The entries in tpm_protected_ordinal_duration are exactly the same as
the first 12 in tpm_ordinal_duration, so we can simply remove this one,
and save some bytes.

This does not change the behavior of the driver.
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

tpm_write calls tpm_transmit without checking the return value and
assigns the return value unconditionally to chip->pending_data, even if
it's an error value.
This causes three bugs.

So if we write to /dev/tpm0 with a tpm_param_size bigger than
TPM_BUFSIZE=0x1000 (e.g. 0x100a)
and a bufsize also bigger than TPM_BUFSIZE (e.g. 0x100a)
tpm_transmit returns -E2BIG which is assigned to chip->pending_data as
-7, but tpm_write returns that TPM_BUFSIZE bytes have been successfully
been written to the TPM, altough this is not true (bug #1).

As we did write more than than TPM_BUFSIZE bytes but tpm_write reports
that only TPM_BUFSIZE bytes have been written the vfs tries to write
the remaining bytes (in this case 10 bytes) to the tpm device driver via
tpm_write which then blocks at

 /* cannot perform a write until the read has cleared
 either via tpm_read or a user_read_timer timeout */
 while (atomic_read(&chip->data_pending) != 0)
	 msleep(TPM_TIMEOUT);

for 60 seconds, since data_pending is -7 and nobody is able to
read it (since tpm_read luckily checks if data_pending is greater than
0) (#bug 2).

After that the remaining bytes are written to the TPM which are
interpreted by the tpm as a normal command. (bug #3)
So if the last bytes of the command stream happen to be a e.g.
tpm_force_clear this gets accidentally sent to the TPM.

This patch fixes all three bugs, by propagating the error code of
tpm_write and returning -E2BIG if the input buffer is too big,
since the response from the tpm for a truncated value is bogus anyway.
Moreover it returns -EBUSY to userspace if there is a response ready to be
read.
Signed-off-by: NPeter Huewe <peter.huewe@infineon.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

This patch try to fix the S3 regression https://lkml.org/lkml/2012/10/5/433,
which includes below line:
[ 1554.684638] sysfs: cannot create duplicate filename '/devices/pnp0/00:0c/ppi'

The root cause is that ppi sysfs teardown code is MIA, so while S3 resume,
the ppi kobject will be created again upon existing one.

To make the tear down code simple, change the ppi subfolder creation from
using kobject_create_and_add to just using a named ppi attribute_group. Then
ppi sysfs teardown could be done with a simple sysfs_remove_group call.

Adjusted the name & return type for ppi sysfs init function.
Reported-by: NBen Guthro <ben@guthro.net>
Signed-off-by: NGang Wei <gang.wei@intel.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

This patch declares the internal struct and functions as static to provide
more security.
Signed-off-by: NXiaoyan Zhang <xiaoyan.zhang@intel.com>
Signed-off-by: NFengguang Wu <fengguang.wu@intel.com>
Reviewed-by: NKent Yoder <key@linux.vnet.ibm.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

The Physical Presence Interface enables the OS and the BIOS to cooperate and
provides a simple and straightforward platform user experience for
administering the TPM without sacrificing security.

V2: separate the patch out in a separate source file,
    add #ifdef CONFIG_ACPI so it compiles out on ppc,
    use standard error instead of ACPI error as return code of show/store fns.
V3: move #ifdef CONFIG_ACPI from .c file to .h file.
V4: move tpm_ppi code from tpm module to tpm_bios module.
V5: modify sys_add_ppi() so that ppi_attr_grp doesn't need to be exported
Signed-off-by: NXiaoyan Zhang <xiaoyan.zhang@intel.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

Moved the atomic_set of the data_pending variable until after the
tpm_read has completed processing. The existing code had a window of
time where a second write to the driver could clobber the tpm command
buffer.

Also fixed an issue where if close was called on the tpm device before a
read completed, the tpm command buffer would be returned to the OS,
which could contain sensitive information.
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

Move the tpm_get_random api from the trusted keys code into the TPM
device driver itself so that other callers can make use of it. Also,
change the api slightly so that the number of bytes read is returned in
the call, since the TPM command can potentially return fewer bytes than
requested.
Acked-by: NDavid Safford <safford@linux.vnet.ibm.com>
Reviewed-by: NH. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

Break ACPI-specific pieces of the event log handling into their own file
and create tpm_eventlog.[ch] to store common event log handling code.
This will be required to integrate future event log sources on platforms
without ACPI tables.
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

flush[_delayed]_work_sync() are now spurious.  Mark them deprecated
and convert all users to flush[_delayed]_work().

If you're cc'd and wondering what's going on: Now all workqueues are
non-reentrant and the regular flushes guarantee that the work item is
not pending or running on any CPU on return, so there's no reason to
use the sync flushes at all and they're going away.

