[PATCH v2] KEYS: trusted: allow module init if TPM is inactive or deactivated

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Commit c78719203fc6 ("KEYS: trusted: allow trusted.ko to initialize w/o a
TPM") allows the trusted module to be loaded even a TPM is not found to
avoid module dependency problems.

However, trusted module initialization can still fail if the TPM is
inactive or deactivated. This patch ignores tpm_get_random() errors in
init_digests() and returns -EFAULT in pcrlock() if the TPM didn't return
random data.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
 security/keys/trusted.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 9a94672e7adc..34f04ffcf2e5 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -389,6 +389,10 @@ static int pcrlock(const int pcrnum)
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
+	/* This happens if the TPM didn't return random data */
+	if (!digests)
+		return -EFAULT;
+
 	return tpm_pcr_extend(chip, pcrnum, digests) ? -EINVAL : 0;
 }
 
@@ -1233,10 +1237,8 @@ static int __init init_digests(void)
 	int i;
 
 	ret = tpm_get_random(chip, digest, TPM_MAX_DIGEST_SIZE);
-	if (ret < 0)
-		return ret;
-	if (ret < TPM_MAX_DIGEST_SIZE)
-		return -EFAULT;
+	if (ret < 0 || ret < TPM_MAX_DIGEST_SIZE)
+		return 0;
 
 	digests = kcalloc(chip->nr_allocated_banks, sizeof(*digests),
 			  GFP_KERNEL);
-- 
2.17.1




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux