search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 4.18.10
[linux/fpc-iii.git] / drivers / char / tpm / tpm2-space.c
blob11c85ed8c1136f32a865446b3a6733b223adad09
1 /*
2 * Copyright (C) 2016 Intel Corporation
3 *
4 * Authors:
5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
6 *
7 * Maintained by: <tpmdd-devel@lists.sourceforge.net>
8 *
9 * This file contains TPM2 protocol implementations of the commands
10 * used by the kernel internally.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; version 2
15 * of the License.
16 */
17
18 #include <linux/gfp.h>
19 #include <asm/unaligned.h>
20 #include "tpm.h"
21
22 enum tpm2_handle_types {
23 TPM2_HT_HMAC_SESSION = 0x02000000,
24 TPM2_HT_POLICY_SESSION = 0x03000000,
25 TPM2_HT_TRANSIENT = 0x80000000,
26 };
27
28 struct tpm2_context {
29 __be64 sequence;
30 __be32 saved_handle;
31 __be32 hierarchy;
32 __be16 blob_size;
33 } __packed;
34
35 static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space)
36 {
37 int i;
38
39 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
40 if (space->session_tbl[i])
41 tpm2_flush_context_cmd(chip, space->session_tbl[i],
42 TPM_TRANSMIT_UNLOCKED |
43 TPM_TRANSMIT_RAW);
44 }
45 }
46
47 int tpm2_init_space(struct tpm_space *space)
48 {
49 space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
50 if (!space->context_buf)
51 return -ENOMEM;
52
53 space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
54 if (space->session_buf == NULL) {
55 kfree(space->context_buf);
56 return -ENOMEM;
57 }
58
59 return 0;
60 }
61
62 void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
63 {
64 mutex_lock(&chip->tpm_mutex);
65 tpm2_flush_sessions(chip, space);
66 mutex_unlock(&chip->tpm_mutex);
67 kfree(space->context_buf);
68 kfree(space->session_buf);
69 }
70
71 static int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
72 unsigned int *offset, u32 *handle)
73 {
74 struct tpm_buf tbuf;
75 struct tpm2_context *ctx;
76 unsigned int body_size;
77 int rc;
78
79 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD);
80 if (rc)
81 return rc;
82
83 ctx = (struct tpm2_context *)&buf[*offset];
84 body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size);
85 tpm_buf_append(&tbuf, &buf[*offset], body_size);
86
87 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
88 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
89 if (rc < 0) {
90 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
91 __func__, rc);
92 tpm_buf_destroy(&tbuf);
93 return -EFAULT;
94 } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE ||
95 rc == TPM2_RC_REFERENCE_H0) {
96 /*
97 * TPM_RC_HANDLE means that the session context can't
98 * be loaded because of an internal counter mismatch
99 * that makes the TPM think there might have been a
100 * replay. This might happen if the context was saved
101 * and loaded outside the space.
102 *
103 * TPM_RC_REFERENCE_H0 means the session has been
104 * flushed outside the space
105 */
106 *handle = 0;
107 tpm_buf_destroy(&tbuf);
108 return -ENOENT;
109 } else if (rc > 0) {
110 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
111 __func__, rc);
112 tpm_buf_destroy(&tbuf);
113 return -EFAULT;
114 }
115
116 *handle = be32_to_cpup((__be32 *)&tbuf.data[TPM_HEADER_SIZE]);
117 *offset += body_size;
118
119 tpm_buf_destroy(&tbuf);
120 return 0;
121 }
122
123 static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf,
124 unsigned int buf_size, unsigned int *offset)
125 {
126 struct tpm_buf tbuf;
127 unsigned int body_size;
128 int rc;
129
130 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE);
131 if (rc)
132 return rc;
133
134 tpm_buf_append_u32(&tbuf, handle);
135
136 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0,
137 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
138 if (rc < 0) {
139 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
140 __func__, rc);
141 tpm_buf_destroy(&tbuf);
142 return -EFAULT;
143 } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
144 tpm_buf_destroy(&tbuf);
145 return -ENOENT;
146 } else if (rc) {
147 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
148 __func__, rc);
149 tpm_buf_destroy(&tbuf);
150 return -EFAULT;
151 }
152
153 body_size = tpm_buf_length(&tbuf) - TPM_HEADER_SIZE;
154 if ((*offset + body_size) > buf_size) {
155 dev_warn(&chip->dev, "%s: out of backing storage\n", __func__);
156 tpm_buf_destroy(&tbuf);
157 return -ENOMEM;
158 }
159
160 memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size);
161 *offset += body_size;
162 tpm_buf_destroy(&tbuf);