This patch doesn't make any functional difference.
Signed-off-by: NTejun Heo <tj@kernel.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Mattia Dongili <malattia@linux.it>
Cc: Kent Yoder <key@linux.vnet.ibm.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: Bryan Wu <bryan.wu@canonical.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-wireless@vger.kernel.org
Cc: Anton Vorontsov <cbou@mail.ru>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: Petr Vandrovec <petr@vandrovec.name>
Cc: Mark Fasheh <mfasheh@suse.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Avi Kivity <avi@redhat.com> 

The tpm_pm_suspend()'s second argument of type pm_message_t is not
used, so remove it.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

If a driver calls tpm_dev_vendor_release for a device already released
then the driver will oops.
Signed-off-by: NAndi Shyti <andi.shyti@gmail.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adding proper kfree() before returning.
Signed-off-by: NWanlong Gao <gaowanlong@cn.fujitsu.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

tpm_do_selftest() attempts to read a PCR in order to
decide if one can rely on the TPM being used or not.
The function that's used by __tpm_pcr_read() does not
expect the TPM to be disabled or deactivated, and if so,
reports an error.

It's fine if the TPM returns this error when trying to
use it for the first time after a power cycle, but it's
definitely not if it already returned success for a
previous attempt to read one of its PCRs.

The tpm_do_selftest() was modified so that the driver only
reports this return code as an error when it really is.
Reported-and-tested-by: NPaul Bolle <pebolle@tiscali.nl>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Commit 3321c07a correctly clears the TPM
buffer if the user specified read length is >= the TPM buffer length. However,
if the user specified read length is < the TPM buffer length, then part of the
TPM buffer is left uncleared.
Reported-by: NSeth Forshee <seth.forshee@canonical.com>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Marcel Selhorst <m.selhorst@sirrix.com>
Cc: tpmdd-devel@lists.sourceforge.net
Cc: stable@vger.kernel.org
Signed-off-by: NTim Gardner <tim.gardner@canonical.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch fixes an (ACPI S3) suspend regression introduced in commit
68d6e671 ("tpm: Introduce function to poll for result of self test")
and occurring with an Infineon TPM and tpm_tis and tpm_infineon drivers
active.

The suspend problem occurred if the TPM was disabled and/or deactivated
and therefore the TPM_PCRRead checking the result of the (asynchronous)
self test returned an error code which then caused the tpm_tis driver to
become inactive and this then seemed to have negatively influenced the
suspend support by the tpm_infineon driver...  Besides that the tpm_tis
drive may stay active even if the TPM is disabled and/or deactivated.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NRafael J. Wysocki <rjw@sisk.pl>
Acked-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

It's incorrect to assume that buffers returned by the TPM
10 bytes long are always error reports. This patches
parses the error field in its header instead. The error report
is now being printed using dev_err() instead of dev_dbg(), making
it easier for users to provide more detailed bug reports.
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Moved wait_for_stat to tpm.c so that other drivers can use it.
Also renamed it to avoid future namespace conflicts.
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch introduces a function that runs the TPM_ContinueSelfTest()
function and then polls the TPM to check whether it finished the selftest
and can receive new commands.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Cleanup the tpm_continue_selftest function.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Have the tpm_get_timeouts function return an error code.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: NJames Morris <jmorris@namei.org>

This patch changes the call of tpm_transmit by supplying the size of the
userspace buffer instead of TPM_BUFSIZE.

This got assigned CVE-2011-1161.

[The first hunk didn't make sense given one could expect
 way less data than TPM_BUFSIZE, so added tpm_transmit boundary
 check over bufsiz instead
 The last parameter of tpm_transmit() reflects the amount
 of data expected from the device, and not the buffer size
 being supplied to it. It isn't ideal to parse it directly,
 so we just set it to the maximum the input buffer can handle
 and let the userspace API to do such job.]
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: NJames Morris <jmorris@namei.org>

Suppress the output in the 'durations' sysfs entry if they were not read
during driver initialization. This is similar to other sysfs entries
that return nothing if for some reason sending the commands to the TPM
fails.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

This patch fixes a typo.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch fixes the TPM's pubek sysfs entry that is accessible as long
as the TPM doesn't have an owner. It was necessary to shift the access to the
data by -10 -- the first byte immediately follows the 10 byte header. The
line

 	data = tpm_cmd.params.readpubek_out_buffer;

sets it at the offset '10' in the packet, so we can read the data array
starting at offset '0'.

Before:

Algorithm: 00 0C 00 00
Encscheme: 08 00
Sigscheme: 00 00
Parameters: 00 00 00 00 01 00 AC E2 5E 3C A0 78
Modulus length: -563306801
Modulus:
28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C
43 78 B1 24 EA 52 E2 FE 52 5C 3A 12 3B DC 61 71
[...]

