2 * Copyright (C) 2016 Intel Corporation
5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 * Maintained by: <tpmdd-devel@lists.sourceforge.net>
9 * This file contains TPM2 protocol implementations of the commands
10 * used by the kernel internally.
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; version 2
18 #include <linux/gfp.h>
19 #include <asm/unaligned.h>
22 enum tpm2_handle_types {
23 TPM2_HT_HMAC_SESSION = 0x02000000,
24 TPM2_HT_POLICY_SESSION = 0x03000000,
25 TPM2_HT_TRANSIENT = 0x80000000,
35 static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space)
39 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
40 if (space->session_tbl[i])
41 tpm2_flush_context_cmd(chip, space->session_tbl[i],
46 int tpm2_init_space(struct tpm_space *space, unsigned int buf_size)
48 space->context_buf = kzalloc(buf_size, GFP_KERNEL);
49 if (!space->context_buf)
52 space->session_buf = kzalloc(buf_size, GFP_KERNEL);
53 if (space->session_buf == NULL) {
54 kfree(space->context_buf);
55 /* Prevent caller getting a dangling pointer. */
56 space->context_buf = NULL;
60 space->buf_size = buf_size;
64 void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
66 mutex_lock(&chip->tpm_mutex);
67 tpm2_flush_sessions(chip, space);
68 mutex_unlock(&chip->tpm_mutex);
69 kfree(space->context_buf);
70 kfree(space->session_buf);
73 static int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
74 unsigned int *offset, u32 *handle)
77 struct tpm2_context *ctx;
78 unsigned int body_size;
81 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD);
85 ctx = (struct tpm2_context *)&buf[*offset];
86 body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size);
87 tpm_buf_append(&tbuf, &buf[*offset], body_size);
89 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
90 TPM_TRANSMIT_NESTED, NULL);
92 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
94 tpm_buf_destroy(&tbuf);
96 } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE ||
97 rc == TPM2_RC_REFERENCE_H0) {
99 * TPM_RC_HANDLE means that the session context can't
100 * be loaded because of an internal counter mismatch
101 * that makes the TPM think there might have been a
102 * replay. This might happen if the context was saved
103 * and loaded outside the space.
105 * TPM_RC_REFERENCE_H0 means the session has been
106 * flushed outside the space
109 tpm_buf_destroy(&tbuf);
112 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
114 tpm_buf_destroy(&tbuf);
118 *handle = be32_to_cpup((__be32 *)&tbuf.data[TPM_HEADER_SIZE]);
119 *offset += body_size;
121 tpm_buf_destroy(&tbuf);
125 static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf,
126 unsigned int buf_size, unsigned int *offset)
129 unsigned int body_size;
132 rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE);
136 tpm_buf_append_u32(&tbuf, handle);
138 rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0,
139 TPM_TRANSMIT_NESTED, NULL);
141 dev_warn(&chip->dev, "%s: failed with a system error %d\n",
143 tpm_buf_destroy(&tbuf);
145 } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
146 tpm_buf_destroy(&tbuf);
149 dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
151 tpm_buf_destroy(&tbuf);
155 body_size = tpm_buf_length(&tbuf) - TPM_HEADER_SIZE;
156 if ((*offset + body_size) > buf_size) {
157 dev_warn(&chip->dev, "%s: out of backing storage\n", __func__);
158 tpm_buf_destroy(&tbuf);
162 memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size);
163 *offset += body_size;
164 tpm_buf_destroy(&tbuf);
168 static void tpm2_flush_space(struct tpm_chip *chip)
170 struct tpm_space *space = &chip->work_space;
173 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
174 if (space->context_tbl[i] && ~space->context_tbl[i])
175 tpm2_flush_context_cmd(chip, space->context_tbl[i],
176 TPM_TRANSMIT_NESTED);
178 tpm2_flush_sessions(chip, space);
181 static int tpm2_load_space(struct tpm_chip *chip)
