabelled by the lsm.
Huw Davies [Mon, 27 Jun 2016 19:05:29 +0000 (15:05 -0400)]
calipso: Allow request sockets to be relabelled by the lsm.

Request sockets need to have a label that takes into account the
incoming connection as well as their parent's label.  This is used
for the outgoing SYN-ACK and for their child full-socket.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agoipv6: Allow request socks to contain IPv6 options.
Huw Davies [Mon, 27 Jun 2016 19:05:28 +0000 (15:05 -0400)]
ipv6: Allow request socks to contain IPv6 options.

If set, these will take precedence over the parent's options during
both sending and child creation.  If they're not set, the parent's
options (if any) will be used.

This is to allow the security_inet_conn_request() hook to modify the
IPv6 options in just the same way that it already may do for IPv4.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Prevent setsockopt() from changing the hop-by-hop option.
Huw Davies [Mon, 27 Jun 2016 19:05:27 +0000 (15:05 -0400)]
netlabel: Prevent setsockopt() from changing the hop-by-hop option.

If a socket has a netlabel in place then don't let setsockopt() alter
the socket's IPv6 hop-by-hop option.  This is in the same spirit as
the existing check for IPv4.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agocalipso: Set the calipso socket label to match the secattr.
Huw Davies [Mon, 27 Jun 2016 19:02:51 +0000 (15:02 -0400)]
calipso: Set the calipso socket label to match the secattr.

CALIPSO is a hop-by-hop IPv6 option.  A lot of this patch is based on
the equivalent CISPO code.  The main difference is due to manipulating
the options in the hop-by-hop header.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Move bitmap manipulation functions to the NetLabel core.
Huw Davies [Mon, 27 Jun 2016 19:02:51 +0000 (15:02 -0400)]
netlabel: Move bitmap manipulation functions to the NetLabel core.

This is to allow the CALIPSO labelling engine to use these.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agoipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.
Huw Davies [Mon, 27 Jun 2016 19:02:50 +0000 (15:02 -0400)]
ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

The functionality is equivalent to ipv6_renew_options() except
that the newopt pointer is in kernel, not user, memory

The kernel memory implementation will be used by the CALIPSO network
labelling engine, which needs to be able to set IPv6 hop-by-hop
options.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Add support for removing a CALIPSO DOI.
Huw Davies [Mon, 27 Jun 2016 19:02:49 +0000 (15:02 -0400)]
netlabel: Add support for removing a CALIPSO DOI.

Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command.
It requires the attribute:
 NLBL_CALIPSO_A_DOI.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Add support for creating a CALIPSO protocol domain mapping.
Huw Davies [Mon, 27 Jun 2016 19:02:49 +0000 (15:02 -0400)]
netlabel: Add support for creating a CALIPSO protocol domain mapping.

This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands
to accept CALIPSO protocol DOIs.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Add support for enumerating the CALIPSO DOI list.
Huw Davies [Mon, 27 Jun 2016 19:02:48 +0000 (15:02 -0400)]
netlabel: Add support for enumerating the CALIPSO DOI list.

Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command.
It takes no attributes.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Add support for querying a CALIPSO DOI.
Huw Davies [Mon, 27 Jun 2016 19:02:47 +0000 (15:02 -0400)]
netlabel: Add support for querying a CALIPSO DOI.

Query a specified DOI through the NLBL_CALIPSO_C_LIST command.
It requires the attribute:
 NLBL_CALIPSO_A_DOI.

The reply will contain:
 NLBL_CALIPSO_A_MTYPE

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Initial support for the CALIPSO netlink protocol.
Huw Davies [Mon, 27 Jun 2016 19:02:46 +0000 (15:02 -0400)]
netlabel: Initial support for the CALIPSO netlink protocol.

CALIPSO is a packet labelling protocol for IPv6 which is very similar
to CIPSO.  It is specified in RFC 5570.  Much of the code is based on
the current CIPSO code.

This adds support for adding passthrough-type CALIPSO DOIs through the
NLBL_CALIPSO_C_ADD command.  It requires attributes:

 NLBL_CALIPSO_A_TYPE which must be CALIPSO_MAP_PASS.
 NLBL_CALIPSO_A_DOI.

