Re: [PATCH] tpm: add vendor flag to command code validation

Jarkko Sakkinen <jarkko@xxxxxxxxxx> · Mon, 13 Feb 2023 09:57:46 +0200

On Fri, Feb 10, 2023 at 10:07:02AM -0800, Julien Gomes wrote:
> On 2023-02-09 4:49 p.m., Jarkko Sakkinen wrote:
> > On Wed, Feb 08, 2023 at 11:58:36AM -0800, Julien Gomes wrote:
> > > Some TPM 2.0 devices have support for additional commands which are not
> > > part of the TPM 2.0 specifications.
> > > These commands are identified with bit 29 of the 32 bits command codes.
> > > Contrarily to other fields of the TPMA_CC spec structure used to list
> > > available commands, the Vendor flag also has to be present in the
> > > command code itself (TPM_CC) when called.
> > > 
> > > Add this flag to tpm_find_cc() mask to prevent blocking vendor command
> > > codes that can actually be supported by the underlying TPM device.
> > > 
> > > Signed-off-by: Julien Gomes <julien@xxxxxxxxxx>
> > > ---
> > >   drivers/char/tpm/tpm2-cmd.c | 4 +++-
> > >   include/linux/tpm.h         | 1 +
> > >   2 files changed, 4 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > > index 65d03867e114..93545be190a5 100644
> > > --- a/drivers/char/tpm/tpm2-cmd.c
> > > +++ b/drivers/char/tpm/tpm2-cmd.c
> > > @@ -777,10 +777,12 @@ int tpm2_auto_startup(struct tpm_chip *chip)
> > >   int tpm2_find_cc(struct tpm_chip *chip, u32 cc)
> > >   {
> > > +	u32 cc_mask;
> > >   	int i;
> > > +	cc_mask = 1 << TPM2_CC_ATTR_VENDOR | GENMASK(15, 0);
> > >   	for (i = 0; i < chip->nr_commands; i++)
> > > -		if (cc == (chip->cc_attrs_tbl[i] & GENMASK(15, 0)))
> > > +		if (cc == (chip->cc_attrs_tbl[i] & cc_mask))
> > >   			return i;
> > >   	return -1;
> > > diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> > > index dfeb25a0362d..4dc97b9f65fb 100644
> > > --- a/include/linux/tpm.h
> > > +++ b/include/linux/tpm.h
> > > @@ -265,6 +265,7 @@ enum tpm2_startup_types {
> > >   enum tpm2_cc_attrs {
> > >   	TPM2_CC_ATTR_CHANDLES	= 25,
> > >   	TPM2_CC_ATTR_RHANDLE	= 28,
> > > +	TPM2_CC_ATTR_VENDOR	= 29,
> > >   };
> > >   #define TPM_VID_INTEL    0x8086
> > > -- 
> > > 2.39.1
> > > 
> > 
> > Just checking: did you run testing/selftests/tpm2?
> > 
> > BR, Jarkko
> 
> I didn't know about these, good call.
> Just ran the three test suites on a vm with a swtpm, as I don't have a
> physical box with TPM 2.0 able to run latest kernels handy, all passed.

Neither broke on my side, thanks.

Tested-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

BR, Jarkko