1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2015, 2016 IBM Corporation 4 * Copyright (C) 2016 Intel Corporation 5 * 6 * Author: Stefan Berger <stefanb@us.ibm.com> 7 * 8 * Maintained by: <tpmdd-devel@lists.sourceforge.net> 9 * 10 * Device driver for vTPM (vTPM proxy driver) 11 */ 12 13 #include <linux/types.h> 14 #include <linux/spinlock.h> 15 #include <linux/uaccess.h> 16 #include <linux/wait.h> 17 #include <linux/miscdevice.h> 18 #include <linux/vtpm_proxy.h> 19 #include <linux/file.h> 20 #include <linux/anon_inodes.h> 21 #include <linux/poll.h> 22 #include <linux/compat.h> 23 24 #include "tpm.h" 25 26 #define VTPM_PROXY_REQ_COMPLETE_FLAG BIT(0) 27 28 struct proxy_dev { 29 struct tpm_chip *chip; 30 31 u32 flags; /* public API flags */ 32 33 wait_queue_head_t wq; 34 35 struct mutex buf_lock; /* protect buffer and flags */ 36 37 long state; /* internal state */ 38 #define STATE_OPENED_FLAG BIT(0) 39 #define STATE_WAIT_RESPONSE_FLAG BIT(1) /* waiting for emulator response */ 40 #define STATE_REGISTERED_FLAG BIT(2) 41 #define STATE_DRIVER_COMMAND BIT(3) /* sending a driver specific command */ 42 43 size_t req_len; /* length of queued TPM request */ 44 size_t resp_len; /* length of queued TPM response */ 45 u8 buffer[TPM_BUFSIZE]; /* request/response buffer */ 46 47 struct work_struct work; /* task that retrieves TPM timeouts */ 48 }; 49 50 /* all supported flags */ 51 #define VTPM_PROXY_FLAGS_ALL (VTPM_PROXY_FLAG_TPM2) 52 53 static struct workqueue_struct *workqueue; 54 55 static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev); 56 57 /* 58 * Functions related to 'server side' 59 */ 60 61 /** 62 * vtpm_proxy_fops_read - Read TPM commands on 'server side' 63 * 64 * @filp: file pointer 65 * @buf: read buffer 66 * @count: number of bytes to read 67 * @off: offset 68 * 69 * Return: 70 * Number of bytes read or negative error code 71 */ 72 static ssize_t vtpm_proxy_fops_read(struct file *filp, char __user *buf, 73 size_t count, loff_t *off) 74 { 75 struct proxy_dev *proxy_dev = filp->private_data; 76 size_t len; 77 int sig, rc; 78 79 sig = wait_event_interruptible(proxy_dev->wq, 80 proxy_dev->req_len != 0 || 81 !(proxy_dev->state & STATE_OPENED_FLAG)); 82 if (sig) 83 return -EINTR; 84 85 mutex_lock(&proxy_dev->buf_lock); 86 87 if (!(proxy_dev->state & STATE_OPENED_FLAG)) { 88 mutex_unlock(&proxy_dev->buf_lock); 89 return -EPIPE; 90 } 91 92 len = proxy_dev->req_len; 93 94 if (count < len || len > sizeof(proxy_dev->buffer)) { 95 mutex_unlock(&proxy_dev->buf_lock); 96 pr_debug("Invalid size in recv: count=%zd, req_len=%zd\n", 97 count, len); 98 return -EIO; 99 } 100 101 rc = copy_to_user(buf, proxy_dev->buffer, len); 102 memset(proxy_dev->buffer, 0, len); 103 proxy_dev->req_len = 0; 104 105 if (!rc) 106 proxy_dev->state |= STATE_WAIT_RESPONSE_FLAG; 107 108 mutex_unlock(&proxy_dev->buf_lock); 109 110 if (rc) 111 return -EFAULT; 112 113 return len; 114 } 115 116 /** 117 * vtpm_proxy_fops_write - Write TPM responses on 'server side' 118 * 119 * @filp: file pointer 120 * @buf: write buffer 121 * @count: number of bytes to write 122 * @off: offset 123 * 124 * Return: 125 * Number of bytes read or negative error value 126 */ 127 static ssize_t vtpm_proxy_fops_write(struct file *filp, const char __user *buf, 128 size_t count, loff_t *off) 129 { 130 struct proxy_dev *proxy_dev = filp->private_data; 131 132 mutex_lock(&proxy_dev->buf_lock); 133 134 if (!