Message ID | 20240703003033.19057-1-jarkko@kernel.org (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | tpm: Limit TCG_TPM2_HMAC to known good drivers |
On Wed Jul 3, 2024 at 3:30 AM EEST, Jarkko Sakkinen wrote:
> + depends on TCG_CRB || TCG_TIS_CORE
Needs to be "depends on !TCG_IBMVTPM":
https://lore.kernel.org/linux-integrity/D2FHWYEXITS4.1GNXEB8V6KJM7@kernel.org/
BR, Jarkko
On Wed Jul 3, 2024 at 4:02 AM EEST, Jarkko Sakkinen wrote:
> On Wed Jul 3, 2024 at 3:30 AM EEST, Jarkko Sakkinen wrote:
> > + depends on TCG_CRB || TCG_TIS_CORE
>
> Needs to be "depends on !TCG_IBMVTPM":
>
> https://lore.kernel.org/linux-integrity/D2FHWYEXITS4.1GNXEB8V6KJM7@kernel.org/

This ended up such a mess to fix with any fast path so I made a proper fix for the core issue in the hmac authentication patch set:

https://lore.kernel.org/linux-integrity/20240703170815.1494625-1-jarkko@kernel.org/

The problem is that tpm_crb and tpm_tis_core are the *only* drivers, which call tpm_chip_bootstrap() so it is better not to take any possible risks with this.

I'm still aiming to get these fixes into 6.10.

BR, Jarkko
diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index cf0be8a7939d..c310588a5958 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -30,6 +30,7 @@ if TCG_TPM config TCG_TPM2_HMAC bool "Use HMAC and encrypted transactions on the TPM bus" default X86_64 + depends on TCG_CRB || TCG_TIS_CORE select CRYPTO_ECDH select CRYPTO_LIB_AESCFB select CRYPTO_LIB_SHA256
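Review bot: The added "depends on TCG_CRB || TCG_TIS_CORE" under "config TCG_TPM2_HMAC" only requires that one of those two drivers is enabled; it does not keep the option off in a kernel that enables one of them together with a driver that never sets up sessions, so the IBM vTPM failure and the NULL chip->auth risk named in the commit message stay reachable on such a build. An allowlist in Kconfig cannot express "every TPM driver in this build is known good". Either exclude the known-bad driver explicitly (the reply in this thread proposes "depends on !TCG_IBMVTPM") or have the HMAC paths check chip->auth at run time so the outcome does not depend on which drivers are configured. A one-line comment above the new dependency saying why it exists would also help whoever lifts it later.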
IBM vTPM driver lacks a call to tpm2_sessions_init() and reports:

[ 2.987131] tpm tpm0: tpm2_load_context: failed with a TPM error 0x01C4
[ 2.987140] ima: Error Communicating to TPM chip, result: -14

HMAC encryption code also has a risk of null dereference, given that when uninitialized, chip->auth is a null pointer.

Limit TCG_TPM2_HMAC to known good drivers until these issues have been properly fixed.

Cc: stable@vger.kernel.org # v6.10+
Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
Reported-by: Stefan Berger <stefanb@linux.ibm.com>
Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@linux.ibm.com/
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
 drivers/char/tpm/Kconfig | 1 +
 1 file changed, 1 insertion(+)