The builtin "ima_appraise_tcb" policy should require file signatures for
at least a few of the hooks (eg. kernel modules, firmware, and the kexec
kernel image), but changing it would break the existing userspace/kernel
ABI.

This patch defines a new builtin policy named "secure_boot", which
can be specified on the "ima_policy=" boot command line, independently
or in conjunction with the "ima_appraise_tcb" policy, by specifing
ima_policy="appraise_tcb | secure_boot".  The new appraisal rules
requiring file signatures will be added prior to the "ima_appraise_tcb"
rules.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Changelog:
- Reference secure boot in the new builtin policy name. (Thiago Bauermann)

Add support for providing multiple builtin policies on the "ima_policy="
boot command line.  Use "|" as the delimitor separating the policy names.
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Remove unnecessary NULL check.
Pointer _chip_ cannot be NULL in this instance.
Signed-off-by: NGustavo A. R. Silva <garsilva@embeddedor.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation)
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Switch to use managed variant of acpi_dev_add_driver_gpios() to simplify
error path and fix potentially wrong assignment if ->probe() fails.
Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation)
Signed-off-by: NJarkko Sakkinen <jarkko.sakkine@linux.intel.com>

To prevent userspace from sending the TPM driver command to set
the locality, we need to check every command that is sent from
user space. To distinguish user space commands from internally
sent commands we introduce an additional state flag
STATE_DRIVER_COMMAND that is set while the driver sends this
command. Similar to the TPM 2 space commands we return an error
code when this command is detected.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Implement the request_locality function. To set the locality on the
backend we define vendor-specific TPM 1.2 and TPM 2 ordinals and send
a command to the backend to set the locality for the next commands.

To avoid recursing into requesting the locality, we set the
TPM_TRANSMIT_RAW flag when calling tpm_transmit_cmd. To avoid recursing
into TPM 2 space related commands, we set the space parameter to NULL.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Introduce the flag TPM_TRANSMIT_RAW that allows us to transmit
a command without recursing into the requesting of locality.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Suppress the error logging when the core TPM driver sends commands
to the VTPM proxy driver and -EPIPE is returned in case the VTPM
proxy driver is 'closed' (closed anonymous file descriptor).  This
error code is only returned by the send function and by tpm_transmit
when the VTPM proxy driver is being used.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

sparse complains that tpmrm_write can be made static, and since it is
right we make it static.
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Removed struct tpm_pcrextend_in as it is not used for anything anymore.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>

The memory copy from rodata to stack is useless.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>

You should not do arithmetic with __be32 or __le32 types because
sometimes it results incorrect results. Calculations must be done only
with integers that are in in the CPU byte order. This commit migrates
tpm_getcap() to struct tpm_buf in order to sort out these issues.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>

When the I2C Infineon part is attached to an I2C adapter that imposes
a size limitation, large requests will fail with -EOPNOTSUPP. Retry
them with a sane minimum size without re-issuing the 0x05 command
as this appears to occasionally put the TPM in a bad state.
Signed-off-by: NBryan Freed <bfreed@chromium.org>
[rework the patch to adapt to the feedback received]
Signed-off-by: NEnric Balletbo i Serra <enric.balletbo@collabora.com>
Acked-by: NAndrew Lunn <andrew@lunn.ch>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Now that the platform device was merged for OF support we can use the
platform device to match ACPI devices as well and run everything
through tpm_tis_init.

pnp_acpi_device is replaced with ACPI_COMPANION, and ACPI_HANDLE is
pushed further down.

platform_get_resource is used instead of acpi_dev_get_resources.

The itpm global module parameter is no longer changed during itpm
detection, instead the phy specific bit is set directly.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Replace the open coded IORESOURCE_IRQ with platform_get_irq, which
supports more cases.

Fixes: 00194826 ("tpm_tis: Clean up the force=1 module parameter")
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

The test was backwards, triggering IRQ autoprobing if the firmware
did not specify an IRQ, instead of triggering it only when the
module force parameter was specified.

Since autoprobing is not enabled on !x86 and the platform device is
currently only used on !x86, or with force, this has gone unnoticed.

Fixes: 00194826 ("tpm_tis: Clean up the force=1 module parameter")
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

In preparation of the modifications to tpm_pcr_extend(), which will
allow callers to supply a digest for each PCR bank of a TPM 2.0,
the TPM 1.2 specific code has been moved to tpm1_pcr_extend().

tpm1_pcr_extend() uses tpm_buf_init() to prepare the command buffer,
which offers protection against buffer overflow. It is called by
tpm_pcr_extend() and tpm_pm_suspend().
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Move CPU native value to big-endian conversion of ordinals to the
tpm_input_header declarations.

With the previous and this patch it will now be possible to modify TPM 1.2
functions to use tpm_buf_init(), which expects CPU native value for the
tag and ordinal arguments.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

In the long term, TPM 1.2 functions in the driver interface will be
modified to use tpm_buf_init().

However, tag and ordinals cannot be passed directly to tpm_buf_init(),
because this function performs CPU native to big-endian conversion of these
arguments. Since TPM_TAG_RQU_COMMAND and TPM_ORD_ are already converted,
passing them to the function will undo the previous conversion.

This patch moves the conversion of TPM_TAG_RQU_COMMAND from the tpm.h
header file in the driver directory to the tpm_input_header declarations
in the driver interface and tpm-sysfs.c.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Allow userspace to detect that basic profile policy namespaces are
available.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Update the user interface to support the stacked change_profile transition.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Now that the domain label transition is complete advertise it to
userspace.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

This is a temporary step, towards using the file->ctx for delegation,
and also helps speed up file queries, until the permission lookup
cache is introduced.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>