(proxy_dev->state & STATE_OPENED_FLAG)) { 135 mutex_unlock(&proxy_dev->buf_lock); 136 return -EPIPE; 137 } 138 139 if (count > sizeof(proxy_dev->buffer) || 140 !(proxy_dev->state & STATE_WAIT_RESPONSE_FLAG)) { 141 mutex_unlock(&proxy_dev->buf_lock); 142 return -EIO; 143 } 144 145 proxy_dev->state &= ~STATE_WAIT_RESPONSE_FLAG; 146 147 proxy_dev->req_len = 0; 148 149 if (copy_from_user(proxy_dev->buffer, buf, count)) { 150 mutex_unlock(&proxy_dev->buf_lock); 151 return -EFAULT; 152 } 153 154 proxy_dev->resp_len = count; 155 156 mutex_unlock(&proxy_dev->buf_lock); 157 158 wake_up_interruptible(&proxy_dev->wq); 159 160 return count; 161 } 162 163 /* 164 * vtpm_proxy_fops_poll - Poll status on 'server side' 165 * 166 * @filp: file pointer 167 * @wait: poll table 168 * 169 * Return: Poll flags 170 */ 171 static __poll_t vtpm_proxy_fops_poll(struct file *filp, poll_table *wait) 172 { 173 struct proxy_dev *proxy_dev = filp->private_data; 174 __poll_t ret; 175 176 poll_wait(filp, &proxy_dev->wq, wait); 177 178 ret = EPOLLOUT; 179 180 mutex_lock(&proxy_dev->buf_lock); 181 182 if (proxy_dev->req_len) 183 ret |= EPOLLIN | EPOLLRDNORM; 184 185 if (!(proxy_dev->state & STATE_OPENED_FLAG)) 186 ret |= EPOLLHUP; 187 188 mutex_unlock(&proxy_dev->buf_lock); 189 190 return ret; 191 } 192 193 /* 194 * vtpm_proxy_fops_open - Open vTPM device on 'server side' 195 * 196 * @filp: file pointer 197 * 198 * Called when setting up the anonymous file descriptor 199 */ 200 static void vtpm_proxy_fops_open(struct file *filp) 201 { 202 struct proxy_dev *proxy_dev = filp->private_data; 203 204 proxy_dev->state |= STATE_OPENED_FLAG; 205 } 206 207 /** 208 * vtpm_proxy_fops_undo_open - counter-part to vtpm_fops_open 209 * Call to undo vtpm_proxy_fops_open 210 * 211 *@proxy_dev: tpm proxy device 212 */ 213 static void vtpm_proxy_fops_undo_open(struct proxy_dev *proxy_dev) 214 { 215 mutex_lock(&proxy_dev->buf_lock); 216 217 proxy_dev->state &= ~STATE_OPENED_FLAG; 218 219 mutex_unlock(&proxy_dev->buf_lock); 220 221 /* no more TPM responses -- wake up anyone waiting for them */ 222 wake_up_interruptible(&proxy_dev->wq); 223 } 224 225 /* 226 * vtpm_proxy_fops_release - Close 'server side' 227 * 228 * @inode: inode 229 * @filp: file pointer 230 * Return: 231 * Always returns 0. 232 */ 233 static int vtpm_proxy_fops_release(struct inode *inode, struct file *filp) 234 { 235 struct proxy_dev *proxy_dev = filp->private_data; 236 237 filp->private_data = NULL; 238 239 vtpm_proxy_delete_device(proxy_dev); 240 241 return 0; 242 } 243 244 static const struct file_operations vtpm_proxy_fops = { 245 .owner = THIS_MODULE, 246 .read = vtpm_proxy_fops_read, 247 .write = vtpm_proxy_fops_write, 248 .poll = vtpm_proxy_fops_poll, 249 .release = vtpm_proxy_fops_release, 250 }; 251 252 /* 253 * Functions invoked by the core TPM driver to send TPM commands to 254 * 'server side' and receive responses from there. 255 */ 256 257 /* 258 * Called when core TPM driver reads TPM responses from 'server side' 259 * 260 * @chip: tpm chip to use 261 * @buf: receive buffer 262 * @count: bytes to read 263 * Return: 264 * Number of TPM response bytes read, negative error value otherwise 265 */ 266 static int vtpm_proxy_tpm_op_recv(struct tpm_chip *chip, u8 *buf, size_t count) 267 { 268 struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); 269 size_t len; 270 271 /* process gone ? */ 272 mutex_lock(&proxy_dev->buf_lock); 273 274 if (!(proxy_dev->state & STATE_OPENED_FLAG)) { 275 mutex_unlock(&proxy_dev->buf_lock); 276 return -EPIPE; 277 } 278 279 len = proxy_dev->resp_len; 280 if (count < len) { 281 dev_err(&chip->dev, 282 "Invalid size in recv: count=%zd, resp_len=%zd\n", 283 count, len); 284 len = -EIO; 285 goto out; 286 } 287 288 memcpy(buf, proxy_dev->buffer, len); 289 proxy_dev->resp_len = 0; 290 291 out: 292 mutex_unlock(&proxy_dev->buf_lock); 293 294 return len; 295 } 296 297 static int vtpm_proxy_is_driver_command(struct tpm_chip *chip, 298 u8 *buf, size_t count) 299 { 300 struct tpm_header *hdr = (struct tpm_header *)buf; 301 302 if (count < sizeof(struct tpm_header)) 303 return 0; 304 305 if (chip->flags & TPM_CHIP_FLAG_TPM2) { 306 switch (be32_to_cpu(hdr->ordinal)) { 307 case TPM2_CC_SET_LOCALITY: 308 return 1; 309 } 310 } else { 311 switch (be32_to_cpu(hdr->ordinal)) { 312 case TPM_ORD_SET_LOCALITY: 313 return 1; 314 } 315 } 316 return 0; 317 } 318 319 /* 320 * Called when core TPM driver forwards TPM requests to 'server side'. 321 * 322 * @chip: tpm chip to use 323 * @buf: send buffer 324 * @bufsiz: size of the buffer 325 * @count: bytes to send 326 * 327 * Return: 328 * 0 in case of success, negative error value otherwise. 329 */ 330 static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, 331 size_t count) 332 { 333 struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); 334 335 if (count > sizeof(proxy_dev->buffer)) { 336 dev_err(&chip->dev, 337 "Invalid size in send: count=%zd, buffer size=%zd\n", 338 count, sizeof(proxy_dev->buffer)); 339 return -EIO; 340 } 341 342 if (!(proxy_dev->state & STATE_DRIVER_COMMAND) && 343 vtpm_proxy_is_driver_command(chip, buf, count)) 344 return -EFAULT; 345 346 mutex_lock(&proxy_dev->buf_lock); 347 348 if (!(proxy_dev->state & STATE_OPENED_FLAG)) { 349 mutex_unlock(&proxy_dev->buf_lock); 350 return -EPIPE; 351 } 352 353 proxy_dev->resp_len = 0; 354 355 proxy_dev->req_len = count; 356 memcpy(proxy_dev->buffer, buf, count); 357 358 proxy_dev->state &= ~STATE_WAIT_RESPONSE_FLAG; 359 360 mutex_unlock(&proxy_dev->buf_lock); 361 362 wake_up_interruptible(&proxy_dev->wq); 363 364 return 0; 365 } 366 367 static void vtpm_proxy_tpm_op_cancel(struct tpm_chip *chip) 368 { 369 /* not supported */ 370 } 371 372 static u8 vtpm_proxy_tpm_op_status(struct tpm_chip *chip) 373 { 374 struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); 375 376 if (proxy_dev->resp_len) 377 return VTPM_PROXY_REQ_COMPLETE_FLAG; 378 379 return 0; 380 } 381 382 static bool vtpm_proxy_tpm_req_canceled(struct tpm_chip *chip, u8 status) 383 { 384 struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); 385 bool ret; 386 387 mutex_lock(&proxy_dev->buf_lock); 388 389 ret = !