After:

Algorithm: 00 00 00 01
Encscheme: 00 03
Sigscheme: 00 01
Parameters: 00 00 08 00 00 00 00 02 00 00 00 00
Modulus length: 256
Modulus:
AC E2 5E 3C A0 78 DE 6C 9E CF 28 21 08 0F 82 CD
F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52
[...]
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Display the TPM's interface timeouts in a 'timeouts' sysfs entry. Display
the entries as having been adjusted when they were scaled due to their values
being reported in milliseconds rather than microseconds.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adjust the interface timeouts if they are found to be too small, i.e., if
they are returned in milliseconds rather than microseconds as we heared
from Infineon that some (old) Infineon TPMs do.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

The TPM driver currently discards the interface timeout values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 4 interface timeout indicators of type u32.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Display the TPM's command timeouts in a 'durations' sysfs entry. Display
the entries as having been adjusted when they were scaled due to their values
being reported in milliseconds rather than microseconds.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adjust the durations if they are found to be too small, i.e., if they are
returned in milliseconds rather than microseconds as some Infineon TPMs are
reported to do.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

The TPM driver currently discards the durations values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 3 timeout indicators of type u32.

v4:
- sysfs entry 'durations' is now a patch of its own
- the work-around for TPMs reporting durations in milliseconds is now in a
  patch of its own

v3:
- sysfs entry now called 'durations' to resemble TPM-speak (previously
  was called 'timeouts')

v2:
- adjusting all timeouts for TPM devices reporting timeouts in msec rather
  than usec
- also displaying in sysfs whether the timeouts are 'original' or 'adjusted'
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.
Reported-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NMarcel Selhorst <m.selhorst@sirrix.com>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This reverts commit c4ff4b82.

Ted Ts'o reports:

 "TPM is working for me so I can log into employer's network in 2.6.37.
  It broke when I tried 2.6.38-rc6, with the following relevant lines
  from my dmesg:

  [   11.081627] tpm_tis 00:0b: 1.2 TPM (device-id 0x0, rev-id 78)
  [   25.734114] tpm_tis 00:0b: Operation Timed out
  [   78.040949] tpm_tis 00:0b: Operation Timed out

  This caused me to get suspicious, especially since the _other_ TPM
  commit in 2.6.38 had already been reverted, so I tried reverting
  commit c4ff4b82: "TPM: Long default timeout fix".  With this commit
  reverted, my TPM on my Lenovo T410 is once again working."
Requested-and-tested-by: NTheodore Ts'o <tytso@mit.edu>
Acked-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This reverts commit 9b29050f.

It has caused hibernate regressions, for example Juri Sladby's report:

  "I'm unable to hibernate 2.6.37.1 unless I rmmod tpm_tis:
   [10974.074587] Suspending console(s) (use no_console_suspend to debug)
   [10974.103073] tpm_tis 00:0c: Operation Timed out
   [10974.103089] legacy_suspend(): pnp_bus_suspend+0x0/0xa0 returns -62
   [10974.103095] PM: Device 00:0c failed to freeze: error -62"

and Rafael points out that some of the new conditionals in that commit
seem to make no sense.  This commit needs more work and testing, let's
revert it for now.
Reported-by: NNorbert Preining <preining@logic.at>
Reported-and-requested-by: NJiri Slaby <jirislaby@gmail.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Guillaume Chazarain <guichaz@gmail.com>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Acked-by: NRafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The current TPM TIS driver in git discards the timeout values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 3 timeout indicators of type u32.

I am also adding a sysfs entry 'timeouts' showing the timeouts that are
being used.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

If duration variable value is 0 at this point, it's because
chip->vendor.duration wasn't filled by tpm_get_timeouts() yet.
This patch sets then the lowest timeout just to give enough
time for tpm_get_timeouts() to further succeed.

This fix avoids long boot times in case another entity attempts
to send commands to the TPM when the TPM isn't accessible.
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

flush_scheduled_work() is deprecated and scheduled to be removed.
Directly flush chip->work instead.
Signed-off-by: NTejun Heo <tj@kernel.org>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>

Add internal kernel tpm_send() command used to seal/unseal keys.

Changelog:
- replaced module_put in tpm_send() with new tpm_chip_put() wrapper
  (suggested by David Howells)
- Make tpm_send() cmd argument a 'void *' (suggested by David Howells)
Signed-off-by: NDavid Safford <safford@watson.ibm.com>
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NSerge E. Hallyn <serge.hallyn@canonical.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

For readability, define a tpm_chip_put() wrapper to call module_put().
Replace existing module_put() calls with the wrapper.

(Change based on trusted/encrypted patchset review by David Howells.)
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Signed-off-by: NDavid Safford <safford@watson.ibm.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NSerge E. Hallyn <serge.hallyn@canonical.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

Fix the following warning:

drivers/char/tpm/tpm.c:1085: warning: `tpm_suspend_setup' defined but not used

and make the workaround operable in case when TPM is compiled as a module.
As a side-effect the option will be called tpm.suspend_pcr.
Signed-off-by: NDmitry Torokhov <dtor@mail.ru>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: David Safford <safford@watson.ibm.com>
Cc: James Morris <jmorris@namei.org>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NJames Morris <jmorris@namei.org>