In passthrough mode the CALIPSO engine will map MLS secattr levels
and categories directly to the packet label.

At this stage, the major difference between this and the CIPSO
code is that IPv6 may be compiled as a module.  To allow for
this the CALIPSO functions are registered at module init time.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Add an address family to domain hash entries.
Huw Davies [Mon, 27 Jun 2016 19:02:46 +0000 (15:02 -0400)]
netlabel: Add an address family to domain hash entries.

The reason is to allow different labelling protocols for
different address families with the same domain.

This requires the addition of an address family attribute
in the netlink communication protocol.  It is used in several
messages:

NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF take it as an optional
attribute for the unlabelled protocol.  It may be one of AF_INET,
AF_INET6 or AF_UNSPEC (to specify both address families).  If it
is missing, it defaults to AF_UNSPEC.

NLBL_MGMT_C_LISTALL and NLBL_MGMT_C_LISTDEF return it as part of
the enumeration of each item.  Addtionally, it may be sent to
LISTDEF to specify which address family to return.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agonetlabel: Mark rcu pointers with __rcu.
Huw Davies [Mon, 27 Jun 2016 19:02:45 +0000 (15:02 -0400)]
netlabel: Mark rcu pointers with __rcu.

This fixes sparse errors of the form:
  incompatible types in comparison expression (different address spaces)

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
9 years agotpm_crb: fix address space of the return pointer in crb_map_res()
Jarkko Sakkinen [Fri, 17 Jun 2016 14:39:29 +0000 (16:39 +0200)]
tpm_crb: fix address space of the return pointer in crb_map_res()

When running make C=2 M=drivers/char/tpm/

  CHECK   drivers/char/tpm//tpm_crb.c
drivers/char/tpm//tpm_crb.c:248:31: warning: incorrect type in return expression (different address spaces)
drivers/char/tpm//tpm_crb.c:248:31:    expected void [noderef] <asn:2>*
drivers/char/tpm//tpm_crb.c:248:31:    got void *

CC: stable@vger.kernel.org
Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
9 years agotpm_vtpm_proxy: fix address space of a user pointer in vtpmx_fops_ioctl()
Jarkko Sakkinen [Fri, 17 Jun 2016 14:39:28 +0000 (16:39 +0200)]
tpm_vtpm_proxy: fix address space of a user pointer in vtpmx_fops_ioctl()

When running make C=2 M=drivers/char/tpm/

  CC [M]  drivers/char/tpm//tpm_crb.o
  CHECK   drivers/char/tpm//tpm_vtpm_proxy.c
drivers/char/tpm//tpm_vtpm_proxy.c:552:32: warning: incorrect type in assignment (different address spaces)
drivers/char/tpm//tpm_vtpm_proxy.c:552:32:    expected struct vtpm_proxy_new_dev *vtpm_new_dev_p
drivers/char/tpm//tpm_vtpm_proxy.c:552:32:    got void [noderef] <asn:1>*argp
drivers/char/tpm//tpm_vtpm_proxy.c:553:51: warning: incorrect type in argument 2 (different address spaces)
drivers/char/tpm//tpm_vtpm_proxy.c:553:51:    expected void const [noderef] <asn:1>*from
drivers/char/tpm//tpm_vtpm_proxy.c:553:51:    got struct vtpm_proxy_new_dev *vtpm_new_dev_p
drivers/char/tpm//tpm_vtpm_proxy.c:559:34: warning: incorrect type in argument 1 (different address spaces)
drivers/char/tpm//tpm_vtpm_proxy.c:559:34:    expected void [noderef] <asn:1>*to
drivers/char/tpm//tpm_vtpm_proxy.c:559:34:    got struct vtpm_proxy_new_dev *vtpm_new_dev_p

The __user annotation was missing from the corresponding variable.

Fixes: 794c38e01358 ("tpm: Proxy driver for supporting multiple emulated TPMs")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
9 years agotpm/tpm_tis_spi: Add support for spi phy
Christophe Ricard [Wed, 18 May 2016 22:35:53 +0000 (00:35 +0200)]
tpm/tpm_tis_spi: Add support for spi phy

Spi protocol standardized by the TCG is now supported by most of TPM
vendors.

