All files matching a "measure" rule must be included in the IMA
measurement list, even when the file hash cannot be calculated.
Similarly, all files matching an "audit" rule must be audited, even when
the file hash can not be calculated.

The file data hash field contained in the IMA measurement list template
data will contain 0's instead of the actual file hash digest.

Note:
In general, adding, deleting or in anyway changing which files are
included in the IMA measurement list is not a good idea, as it might
result in not being able to unseal trusted keys sealed to a specific
TPM PCR value.  This patch not only adds file measurements that were
not previously measured, but specifies that the file hash value for
these files will be 0's.

As the IMA measurement list ordering is not consistent from one boot
to the next, it is unlikely that anyone is sealing keys based on the
IMA measurement list.  Remote attestation servers should be able to
process these new measurement records, but might complain about
these unknown records.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>

The securityfs policy file is removed unless additional rules can be
appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless as
to whether the policy is configured so that it can be displayed.

This patch changes this behavior, removing the securityfs policy file,
only if CONFIG_IMA_READ_POLICY is also not enabled.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The mount i_version flag is not enabled in the new sb_flags.  This patch
adds the missing SB_I_VERSION flag.

Fixes: e462ec50 "VFS: Differentiate mount flags (MS_*) from internal
       superblock flags"
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Update the mailing list information.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Supply the Smack module hooks in support of overlayfs.
Ensure that the Smack label of new files gets the correct
value when a directory is transmuting. Original implementation
by Romanini Daniele, with a few tweaks added.
Signed-off-by: NRomanini Daniele <daniele.romanini@aalto.fi>
Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Emails to David's listed email address bounce, and in the commit log
there's no activity from him within the last 5 years.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Tomoyo uses an open-coded version of time_to_tm() to create a timestamp
from the current time as read by get_seconds(). This will overflow and
give wrong results on 32-bit systems in 2038.

To correct this, this changes the code to use ktime_get_real_seconds()
and the generic time64_to_tm() function that are both y2038-safe.
Using the library function avoids adding an expensive 64-bit division
in this code and can benefit from any optimizations we do in common
code.
Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

The existing condition tested for process effective capabilities set by
file attributes but intended to ignore the change if the result was
unsurprisingly an effective full set in the case root is special with a
setuid root executable file and we are root.

Stated again:
- When you execute a setuid root application, it is no surprise and
  expected that it got all capabilities, so we do not want capabilities
  recorded.
        if (pE_grew && !(pE_fullset && (eff_root || real_root) && root_priveleged) )

Now make sure we cover other cases:
- If something prevented a setuid root app getting all capabilities and
  it wound up with one capability only, then it is a surprise and should
  be logged.  When it is a setuid root file, we only want capabilities
  when the process does not get full capabilities..
        root_priveleged && setuid_root && !pE_fullset

- Similarly if a non-setuid program does pick up capabilities due to
  file system based capabilities, then we want to know what capabilities
  were picked up.  When it has file system based capabilities we want
  the capabilities.
        !is_setuid && (has_fcap && pP_gained)

- If it is a non-setuid file and it gets ambient capabilities, we want
  the capabilities.
        !is_setuid && pA_gained

- These last two are combined into one due to the common first parameter.

Related: https://github.com/linux-audit/audit-kernel/issues/16Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Acked-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Now that the logic is inverted, it is much easier to see that both real
root and effective root conditions had to be met to avoid printing the
BPRM_FCAPS record with audit syscalls.  This meant that any setuid root
applications would print a full BPRM_FCAPS record when it wasn't
necessary, cluttering the event output, since the SYSCALL and PATH
records indicated the presence of the setuid bit and effective root user
id.

Require only one of effective root or real root to avoid printing the
unnecessary record.

Ref: commit 3fc689e9 ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS")
See: https://github.com/linux-audit/audit-kernel/issues/16Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Acked-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

The way the logic was presented, it was awkward to read and verify.
Invert the logic using DeMorgan's Law to be more easily able to read and
understand.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Remove a layer of conditional logic to make the use of conditions
easier to read and analyse.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Move the audit log decision logic to its own function to isolate the
complexity in one place.
Suggested-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Introduce a number of inlines to make the use of the negation of
uid_eq() easier to read and analyse.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Introduce inline root_privileged() to make use of SECURE_NONROOT
easier to read.
Suggested-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Rename has_cap to has_fcap to clarify it applies to file capabilities
since the entire source file is about capabilities.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Introduce macros cap_gained, cap_grew, cap_full to make the use of the
negation of is_subset() easier to read and analyse.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Factor out the case of privileged root from the function
cap_bprm_set_creds() to make the latter easier to read and analyse.
Suggested-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NKees Cook <keescook@chromium.org>
Okay-ished-by: NPaul Moore <paul@paul-moore.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Signed-off-by: NJérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

This commit fixes the duplicate inline declaration specifier in
tpm2_rc_value which caused a warning
Signed-off-by: NRuben Roy <rubenroy2005@gmail.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Use __le32 type for data in that format.

Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>

The local variable 'handle' should have the type __be32 instead of u32.

Fixes: 745b361e ("tpm: infrastructure for TPM spaces")
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>

The local variable 'attrs' should have the type __be32 instead of u32.

Fixes: 58472f5c ("tpm: validate TPM 2.0 commands")
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>

tpm_transmit() does not offer an explicit interface to indicate the number
of valid bytes in the communication buffer. Instead, it relies on the
commandSize field in the TPM header that is encoded within the buffer.
Therefore, ensure that a) enough data has been written to the buffer, so
that the commandSize field is present and b) the commandSize field does not
announce more data than has been written to the buffer.

This should have been fixed with CVE-2011-1161 long ago, but apparently
a correct version of that patch never made it into the kernel.

Cc: stable@vger.kernel.org
Signed-off-by: NAlexander Steffen <Alexander.Steffen@infineon.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

The TPM can choose one of two ways to react to the TPM2_SelfTest command.
It can either run all self tests synchronously and then return RC_SUCCESS
once all tests were successful. Or it can choose to run the tests
asynchronously and return RC_TESTING immediately while the self tests still
execute in the background.

The previous implementation apparently was not aware of those possibilities
and attributed RC_TESTING to some prototype chips instead. With this change
the return code of TPM2_SelfTest is interpreted correctly, i.e. the self
test result is polled if and only if RC_TESTING is received.

Unfortunately, the polling cannot be done in the most straightforward way.
If RC_TESTING is received, ideally the code should now poll the
selfTestDone bit in the STS register, as this avoids sending more commands,
that might interrupt self tests executing in the background and thus
prevent them from ever completing. But it cannot be guaranteed that this
bit is correctly implemented for all devices, so the next best thing would
be to use TPM2_GetTestResult to query the test result. But the response to
that command can be very long, and the code currently lacks the
capabilities for efficient unmarshalling, so it is difficult to execute
this command.

Therefore, we simply run the TPM2_SelfTest command in a loop, which should
complete eventually, since we only request the execution of self tests that
have not yet been done.
Signed-off-by: NAlexander Steffen <Alexander.Steffen@infineon.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

In order to avoid delaying the code longer than necessary while still
giving the TPM enough time to execute the self tests asynchronously, start
with a small delay between two polls and increase it each round.
Signed-off-by: NAlexander Steffen <Alexander.Steffen@infineon.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

tpm2_do_selftest is only used during initialization of the TPM to ensure
that the device functions correctly. Therefore, it is sufficient to request
only missing self tests (parameter full_test=0), not a reexecution of all
self tests, as was done before. This allows for a faster execution of this
command.
Signed-off-by: NAlexander Steffen <Alexander.Steffen@infineon.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

The buffers used as tx_buf/rx_buf in a SPI transfer need to be DMA-safe.
This cannot be guaranteed for the buffers passed to tpm_tis_spi_read_bytes
and tpm_tis_spi_write_bytes. Therefore, we need to use our own DMA-safe
buffer and copy the data to/from it.

The buffer needs to be allocated separately, to ensure that it is
cacheline-aligned and not shared with other data, so that DMA can work
correctly.

Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy")
Cc: stable@vger.kernel.org
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NAlexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

This patch gets rid of dealing with intermediate flag for start method
and use start method value from ACPI table directly.

For ARM64, the locality is handled by Trust Zone in FW.  The layout
does not have crb_regs_head.  It is hitting the following line.
dev_warn(dev, FW_BUG "Bad ACPI memory layout");

Current code excludes CRB_FL_ACPI_START for this check.  Now since
ARM64 support for TPM CRB is added, CRB_FL_CRB_SMC_START should also be
excluded from this check.

For goIdle and cmdReady where code was excluding CRB_FL_ACPI_START only
(do nothing for ACPI start method), CRB_FL_CRB_SMC_START was also
excluded as ARM64 SMC start method does not have TPM_CRB_CTRL_REQ.

However with special PPT workaround requiring CRB_FL_CRB_START to be
set in addition to CRB_FL_ACPI_START and the addition flag of SMC
start method CRB_FL_CRB_SMC_START, the code has become difficult to
maintain and undrestand.  It is better to make code deal with start
method value from ACPI table directly.
Signed-off-by: NJiandi An <anjiandi@codeaurora.org>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Making cmd_getticks 'const' introduced a couple of harmless warnings:

drivers/char/tpm/tpm_tis_core.c: In function 'probe_itpm':
drivers/char/tpm/tpm_tis_core.c:469:31: error: passing argument 2 of 'tpm_tis_send_data' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  rc = tpm_tis_send_data(chip, cmd_getticks, len);
drivers/char/tpm/tpm_tis_core.c:477:31: error: passing argument 2 of 'tpm_tis_send_data' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  rc = tpm_tis_send_data(chip, cmd_getticks, len);
drivers/char/tpm/tpm_tis_core.c:255:12: note: expected 'u8 * {aka unsigned char *}' but argument is of type 'const u8 * {aka const unsigned char *}'
 static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len)

This changes the related functions to all take 'const' pointers
so that gcc can see this as being correct. I had to slightly
modify the logic around tpm_tis_spi_transfer() for this to work
without introducing ugly casts.

Cc: stable@vger.kernel.org
Fixes: 5e35bd8e06b9 ("tpm_tis: make array cmd_getticks static const to shink object code size")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Don't populate array cmd_getticks on the stack, instead make it static
const.  Makes the object code smaller by over 160 bytes:

Before:
   text	   data	    bss	    dec	    hex	filename
  18813	   3152	    128	  22093	   564d	drivers/char/tpm/tpm_tis_core.o

After:
   text	   data	    bss	    dec	    hex	filename
  18554	   3248	    128	  21930	   55aa	drivers/char/tpm/tpm_tis_core.o

Cc: stable@vger.kernel.org
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Migrated pubek_show to struct tpm_buf and cleaned up its implementation.
Previously the output parameter structure was declared but left
completely unused. Now it is used to refer different fields of the
output. We can move it to tpm-sysfs.c as it does not have any use
outside of that file.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Linux 4.14-rc2

Sync to v4.14-rc2 for security subsystem developers to track.

Pull DeviceTree fixes from Rob Herring:

 - fix build for !OF providing empty of_find_device_by_node

 - fix Abracon vendor prefix

 - sync dtx_diff include paths (again)

 - a stm32h7 clock binding doc fix

* tag 'devicetree-fixes-for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: clk: stm32h7: fix clock-cell size
  scripts/dtc: dtx_diff - 2nd update of include dts paths to match build
  dt-bindings: fix vendor prefix for Abracon
  of: provide inline helper for of_find_device_by_node

Pull x86 fixes from Ingo Molnar:
 "Another round of CR3/PCID related fixes (I think this addresses all
  but one of the known problems with PCID support), an objtool fix plus
  a Clang fix that (finally) solves all Clang quirks to build a bootable
  x86 kernel as-is"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/asm: Fix inline asm call constraints for Clang
  objtool: Handle another GCC stack pointer adjustment bug
  x86/mm/32: Load a sane CR3 before cpu_init() on secondary CPUs
  x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
  x86/mm/64: Stop using CR3.PCID == 0 in ASID-aware code
  x86/mm: Factor out CR3-building code

Pull timer fix from Ingo Molnar:
 "A clocksource driver section mismatch fix"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clocksource/integrator: Fix section mismatch warning

Pull irq fixes from Ingo Molnar:
 "Three irqchip driver fixes, and an affinity mask helper function bug
  fix affecting x86"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  Revert "genirq: Restrict effective affinity to interrupts actually using it"
  irqchip.mips-gic: Fix shared interrupt mask writes
  irqchip/gic-v4: Fix building with ancient gcc
  irqchip/gic-v3: Iterate over possible CPUs by for_each_possible_cpu()

Pull address-limit checking fixes from Ingo Molnar:
 "This fixes a number of bugs in the address-limit (USER_DS) checks that
  got introduced in the merge window, (mostly) affecting the ARM and
  ARM64 platforms"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  arm64/syscalls: Move address limit check in loop
  arm/syscalls: Optimize address limit check
  Revert "arm/syscalls: Check address limit on user-mode return"
  syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check

Pull misc security layer update from James Morris:
 "This is the remaining 'general' change in the security tree for v4.14,
  following the direct merging of SELinux (+ TOMOYO), AppArmor, and
  seccomp.

  That's everything now for the security tree except IMA, which will
  follow shortly (I've been traveling for the past week with patchy
  internet)"

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: fix description of values returned by cap_inode_need_killpriv

Pull TPM updates from James Morris:
 "Here are the TPM updates from Jarkko for v4.14, which I've placed in
  their own branch (next-tpm). I ended up cherry-picking them as other
  changes had been made in Jarkko's branch after he sent me his original
  pull request.

  I plan on maintaining a separate branch for TPM (and other security
  subsystems) from now on.

  From Jarkko: 'Not much this time except a few fixes'"

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  tpm: ibmvtpm: simplify crq initialization and document crq format
  tpm: replace msleep() with  usleep_range() in TPM 1.2/2.0 generic drivers
  Documentation: tpm: add powered-while-suspended binding documentation
  tpm: tpm_crb: constify acpi_device_id.
  tpm: vtpm: constify vio_device_id