(proxy_dev->state & STATE_OPENED_FLAG); 390 391 mutex_unlock(&proxy_dev->buf_lock); 392 393 return ret; 394 } 395 396 static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality) 397 { 398 struct tpm_buf buf; 399 int rc; 400 const struct tpm_header *header; 401 struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); 402 403 if (chip->flags & TPM_CHIP_FLAG_TPM2) 404 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, 405 TPM2_CC_SET_LOCALITY); 406 else 407 rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, 408 TPM_ORD_SET_LOCALITY); 409 if (rc) 410 return rc; 411 tpm_buf_append_u8(&buf, locality); 412 413 proxy_dev->state |= STATE_DRIVER_COMMAND; 414 415 rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to set locality"); 416 417 proxy_dev->state &= ~STATE_DRIVER_COMMAND; 418 419 if (rc < 0) { 420 locality = rc; 421 goto out; 422 } 423 424 header = (const struct tpm_header *)buf.data; 425 rc = be32_to_cpu(header->return_code); 426 if (rc) 427 locality = -1; 428 429 out: 430 tpm_buf_destroy(&buf); 431 432 return locality; 433 } 434 435 static const struct tpm_class_ops vtpm_proxy_tpm_ops = { 436 .flags = TPM_OPS_AUTO_STARTUP, 437 .recv = vtpm_proxy_tpm_op_recv, 438 .send = vtpm_proxy_tpm_op_send, 439 .cancel = vtpm_proxy_tpm_op_cancel, 440 .status = vtpm_proxy_tpm_op_status, 441 .req_complete_mask = VTPM_PROXY_REQ_COMPLETE_FLAG, 442 .req_complete_val = VTPM_PROXY_REQ_COMPLETE_FLAG, 443 .req_canceled = vtpm_proxy_tpm_req_canceled, 444 .request_locality = vtpm_proxy_request_locality, 445 }; 446 447 /* 448 * Code related to the startup of the TPM 2 and startup of TPM 1.2 + 449 * retrieval of timeouts and durations. 450 */ 451 452 static void vtpm_proxy_work(struct work_struct *work) 453 { 454 struct proxy_dev *proxy_dev = container_of(work, struct proxy_dev, 455 work); 456 int rc; 457 458 rc = tpm_chip_register(proxy_dev->chip); 459 if (rc) 460 vtpm_proxy_fops_undo_open(proxy_dev); 461 else 462 proxy_dev->state |= STATE_REGISTERED_FLAG; 463 } 464 465 /* 466 * vtpm_proxy_work_stop: make sure the work has finished 467 * 468 * This function is useful when user space closed the fd 469 * while the driver still determines timeouts. 