2 * Copyright (C) 2016 Intel Corporation
5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 * Maintained by: <tpmdd-devel@lists.sourceforge.net>
9 * This file contains TPM2 protocol implementations of the commands
10 * used by the kernel internally.
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; version 2
18 #include <linux/gfp.h>
19 #include <asm/unaligned.h>
22 enum tpm2_handle_types {
23 TPM2_HT_HMAC_SESSION = 0x02000000,
24 TPM2_HT_POLICY_SESSION = 0x03000000,
25 TPM2_HT_TRANSIENT = 0x80000000,
35 static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space)
39 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
40 if (space->session_tbl[i])
41 tpm2_flush_context_cmd(chip, space->session_tbl[i],
42 TPM_TRANSMIT_UNLOCKED |
47 int tpm2_init_space(struct tpm_space *space, unsigned int buf_size)
49 space->context_buf = kzalloc(buf_size, GFP_KERNEL);
50 if (!space->context_buf)
53 space->session_buf = kzalloc(buf_size, GFP_KERNEL);
54 if (space->session_buf == NULL) {
55 kfree(space->context_buf);
56 /* Prevent caller getting a dangling pointer. */
57 space->context_buf = NULL;
61 space->buf_size = buf_size;
65 void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
67 mutex_lock(&chip->tpm_mutex);
68 tpm2_flush_sessions(chip, space);
69 mutex_unlock(&chip->tpm_mutex);
70 kfree(space->context_buf);
71 kfree(space->session_buf);
74 static int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
75 unsigned int *offset, u32 *handle)
78 struct tpm2_context *ctx;
79 unsigned int body_size;
82 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD);
86 ctx = (struct tpm2_context *)&buf[*offset];
87 body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size);
88 tpm_buf_append(&tbuf, &buf[*offset], body_size);
90 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
91 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
93 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
95 tpm_buf_destroy(&tbuf);
97 } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE ||
98 rc == TPM2_RC_REFERENCE_H0) {
100 * TPM_RC_HANDLE means that the session context can't
101 * be loaded because of an internal counter mismatch
102 * that makes the TPM think there might have been a
103 * replay. This might happen if the context was saved
104 * and loaded outside the space.
106 * TPM_RC_REFERENCE_H0 means the session has been
107 * flushed outside the space
110 tpm_buf_destroy(&tbuf);
113 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
115 tpm_buf_destroy(&tbuf);
119 *handle = be32_to_cpup((__be32 *)&tbuf.data[TPM_HEADER_SIZE]);
120 *offset += body_size;
122 tpm_buf_destroy(&tbuf);
126 static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf,
127 unsigned int buf_size, unsigned int *offset)
130 unsigned int body_size;
133 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE);
137 tpm_buf_append_u32(&tbuf, handle);
139 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0,
140 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
142 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
144 tpm_buf_destroy(&tbuf);
146 } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
147 tpm_buf_destroy(&tbuf);
150 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
152 tpm_buf_destroy(&tbuf);
156 body_size = tpm_buf_length(&tbuf) - TPM_HEADER_SIZE;
157 if ((*offset + body_size) > buf_size) {
158 dev_warn(&chip->dev, "%s: out of backing storage\n", __func__);
159 tpm_buf_destroy(&tbuf);
163 memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size);
164 *offset += body_size;
165 tpm_buf_destroy(&tbuf);
169 static void tpm2_flush_space(struct tpm_chip *chip)
171 struct tpm_space *space = &chip->work_space;
174 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
175 if (space->context_tbl[i] && ~space->context_tbl[i])
176 tpm2_flush_context_cmd(chip, space->context_tbl[i],
177 TPM_TRANSMIT_UNLOCKED |
180 tpm2_flush_sessions(chip, space);