It supports SPI Bit Protocol as describe in the TCG PTP
specification (chapter 6.4.6 SPI Bit Protocol).

Irq mode is not supported.

This commit is based on the initial work by Peter Huewe.

Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm/tpm_tis: Split tpm_tis driver into a core and TCG TIS compliant phy
Christophe Ricard [Wed, 18 May 2016 22:35:52 +0000 (00:35 +0200)]
tpm/tpm_tis: Split tpm_tis driver into a core and TCG TIS compliant phy

To avoid code duplication between the old tpm_tis and the new and future
native tcg tis driver(ie: spi, i2c...), the tpm_tis driver was reworked,
so that all common logic is extracted and can be reused from all drivers.

The core methods can also be used from other TIS like drivers.

itpm workaround is now managed with a specific tis flag
TPM_TIS_ITPM_POSSIBLE.

This commit is based on the initial work by Peter Huewe.

Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agodevicetree: Add Trusted Computing Group to vendor-prefix.txt
Christophe Ricard [Wed, 18 May 2016 22:35:51 +0000 (00:35 +0200)]
devicetree: Add Trusted Computing Group to vendor-prefix.txt

Add missing vendor to vendor-prefix.txt.

Trusted Computing Group design common specifications for
TPM (Trusted Platform Module) vendors.
TCG designates a TPM answering to a public specification.

This commit is based on the initial work by Peter Huewe.

Cc: devicetree@vger.kernel.org
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Acked-by: Rob Herring <robh@kernel.org>
Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agodevicetree: Add infineon to vendor-prefix.txt
Christophe Ricard [Wed, 18 May 2016 22:35:50 +0000 (00:35 +0200)]
devicetree: Add infineon to vendor-prefix.txt

Add missing vendor to vendor-prefix.txt

This commit is based on the initial work by Peter Huewe.

Cc: devicetree@vger.kernel.org
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Acked-by: Rob Herring <robh@kernel.org>
Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm_tis: Introduce intermediate layer for TPM access
Christophe Ricard [Wed, 18 May 2016 22:35:49 +0000 (00:35 +0200)]
tpm_tis: Introduce intermediate layer for TPM access

This splits tpm_tis in a high-level protocol part and a low-level interface
for the actual TPM communication. The low-level interface can then be
implemented by additional drivers to provide access to TPMs using other
mechanisms, for example native I2C or SPI transfers, while still reusing
the same TIS protocol implementation.

Though the ioread/iowrite calls cannot fail, other implementations of this
interface might want to return error codes if their communication fails.

This follows the usual pattern of negative values representing errors and
zero representing success. Positive values are not used (yet).

Errors are passed back to the caller if possible. If the interface of a
function does not allow that, it tries to do the most sensible thing it
can, but this might also mean ignoring the error in this instance.

This commit is based on the initial work by Peter Huewe.

Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: tpm_tis: Share common data between phys
Christophe Ricard [Wed, 18 May 2016 22:35:48 +0000 (00:35 +0200)]
tpm: tpm_tis: Share common data between phys

Split priv_data structure in common and phy specific structures. This will
allow in future patches to reuse the same tis logic on top of new phy such
as spi and i2c. Ultimately, other drivers may reuse this tis logic.
(e.g: st33zp24...)

iobase field is specific to TPM addressed on 0xFED4xxxx on LPC/SPI bus.

This commit is based on the initial work by Peter Huewe.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Add include guards in tpm.h
Christophe Ricard [Wed, 4 May 2016 19:06:22 +0000 (21:06 +0200)]
tpm: Add include guards in tpm.h

Add missing include guards in tpm.h

Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Fix suspend regression
Stefan Berger [Wed, 11 May 2016 15:28:27 +0000 (11:28 -0400)]
tpm: Fix suspend regression

Fix the suspend regression due to the wrong way of retrieving the
chip structure. The suspend functions are attached to the hardware
device, not the chip and thus must rely on drvdata.

