tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org --- drivers/char/tpm/tpm2-sessions.c | 34 ++++++++++++++++---------------- include/linux/tpm.h | 1 + 2 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..1ed23375e4cb 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@ * * These are the usage functions: * - * tpm2_start_auth_session() which allocates the opaque auth structure - * and gets a session from the TPM. This must be called before - * any of the following functions. The session is protected by a - * session_key which is derived from a random salt value - * encrypted to the NULL seed. * tpm2_end_auth_session() kills the session and frees the resources. * Under normal operation this function is done by * tpm_buf_check_hmac_response(), so this is only to be used on @@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/** - * tpm2_start_auth_session() - create a HMAC authentication session with the TPM - * @chip: the TPM chip structure to create the session with + * tpm2_start_auth_session() - Create an a HMAC authentication session + * @chip: A TPM chip * - * This function loads the NULL seed from its saved context and starts - * an authentication session on the null seed, fills in the - * @chip->auth structure to contain all the session details necessary - * for performing the HMAC, encrypt and decrypt operations and - * returns. The NULL seed is flushed before this function returns. + * Loads the ephemeral key (null seed), and starts an HMAC authenticated + * session. The null seed is flushed before the return. * - * Return: zero on success or actual error encountered. + * Returns zero on success, or a POSIX error code. */ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,11 +1016,19 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); + rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key); - - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_start_auth_session(auth, &buf); + switch (rc) { + case TPM2_RC_SUCCESS: + break; + case TPM2_RC_SESSION_MEMORY: + rc = -ENOMEM; + goto out; + default: + rc = -EFAULT; + goto out; + } + rc = tpm2_parse_start_auth_session(auth, &buf);
tpm_buf_destroy(&buf);
diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c1d3d60b416f 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,6 +257,7 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922, + TPM2_RC_SESSION_MEMORY = 0x0903, };
enum tpm2_command_codes {
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org --- v2: - Investigate TPM rc only after destroying tpm_buf. --- drivers/char/tpm/tpm2-sessions.c | 29 +++++++++++++++-------------- include/linux/tpm.h | 1 + 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..da382b86dc41 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@ * * These are the usage functions: * - * tpm2_start_auth_session() which allocates the opaque auth structure - * and gets a session from the TPM. This must be called before - * any of the following functions. The session is protected by a - * session_key which is derived from a random salt value - * encrypted to the NULL seed. * tpm2_end_auth_session() kills the session and frees the resources. * Under normal operation this function is done by * tpm_buf_check_hmac_response(), so this is only to be used on @@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/** - * tpm2_start_auth_session() - create a HMAC authentication session with the TPM - * @chip: the TPM chip structure to create the session with + * tpm2_start_auth_session() - Create an a HMAC authentication session + * @chip: A TPM chip * - * This function loads the NULL seed from its saved context and starts - * an authentication session on the null seed, fills in the - * @chip->auth structure to contain all the session details necessary - * for performing the HMAC, encrypt and decrypt operations and - * returns. The NULL seed is flushed before this function returns. + * Loads the ephemeral key (null seed), and starts an HMAC authenticated + * session. The null seed is flushed before the return. * - * Return: zero on success or actual error encountered. + * Returns zero on success, or a POSIX error code. */ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); + rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS) @@ -1032,6 +1024,15 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
tpm_buf_destroy(&buf);
+ switch (rc) { + case TPM2_RC_SESSION_MEMORY: + rc = -ENOMEM; + goto out; + default: + rc = -EFAULT; + goto out; + } + if (rc == TPM2_RC_SUCCESS) { chip->auth = auth; return 0; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c1d3d60b416f 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,6 +257,7 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922, + TPM2_RC_SESSION_MEMORY = 0x0903, };
enum tpm2_command_codes {
