From patchwork Wed Jun 21 14:29:36 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roberto Sassu <roberto.sassu@huawei.com>
X-Patchwork-Id: 9802031
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DA4126038C
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Wed, 21 Jun 2017 14:35:11 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB160285C9
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Wed, 21 Jun 2017 14:35:11 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BEEBF285CF; Wed, 21 Jun 2017 14:35:11 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 67843285C9
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Wed, 21 Jun 2017 14:35:11 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751711AbdFUOdw (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Wed, 21 Jun 2017 10:33:52 -0400
Received: from lhrrgout.huawei.com ([194.213.3.17]:29083 "EHLO
	lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751927AbdFUOci (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Wed, 21 Jun 2017 10:32:38 -0400
Received: from 172.18.7.190 (EHLO LHREML711-CAH.china.huawei.com)
	([172.18.7.190])
	by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued)
	with ESMTP id DIY23247; Wed, 21 Jun 2017 14:32:35 +0000 (GMT)
Received: from roberto-HP-EliteDesk-800-G2-DM-65W.huawei.com (10.204.65.245)
	by smtpsuk.huawei.com (10.201.108.34) with Microsoft SMTP Server
	(TLS) id 14.3.301.0; Wed, 21 Jun 2017 15:32:24 +0100
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <tpmdd-devel@lists.sourceforge.net>
CC: <linux-ima-devel@lists.sourceforge.net>,
	<linux-security-module@vger.kernel.org>,
	<keyrings@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v3 1/6] tpm: use tpm_buf functions to perform a PCR read
Date: Wed, 21 Jun 2017 16:29:36 +0200
Message-ID: <20170621142941.32674-2-roberto.sassu@huawei.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20170621142941.32674-1-roberto.sassu@huawei.com>
References: <20170621142941.32674-1-roberto.sassu@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.204.65.245]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
	refid=str=0001.0A020201.594A8383.032A, ss=1, re=0.000, recu=0.000,
	reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0,
	so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: b6e705b68c1581613437862ee1f58501
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

tpm2_pcr_read() now uses tpm_buf functions to build the TPM command
to read a PCR. Those functions are preferred to passing a tpm2_cmd
structure, as they provide protection against buffer overflow.

Also, tpm2_pcr_read() code has been moved to tpm2_pcr_read_tpm_buf().
Callers have to pass a tpm_buf structure, an algorithm supported by
the TPM and call tpm_buf_destroy(). The algorithm still cannot be
passed to the TPM driver interface. This parameter has been introduced
for determining the digest size of a given algorithm.

Moving tpm2_pcr_read() code to tpm2_pcr_read_tpm_buf() is necessary
because callers of the new function obtain different information from
the output buffer: tpm2_pcr_read() gets the digest, tpm2_do_selftest()
will get the command return code and tpm2_get_pcr_allocation() will get
the digest size.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 drivers/char/tpm/tpm2-cmd.c | 54 +++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 3a99643..afd1b63 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -231,15 +231,37 @@ static const u8 tpm2_ordinal_duration[TPM2_CC_LAST - TPM2_CC_FIRST + 1] = {
 	(sizeof(struct tpm_input_header) + \
 	 sizeof(struct tpm2_pcr_read_in))
 
-#define TPM2_PCR_READ_RESP_BODY_SIZE \
-	 sizeof(struct tpm2_pcr_read_out)
-
 static const struct tpm_input_header tpm2_pcrread_header = {
 	.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS),
 	.length = cpu_to_be32(TPM2_PCR_READ_IN_SIZE),
 	.ordinal = cpu_to_be32(TPM2_CC_PCR_READ)
 };
 
+static int tpm2_pcr_read_tpm_buf(struct tpm_chip *chip, int pcr_idx,
+				 enum tpm2_algorithms algo, struct tpm_buf *buf,
+				 char *msg)
+{
+	int rc;
+	u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
+
+	if (pcr_idx >= TPM2_PLATFORM_PCR)
+		return -EINVAL;
+
+	rc = tpm_buf_init(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
+	if (rc)
+		return rc;
+
+	pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
+
+	tpm_buf_append_u32(buf, 1);
+	tpm_buf_append_u16(buf, algo);
+	tpm_buf_append_u8(buf, TPM2_PCR_SELECT_MIN);
+	tpm_buf_append(buf, (const unsigned char *)pcr_select,
+		       sizeof(pcr_select));
+
+	return tpm_transmit_cmd(chip, NULL, buf->data, PAGE_SIZE, 0, 0, msg);
+}
+
 /**
  * tpm2_pcr_read() - read a PCR value
  * @chip:	TPM chip to use.
@@ -251,29 +273,17 @@ static const struct tpm_input_header tpm2_pcrread_header = {
 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf)
 {
 	int rc;
-	struct tpm2_cmd cmd;
-	u8 *buf;
-
-	if (pcr_idx >= TPM2_PLATFORM_PCR)
-		return -EINVAL;
-
-	cmd.header.in = tpm2_pcrread_header;
-	cmd.params.pcrread_in.pcr_selects_cnt = cpu_to_be32(1);
-	cmd.params.pcrread_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1);
-	cmd.params.pcrread_in.pcr_select_size = TPM2_PCR_SELECT_MIN;
-
-	memset(cmd.params.pcrread_in.pcr_select, 0,
-	       sizeof(cmd.params.pcrread_in.pcr_select));
-	cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
+	struct tpm_buf buf;
+	struct tpm2_pcr_read_out *out;
 
-	rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd),
-			      TPM2_PCR_READ_RESP_BODY_SIZE,
-			      0, "attempting to read a pcr value");
+	rc = tpm2_pcr_read_tpm_buf(chip, pcr_idx, TPM2_ALG_SHA1, &buf,
+				   "attempting to read a pcr value");
 	if (rc == 0) {
-		buf = cmd.params.pcrread_out.digest;
-		memcpy(res_buf, buf, TPM_DIGEST_SIZE);
+		out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
+		memcpy(res_buf, out->digest, TPM_DIGEST_SIZE);
 	}
 
+	tpm_buf_destroy(&buf);
 	return rc;
 }