Fixes: e89f8b1ade9cc1a ("tpm: Remove all uses of drvdata from the TPM Core")
Reported-by: Jeremiah Mahler <jmmahler@gmail.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Jeremiah Mahler <jmmahler@gmail.com>
Acked-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
9 years agotpm: fix for typo in tpm/tpm_ibmvtpm.c
Stephen Rothwell [Thu, 28 Apr 2016 05:27:17 +0000 (15:27 +1000)]
tpm: fix for typo in tpm/tpm_ibmvtpm.c

Fixes: 28157164b056 ("tpm: Remove useless priv field in struct tpm_vendor_specific")
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: select ANON_INODES for proxy driver
Arnd Bergmann [Thu, 28 Apr 2016 10:46:13 +0000 (12:46 +0200)]
tpm: select ANON_INODES for proxy driver

The newly added vtpmx driver fails to build if CONFIG_ANON_INODES
is disabled:

drivers/char/built-in.o: In function `vtpmx_fops_ioctl':
(.text+0x97f8): undefined reference to `anon_inode_getfile'

This adds a Kconfig 'select' statement to ensure it's always there
when we need it.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 794c38e01358 ("tpm: Proxy driver for supporting multiple emulated TPMs")
Acked-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Fix IRQ unwind ordering in TIS
Jason Gunthorpe [Wed, 27 Apr 2016 16:58:46 +0000 (10:58 -0600)]
tpm: Fix IRQ unwind ordering in TIS

The devm for the IRQ was placed on the chip, not the pdev. This can
cause the irq to be still callable after the pdev has been cleaned up
(eg priv kfree'd).

Found by CONFIG_DEBUG_SHIRQ=y

Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Add documentation for the tpm_vtpm_proxy device driver
Stefan Berger [Mon, 18 Apr 2016 17:26:16 +0000 (13:26 -0400)]
tpm: Add documentation for the tpm_vtpm_proxy device driver

Add documentation for the tpm_vtpm device driver that implements
support for providing TPM functionality to Linux containers.

Parts of this documentation were recycled from the Xen vTPM
device driver documentation.

Update the documentation for the ioctl numbers.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
CC: linux-kernel@vger.kernel.org
CC: linux-doc@vger.kernel.org
CC: linux-api@vger.kernel.org
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Proxy driver for supporting multiple emulated TPMs
Stefan Berger [Mon, 18 Apr 2016 17:26:15 +0000 (13:26 -0400)]
tpm: Proxy driver for supporting multiple emulated TPMs

This patch implements a proxy driver for supporting multiple emulated TPMs
in a system.

The driver implements a device /dev/vtpmx that is used to created
a client device pair /dev/tpmX (e.g., /dev/tpm10) and a server side that
is accessed using a file descriptor returned by an ioctl.
The device /dev/tpmX is the usual TPM device created by the core TPM
driver. Applications or kernel subsystems can send TPM commands to it
and the corresponding server-side file descriptor receives these
commands and delivers them to an emulated TPM.

The driver retrievs the TPM 1.2 durations and timeouts. Since this requires
the startup of the TPM, we send a startup for TPM 1.2 as well as TPM 2.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
CC: linux-kernel@vger.kernel.org
CC: linux-doc@vger.kernel.org
CC: linux-api@vger.kernel.org
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Introduce TPM_CHIP_FLAG_VIRTUAL
Stefan Berger [Mon, 18 Apr 2016 17:26:14 +0000 (13:26 -0400)]
tpm: Introduce TPM_CHIP_FLAG_VIRTUAL

Introduce TPM_CHIP_FLAG_VIRTUAL to be used when the chip device has no
parent device.