470 */ 471 static void vtpm_proxy_work_stop(struct proxy_dev *proxy_dev) 472 { 473 vtpm_proxy_fops_undo_open(proxy_dev); 474 flush_work(&proxy_dev->work); 475 } 476 477 /* 478 * vtpm_proxy_work_start: Schedule the work for TPM 1.2 & 2 initialization 479 */ 480 static inline void vtpm_proxy_work_start(struct proxy_dev *proxy_dev) 481 { 482 queue_work(workqueue, &proxy_dev->work); 483 } 484 485 /* 486 * Code related to creation and deletion of device pairs 487 */ 488 static struct proxy_dev *vtpm_proxy_create_proxy_dev(void) 489 { 490 struct proxy_dev *proxy_dev; 491 struct tpm_chip *chip; 492 int err; 493 494 proxy_dev = kzalloc(sizeof(*proxy_dev), GFP_KERNEL); 495 if (proxy_dev == NULL) 496 return ERR_PTR(-ENOMEM); 497 498 init_waitqueue_head(&proxy_dev->wq); 499 mutex_init(&proxy_dev->buf_lock); 500 INIT_WORK(&proxy_dev->work, vtpm_proxy_work); 501 502 chip = tpm_chip_alloc(NULL, &vtpm_proxy_tpm_ops); 503 if (IS_ERR(chip)) { 504 err = PTR_ERR(chip); 505 goto err_proxy_dev_free; 506 } 507 dev_set_drvdata(&chip->dev, proxy_dev); 508 509 proxy_dev->chip = chip; 510 511 return proxy_dev; 512 513 err_proxy_dev_free: 514 kfree(proxy_dev); 515 516 return ERR_PTR(err); 517 } 518 519 /* 520 * Undo what has been done in vtpm_create_proxy_dev 521 */ 522 static inline void vtpm_proxy_delete_proxy_dev(struct proxy_dev *proxy_dev) 523 { 524 put_device(&proxy_dev->chip->dev); /* frees chip */ 525 kfree(proxy_dev); 526 } 527 528 /* 529 * Create a /dev/tpm%d and 'server side' file descriptor pair 530 * 531 * Return: 532 * Returns file pointer on success, an error value otherwise 533 */ 534 static struct file *vtpm_proxy_create_device( 535 struct vtpm_proxy_new_dev *vtpm_new_dev) 536 { 537 struct proxy_dev *proxy_dev; 538 int rc, fd; 539 struct file *file; 540 541 if (vtpm_new_dev->flags & ~VTPM_PROXY_FLAGS_ALL) 542 return ERR_PTR(-EOPNOTSUPP); 543 544 proxy_dev = vtpm_proxy_create_proxy_dev(); 545 if (IS_ERR(proxy_dev)) 546 return ERR_CAST(proxy_dev); 547 548 proxy_dev->flags = vtpm_new_dev->flags; 549 550 /* setup an anonymous file for the server-side */ 551 fd = get_unused_fd_flags(O_RDWR); 552 if (fd < 0) { 553 rc = fd; 554 goto err_delete_proxy_dev; 555 } 556 557 file = anon_inode_getfile("[vtpms]", &vtpm_proxy_fops, proxy_dev, 558 O_RDWR); 559 if (IS_ERR(file)) { 560 rc = PTR_ERR(file); 561 goto err_put_unused_fd; 562 } 563 564 /* from now on we can unwind with put_unused_fd() + fput() */ 565 /* simulate an open() on the server side */ 566 vtpm_proxy_fops_open(file); 567 568 if (proxy_dev->flags & VTPM_PROXY_FLAG_TPM2) 569 proxy_dev->chip->flags |= TPM_CHIP_FLAG_TPM2; 570 571 vtpm_proxy_work_start(proxy_dev); 572 573 vtpm_new_dev->fd = fd; 574 vtpm_new_dev->major = MAJOR(proxy_dev->chip->dev.devt); 575 vtpm_new_dev->minor = MINOR(proxy_dev->chip->dev.devt); 576 vtpm_new_dev->tpm_num = proxy_dev->chip->dev_num; 577 578 return file; 579 580 err_put_unused_fd: 581 put_unused_fd(fd); 582 583 err_delete_proxy_dev: 584 vtpm_proxy_delete_proxy_dev(proxy_dev); 585 586 return ERR_PTR(rc); 587 } 588 589 /* 590 * Counter part to vtpm_create_device. 