linux/security
Roberto Sassu 879b589210 tpm: retrieve digest size of unknown algorithms with PCR read
Currently, the TPM driver retrieves the digest size from a table mapping
TPM algorithms identifiers to identifiers defined by the crypto subsystem.
If the algorithm is not defined by the latter, the digest size can be
retrieved from the output of the PCR read command.

The patch modifies the definition of tpm_pcr_read() and tpm2_pcr_read() to
pass the desired hash algorithm and obtain the digest size at TPM startup.
Algorithms and corresponding digest sizes are stored in the new structure
tpm_bank_info, member of tpm_chip, so that the information can be used by
other kernel subsystems.

tpm_bank_info contains: the TPM algorithm identifier, necessary to generate
the event log as defined by Trusted Computing Group (TCG); the digest size,
to pad/truncate a digest calculated with a different algorithm; the crypto
subsystem identifier, to calculate the digest of event data.

This patch also protects against data corruption that could happen in the
bus, by checking that the digest size returned by the TPM during a PCR read
matches the size of the algorithm passed to tpm2_pcr_read().

For the initial PCR read, when digest sizes are not yet available, this
patch ensures that the amount of data copied from the output returned by
the TPM does not exceed the size of the array data are copied to.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-02-13 09:48:51 +02:00
..
apparmor apparmor: Adjust offset when accessing task blob. 2019-01-22 14:38:59 -08:00
integrity tpm: retrieve digest size of unknown algorithms with PCR read 2019-02-13 09:48:51 +02:00
keys security: keys: annotate implicit fall throughs 2019-01-22 19:47:47 -08:00
loadpin LoadPin: Initialize as ordered LSM 2019-01-08 13:18:43 -08:00
safesetid LSM: SafeSetID: remove unused include 2019-01-30 12:29:53 -08:00
selinux Linux 5.0-rc3 2019-01-22 14:33:10 -08:00
smack LSM: Make lsm_early_cred() and lsm_early_task() local functions. 2019-01-18 11:44:02 -08:00
tomoyo tomoyo: Allow multiple use_group lines. 2019-01-24 14:50:27 -08:00
yama Linux 5.0-rc3 2019-01-22 14:33:10 -08:00
commoncap.c LSM: generalize flag passing to security_capable 2019-01-10 14:16:06 -08:00
device_cgroup.c docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
inode.c security: fs: make inode explicitly non-modular 2018-12-12 14:58:51 -08:00
Kconfig LSM: add SafeSetID module that gates setid calls 2019-01-25 11:22:45 -08:00
lsm_audit.c audit: use inline function to get audit context 2018-05-14 17:24:18 -04:00
Makefile LSM: add SafeSetID module that gates setid calls 2019-01-25 11:22:45 -08:00
min_addr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
security.c Linux 5.0-rc3 2019-01-22 14:33:10 -08:00