Prevent sysfs entries requiring a parent device from being created.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Remove all uses of drvdata from the TPM Core
Jason Gunthorpe [Mon, 18 Apr 2016 17:26:13 +0000 (13:26 -0400)]
tpm: Remove all uses of drvdata from the TPM Core

The final thing preventing this was the way the sysfs files were
attached to the pdev. Follow the approach developed for ppi and move
the sysfs files to the chip->dev with symlinks from the pdev
for compatibility. Everything in the core now sanely uses container_of
to get the chip.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Remove useless priv field in struct tpm_vendor_specific
Christophe Ricard [Thu, 31 Mar 2016 20:57:00 +0000 (22:57 +0200)]
tpm: Remove useless priv field in struct tpm_vendor_specific

Remove useless priv field in struct tpm_vendor_specific and take benefit
of chip->dev.driver_data.  As priv is the latest field available in
struct tpm_vendor_specific, remove any reference to that structure.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Move tpm_vendor_specific data related with PTP specification to tpm_chip
Christophe Ricard [Thu, 31 Mar 2016 20:56:59 +0000 (22:56 +0200)]
tpm: Move tpm_vendor_specific data related with PTP specification to tpm_chip

Move tpm_vendor_specific data related to TCG PTP specification to tpm_chip.

Move all fields directly linked with well known TCG concepts and used in
TPM drivers (tpm_i2c_atmel, tpm_i2c_infineon, tpm_i2c_nuvoton, tpm_tis
and xen-tpmfront) as well as in TPM core files (tpm-sysfs, tpm-interface
and tpm2-cmd) in tpm_chip.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop 'locality' from struct tpm_vendor_specific
Christophe Ricard [Thu, 31 Mar 2016 20:56:58 +0000 (22:56 +0200)]
tpm: drop 'locality' from struct tpm_vendor_specific

Dropped the field 'locality' from struct tpm_vendor_specific migrated it to
the private structures of st33zp24, tpm_i2c_infineon and tpm_tis.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop 'read_queue' from struct tpm_vendor_specific
Christophe Ricard [Thu, 31 Mar 2016 20:56:57 +0000 (22:56 +0200)]
tpm: drop 'read_queue' from struct tpm_vendor_specific

Dropped the field 'read_queue' from struct tpm_vendor_specific and make it
available to the various private structures in the drivers.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop 'irq' from struct tpm_vendor_specific
Christophe Ricard [Thu, 31 Mar 2016 20:56:56 +0000 (22:56 +0200)]
tpm: drop 'irq' from struct tpm_vendor_specific

Dropped the field 'irq' from struct tpm_vendor_specific and make it
available to the various private structures in the drivers using irqs.

A dedicated flag TPM_CHIP_FLAG_IRQ is added for the upper layers.

In st33zp24, struct st33zp24_dev declaration is moved to st33zp24.h in
order to make accessible irq from other phy's(i2c, spi).

In tpm_i2c_nuvoton, chip->vendor.priv is not directly allocated. We can
access irq field from priv_data in a cleaner way.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop 'iobase' from struct tpm_vendor_specific
Christophe Ricard [Thu, 31 Mar 2016 20:56:55 +0000 (22:56 +0200)]
tpm: drop 'iobase' from struct tpm_vendor_specific

Dropped the field 'iobase' from struct tpm_vendor_specific and migrated
it to the private structures of tpm_atmel and tpm_tis.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop list from struct tpm_vendor_specific
Christophe Ricard [Wed, 23 Mar 2016 20:17:17 +0000 (21:17 +0100)]
tpm: drop list from struct tpm_vendor_specific

Dropped list from struct tpm_vendor_specific as it is not used in any
place.

It is initialized in tpm_i2c_infineon but not used at all in the code.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: drop the field 'time_expired' from struct tpm_chip
Jarkko Sakkinen [Wed, 23 Mar 2016 06:23:39 +0000 (08:23 +0200)]
tpm: drop the field 'time_expired' from struct tpm_chip

Removed the field because it is not used for anything.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: drop 'base' from struct tpm_vendor_specific
Jarkko Sakkinen [Wed, 23 Mar 2016 06:16:09 +0000 (08:16 +0200)]
tpm: drop 'base' from struct tpm_vendor_specific

Dropped the field 'base' from struct tpm_vendor_specific and migrated
it to the private structures of tpm_atmel and tpm_nsc.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: drop manufacturer_id from struct tpm_vendor_specific
Jarkko Sakkinen [Wed, 23 Mar 2016 05:31:56 +0000 (07:31 +0200)]
tpm: drop manufacturer_id from struct tpm_vendor_specific