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org --- v3: - rc > 0 v2: - Investigate TPM rc only after destroying tpm_buf. --- drivers/char/tpm/tpm2-sessions.c | 31 +++++++++++++++++-------------- include/linux/tpm.h | 1 + 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..abd54fb0a45a 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@ * * These are the usage functions: * - * tpm2_start_auth_session() which allocates the opaque auth structure - * and gets a session from the TPM. This must be called before - * any of the following functions. The session is protected by a - * session_key which is derived from a random salt value - * encrypted to the NULL seed. * tpm2_end_auth_session() kills the session and frees the resources. * Under normal operation this function is done by * tpm_buf_check_hmac_response(), so this is only to be used on @@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/** - * tpm2_start_auth_session() - create a HMAC authentication session with the TPM - * @chip: the TPM chip structure to create the session with + * tpm2_start_auth_session() - Create an a HMAC authentication session + * @chip: A TPM chip * - * This function loads the NULL seed from its saved context and starts - * an authentication session on the null seed, fills in the - * @chip->auth structure to contain all the session details necessary - * for performing the HMAC, encrypt and decrypt operations and - * returns. The NULL seed is flushed before this function returns. + * Loads the ephemeral key (null seed), and starts an HMAC authenticated + * session. The null seed is flushed before the return. * - * Return: zero on success or actual error encountered. + * Returns zero on success, or a POSIX error code. */ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); + rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS) @@ -1032,6 +1024,17 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
tpm_buf_destroy(&buf);
+ if (rc > 0) { + switch (rc) { + case TPM2_RC_SESSION_MEMORY: + rc = -ENOMEM; + goto out; + default: + rc = -EFAULT; + goto out; + } + } + if (rc == TPM2_RC_SUCCESS) { chip->auth = auth; return 0; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c1d3d60b416f 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,6 +257,7 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922, + TPM2_RC_SESSION_MEMORY = 0x0903, };
enum tpm2_command_codes {
On Mon, Apr 07, 2025 at 10:20:57AM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 31 +++++++++++++++++-------------- include/linux/tpm.h | 1 + 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..abd54fb0a45a 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
@@ -1032,6 +1024,17 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
tpm_buf_destroy(&buf);
- if (rc > 0) {
To avoid the nesting blocks, can we include `TPM2_RC_SUCCESS` case in the switch or move the `if (rc == TPM2_RC_SUCCESS)` before it?
Thanks, Stefano
switch (rc) {case TPM2_RC_SESSION_MEMORY:rc = -ENOMEM;goto out;default:rc = -EFAULT;goto out;}- }
- if (rc == TPM2_RC_SUCCESS) { chip->auth = auth; return 0;
diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c1d3d60b416f 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,6 +257,7 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922,
- TPM2_RC_SESSION_MEMORY = 0x0903,
};
enum tpm2_command_codes {
2.39.5
On Mon, Apr 07, 2025 at 10:04:09AM +0200, Stefano Garzarella wrote:
On Mon, Apr 07, 2025 at 10:20:57AM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 31 +++++++++++++++++-------------- include/linux/tpm.h | 1 + 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..abd54fb0a45a 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
@@ -1032,6 +1024,17 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
tpm_buf_destroy(&buf);
- if (rc > 0) {
To avoid the nesting blocks, can we include `TPM2_RC_SUCCESS` case in the switch or move the `if (rc == TPM2_RC_SUCCESS)` before it?
What do you mean by "avoiding nesting blocks"?
Thanks, Stefano
BR, Jarkko
On Mon, Apr 07, 2025 at 02:30:05PM +0300, Jarkko Sakkinen wrote:
On Mon, Apr 07, 2025 at 10:04:09AM +0200, Stefano Garzarella wrote:
On Mon, Apr 07, 2025 at 10:20:57AM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 31 +++++++++++++++++-------------- include/linux/tpm.h | 1 + 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..abd54fb0a45a 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
@@ -1032,6 +1024,17 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
tpm_buf_destroy(&buf);
- if (rc > 0) {
To avoid the nesting blocks, can we include `TPM2_RC_SUCCESS` case in the switch or move the `if (rc == TPM2_RC_SUCCESS)` before it?
What do you mean by "avoiding nesting blocks"?
Ooops, I thought `rc` was unsigned always returning TPM2_RC_* values, but it looks it's not the case.
