From patchwork Wed Nov 29 11:08:46 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Martinez Canillas <javierm@redhat.com>
X-Patchwork-Id: 10081885
Return-Path: <linux-integrity-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A1D0760353 for <patchwork-linux-integrity@patchwork.kernel.org>;
	Wed, 29 Nov 2017 11:08:55 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9CFE9295DC
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Wed, 29 Nov 2017 11:08:55 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9142A2974A; Wed, 29 Nov 2017 11:08:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB80F295DC
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Wed, 29 Nov 2017 11:08:54 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754473AbdK2LIy (ORCPT
	<rfc822;patchwork-linux-integrity@patchwork.kernel.org>);
	Wed, 29 Nov 2017 06:08:54 -0500
Received: from mail-wm0-f66.google.com ([74.125.82.66]:46898 "EHLO
	mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752272AbdK2LIw (ORCPT
	<rfc822;linux-integrity@vger.kernel.org>);
	Wed, 29 Nov 2017 06:08:52 -0500
Received: by mail-wm0-f66.google.com with SMTP id r78so5381754wme.5
	for <linux-integrity@vger.kernel.org>;
	Wed, 29 Nov 2017 03:08:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=KCzkSk/tyf3ARLSPZwqUGjAXjWczSfFJnngfXbBS79w=;
	b=FJ5d/qCYIQpR7YW8aBBPdA9q1JneR89N+YDdcVkGfnUh4OQswxXlmqgmPtNGWXF34z
	5CE91FkJySi8u7FVTdPOYYvPrZDwr/DpnH1edhRQr09X+nVucFNF+LFr/hcBUYWF7QOi
	2xLzzEfzrtsBsMoSMaE7djt5L5W8xwTUsqxMHT/DDvENERuYet+xTYs5OcVT8/748OBk
	yfhjaZh1sITN7D+QWRxrdNNE5vbhxyEnjK6ZGLMjeXnY6h8ZfUS6QvB5YSq6R2SPZnZ9
	8G02AjFl7Smv2FZA1dX+gAiIShNKrnx0AfCTMrDEhZgrNU5xq2D5Le2r0ZgZ2NmQHM58
	Ot7g==
X-Gm-Message-State: AJaThX516gX1kad6BIcHFcFoZIcf4e9KoHERuifvGDBzveRvXL7/EHZF
	3Y3pnT8r2K5RJ9COtXsVzjiCOg==
X-Google-Smtp-Source: 
 AGs4zMYyweVmipRtk9BXUbODls7ivTfmGm88z2UM72JWr/D8XltuKUnRu88jTnSAQKuIEtoJ1A2VAw==
X-Received: by 10.28.5.201 with SMTP id 192mr2232700wmf.142.1511953731288;
	Wed, 29 Nov 2017 03:08:51 -0800 (PST)
Received: from minerva.redhat.com ([90.77.100.34])
	by smtp.gmail.com with ESMTPSA id
	b16sm2462163wrd.69.2017.11.29.03.08.50
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Wed, 29 Nov 2017 03:08:50 -0800 (PST)
From: Javier Martinez Canillas <javierm@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas <javierm@redhat.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Peter Huewe <peterhuewe@gmx.de>, Jerry Snitselaar <jsnitsel@redhat.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Philip Tricca <philip.b.tricca@intel.com>,
	linux-integrity@vger.kernel.org,
	William Roberts <william.c.roberts@intel.com>,
	James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [PATCH v2] tpm: return a TPM_RC_COMMAND_CODE response if a command
	isn't implemented
Date: Wed, 29 Nov 2017 12:08:46 +0100
Message-Id: <20171129110846.31892-1-javierm@redhat.com>
X-Mailer: git-send-email 2.14.3
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

According to the TPM Library Specification, a TPM device must do a command
header validation before processing and return a TPM_RC_COMMAND_CODE code
if the command is not implemented.

So user-space will expect to handle that response as an error. But if the
in-kernel resource manager is used (/dev/tpmrm?), an -EINVAL errno code is
returned instead if the command isn't implemented. This confuses userspace
since it doesn't expect that error value.

This also isn't consistent with the behavior when not using TPM spaces and
accessing the TPM directly (/dev/tpm?). In this case, the command is sent
to the TPM even when not implemented and the TPM responds with an error.

Instead of returning an -EINVAL errno code when the tpm_validate_command()
function fails, synthesize a TPM command response so user-space can get a
TPM_RC_COMMAND_CODE as expected when a chip doesn't implement the command.

The TPM only sets 12 of the 32 bits in the TPM_RC response, so the TSS and
TAB specifications define that higher layers in the stack should use some
of the unused 20 bits to specify from which level of the stack the error
is coming from.