591 */ 592 static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev) 593 { 594 vtpm_proxy_work_stop(proxy_dev); 595 596 /* 597 * A client may hold the 'ops' lock, so let it know that the server 598 * side shuts down before we try to grab the 'ops' lock when 599 * unregistering the chip. 600 */ 601 vtpm_proxy_fops_undo_open(proxy_dev); 602 603 if (proxy_dev->state & STATE_REGISTERED_FLAG) 604 tpm_chip_unregister(proxy_dev->chip); 605 606 vtpm_proxy_delete_proxy_dev(proxy_dev); 607 } 608 609 /* 610 * Code related to the control device /dev/vtpmx 611 */ 612 613 /** 614 * vtpmx_ioc_new_dev - handler for the %VTPM_PROXY_IOC_NEW_DEV ioctl 615 * @file: /dev/vtpmx 616 * @ioctl: the ioctl number 617 * @arg: pointer to the struct vtpmx_proxy_new_dev 618 * 619 * Creates an anonymous file that is used by the process acting as a TPM to 620 * communicate with the client processes. The function will also add a new TPM 621 * device through which data is proxied to this TPM acting process. The caller 622 * will be provided with a file descriptor to communicate with the clients and 623 * major and minor numbers for the TPM device. 624 */ 625 static long vtpmx_ioc_new_dev(struct file *file, unsigned int ioctl, 626 unsigned long arg) 627 { 628 void __user *argp = (void __user *)arg; 629 struct vtpm_proxy_new_dev __user *vtpm_new_dev_p; 630 struct vtpm_proxy_new_dev vtpm_new_dev; 631 struct file *vtpm_file; 632 633 if (!capable(CAP_SYS_ADMIN)) 634 return -EPERM; 635 636 vtpm_new_dev_p = argp; 637 638 if (copy_from_user(&vtpm_new_dev, vtpm_new_dev_p, 639 sizeof(vtpm_new_dev))) 640 return -EFAULT; 641 642 vtpm_file = vtpm_proxy_create_device(&vtpm_new_dev); 643 if (IS_ERR(vtpm_file)) 644 return PTR_ERR(vtpm_file); 645 646 if (copy_to_user(vtpm_new_dev_p, &vtpm_new_dev, 647 sizeof(vtpm_new_dev))) { 648 put_unused_fd(vtpm_new_dev.fd); 649 fput(vtpm_file); 650 return -EFAULT; 651 } 652 653 fd_install(vtpm_new_dev.fd, vtpm_file); 654 return 0; 655 } 656 657 /* 658 * vtpmx_fops_ioctl: ioctl on /dev/vtpmx 659 * 660 * Return: 661 * Returns 0 on success, a negative error code otherwise. 662 */ 663 static long vtpmx_fops_ioctl(struct file *f, unsigned int ioctl, 664 unsigned long arg) 665 { 666 switch (ioctl) { 667 case VTPM_PROXY_IOC_NEW_DEV: 668 return vtpmx_ioc_new_dev(f, ioctl, arg); 669 default: 670 return -ENOIOCTLCMD; 671 } 672 } 673 674 static const struct file_operations vtpmx_fops = { 675 .owner = THIS_MODULE, 676 .unlocked_ioctl = vtpmx_fops_ioctl, 677 .compat_ioctl = compat_ptr_ioctl, 678 .llseek = noop_llseek, 679 }; 680 681 static struct miscdevice vtpmx_miscdev = { 682 .minor = MISC_DYNAMIC_MINOR, 683 .name = "vtpmx", 684 .fops = &vtpmx_fops, 685 }; 686 687 static int __init vtpm_module_init(void) 688 { 689 int rc; 690 691 workqueue = create_workqueue("tpm-vtpm"); 692 if (!workqueue) { 693 pr_err("couldn't create workqueue\n"); 694 return -ENOMEM; 695 } 696 697 rc = misc_register(&vtpmx_miscdev); 698 if (rc) { 699 pr_err("couldn't create vtpmx device\n"); 700 destroy_workqueue(workqueue); 701 } 702 703 return rc; 704 } 705 706 static void __exit vtpm_module_exit(void) 707 { 708 destroy_workqueue(workqueue); 709 misc_deregister(&vtpmx_miscdev); 710 } 711 712 module_init(vtpm_module_init); 713 module_exit(vtpm_module_exit); 714 715 MODULE_AUTHOR("Stefan Berger <stefanb@us.ibm.com>"); 716 MODULE_DESCRIPTION("vTPM Driver"); 717 MODULE_VERSION("0.1"); 718 MODULE_LICENSE("GPL"); 719