I meant the switch "block" inside the if block, at the end exactly what you did in tpm_to_ret() in v4 :-)
Thanks, Stefano
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org --- v4: - tpm_to_ret() v3: - rc > 0 v2: - Investigate TPM rc only after destroying tpm_buf. --- drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- include/linux/tpm.h | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..102e099f22c1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@ * * These are the usage functions: * - * tpm2_start_auth_session() which allocates the opaque auth structure - * and gets a session from the TPM. This must be called before - * any of the following functions. The session is protected by a - * session_key which is derived from a random salt value - * encrypted to the NULL seed. * tpm2_end_auth_session() kills the session and frees the resources. * Under normal operation this function is done by * tpm_buf_check_hmac_response(), so this is only to be used on @@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/** - * tpm2_start_auth_session() - create a HMAC authentication session with the TPM - * @chip: the TPM chip structure to create the session with + * tpm2_start_auth_session() - Create an a HMAC authentication session + * @chip: A TPM chip * - * This function loads the NULL seed from its saved context and starts - * an authentication session on the null seed, fills in the - * @chip->auth structure to contain all the session details necessary - * for performing the HMAC, encrypt and decrypt operations and - * returns. The NULL seed is flushed before this function returns. + * Loads the ephemeral key (null seed), and starts an HMAC authenticated + * session. The null seed is flushed before the return. * - * Return: zero on success or actual error encountered. + * Returns zero on success, or a POSIX error code. */ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); + rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c826d5a9d894 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,8 +257,29 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922, + TPM2_RC_SESSION_MEMORY = 0x0903, };
+/* + * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The + * fallback return value is -EFAULT. + */ +static inline ssize_t tpm_to_ret(ssize_t ret) +{ + /* Already a POSIX error: */ + if (ret < 0) + return ret; + + switch (ret) { + case TPM2_RC_SUCCESS: + return 0; + case TPM2_RC_SESSION_MEMORY: + return -ENOMEM; + default: + return -EFAULT; + } +} + enum tpm2_command_codes { TPM2_CC_FIRST = 0x011F, TPM2_CC_HIERARCHY_CONTROL = 0x0121,
On Mon, Apr 07, 2025 at 03:28:05PM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v4:
- tpm_to_ret()
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- include/linux/tpm.h | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..102e099f22c1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) } /**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
*/
- Returns zero on success, or a POSIX error code.
int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
- rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
The cool thing here is that e.g., in the case of tpm2_start_auth_session, there is two implementation options:
1. tpm_to_ret(tpm2_start_auth_session) 2. tpm_to_ret(tpm_transmit_cmd)
Just want to expose this choice..
tpm2_flush_context(chip, null_key); if (rc == TPM2_RC_SUCCESS) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c826d5a9d894 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,8 +257,29 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922,
- TPM2_RC_SESSION_MEMORY = 0x0903,
}; +/*
- Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
- fallback return value is -EFAULT.
- */
+static inline ssize_t tpm_to_ret(ssize_t ret) +{
- /* Already a POSIX error: */
- if (ret < 0)
return ret;- switch (ret) {
- case TPM2_RC_SUCCESS:
return 0;- case TPM2_RC_SESSION_MEMORY:
return -ENOMEM;- default:
return -EFAULT;- }
+}
enum tpm2_command_codes { TPM2_CC_FIRST = 0x011F, TPM2_CC_HIERARCHY_CONTROL = 0x0121, -- 2.39.5
BR, Jarkko
On Mon, Apr 07, 2025 at 03:28:05PM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v4:
- tpm_to_ret()
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- include/linux/tpm.h | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..102e099f22c1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c826d5a9d894 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,8 +257,29 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922,
- TPM2_RC_SESSION_MEMORY = 0x0903,
nit: the other values are in ascending order, should we keep it or is it not important?
(more a question for me than for the patch)
};
+/*
- Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
- fallback return value is -EFAULT.
- */
+static inline ssize_t tpm_to_ret(ssize_t ret) +{
- /* Already a POSIX error: */
- if (ret < 0)
return ret;- switch (ret) {
- case TPM2_RC_SUCCESS:
return 0;- case TPM2_RC_SESSION_MEMORY:
return -ENOMEM;- default:
return -EFAULT;- }
+}
I like this and in the future we could reuse it in different places like tpm2_load_context() and tpm2_save_context().
Reviewed-by: Stefano Garzarella sgarzare@redhat.com
BTW for my understading, looking at that code (sorry if the answer is obvious, but I'm learning) I'm confused about the use of tpm2_rc_value().
For example in tpm2_load_context() we have:
rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL); ... } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || rc == TPM2_RC_REFERENCE_H0) {
While in tpm2_save_context(), we have:
rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL); ... } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
So to check TPM2_RC_REFERENCE_H0 we are using tpm2_rc_value() only sometimes, what's the reason?
Thanks, Stefano
On Mon, Apr 07, 2025 at 03:51:21PM +0200, Stefano Garzarella wrote:
On Mon, Apr 07, 2025 at 03:28:05PM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v4:
- tpm_to_ret()
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- include/linux/tpm.h | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..102e099f22c1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c826d5a9d894 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,8 +257,29 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922,
- TPM2_RC_SESSION_MEMORY = 0x0903,
nit: the other values are in ascending order, should we keep it or is it not important?
(more a question for me than for the patch)
nope
};
+/*
- Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
- fallback return value is -EFAULT.