163 return 0;
164 }
165
166 static void tpm2_flush_space(struct tpm_chip *chip)
167 {
168 struct tpm_space *space = &chip->work_space;
169 int i;
170
171 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
172 if (space->context_tbl[i] && ~space->context_tbl[i])
173 tpm2_flush_context_cmd(chip, space->context_tbl[i],
174 TPM_TRANSMIT_UNLOCKED |
175 TPM_TRANSMIT_RAW);
176
177 tpm2_flush_sessions(chip, space);
178 }
179
180 static int tpm2_load_space(struct tpm_chip *chip)
181 {
182 struct tpm_space *space = &chip->work_space;
183 unsigned int offset;
184 int i;
185 int rc;
186
187 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
188 if (!space->context_tbl[i])
189 continue;
190
191 /* sanity check, should never happen */
192 if (~space->context_tbl[i]) {
193 dev_err(&chip->dev, "context table is inconsistent");
194 return -EFAULT;
195 }
196
197 rc = tpm2_load_context(chip, space->context_buf, &offset,
198 &space->context_tbl[i]);
199 if (rc)
200 return rc;
201 }
202
203 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
204 u32 handle;
205
206 if (!space->session_tbl[i])
207 continue;
208
209 rc = tpm2_load_context(chip, space->session_buf,
210 &offset, &handle);
211 if (rc == -ENOENT) {
212 /* load failed, just forget session */
213 space->session_tbl[i] = 0;
214 } else if (rc) {
215 tpm2_flush_space(chip);
216 return rc;
217 }
218 if (handle != space->session_tbl[i]) {
219 dev_warn(&chip->dev, "session restored to wrong handle\n");
220 tpm2_flush_space(chip);
221 return -EFAULT;
222 }
223 }
224
225 return 0;
226 }
227
228 static bool tpm2_map_to_phandle(struct tpm_space *space, void *handle)
229 {
230 u32 vhandle = be32_to_cpup((__be32 *)handle);
231 u32 phandle;
232 int i;
233
234 i = 0xFFFFFF - (vhandle & 0xFFFFFF);
235 if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
236 return false;
237
238 phandle = space->context_tbl[i];
239 *((__be32 *)handle) = cpu_to_be32(phandle);
240 return true;
241 }
242
243 static int tpm2_map_command(struct tpm_chip *chip, u32 cc, u8 *cmd)
244 {
245 struct tpm_space *space = &chip->work_space;
246 unsigned int nr_handles;
247 u32 attrs;
248 __be32 *handle;
249 int i;
250
251 i = tpm2_find_cc(chip, cc);
252 if (i < 0)
253 return -EINVAL;
254
255 attrs = chip->cc_attrs_tbl[i];
256 nr_handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
257
258 handle = (__be32 *)&cmd[TPM_HEADER_SIZE];
259 for (i = 0; i < nr_handles; i++, handle++) {
260 if ((be32_to_cpu(*handle) & 0xFF000000) == TPM2_HT_TRANSIENT) {
261 if (!tpm2_map_to_phandle(space, handle))
262 return -EINVAL;
263 }
264 }
265
266 return 0;
267 }
268
269 int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
270 u8 *cmd)
271 {
272 int rc;
273
274 if (!space)
275 return 0;
276
277 memcpy(&chip->work_space.context_tbl, &space->context_tbl,
278 sizeof(space->context_tbl));
279 memcpy(&chip->work_space.session_tbl, &space->session_tbl,
280 sizeof(space->session_tbl));
281 memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE);
282 memcpy(chip->work_space.session_buf, space->session_buf, PAGE_SIZE);
283
284 rc = tpm2_load_space(chip);
285 if (rc) {
286 tpm2_flush_space(chip);
287 return rc;
288 }
289
290 rc = tpm2_map_command(chip, cc, cmd);
291 if (rc) {
292 tpm2_flush_space(chip);
293 return rc;
294 }
295
296 return 0;
297 }
298
299 static bool tpm2_add_session(struct tpm_chip *chip, u32 handle)
300 {
301 struct tpm_space *space = &chip->work_space;
302 int i;
303
304 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++)
305 if (space->session_tbl[i] == 0)
306 break;
307
308 if (i == ARRAY_SIZE(space->session_tbl))
309 return false;
310
311 space->session_tbl[i] = handle;
312 return true;
313 }
314
315 static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool alloc)
316 {
317 int i;
318
319 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
320 if (alloc) {
321 if (!space->context_tbl[i]) {
322 space->context_tbl[i] = phandle;
323 break;
324 }
325 } else if (space->context_tbl[i] == phandle)
326 break;
327 }
328
329 if (i == ARRAY_SIZE(space->context_tbl))
330 return 0;
331
332 return TPM2_HT_TRANSIENT | (0xFFFFFF - i);
333 }
334
335 static int tpm2_map_response_header(struct tpm_chip *chip, u32 cc, u8 *rsp,
336 size_t len)
337 {
338 struct tpm_space *space = &chip->work_space;
339 struct tpm_output_header *header = (void *)rsp;
340 u32 phandle;
341 u32 phandle_type;
342 u32 vhandle;
343 u32 attrs;
344 int i;
345
346 if (be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS)
347 return 0;
348
349 i = tpm2_find_cc(chip, cc);