Dropped manufacturer_id from struct tpm_vendor_specific and redeclared
it in the private struct priv_data that tpm_tis uses because the field
is only used tpm_tis.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: drop tpm_atmel specific fields from tpm_vendor_specific
Jarkko Sakkinen [Wed, 23 Mar 2016 05:10:22 +0000 (07:10 +0200)]
tpm: drop tpm_atmel specific fields from tpm_vendor_specific

Introduced a private struct tpm_atmel_priv that contains the variables
have_region and region_size that were previously located in struct
tpm_vendor_specific. These fields were only used by tpm_atmel.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: drop int_queue from tpm_vendor_specific
Jarkko Sakkinen [Tue, 22 Mar 2016 04:20:09 +0000 (06:20 +0200)]
tpm: drop int_queue from tpm_vendor_specific

Drop field int_queue from tpm_vendor_specific as it is used only by
tpm_tis. Probably all of the fields should be eventually dropped and
moved to the private structures of different drivers but it is better to
do this one step at a time in order not to break anything.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: check for TPM_CHIP_FLAG_TPM2 before calling tpm2_shutdown()
Jarkko Sakkinen [Mon, 25 Apr 2016 09:20:07 +0000 (12:20 +0300)]
tpm: check for TPM_CHIP_FLAG_TPM2 before calling tpm2_shutdown()

Fixes: 20e0152393b41 ("tpm: fix crash in tpm_tis deinitialization")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-By: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm_crb: fix mapping of the buffers
Jarkko Sakkinen [Tue, 19 Apr 2016 09:54:18 +0000 (12:54 +0300)]
tpm_crb: fix mapping of the buffers

On my Lenovo x250 the following situation occurs:

[18697.813871] tpm_crb MSFT0101:00: can't request region for resource
[mem 0xacdff080-0xacdfffff]

The mapping of the control area overlaps the mapping of the command
buffer. The control area is mapped over page, which is not right. It
should mapped over sizeof(struct crb_control_area).

Fixing this issue unmasks another issue. Command and response buffers
can overlap and they do interleave on this machine. According to the PTP
specification the overlapping means that they are mapped to the same
buffer.

The commit has been also on a Haswell NUC where things worked before
applying this fix so that the both code paths for response buffer
initialization are tested.

Cc: stable@vger.kernel.org
Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm/st33zp24: Remove unneeded tpm_reg in get_burstcount
Christophe Ricard [Wed, 23 Mar 2016 07:55:34 +0000 (08:55 +0100)]
tpm/st33zp24: Remove unneeded tpm_reg in get_burstcount

We can get rid of tpm_reg variable in get_burstcount.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm/st33zp24/spi: Drop two useless checks in ACPI probe path
Christophe Ricard [Wed, 23 Mar 2016 07:55:33 +0000 (08:55 +0100)]
tpm/st33zp24/spi: Drop two useless checks in ACPI probe path

When st33zp24_spi_acpi_request_resources() gets called we
already know that the entries in ->acpi_match_table have matched ACPI ID
of the device.
In addition spi_device pointer cannot be NULL in any case (otherwise I2C
core would not call ->probe() for the driver in the first place).

Drop the two useless checks from the driver.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm/st33zp24/i2c: Drop two useless checks in ACPI probe path
Christophe Ricard [Wed, 23 Mar 2016 07:55:32 +0000 (08:55 +0100)]
tpm/st33zp24/i2c: Drop two useless checks in ACPI probe path

When st33zp24_i2c_acpi_request_resources() gets called we
already know that the entries in ->acpi_match_table have matched ACPI ID
of the device.
In addition I2C client pointer cannot be NULL in any case (otherwise I2C
core would not call ->probe() for the driver in the first place).

