- 27 Sep, 2016 5 commits
-
-
git://git.infradead.org/users/jjs/linux-tpmddJames Morris authored
tpmdd reverts for Linux 4.9 Revert patches mistakenly included. "Hi James, I had a typo in my PR command: git request-pull security/next git://git.infradead.org/users/jjs/linux-tpmdd.git master > tpmdd-next-20160915.txt ^^^^^^ That should have been the signed tag tpmdd-next-20160915. This caused four commits slip into your tree that are not meant for 4.9 release. I created a script to generate the signed tag + PR as a corrective measure. /Jarkko"
-
Jarkko Sakkinen authored
This reverts commit e17acbbb. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jarkko Sakkinen authored
This reverts commit 9514ff19. Signed-off-by:
-
Jarkko Sakkinen authored
This reverts commit 0c22db43. Signed-off-by:
-
Jarkko Sakkinen authored
This reverts commit e350e246. Signed-off-by:
-
- 21 Sep, 2016 1 commit
-
-
- 19 Sep, 2016 2 commits
-
-
Vivek Goyal authored
Right now LSM_AUDIT_DATA_PATH type contains "struct path" in union "u" of common_audit_data. This information is used to print path of file at the same time it is also used to get to dentry and inode. And this inode information is used to get to superblock and device and print device information. This does not work well for layered filesystems like overlay where dentry contained in path is overlay dentry and not the real dentry of underlying file system. That means inode retrieved from dentry is also overlay inode and not the real inode. SELinux helpers like file_path_has_perm() are doing checks on inode retrieved from file_inode(). This returns the real inode and not the overlay inode. That means we are doing check on real inode but for audit purposes we are printing details of overlay inode and that can be confusing while debugging. Hence, introduce a new type LSM_AUDIT_DATA_FILE which carries file information and inode retrieved is real inode using file_inode(). That way right avc denied information is given to user. For example, following is one example avc before the patch. type=AVC msg=audit(1473360868.399:214): avc: denied { read open } for pid=1765 comm="cat" path="/root/.../overlay/container1/merged/readfile" dev="overlay" ino=21443 scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20 tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0 tclass=file permissive=0 It looks as follows after the patch. type=AVC msg=audit(1473360017.388:282): avc: denied { read open } for pid=2530 comm="cat" path="/root/.../overlay/container1/merged/readfile" dev="dm-0" ino=2377915 scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20 tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0 tclass=file permissive=0 Notice that now dev information points to "dm-0" device instead of "overlay" device. This makes it clear that check failed on underlying inode and not on the overlay inode. Signed-off-by:Vivek Goyal <vgoyal@redhat.com> [PM: slight tweaks to the description to make checkpatch.pl happy] Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
-
- 16 Sep, 2016 4 commits
-
-
Winkler, Tomas authored
Utilize runtime_pm for driving tpm crb idle states. The framework calls cmd_ready from the pm_runtime_resume handler and go idle from the pm_runtime_suspend handler. The TPM framework should wake the device before transmit and receive. In case the runtime_pm framework is not enabled, the device will be in ready state. [jarkko.sakkinen@linux.intel.com: changed pm_runtime_put_sync() to pm_runtime_put()] Signed-off-by:
Tomas Winkler <tomas.winkler@intel.com> Reviewed-by:
-
Winkler, Tomas authored
This is preparation step for implementing tpm crb runtime pm. We need to have tpm chip allocated and populated before we access the runtime handlers. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinn@linux.intel.com>
-
Winkler, Tomas authored
There is a HW bug in Skylake, and Broxton PCH Intel PTT device, where most of the registers in the control area except START, REQUEST, CANCEL, and LOC_CTRL lost retention when the device is in the idle state. Hence we need to bring the device to ready state before accessing the other registers. The fix brings device to ready state before trying to read command and response buffer addresses in order to remap the for access. Signed-off-by:
-
Winkler, Tomas authored
The register TPM_CRB_CTRL_REQ_x contains bits goIdle and cmdReady for SW to indicate that the device can enter or should exit the idle state. The legacy ACPI-start (SMI + DMA) based devices do not support these bits and the idle state management is not exposed to the host SW. Thus, this functionality only is enabled only for a CRB start (MMIO) based devices. Based on Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> original patch: 'tpm_crb: implement power tpm crb power management' To keep the implementation local to the hw we don't use wait_for_tpm_stat for polling the TPM_CRB_CTRL_REQ. Signed-off-by:
-
- 15 Sep, 2016 19 commits
-
-
Jarkko Sakkinen authored
tpm_transmit() does not check that bufsiz is at least TPM_HEADER_SIZE before accessing data. This commit adds this check and returns -EINVAL if it fails. Signed-off-by: -
Julia Lawall authored
Constify TPM 1.x header structures in order to move them to rodata section as they are meant to be never changed during runtime. Signed-off-by:
Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by:
-
Tomas Winkler authored
Because of the line break in the debug print the chackpatch is not silent on 80 characters limitation. The easiest fix is to straighten the lines, it's also more readable. WARNING: line over 80 characters + FW_BUG "TPM2 ACPI table does not define a memory resource\n"); Signed-off-by:
-
Tomas Winkler authored
Don't apply endianity conversion when writing to the registers this is already handled by the system. Signed-off-by:
-
Tomas Winkler authored
Instead of expensive register access on retrieving cmd_size on each send, save the value during initialization in the private context. The value doesn't change. Signed-off-by:
-
Tomas Winkler authored
The platform device is not used in this driver, drop the include to linux/platform_device.h Signed-off-by:
-
Tomas Winkler authored
Fixes the warning: drivers/char/tpm/tpm_tis_core.c:443:7: warning: variable ‘itpm’ set but not used [-Wunused-but-set-variable] bool itpm; ^~~~ Signed-off-by: -
Jarkko Sakkinen authored
CRB_CTRL_CMD_READY and CRB_CTRL_GO_IDLE have incorrect values. Signed-off-by: -
Jarkko Sakkinen authored
Renamed CRB protocol specific constants to match the TCG PC Client Platform TPM Profile (PTP) Specification and driver status constants to be explicit that they are driver specific. Signed-off-by: -
Jarkko Sakkinen authored
wmb()'s are not needed as iowrite32() is used. Signed-off-by: -
Jarkko Sakkinen authored
The req_canceled() callback is used by tpm_transmit() periodically to check whether the request has been canceled while it is receiving a response from the TPM. The TPM_CRB_CTRL_CANCEL register was cleared already in the crb_cancel callback, which has two consequences: * Cancel might not happen. * req_canceled() always returns zero. A better place to clear the register is when starting to send a new command. The behavior of TPM_CRB_CTRL_CANCEL is described in the section 5.5.3.6 of the PTP specification. CC: stable@vger.kernel.org Fixes: 30fc8d13 ("tpm: TPM 2.0 CRB Interface") Signed-off-by:
-
Jarkko Sakkinen authored
Instead of a ad-hoc protocol message construction it is better to call tpm_pcr_read_dev(). Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
-
Jarkko Sakkinen authored
It is better to tpm_transmit_cmd() in tpm2_probe() in order to get consistent command handling throughout the subsystem. Signed-off-by:
-
Jarkko Sakkinen authored
Since tpm_gen_interrupt() is only used in tpm_tis_core.c this commit replaces it with an internal tpm_tis_gen_interrupt(). The semantics also changed in a way that on a system error the driver initialization is failed. Signed-off-by:
-
Jarkko Sakkinen authored
Removed unnecessary externs from tpm.h. Signed-off-by:
-
Jason Gunthorpe authored
This function should only be called as part of an IRQ probing protocol and st33 does not have any code to detect that the IRQ it tries to generate was not generated and disable the IRQ. Since st33 is primarily a DT binding driver it should not be doing IRQ probing anyhow, so let us just delete this useless call. Signed-off-by:
-
Jarkko Sakkinen authored
Unseal and load operations should be done as an atomic operation. This commit introduces unlocked tpm_transmit() so that tpm2_unseal_trusted() can do the locking by itself. Fixes: 0fe54803 ("keys, trusted: seal/unseal with TPM 2.0 chips") Cc: stable@vger.kernel.org Signed-off-by:
-
Jarkko Sakkinen authored
The driver emits invalid self test error message even though the init succeeds. Signed-off-by:
James Morris <james.l.morris@oracle.com>
-
-
- 13 Sep, 2016 1 commit
-
-
Wei Yongjun authored
Fix to return error code -EINVAL from the error handling case instead of 0 (rc is overwrite to 0 when policyvers >= POLICYDB_VERSION_ROLETRANS), as done elsewhere in this function. Signed-off-by:
Wei Yongjun <weiyongjun1@huawei.com> [PM: normalize "selinux" in patch subject, description line wrap] Signed-off-by:
-
- 08 Sep, 2016 1 commit
-
-
Casey Schaufler authored
Under a strict subject/object security policy delivering a signal or delivering network IPC could be considered either a write or an append operation. The original choice to make both write operations leads to an issue where IPC delivery is desired under policy, but delivery of signals is not. This patch provides the option of making signal delivery an append operation, allowing Smack rules that deny signal delivery while allowing IPC. This was requested for Tizen. Signed-off-by:Casey Schaufler <casey@schaufler-ca.com>
-
- 30 Aug, 2016 1 commit
-
-
William Roberts authored
Throughout the SELinux LSM, values taken from sepolicy are used in places where length == 0 or length == <saturated> matter, find and fix these. Signed-off-by:
William Roberts <william.c.roberts@intel.com> Signed-off-by:
-
- 29 Aug, 2016 2 commits
-
-
William Roberts authored
libsepol pointed out an issue where its possible to have an unitialized jmp and invalid dereference, fix this. While we're here, zero allocate all the *_val_to_struct structures. Signed-off-by:
-
William Roberts authored
When count is 0 and the highbit is not zero, the ebitmap is not valid and the internal node is not allocated. This causes issues when routines, like mls_context_isvalid() attempt to use the ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume a highbit > 0 will have a node allocated. Signed-off-by:
-
- 23 Aug, 2016 1 commit
-
-
Markus Elfring authored
Reuse existing functionality from memdup_user() instead of keeping duplicate source code. This issue was detected by using the Coccinelle software. Signed-off-by:
Markus Elfring <elfring@users.sourceforge.net> Acked-by:
-
- 19 Aug, 2016 1 commit
-
-
William Roberts authored
Remove the SECURITY_SELINUX_POLICYDB_VERSION_MAX Kconfig option Per: https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo This was only needed on Fedora 3 and 4 and just causes issues now, so drop it. The MAX and MIN should just be whatever the kernel can support. Signed-off-by:
-
- 10 Aug, 2016 1 commit
-
-
Vivek Goyal authored
Calculate what would be the label of newly created file and set that secid in the passed creds. Context of the task which is actually creating file is retrieved from set of creds passed in. (old->security). Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
-
- 09 Aug, 2016 1 commit
-
-
Mickaël Salaün authored
Fixes: 8112c4f1 ("seccomp: remove 2-phase API") Signed-off-by:
Mickaël Salaün <mic@digikod.net> Acked-by:
Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> Cc: James Morris <jmorris@namei.org> Signed-off-by:
-