Since the TPM_RC_COMMAND_CODE response code is sent by the kernel resource
manager, set the error level to the TAB/RM layer so user-space is aware of
this.

Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---

Changes since v1:
- Remove the unused macros for the driver and resmgr RC layers (suggested by
  Philip Tricca).
- Use naming conventions from the latest version of the TSS spec (suggested
  by Philip Tricca).

Changes since RFCv2:
- Set the error level to the TAB/RM layer so user-space is aware that the error
  is not coming from the TPM (suggested by Philip Tricca and Jarkko Sakkinen).

Changes since RFCv1:
- Don't pass not validated commands to the TPM, instead return a synthesized
  response with the correct TPM return code (suggested by Jason Gunthorpe).

And example of user-space getting confused by the TPM chardev returning -EINVAL
when sending a not supported TPM command can be seen in this tpm2-tools issue:

https://github.com/intel/tpm2-tools/issues/621

Best regards,
Javier

 drivers/char/tpm/tpm-interface.c | 28 ++++++++++++++++++++--------
 drivers/char/tpm/tpm.h           |  5 +++++
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 1d6729be4cd6..ac83ad149ec7 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -328,7 +328,7 @@ unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip,
 }
 EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration);
 
-static bool tpm_validate_command(struct tpm_chip *chip,
+static int tpm_validate_command(struct tpm_chip *chip,
 				 struct tpm_space *space,
 				 const u8 *cmd,
 				 size_t len)
@@ -340,10 +340,10 @@ static bool tpm_validate_command(struct tpm_chip *chip,
 	unsigned int nr_handles;
 
 	if (len < TPM_HEADER_SIZE)
-		return false;
+		return -EINVAL;
 
 	if (!space)
-		return true;
+		return 0;
 
 	if (chip->flags & TPM_CHIP_FLAG_TPM2 && chip->nr_commands) {
 		cc = be32_to_cpu(header->ordinal);
@@ -352,7 +352,7 @@ static bool tpm_validate_command(struct tpm_chip *chip,
 		if (i < 0) {
 			dev_dbg(&chip->dev, "0x%04X is an invalid command\n",
 				cc);
-			return false;
+			return -EOPNOTSUPP;
 		}
 
 		attrs = chip->cc_attrs_tbl[i];
@@ -362,11 +362,11 @@ static bool tpm_validate_command(struct tpm_chip *chip,
 			goto err_len;
 	}
 
-	return true;
+	return 0;
 err_len:
 	dev_dbg(&chip->dev,
 		"%s: insufficient command length %zu", __func__, len);
-	return false;
+	return -EINVAL;
 }
 
 /**
@@ -391,8 +391,20 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
 	unsigned long stop;
 	bool need_locality;
 
-	if (!tpm_validate_command(chip, space, buf, bufsiz))
-		return -EINVAL;
+	rc = tpm_validate_command(chip, space, buf, bufsiz);
+	if (rc == -EINVAL)
+		return rc;
+	/*
+	 * If the command is not implemented by the TPM, synthesize a
+	 * response with a TPM2_RC_COMMAND_CODE return for user-space.
+	 */
+	if (rc == -EOPNOTSUPP) {
+		header->length = cpu_to_be32(sizeof(*header));
+		header->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
+		header->return_code = cpu_to_be32(TPM2_RC_COMMAND_CODE |
+						  TPM2_RESMGRTPM_RC_LAYER);
+		return bufsiz;
+	}
 
 	if (bufsiz > TPM_BUFSIZE)
 		bufsiz = TPM_BUFSIZE;
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 2d5466a72e40..55833b7fcc1a 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -93,12 +93,17 @@ enum tpm2_structures {
 	TPM2_ST_SESSIONS	= 0x8002,
 };
 
+/* Indicates from what level of the software stack the error comes from */
+#define TPM2_RC_LAYER_SHIFT	16
+#define TPM2_RESMGRTPM_RC_LAYER (11 << TPM2_RC_LAYER_SHIFT)
+
 enum tpm2_return_codes {
 	TPM2_RC_SUCCESS		= 0x0000,
 	TPM2_RC_HASH		= 0x0083, /* RC_FMT1 */
 	TPM2_RC_HANDLE		= 0x008B,
 	TPM2_RC_INITIALIZE	= 0x0100, /* RC_VER1 */
 	TPM2_RC_DISABLED	= 0x0120,
+	TPM2_RC_COMMAND_CODE    = 0x0143,
 	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
 	TPM2_RC_REFERENCE_H0	= 0x0910,
 };