Drop the two useless checks from the driver.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm_crb: drop struct resource res from struct crb_priv
Jarkko Sakkinen [Tue, 15 Mar 2016 19:41:40 +0000 (21:41 +0200)]
tpm_crb: drop struct resource res from struct crb_priv

The iomem resource is needed only temporarily so it is better to pass
it on instead of storing it permanently. Named the variable as io_res
so that the code better documents itself.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
9 years agotpm: fix crash in tpm_tis deinitialization
Jarkko Sakkinen [Mon, 11 Apr 2016 11:20:57 +0000 (14:20 +0300)]
tpm: fix crash in tpm_tis deinitialization

rmmod crashes the driver because tpm_chip_unregister() already sets ops
to NULL. This commit fixes the issue by moving tpm2_shutdown() to
tpm_chip_unregister(). This commit is also cleanup because it removes
duplicate code from tpm_crb and tpm_tis to the core.

Fixes: 4d3eac5e156a ("tpm: Provide strong locking for device removal")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
9 years agotpm: cleanup tpm_tis_remove()
Jarkko Sakkinen [Thu, 31 Mar 2016 10:05:36 +0000 (13:05 +0300)]
tpm: cleanup tpm_tis_remove()

Created a local variable pointing to the INT_ENABLE_x register. The
expression clearing INT_ENABLE_x.globalIntEnable is unreadable and
hard to modify without surpassing the 80 char boundary.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Christophe Ricard <christophe-h.ricard@st.com>
9 years agotpm: fix tpm_bios_log_setup stub prototype
Arnd Bergmann [Wed, 16 Mar 2016 08:19:48 +0000 (09:19 +0100)]
tpm: fix tpm_bios_log_setup stub prototype

A cleanup patch changed the prototype of the regular tpm_bios_log_setup
function, but not that of the stub that is used when the TPM is disabled,
causing a harmless build warning:

drivers/char/tpm/tpm-chip.c: In function 'tpm1_chip_register':
drivers/char/tpm/tpm-chip.c:287:38: error: passing argument 1 of 'tpm_bios_log_setup' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  chip->bios_dir = tpm_bios_log_setup(dev_name(&chip->dev));
In file included from ../drivers/char/tpm/tpm-chip.c:30:0:
../drivers/char/tpm/tpm_eventlog.h:83:31: note: expected 'char *' but argument is of type 'const char *'
 static inline struct dentry **tpm_bios_log_setup(char *name)

This changes the stub function to match the normal prototype,
avoiding that warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: aca8db8088c3 ("tpm: Get rid of devname")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Replace device number bitmap with IDR
Stefan Berger [Mon, 29 Feb 2016 13:53:02 +0000 (08:53 -0500)]
tpm: Replace device number bitmap with IDR

Replace the device number bitmap with IDR. Extend the number of devices we
can create to 64k.
Since an IDR allows us to associate a pointer with an ID, we use this now
to rewrite tpm_chip_find_get() to simply look up the chip pointer by the
given device ID.

Protect the IDR calls with a mutex.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Split out the devm stuff from tpmm_chip_alloc
Jason Gunthorpe [Thu, 11 Feb 2016 19:45:48 +0000 (12:45 -0700)]
tpm: Split out the devm stuff from tpmm_chip_alloc

tpm_chip_alloc becomes a typical subsystem allocate call.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Get rid of module locking
Stefan Berger [Mon, 29 Feb 2016 13:53:01 +0000 (08:53 -0500)]
tpm: Get rid of module locking

Now that the tpm core has strong locking around 'ops' it is possible
to remove a TPM driver, module and all, even while user space still
has things like /dev/tpmX open. For consistency and simplicity, drop
the module locking entirely.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
9 years agotpm: Provide strong locking for device removal
Jason Gunthorpe [Sat, 13 Feb 2016 03:29:53 +0000 (20:29 -0700)]
tpm: Provide strong locking for device removal

Add a read/write semaphore around the ops function pointers so
ops can be set to null when the driver un-registers.

Previously the tpm core expected module locking to be enough to
ensure that tpm_unregister could not be called during certain times,
however that hasn't been sufficient for a long time.

Introduce a read/write semaphore around 'ops' so the core can set
it to null when unregistering. This provides a strong fence around
the driver callbacks, guaranteeing to the driver that no callbacks
are running or will run again.

For now the ops_lock is placed very high in the call stack, it could
be pushed down and made more granular in future if necessary.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>