On Fri, Nov 11, 2022 at 03:16:28PM -0800, Evan Green wrote:
> Introduce a new Kconfig, TCG_TPM_RESTRICT_PCR, which if enabled
> restricts usermode's ability to extend or reset PCR 23.
TCG_TPM_KERNEL_PCR would be a more descriptive name, and the
description should be less abstract, e.g.
"Introduce TCG_TPM_RESTRICT_PCR to Kconfig. If enabled, filter out
TPM2_CC_PCR_{EXTEND, RESET} concerning PCR 23 in tpm_common_write()."
> Under certain circumstances it might be desirable to enable the creation
> of TPM-backed secrets that are only accessible to the kernel. In an
> ideal world this could be achieved by using TPM localities, but these
> don't appear to be available on consumer systems. An alternative is to
> simply block userland from modifying one of the resettable PCRs, leaving
> it available to the kernel. If the kernel ensures that no userland can
> access the TPM while it is carrying out work, it can reset PCR 23,
> extend it to an arbitrary value, create or load a secret, and then reset
> the PCR again. Even if userland somehow obtains the sealed material, it
> will be unable to unseal it since PCR 23 will never be in the
> appropriate state.
This should be the first paragraph (motivation).
> This Kconfig is only properly supported for systems with TPM2 devices.
> For systems with TPM1 devices, having this Kconfig enabled completely
> restricts usermode's access to the TPM. TPM1 contains support for
> tunnelled transports, which usermode could use to smuggle commands
> through that this Kconfig is attempting to restrict.
>
> Link: https://lore.kernel.org/lkml/20210220013255.1083202-3-matthewgarrett@xxxxxxxxxx/
> Co-developed-by: Matthew Garrett <mjg59@xxxxxxxxxx>
> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
> Signed-off-by: Evan Green <evgreen@xxxxxxxxxxxx>
>
> ---
>
> Changes in v5:
> - Change tags on RESTRICT_PCR patch (Kees)
> - Rename to TCG_TPM2_RESTRICT_PCR
> - Do nothing on TPM1.2 devices (Jarkko, Doug)
>
> Changes in v4:
> - Augment the commit message (Jarkko)
>
> Changes in v3:
> - Fix up commit message (Jarkko)
> - tpm2_find_and_validate_cc() was split (Jarkko)
> - Simply fully restrict TPM1 since v2 failed to account for tunnelled
> transport sessions (Stefan and Jarkko).
>
> Changes in v2:
> - Fixed sparse warnings
>
> drivers/char/tpm/Kconfig | 12 ++++++++++++
> drivers/char/tpm/tpm-dev-common.c | 6 ++++++
> drivers/char/tpm/tpm.h | 12 ++++++++++++
> drivers/char/tpm/tpm2-cmd.c | 22 ++++++++++++++++++++++
> 4 files changed, 52 insertions(+)
>
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index 927088b2c3d3f2..e6d3aa9f6c694f 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -211,4 +211,16 @@ config TCG_FTPM_TEE
> This driver proxies for firmware TPM running in TEE.
>
> source "drivers/char/tpm/st33zp24/Kconfig"
> +
> +config TCG_TPM2_RESTRICT_PCR
> + bool "Restrict userland access to PCR 23 on TPM2 devices"
> + depends on TCG_TPM
> + help
> + If set, block userland from extending or resetting PCR 23 on TPM2.0
> + and later systems. This allows the PCR to be restricted to in-kernel
> + use, preventing userland from being able to make use of data sealed to
> + the TPM by the kernel. This is required for secure hibernation
> + support, but should be left disabled if any userland may require
> + access to PCR23. This is a TPM2-only feature, enabling this on a TPM1
> + machine is effectively a no-op.
> endif # TCG_TPM
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index dc4c0a0a512903..66d15a2a967443 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -198,6 +198,12 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf,
> priv->response_read = false;
> *off = 0;
>
> + if (priv->chip->flags & TPM_CHIP_FLAG_TPM2) {
> + ret = tpm2_cmd_restricted(priv->chip, priv->data_buffer, size);
> + if (ret)
> + goto out;
> + }
> +
> /*
> * If in nonblocking mode schedule an async job to send
> * the command return the size.
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index f1e0f490176f01..7fb746d210f59d 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -245,4 +245,16 @@ void tpm_bios_log_setup(struct tpm_chip *chip);
> void tpm_bios_log_teardown(struct tpm_chip *chip);
> int tpm_dev_common_init(void);
> void tpm_dev_common_exit(void);
> +
> +#ifdef CONFIG_TCG_TPM2_RESTRICT_PCR
> +#define TPM_RESTRICTED_PCR 23
> +
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size);
> +#else
> +static inline int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer,
> + size_t size)
> +{
> + return 0;
> +}
> +#endif
Why do you need to export this? That was not discussed in the commit
message.
The function name is quite undescriptive IMHO.
> #endif
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 303ce2ea02a4b0..3bc5546fddc792 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -778,3 +778,25 @@ int tpm2_find_cc(struct tpm_chip *chip, u32 cc)
>
> return -1;
> }
> +
> +#ifdef CONFIG_TCG_TPM2_RESTRICT_PCR
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size)
> +{
> + int cc = tpm2_find_and_validate_cc(chip, NULL, buffer, size);
Please discuss this call in the commit message.
> + __be32 *handle;
> +
> + switch (cc) {
> + case TPM2_CC_PCR_EXTEND:
> + case TPM2_CC_PCR_RESET:
> + if (size < (TPM_HEADER_SIZE + sizeof(u32)))
> + return -EINVAL;
> +
> + handle = (__be32 *)&buffer[TPM_HEADER_SIZE];
> + if (be32_to_cpu(*handle) == TPM_RESTRICTED_PCR)
> + return -EPERM;
> + break;
> + }
> +
> + return 0;
> +}
> +#endif
> --
> 2.38.1.431.g37b22c650d-goog
>
BR, Jarkko
