On Tue, Sep 27, 2022 at 09:49:14AM -0700, Evan Green wrote: > From: Matthew Garrett <matthewgarrett@xxxxxxxxxx> > > Under certain circumstances it might be desirable to enable the creation > of TPM-backed secrets that are only accessible to the kernel. In an > ideal world this could be achieved by using TPM localities, but these > don't appear to be available on consumer systems. An alternative is to > simply block userland from modifying one of the resettable PCRs, leaving > it available to the kernel. If the kernel ensures that no userland can > access the TPM while it is carrying out work, it can reset PCR 23, > extend it to an arbitrary value, create or load a secret, and then reset > the PCR again. Even if userland somehow obtains the sealed material, it > will be unable to unseal it since PCR 23 will never be in the > appropriate state. This lacks any sort of description what the patch does in concrete. The most critical thing it lacks is the addition of a new config flag, which really should documented. It e.g. helps when searching with git log, once this is in the mainline. The current contents is a perfect "motivation" part. > > Link: https://lore.kernel.org/lkml/20210220013255.1083202-3-matthewgarrett@xxxxxxxxxx/ > Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> > Signed-off-by: Evan Green <evgreen@xxxxxxxxxxxx> > --- > > Changes in v3: > - Fix up commit message (Jarkko) > - tpm2_find_and_validate_cc() was split (Jarkko) > - Simply fully restrict TPM1 since v2 failed to account for tunnelled > transport sessions (Stefan and Jarkko). > > Changes in v2: > - Fixed sparse warnings > > drivers/char/tpm/Kconfig | 12 ++++++++++++ > drivers/char/tpm/tpm-dev-common.c | 8 ++++++++ > drivers/char/tpm/tpm.h | 19 +++++++++++++++++++ > drivers/char/tpm/tpm1-cmd.c | 13 +++++++++++++ > drivers/char/tpm/tpm2-cmd.c | 22 ++++++++++++++++++++++ > 5 files changed, 74 insertions(+) > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig > index 927088b2c3d3f2..c8ed54c66e399a 100644 > --- a/drivers/char/tpm/Kconfig > +++ b/drivers/char/tpm/Kconfig > @@ -211,4 +211,16 @@ config TCG_FTPM_TEE > This driver proxies for firmware TPM running in TEE. > > source "drivers/char/tpm/st33zp24/Kconfig" > + > +config TCG_TPM_RESTRICT_PCR > + bool "Restrict userland access to PCR 23" > + depends on TCG_TPM > + help > + If set, block userland from extending or resetting PCR 23. This allows it > + to be restricted to in-kernel use, preventing userland from being able to > + make use of data sealed to the TPM by the kernel. This is required for > + secure hibernation support, but should be left disabled if any userland > + may require access to PCR23. This is a TPM2-only feature, and if enabled > + on a TPM1 machine will cause all usermode TPM commands to return EPERM due > + to the complications introduced by tunnelled sessions in TPM1.2. > endif # TCG_TPM > diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c > index dc4c0a0a512903..7a4e618c7d1942 100644 > --- a/drivers/char/tpm/tpm-dev-common.c > +++ b/drivers/char/tpm/tpm-dev-common.c > @@ -198,6 +198,14 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, > priv->response_read = false; > *off = 0; > > + if (priv->chip->flags & TPM_CHIP_FLAG_TPM2) > + ret = tpm2_cmd_restricted(priv->chip, priv->data_buffer, size); > + else > + ret = tpm1_cmd_restricted(priv->chip, priv->data_buffer, size); > + > + if (ret) > + goto out; > + > /* > * If in nonblocking mode schedule an async job to send > * the command return the size. > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h > index 9c9e5d75b37c78..9f4e64e22807a2 100644 > --- a/drivers/char/tpm/tpm.h > +++ b/drivers/char/tpm/tpm.h > @@ -246,4 +246,23 @@ void tpm_bios_log_setup(struct tpm_chip *chip); > void tpm_bios_log_teardown(struct tpm_chip *chip); > int tpm_dev_common_init(void); > void tpm_dev_common_exit(void); > + > +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR > +#define TPM_RESTRICTED_PCR 23 > + > +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size); > +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size); > +#else > +static inline int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, > + size_t size) > +{ > + return 0; > +} > + > +static inline int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, > + size_t size) > +{ > + return 0; > +} > +#endif > #endif > diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c > index cf64c738510529..1869e89215fcb9 100644 > --- a/drivers/char/tpm/tpm1-cmd.c > +++ b/drivers/char/tpm/tpm1-cmd.c > @@ -811,3 +811,16 @@ int tpm1_get_pcr_allocation(struct tpm_chip *chip) > > return 0; > } > + > +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR > +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size) > +{ > + /* > + * Restrict all usermode commands on TPM1.2. Ideally we'd just restrict > + * TPM_ORD_PCR_EXTEND and TPM_ORD_PCR_RESET, but TPM1.2 also supports > + * tunnelled transport sessions where the kernel would be unable to filter > + * commands. > + */ > + return -EPERM; > +} > +#endif > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 69126a6770386e..9c92a3e1e3f463 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -821,3 +821,25 @@ int tpm2_find_cc(struct tpm_chip *chip, u32 cc) > > return -1; > } > + > +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR > +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size) > +{ > + int cc = tpm2_find_and_validate_cc(chip, NULL, buffer, size); > + __be32 *handle; > + > + switch (cc) { > + case TPM2_CC_PCR_EXTEND: > + case TPM2_CC_PCR_RESET: > + if (size < (TPM_HEADER_SIZE + sizeof(u32))) > + return -EINVAL; > + > + handle = (__be32 *)&buffer[TPM_HEADER_SIZE]; > + if (be32_to_cpu(*handle) == TPM_RESTRICTED_PCR) > + return -EPERM; > + break; > + } > + > + return 0; > +} > +#endif > -- > 2.31.0 > BR, Jarkko