- */
+static inline ssize_t tpm_to_ret(ssize_t ret) +{
- /* Already a POSIX error: */
- if (ret < 0)
return ret;- switch (ret) {
- case TPM2_RC_SUCCESS:
return 0;- case TPM2_RC_SESSION_MEMORY:
return -ENOMEM;- default:
return -EFAULT;- }
+}
I like this and in the future we could reuse it in different places like tpm2_load_context() and tpm2_save_context().
Reviewed-by: Stefano Garzarella sgarzare@redhat.com
BTW for my understading, looking at that code (sorry if the answer is obvious, but I'm learning) I'm confused about the use of tpm2_rc_value().
For example in tpm2_load_context() we have:
rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL); ...} else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || rc == TPM2_RC_REFERENCE_H0) {
While in tpm2_save_context(), we have:
rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL); ... } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
So to check TPM2_RC_REFERENCE_H0 we are using tpm2_rc_value() only sometimes, what's the reason?
Good catch, I'll update...
TPM RC is a struct or bitfield.
Thanks, Stefano
BR, Jarkko
On Mon, Apr 07, 2025 at 09:13:37PM +0300, Jarkko Sakkinen wrote:
On Mon, Apr 07, 2025 at 03:51:21PM +0200, Stefano Garzarella wrote:
On Mon, Apr 07, 2025 at 03:28:05PM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX error codes.
Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Reported-by: Herbert Xu herbert@gondor.apana.org.au Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au... Signed-off-by: Jarkko Sakkinen jarkko@kernel.org
v4:
- tpm_to_ret()
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- include/linux/tpm.h | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3f89635ba5e8..102e099f22c1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -40,11 +40,6 @@
- These are the usage functions:
- tpm2_start_auth_session() which allocates the opaque auth structure
- and gets a session from the TPM. This must be called before
- any of the following functions. The session is protected by a
- session_key which is derived from a random salt value
- encrypted to the NULL seed.
- tpm2_end_auth_session() kills the session and frees the resources.
- Under normal operation this function is done by
- tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) }
/**
- tpm2_start_auth_session() - create a HMAC authentication session with the TPM
- @chip: the TPM chip structure to create the session with
- tpm2_start_auth_session() - Create an a HMAC authentication session
- @chip: A TPM chip
- This function loads the NULL seed from its saved context and starts
- an authentication session on the null seed, fills in the
- @chip->auth structure to contain all the session details necessary
- for performing the HMAC, encrypt and decrypt operations and
- returns. The NULL seed is flushed before this function returns.
- Loads the ephemeral key (null seed), and starts an HMAC authenticated
- session. The null seed is flushed before the return.
- Return: zero on success or actual error encountered.
- Returns zero on success, or a POSIX error code.
*/ int tpm2_start_auth_session(struct tpm_chip *chip) { @@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) /* hash algorithm for session */ tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 6c3125300c00..c826d5a9d894 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -257,8 +257,29 @@ enum tpm2_return_codes { TPM2_RC_TESTING = 0x090A, /* RC_WARN */ TPM2_RC_REFERENCE_H0 = 0x0910, TPM2_RC_RETRY = 0x0922,
- TPM2_RC_SESSION_MEMORY = 0x0903,
nit: the other values are in ascending order, should we keep it or is it not important?
(more a question for me than for the patch)
nope
};
+/*
- Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
- fallback return value is -EFAULT.
- */
+static inline ssize_t tpm_to_ret(ssize_t ret) +{
- /* Already a POSIX error: */
- if (ret < 0)
return ret;- switch (ret) {
- case TPM2_RC_SUCCESS:
return 0;- case TPM2_RC_SESSION_MEMORY:
return -ENOMEM;- default:
return -EFAULT;- }
+}
I like this and in the future we could reuse it in different places like tpm2_load_context() and tpm2_save_context().
Reviewed-by: Stefano Garzarella sgarzare@redhat.com
BTW for my understading, looking at that code (sorry if the answer is obvious, but I'm learning) I'm confused about the use of tpm2_rc_value().
For example in tpm2_load_context() we have:
rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL); ...} else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE || rc == TPM2_RC_REFERENCE_H0) {
While in tpm2_save_context(), we have:
rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL); ... } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
So to check TPM2_RC_REFERENCE_H0 we are using tpm2_rc_value() only sometimes, what's the reason?
Good catch, I'll update...
TPM RC is a struct or bitfield.
Applied to my -next: https://web.git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/l...
BR, Jarkko
linux-stable-mirror@lists.linaro.org
-
Jarkko Sakkinen -
Stefano Garzarella