Hi,

In order to split the work a bit, we've aligned with David Howells more or less that I take the more hardware/firmware aligned keyring patches, and he takes care more of the framework aligned patches.

For TPM the patches worth highlighting are the fixes for refcounting provided by Lino Sanfilippo and James Bottomley.

Eric B. has done a bunch of obvious (but important) fixes, but there's one a bit controversial: removal of asym_tpm. It was added in 2018 when TPM1 was already declared as insecure and the world had moved on to TPM2. I don't know how this has passed all the filters, but I did not have a chance to see the patches when they were out. I simply cannot commit to maintaining this because it was from all angles just wrong to take it in the first place to the mainline kernel. Nobody should really use this module for anything.

Finally, there is a new keyring ".machine" to hold MOK keys. On the MOK side the MokListTrustedRT UEFI variable can be set, from which the kernel knows that MOK keys are kernel trusted keys, and they are populated to the machine keyring. This keyring is linked to the secondary trusted keyring, which means that it can be used like any kernel trusted keys. This keyring of course can be used to hold other MOK'ish keys on other platforms in the future.
BR, Jarkko

The following changes since commit ea4424be16887a37735d6550cfd0611528dbe5d9:

  Merge tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux (2022-03-07 11:43:22 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/ tags/tpmdd-next-v5.18

for you to fetch changes up to f4fe76112c8fbe0a2d2e3ebd94ff2cfe22977e39:

  tpm: use try_get_ops() in tpm-space.c (2022-03-08 14:29:25 +0200)

----------------------------------------------------------------
tpmdd updates for Linux v5.18
----------------------------------------------------------------
Andreas Rammhold (1):
      KEYS: trusted: Fix trusted key backends when building as module

Dave Kleikamp (1):
      KEYS: trusted: Avoid calling null function trusted_key_exit

Eric Biggers (8):
      KEYS: fix length validation in keyctl_pkey_params_get_2()
      KEYS: x509: clearly distinguish between key and signature algorithms
      KEYS: x509: remove unused fields
      KEYS: x509: remove never-set ->unsupported_key flag
      KEYS: x509: remove dead code that set ->unsupported_sig
      KEYS: remove support for asym_tpm keys
      KEYS: asymmetric: enforce that sig algo matches key algo
      KEYS: asymmetric: properly validate hash_algo and encoding

Eric Snowberg (8):
      integrity: Fix warning about missing prototypes
      integrity: Introduce a Linux keyring called machine
      integrity: add new keyring handler for mok keys
      KEYS: store reference to machine keyring
      KEYS: Introduce link restriction for machine keys
      efi/mokvar: move up init order
      integrity: Trust MOK keys if MokListTrustedRT found
      integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

Gustavo A. R. Silva (1):
      tpm: xen-tpmfront: Use struct_size() helper

James Bottomley (1):
      tpm: use try_get_ops() in tpm-space.c

Lino Sanfilippo (1):
      tpm: fix reference counting for struct tpm_chip

Stefan Berger (1):
      selftests: tpm2: Determine available PCR bank

Tadeusz Struk (2):
      tpm: Fix error handling in async work
      selftests: tpm: add async space test with noneexisting handle

 certs/system_keyring.c                             |  44 +-
 crypto/asymmetric_keys/Kconfig                     |  21 -
 crypto/asymmetric_keys/Makefile                    |  12 -
 crypto/asymmetric_keys/asym_tpm.c                  | 957 --------------------
 crypto/asymmetric_keys/pkcs7_verify.c              |  13 +-
 crypto/asymmetric_keys/public_key.c                | 126 ++-
 crypto/asymmetric_keys/tpm.asn1                    |   5 -
 crypto/asymmetric_keys/tpm_parser.c                | 102 ---
 crypto/asymmetric_keys/x509.asn1                   |   2 +-
 crypto/asymmetric_keys/x509_cert_parser.c          |  34 +-
 crypto/asymmetric_keys/x509_parser.h               |   1 -
 crypto/asymmetric_keys/x509_public_key.c           |  24 -
 drivers/char/tpm/tpm-chip.c                        |  46 +-
 drivers/char/tpm/tpm-dev-common.c                  |   8 +-
 drivers/char/tpm/tpm.h                             |   2 +
 drivers/char/tpm/tpm2-space.c                      |  73 +-
 drivers/char/tpm/xen-tpmfront.c                    |   8 +-
 drivers/firmware/efi/mokvar-table.c                |   2 +-
 include/crypto/asym_tpm_subtype.h                  |  19 -
 include/keys/system_keyring.h                      |  14 +
 security/integrity/Kconfig                         |  13 +
 security/integrity/Makefile                        |   1 +
 security/integrity/digsig.c                        |  15 +-
 security/integrity/integrity.h                     |  17 +-
 .../integrity/platform_certs/keyring_handler.c     |  18 +-
 .../integrity/platform_certs/keyring_handler.h     |   5 +
 security/integrity/platform_certs/load_uefi.c      |   4 +-
 .../integrity/platform_certs/machine_keyring.c     |  77 ++
 security/keys/keyctl_pkey.c                        |  14 +-
 security/keys/trusted-keys/trusted_core.c          |   6 +-
 tools/testing/selftests/tpm2/tpm2.py               |  31 +
 tools/testing/selftests/tpm2/tpm2_tests.py         |  45 +-
 32 files changed, 486 insertions(+), 1273 deletions(-)
 delete mode 100644 crypto/asymmetric_keys/asym_tpm.c
 delete mode 100644 crypto/asymmetric_keys/tpm.asn1
 delete mode 100644 crypto/asymmetric_keys/tpm_parser.c
 delete mode 100644 include/crypto/asym_tpm_subtype.h
 create mode 100644 security/integrity/platform_certs/machine_keyring.c
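A practitioner's check of the ".machine" keyring mechanism described above, added here as an example; it is not part of the pull request or of the kernel tree. It assumes that the kernel exposes the MOK variable table (populated by drivers/firmware/efi/mokvar-table.c) under /sys/firmware/efi/mok-variables, that keyctl(1) from keyutils is installed, and that the keyring names are .machine and .secondary_trusted_keys as the message states. The listing parsers take `keyctl list` / `keyctl show` output on stdin so they can also be run against captured output offline.

```shell
#!/bin/sh
# Added example (not from the pull request): verify that MOK keys were
# trusted and landed in the .machine keyring, and that .machine is linked
# into .secondary_trusted_keys.
#
# Assumption: the MOK variable table is exposed under this sysfs directory.
MOKVAR_DIR="${MOKVAR_DIR:-/sys/firmware/efi/mok-variables}"

# Returns 0 when shim published MokListTrustedRT in the MOK table.
# Per the cover letter, the presence of this variable is what tells the
# kernel to treat MOK keys as kernel trusted keys.
mok_trusted_rt_present() {
    dir="${1:-$MOKVAR_DIR}"
    [ -s "$dir/MokListTrustedRT" ]
}

# Reads `keyctl list <keyring>` output on stdin and prints the number of
# keys. keyctl prints one line per key starting with the right-aligned
# key serial followed by a colon; the "N keys in keyring:" header and the
# "keyring is empty" message do not match that shape.
count_machine_keys() {
    grep -c '^ *[0-9]\{1,\}: ' || true
}

# Reads `keyctl show <keyring>` output on stdin and returns 0 if the tree
# contains a link to the .machine keyring.
machine_linked_to_secondary() {
    grep -q 'keyring: \.machine'
}

# Live check against the running kernel (needs keyctl and sysfs).
main() {
    if mok_trusted_rt_present; then
        echo "MokListTrustedRT present: kernel should trust MOK keys"
    else
        echo "MokListTrustedRT absent: .machine is not populated from MOK"
    fi
    n=$(keyctl list %:.machine 2>/dev/null | count_machine_keys)
    echo ".machine holds $n key(s)"
    if keyctl show %:.secondary_trusted_keys 2>/dev/null | machine_linked_to_secondary; then
        echo ".machine is linked into .secondary_trusted_keys"
    else
        echo ".machine is NOT linked into .secondary_trusted_keys"
    fi
}

# Run the live checks only when invoked as `sh mok-check.sh --check`, so the
# functions above can also be sourced and fed captured output.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

If MokListTrustedRT is absent, the kernel (per the "Only use machine keyring when uefi_check_trust_mok_keys is true" patch) leaves .machine out of the trust chain, so a zero key count there is the expected result rather than a fault; the interesting failure is a populated .machine that does not appear under .secondary_trusted_keys.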