183 struct tpm_space *space = &chip->work_space;
188 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
189 if (!space->context_tbl[i])
192 /* sanity check, should never happen */
193 if (~space->context_tbl[i]) {
194 dev_err(&chip->dev, "context table is inconsistent");
198 rc = tpm2_load_context(chip, space->context_buf, &offset,
199 &space->context_tbl[i]);
204 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
207 if (!space->session_tbl[i])
210 rc = tpm2_load_context(chip, space->session_buf,
213 /* load failed, just forget session */
214 space->session_tbl[i] = 0;
216 tpm2_flush_space(chip);
219 if (handle != space->session_tbl[i]) {
220 dev_warn(&chip->dev, "session restored to wrong handle\n");
221 tpm2_flush_space(chip);
229 static bool tpm2_map_to_phandle(struct tpm_space *space, void *handle)
231 u32 vhandle = be32_to_cpup((__be32 *)handle);
235 i = 0xFFFFFF - (vhandle & 0xFFFFFF);
236 if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
239 phandle = space->context_tbl[i];
240 *((__be32 *)handle) = cpu_to_be32(phandle);
244 static int tpm2_map_command(struct tpm_chip *chip, u32 cc, u8 *cmd)
246 struct tpm_space *space = &chip->work_space;
247 unsigned int nr_handles;
252 i = tpm2_find_cc(chip, cc);
256 attrs = chip->cc_attrs_tbl[i];
257 nr_handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0);
259 handle = (__be32 *)&cmd[TPM_HEADER_SIZE];
260 for (i = 0; i < nr_handles; i++, handle++) {
261 if ((be32_to_cpu(*handle) & 0xFF000000) == TPM2_HT_TRANSIENT) {
262 if (!tpm2_map_to_phandle(space, handle))
270 int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
278 memcpy(&chip->work_space.context_tbl, &space->context_tbl,
279 sizeof(space->context_tbl));
280 memcpy(&chip->work_space.session_tbl, &space->session_tbl,
281 sizeof(space->session_tbl));
282 memcpy(chip->work_space.context_buf, space->context_buf,
284 memcpy(chip->work_space.session_buf, space->session_buf,
287 rc = tpm2_load_space(chip);
289 tpm2_flush_space(chip);
293 rc = tpm2_map_command(chip, cc, cmd);
295 tpm2_flush_space(chip);
302 static bool tpm2_add_session(struct tpm_chip *chip, u32 handle)
304 struct tpm_space *space = &chip->work_space;
307 for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++)
308 if (space->session_tbl[i] == 0)
311 if (i == ARRAY_SIZE(space->session_tbl))
314 space->session_tbl[i] = handle;
318 static u32 tpm2_map_to_vhandle(struct tpm_space *space, u32 phandle, bool alloc)
322 for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
324 if (!space->context_tbl[i]) {
325 space->context_tbl[i] = phandle;
328 } else if (space->context_tbl[i] == phandle)
332 if (i == ARRAY_SIZE(space->context_tbl))
335 return TPM2_HT_TRANSIENT | (0xFFFFFF - i);
338 static int tpm2_map_response_header(struct tpm_chip *chip, u32 cc, u8 *rsp,
341 struct tpm_space *space = &chip->work_space;
342 struct tpm_output_header *header = (void *)rsp;
349 if (be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS)
352 i = tpm2_find_cc(chip, cc);
353 /* sanity check, should never happen */
357 attrs = chip->cc_attrs_tbl[i];
358 if (!((attrs >> TPM2_CC_ATTR_RHANDLE) & 1))
361 phandle = be32_to_cpup((__be32 *)&rsp[TPM_HEADER_SIZE]);
362 phandle_type = phandle & 0xFF000000;
364 switch (phandle_type) {
365 case TPM2_HT_TRANSIENT:
366 vhandle = tpm2_map_to_vhandle(space, phandle, true);
370 *(__be32 *)&rsp[TPM_HEADER_SIZE] = cpu_to_be32(vhandle);
372 case TPM2_HT_HMAC_SESSION:
373 case TPM2_HT_POLICY_SESSION:
374 if (!tpm2_add_session(chip, phandle))
378 dev_err(&chip->dev, "%s: unknown handle 0x%08X\n",
385 tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_NESTED);
386 dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__,
391 struct tpm2_cap_handles {
398 static int tpm2_map_response_body(struct tpm_chip *chip, u32 cc, u8 *rsp,
401 struct tpm_space *space = &chip->work_space;
402 struct tpm_output_header *header = (void *)rsp;
403 struct tpm2_cap_handles *data;
410 if (cc != TPM2_CC_GET_CAPABILITY ||
411 be32_to_cpu(header->return_code) != TPM2_RC_SUCCESS) {
415 if (len < TPM_HEADER_SIZE + 9)
418 data = (void *)&rsp[TPM_HEADER_SIZE];
419 if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES)
422 if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4)
425 if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count))
428 for (i = 0, j = 0; i < be32_to_cpu(data->count); i++) {
429 phandle = be32_to_cpup((__be32 *)&data->handles[i]);
430 phandle_type = phandle & 0xFF000000;
432 switch (phandle_type) {
433 case TPM2_HT_TRANSIENT:
434 vhandle = tpm2_map_to_vhandle(space, phandle, false);
438 data->handles[j] = cpu_to_be32(vhandle);
443 data->handles[j] = cpu_to_be32(phandle);
450 header->length = cpu_to_be32(TPM_HEADER_SIZE + 9 + 4 * j);
451 data->count = cpu_to_be32(j);
455 static int tpm2_save_space(struct tpm_chip *chip)
457 struct tpm_space *space = &chip->work_space;
462 for (i = 0, offset = 0; i < ARRAY_SIZE(space->context_tbl); i++) {
463 if (!(space->context_tbl[i] && ~space->context_tbl[i]))
466 rc = tpm2_save_context(chip, space->context_tbl[i],
467 space->context_buf, space->buf_size,
470 space->context_tbl[i] = 0;
475 tpm2_flush_context_cmd(chip, space->context_tbl[i],
476 TPM_TRANSMIT_NESTED);
477 space->context_tbl[i] = ~0;
480 for (i = 0, offset = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
481 if (!space->session_tbl[i])
484 rc = tpm2_save_context(chip, space->session_tbl[i],
485 space->session_buf, space->buf_size,
488 /* handle error saving session, just forget it */
489 space->session_tbl[i] = 0;
491 tpm2_flush_space(chip);
499 int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
500 u32 cc, u8 *buf, size_t *bufsiz)
502 struct tpm_output_header *header = (void *)buf;
508 rc = tpm2_map_response_header(chip, cc, buf, *bufsiz);
510 tpm2_flush_space(chip);
514 rc = tpm2_map_response_body(chip, cc, buf, *bufsiz);
516 tpm2_flush_space(chip);
520 rc = tpm2_save_space(chip);
522 tpm2_flush_space(chip);
526 *bufsiz = be32_to_cpu(header->length);
528 memcpy(&space->context_tbl, &chip->work_space.context_tbl,
529 sizeof(space->context_tbl));
530 memcpy(&space->session_tbl, &chip->work_space.session_tbl,
531 sizeof(space->session_tbl));
532 memcpy(space->context_buf, chip->work_space.context_buf,
534 memcpy(space->session_buf, chip->work_space.session_buf,
541 * Put the reference to the main device.
543 static void tpm_devs_release(struct device *dev)
545 struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);
547 /* release the master device reference */
548 put_device(&chip->dev);
552 * Remove the device file for exposed TPM spaces and release the device
553 * reference. This may also release the reference to the master device.
555 void tpm_devs_remove(struct tpm_chip *chip)
557 cdev_device_del(&chip->cdevs, &chip->devs);
558 put_device(&chip->devs);
562 * Add a device file to expose TPM spaces. Also take a reference to the
565 int tpm_devs_add(struct tpm_chip *chip)
569 device_initialize(&chip->devs);
570 chip->devs.parent = chip->dev.parent;
571 chip->devs.class = tpmrm_class;
574 * Get extra reference on main device to hold on behalf of devs.
575 * This holds the chip structure while cdevs is in use. The
576 * corresponding put is in the tpm_devs_release.
578 get_device(&chip->dev);
579 chip->devs.release = tpm_devs_release;
580 chip->devs.devt = MKDEV(MAJOR(tpm_devt), chip->dev_num + TPM_NUM_DEVICES);
581 cdev_init(&chip->cdevs, &tpmrm_fops);
582 chip->cdevs.owner = THIS_MODULE;
584 rc = dev_set_name(&chip->devs, "tpmrm%d", chip->dev_num);
588 rc = cdev_device_add(&chip->cdevs, &chip->devs);
591 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
592 dev_name(&chip->devs), MAJOR(chip->devs.devt),
593 MINOR(chip->devs.devt), rc);
600 put_device(&chip->devs);