350 /* sanity check, should never happen */
351 if (i < 0)
352 return -EFAULT;
353
354 attrs = chip->cc_attrs_tbl[i];
355 if (!((attrs >> TPM2_CC_ATTR_RHANDLE) & 1))
356 return 0;
357
358 phandle = be32_to_cpup((__be32 *)&rsp[TPM_HEADER_SIZE]);
359 phandle_type = phandle & 0xFF000000;
360
361 switch (phandle_type) {
362 case TPM2_HT_TRANSIENT:
363 vhandle = tpm2_map_to_vhandle(space, phandle, true);
364 if (!vhandle)
365 goto out_no_slots;
366
367 *(__be32 *)&rsp[TPM_HEADER_SIZE] = cpu_to_be32(vhandle);
368 break;
369 case TPM2_HT_HMAC_SESSION:
370 case TPM2_HT_POLICY_SESSION:
371 if (!tpm2_add_session(chip, phandle))
372 goto out_no_slots;
373 break;
374 default:
375 dev_err(&chip->dev, "%s: unknown handle 0x%08X\n",
376 __func__, phandle);
377 break;
378 };
379
380 return 0;
381 out_no_slots:
382 tpm2_flush_context_cmd(chip, phandle,
383 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW);
384 dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__,
385 phandle);
386 return -ENOMEM;
387 }
388
389 struct tpm2_cap_handles {
390 u8 more_data;
391 __be32 capability;
392 __be32 count;
393 __be32 handles[];
394 } __packed;
395
396 static int tpm2_map_response_body(struct tpm_chip *chip, u32 cc, u8 *rsp,
397 size_t len)
398 {
399 struct tpm_space *space = &chip->work_space;
400 struct tpm_output_header *header = (void *)rsp;
401 struct tpm2_cap_handles *data;
402 u32 phandle;
403 u32 phandle_type;
404 u32 vhandle;
405 int i;
406 int j;
407
408 if (cc != TPM2_CC_GET_CAPABILITY ||
409 be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS) {
410 return 0;
411 }
412
413 if (len < TPM_HEADER_SIZE + 9)
414 return -EFAULT;
415
416 data = (void *)&rsp[TPM_HEADER_SIZE];
417 if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES)
418 return 0;
419
420 if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count))
421 return -EFAULT;
422
423 for (i = 0, j = 0; i < be32_to_cpu(data->count); i++) {
424 phandle = be32_to_cpup((__be32 *)&data->handles[i]);
425 phandle_type = phandle & 0xFF000000;
426
427 switch (phandle_type) {
428 case TPM2_HT_TRANSIENT:
429 vhandle = tpm2_map_to_vhandle(space, phandle, false);
430 if (!vhandle)
431 break;
432
433 data->handles[j] = cpu_to_be32(vhandle);
434 j++;
435 break;
436
437 default:
438 data->handles[j] = cpu_to_be32(phandle);
439 j++;
440 break;
441 }
442
443 }
444
445 header->length = cpu_to_be32(TPM_HEADER_SIZE + 9 + 4 * j);
446 data->count = cpu_to_be32(j);
447 return 0;
448 }
449
450 static int tpm2_save_space(struct tpm_chip *chip)
451 {
452 struct tpm_space *space = &chip->work_space;
453 unsigned int offset;
454 int i;
455 int rc;
456
457 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
458 if (!(space->context_tbl[i] && ~space->context_tbl[i]))
459 continue;
460
461 rc = tpm2_save_context(chip, space->context_tbl[i],
462 space->context_buf, PAGE_SIZE,
463 &offset);
464 if (rc == -ENOENT) {
465 space->context_tbl[i] = 0;
466 continue;
467 } else if (rc)
468 return rc;
469
470 tpm2_flush_context_cmd(chip, space->context_tbl[i],
471 TPM_TRANSMIT_UNLOCKED |
472 TPM_TRANSMIT_RAW);
473 space->context_tbl[i] = ~0;
474 }
475
476 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
477 if (!space->session_tbl[i])
478 continue;
479
480 rc = tpm2_save_context(chip, space->session_tbl[i],
481 space->session_buf, PAGE_SIZE,
482 &offset);
483
484 if (rc == -ENOENT) {
485 /* handle error saving session, just forget it */
486 space->session_tbl[i] = 0;
487 } else if (rc < 0) {
488 tpm2_flush_space(chip);
489 return rc;
490 }
491 }
492
493 return 0;
494 }
495
496 int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
497 u32 cc, u8 *buf, size_t *bufsiz)
498 {
499 struct tpm_output_header *header = (void *)buf;
500 int rc;
501
502 if (!space)
503 return 0;
504
505 rc = tpm2_map_response_header(chip, cc, buf, *bufsiz);
506 if (rc) {
507 tpm2_flush_space(chip);
508 return rc;
509 }
510
511 rc = tpm2_map_response_body(chip, cc, buf, *bufsiz);
512 if (rc) {
513 tpm2_flush_space(chip);
514 return rc;
515 }
516
517 rc = tpm2_save_space(chip);
518 if (rc) {
519 tpm2_flush_space(chip);
520 return rc;
521 }
522
523 *bufsiz = be32_to_cpu(header->length);
524
525 memcpy(&space->context_tbl, &chip->work_space.context_tbl,
526 sizeof(space->context_tbl));
527 memcpy(&space->session_tbl, &chip->work_space.session_tbl,
528 sizeof(space->session_tbl));
529 memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE);
530 memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE);
531
532 return 0;
533 }
Linux with added FPC-III support