Re: [PATCH v5 14/17] tpm: remove TPM_TRANSMIT_UNLOCKED flag

From: Jarkko Sakkinen
Date: Thu Nov 08 2018 - 14:02:48 EST


On Thu, Nov 08, 2018 at 10:43:46AM -0500, Stefan Berger wrote:
> > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > index f2b0e5c52a57..d6abc964ef66 100644
> > --- a/drivers/char/tpm/tpm2-cmd.c
> > +++ b/drivers/char/tpm/tpm2-cmd.c
> > @@ -652,17 +652,12 @@ int tpm2_unseal_trusted(struct tpm_chip *chip,
> > u32 blob_handle;
> > int rc;
> >
> > - mutex_lock(&chip->tpm_mutex);
> > - rc = tpm2_load_cmd(chip, payload, options, &blob_handle,
> > - TPM_TRANSMIT_UNLOCKED);
> > + rc = tpm2_load_cmd(chip, payload, options, &blob_handle, 0);
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > - rc = tpm2_unseal_cmd(chip, payload, options, blob_handle,
> > - TPM_TRANSMIT_UNLOCKED);
> > - tpm2_flush_context_cmd(chip, blob_handle, TPM_TRANSMIT_UNLOCKED);
> > -out:
> > - mutex_unlock(&chip->tpm_mutex);
> > + rc = tpm2_unseal_cmd(chip, payload, options, blob_handle, 0);
> > + tpm2_flush_context_cmd(chip, blob_handle, 0);
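
Review bot: With the mutex_lock()/mutex_unlock() pair around tpm2_load_cmd(), tpm2_unseal_cmd() and tpm2_flush_context_cmd() removed, tpm2_unseal_trusted() no longer holds chip->tpm_mutex across the three calls, so blob_handle stays loaded between commands without this function holding a lock. The changelog, or a comment above the sequence, should state what keeps blob_handle valid and untouched by other TPM users between the load and the flush. If nothing does, keep a single lock scope around the whole load/unseal/flush sequence.
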
>
>
> This lock was protecting quite a few commands from interference by others.
> Is this still guaranteed to work afterwards, or can different subsystems like
> trusted keys and IMA and /dev/tpm0 users interfere with this previously atomic
> sequence?

One way to keep this sequence atomic would be to use a TPM space. Then
you can release the lock in-between the sequence.

/Jarkko