On Mon, Apr 07, 2025 at 03:28:05PM +0300, Jarkko Sakkinen wrote:
tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX
error codes.
Cc: sta...@vger.kernel.org # v6.10+
Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions")
Reported-by: Herbert Xu <herb...@gondor.apana.org.au>
Closes:
https://lore.kernel.org/linux-integrity/z_ngdrhutkp6j...@gondor.apana.org.au/
Signed-off-by: Jarkko Sakkinen <jar...@kernel.org>
---
v4:
- tpm_to_ret()
v3:
- rc > 0
v2:
- Investigate TPM rc only after destroying tpm_buf.
---
drivers/char/tpm/tpm2-sessions.c | 20 ++++++--------------
include/linux/tpm.h | 21 +++++++++++++++++++++
2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index 3f89635ba5e8..102e099f22c1 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -40,11 +40,6 @@
*
* These are the usage functions:
*
- * tpm2_start_auth_session() which allocates the opaque auth structure
- * and gets a session from the TPM. This must be called before
- * any of the following functions. The session is protected by a
- * session_key which is derived from a random salt value
- * encrypted to the NULL seed.
* tpm2_end_auth_session() kills the session and frees the resources.
* Under normal operation this function is done by
* tpm_buf_check_hmac_response(), so this is only to be used on
@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32
*null_key)
}
/**
- * tpm2_start_auth_session() - create a HMAC authentication session with the
TPM
- * @chip: the TPM chip structure to create the session with
+ * tpm2_start_auth_session() - Create an a HMAC authentication session
+ * @chip: A TPM chip
*
- * This function loads the NULL seed from its saved context and starts
- * an authentication session on the null seed, fills in the
- * @chip->auth structure to contain all the session details necessary
- * for performing the HMAC, encrypt and decrypt operations and
- * returns. The NULL seed is flushed before this function returns.
+ * Loads the ephemeral key (null seed), and starts an HMAC authenticated
+ * session. The null seed is flushed before the return.
*
- * Return: zero on success or actual error encountered.
+ * Returns zero on success, or a POSIX error code.
*/
int tpm2_start_auth_session(struct tpm_chip *chip)
{
@@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
/* hash algorithm for session */
tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
+ rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
tpm2_flush_context(chip, null_key);
if (rc == TPM2_RC_SUCCESS)
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 6c3125300c00..c826d5a9d894 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -257,8 +257,29 @@ enum tpm2_return_codes {
TPM2_RC_TESTING = 0x090A, /* RC_WARN */
TPM2_RC_REFERENCE_H0 = 0x0910,
TPM2_RC_RETRY = 0x0922,
+ TPM2_RC_SESSION_MEMORY = 0x0903,
nit: the other values are in ascending order, should we keep it or is it
not important?
(more a question for me than for the patch)
};
+/*
+ * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
+ * fallback return value is -EFAULT.
+ */
+static inline ssize_t tpm_to_ret(ssize_t ret)
+{
+ /* Already a POSIX error: */
+ if (ret < 0)
+ return ret;
+
+ switch (ret) {
+ case TPM2_RC_SUCCESS:
+ return 0;
+ case TPM2_RC_SESSION_MEMORY:
+ return -ENOMEM;
+ default:
+ return -EFAULT;
+ }
+}
I like this and in the future we could reuse it in different places like
tpm2_load_context() and tpm2_save_context().
Reviewed-by: Stefano Garzarella <sgarz...@redhat.com>
BTW for my understading, looking at that code (sorry if the answer is
obvious, but I'm learning) I'm confused about the use of
tpm2_rc_value().
For example in tpm2_load_context() we have:
rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL);
...
} else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE ||
rc == TPM2_RC_REFERENCE_H0) {
While in tpm2_save_context(), we have:
rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL);
...
} else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
So to check TPM2_RC_REFERENCE_H0 we are using tpm2_rc_value() only
sometimes, what's the reason?
Thanks,
Stefano