183 static int tpm2_load_space(struct tpm_chip *chip)
185 struct tpm_space *space = &chip->work_space;
190 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
191 if (!space->context_tbl[i])
194 /* sanity check, should never happen */
195 if (~space->context_tbl[i]) {
196 dev_err(&chip->dev, "context table is inconsistent");
200 rc = tpm2_load_context(chip, space->context_buf, &offset,
201 &space->context_tbl[i]);
206 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
209 if (!space->session_tbl[i])
212 rc = tpm2_load_context(chip, space->session_buf,
215 /* load failed, just forget session */
216 space->session_tbl[i] = 0;
218 tpm2_flush_space(chip);
221 if (handle != space->session_tbl[i]) {
222 dev_warn(&chip->dev, "session restored to wrong handle\n");
223 tpm2_flush_space(chip);
231 static bool tpm2_map_to_phandle(struct tpm_space *space, void *handle)
233 u32 vhandle = be32_to_cpup((__be32 *)handle);
237 i = 0xFFFFFF - (vhandle & 0xFFFFFF);
238 if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
241 phandle = space->context_tbl[i];
242 *((__be32 *)handle) = cpu_to_be32(phandle);
246 static int tpm2_map_command(struct tpm_chip *chip, u32 cc, u8 *cmd)
248 struct tpm_space *space = &chip->work_space;
249 unsigned int nr_handles;
254 i = tpm2_find_cc(chip, cc);
258 attrs = chip->cc_attrs_tbl[i];
259 nr_handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
261 handle = (u32 *)&cmd[TPM_HEADER_SIZE];
262 for (i = 0; i < nr_handles; i++, handle++) {
263 if ((be32_to_cpu(*handle) & 0xFF000000) == TPM2_HT_TRANSIENT) {
264 if (!tpm2_map_to_phandle(space, handle))
272 int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
280 memcpy(&chip->work_space.context_tbl, &space->context_tbl,
281 sizeof(space->context_tbl));
282 memcpy(&chip->work_space.session_tbl, &space->session_tbl,
283 sizeof(space->session_tbl));
284 memcpy(chip->work_space.context_buf, space->context_buf,
286 memcpy(chip->work_space.session_buf, space->session_buf,
289 rc = tpm2_load_space(chip);
291 tpm2_flush_space(chip);
295 rc = tpm2_map_command(chip, cc, cmd);
297 tpm2_flush_space(chip);
304 static bool tpm2_add_session(struct tpm_chip *chip, u32 handle)
306 struct tpm_space *space = &chip->work_space;
309 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++)
310 if (space->session_tbl[i] == 0)
313 if (i == ARRAY_SIZE(space->session_tbl))
316 space->session_tbl[i] = handle;
320 static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool alloc)
324 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
326 if (!space->context_tbl[i]) {
327 space->context_tbl[i] = phandle;
330 } else if (space->context_tbl[i] == phandle)
334 if (i == ARRAY_SIZE(space->context_tbl))
337 return TPM2_HT_TRANSIENT | (0xFFFFFF - i);
340 static int tpm2_map_response_header(struct tpm_chip *chip, u32 cc, u8 *rsp,
343 struct tpm_space *space = &chip->work_space;
344 struct tpm_output_header *header = (void *)rsp;
351 if (be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS)
354 i = tpm2_find_cc(chip, cc);
355 /* sanity check, should never happen */
359 attrs = chip->cc_attrs_tbl[i];
360 if (!((attrs >> TPM2_CC_ATTR_RHANDLE) & 1))
363 phandle = be32_to_cpup((__be32 *)&rsp[TPM_HEADER_SIZE]);
364 phandle_type = phandle & 0xFF000000;
366 switch (phandle_type) {
367 case TPM2_HT_TRANSIENT:
368 vhandle = tpm2_map_to_vhandle(space, phandle, true);
372 *(__be32 *)&rsp[TPM_HEADER_SIZE] = cpu_to_be32(vhandle);
374 case TPM2_HT_HMAC_SESSION:
375 case TPM2_HT_POLICY_SESSION:
376 if (!tpm2_add_session(chip, phandle))
380 dev_err(&chip->dev, "%s: unknown handle 0x%08X\n",
387 tpm2_flush_context_cmd(chip, phandle,
388 TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW);
389 dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__,
394 struct tpm2_cap_handles {
401 static int tpm2_map_response_body(struct tpm_chip *chip, u32 cc, u8 *rsp,
404 struct tpm_space *space = &chip->work_space;
405 struct tpm_output_header *header = (void *)rsp;
406 struct tpm2_cap_handles *data;
413 if (cc != TPM2_CC_GET_CAPABILITY ||
414 be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS) {
418 if (len < TPM_HEADER_SIZE + 9)
421 data = (void *)&rsp[TPM_HEADER_SIZE];
422 if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES)
425 if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4)
428 if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count))
431 for (i = 0, j = 0; i < be32_to_cpu(data->count); i++) {
432 phandle = be32_to_cpup((__be32 *)&data->handles[i]);
433 phandle_type = phandle & 0xFF000000;
435 switch (phandle_type) {
436 case TPM2_HT_TRANSIENT:
437 vhandle = tpm2_map_to_vhandle(space, phandle, false);
441 data->handles[j] = cpu_to_be32(vhandle);
446 data->handles[j] = cpu_to_be32(phandle);
453 header->length = cpu_to_be32(TPM_HEADER_SIZE + 9 + 4 * j);
454 data->count = cpu_to_be32(j);
458 static int tpm2_save_space(struct tpm_chip *chip)
460 struct tpm_space *space = &chip->work_space;
465 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
466 if (!(space->context_tbl[i] && ~space->context_tbl[i]))
469 rc = tpm2_save_context(chip, space->context_tbl[i],
470 space->context_buf, space->buf_size,
473 space->context_tbl[i] = 0;
478 tpm2_flush_context_cmd(chip, space->context_tbl[i],
479 TPM_TRANSMIT_UNLOCKED |
481 space->context_tbl[i] = ~0;
484 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
485 if (!space->session_tbl[i])
488 rc = tpm2_save_context(chip, space->session_tbl[i],
489 space->session_buf, space->buf_size,
492 /* handle error saving session, just forget it */
493 space->session_tbl[i] = 0;
495 tpm2_flush_space(chip);
503 int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
504 u32 cc, u8 *buf, size_t *bufsiz)
506 struct tpm_output_header *header = (void *)buf;
512 rc = tpm2_map_response_header(chip, cc, buf, *bufsiz);
514 tpm2_flush_space(chip);
518 rc = tpm2_map_response_body(chip, cc, buf, *bufsiz);
520 tpm2_flush_space(chip);
524 rc = tpm2_save_space(chip);
526 tpm2_flush_space(chip);
530 *bufsiz = be32_to_cpu(header->length);
532 memcpy(&space->context_tbl, &chip->work_space.context_tbl,
533 sizeof(space->context_tbl));
534 memcpy(&space->session_tbl, &chip->work_space.session_tbl,
535 sizeof(space->session_tbl));
536 memcpy(space->context_buf, chip->work_space.context_buf,
538 memcpy(space->session_buf, chip->work_space.session_buf,
545 * Put the reference to the main device.
547 static void tpm_devs_release(struct device *dev)
549 struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);
551 /* release the master device reference */
552 put_device(&chip->dev);
556 * Remove the device file for exposed TPM spaces and release the device
557 * reference. This may also release the reference to the master device.
559 void tpm_devs_remove(struct tpm_chip *chip)
561 cdev_device_del(&chip->cdevs, &chip->devs);
562 put_device(&chip->devs);
566 * Add a device file to expose TPM spaces. Also take a reference to the
569 int tpm_devs_add(struct tpm_chip *chip)
573 device_initialize(&chip->devs);
574 chip->devs.parent = chip->dev.parent;
575 chip->devs.class = tpmrm_class;
578 * Get extra reference on main device to hold on behalf of devs.
579 * This holds the chip structure while cdevs is in use. The
580 * corresponding put is in the tpm_devs_release.
582 get_device(&chip->dev);
583 chip->devs.release = tpm_devs_release;
584 chip->devs.devt = MKDEV(MAJOR(tpm_devt), chip->dev_num + TPM_NUM_DEVICES);
585 cdev_init(&chip->cdevs, &tpmrm_fops);
586 chip->cdevs.owner = THIS_MODULE;
588 rc = dev_set_name(&chip->devs, "tpmrm%d", chip->dev_num);
592 rc = cdev_device_add(&chip->cdevs, &chip->devs);
595 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
596 dev_name(&chip->devs), MAJOR(chip->devs.devt),
597 MINOR(chip->devs.devt), rc);
604 put_device(&chip->devs);
projects / releases.git / blob