Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
On Wed, Sep 18, 2019 at 12:16:26PM -0700, Jerry Snitselaar wrote:
> + if (tbl_size < 0) {
> + pr_err("Failed to parse event in TPM Final Event log\n");
FW_BUG?
> + goto calc_out;
> + }
> +
> memblock_reserve((unsigned long)final_tbl,
>tbl_size + sizeof(*final_tbl));
> - early_memunmap(final_tbl, sizeof(*final_tbl));
> efi_tpm_final_log_size = tbl_size;
>
> +calc_out:
> + early_memunmap(final_tbl, sizeof(*final_tbl));
out_calc
> out:
> early_memunmap(log_tbl, sizeof(*log_tbl));
> return ret;
> --
> 2.23.0
>
/Jarkko
Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
Any thoughts on this? I know of at least 2 Lenovo models that are running into this problem. In the case of the one I have currently have access to the problem is that the hash algorithm id for an event isn't one that is currently in the TCG registry, and it fails to find a match when walking the digest_sizes array. That seems like an issue for the vendor to fix in the bios, but we should look at the return value of tpm2_calc_event_log_size and not stick a negative value in efi_tpm_final_log_size.
Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
On 9/18/19 8:23 PM, Jerry Snitselaar wrote:
On Wed Sep 18 19, Jerry Snitselaar wrote:
If __calc_tpm2_event_size fails to parse an event it will return 0,
resulting tpm2_calc_event_log_size returning -1. Currently
there is no check of this return value, and efi_tpm_final_log_size
can end up being set to this negative value resulting
in a panic like the following:
[ 0.774340] BUG: unable to handle page fault for address: bc8fc00866ad
[ 0.774788] #PF: supervisor read access in kernel mode
[ 0.774788] #PF: error_code(0x) - not-present page
[ 0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0
[ 0.774788] Oops: [#1] SMP PTI
[ 0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.3.0-0.rc2.1.elrdy.x86_64 #1
[ 0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30
) 09/14/2018
[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f
80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[ 0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[ 0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[ 0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[ 0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[ 0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[ 0.774788] FS: () GS:9b1fce20()
knlGS:
[ 0.774788] CS: 0010 DS: ES: CR0: 80050033
[ 0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[ 0.774788] DR0: DR1: DR2:
[ 0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[ 0.774788] Call Trace:
[ 0.774788] tpm_read_log_efi+0x156/0x1a0
[ 0.774788] tpm_bios_log_setup+0xc8/0x190
[ 0.774788] tpm_chip_register+0x50/0x1c0
[ 0.774788] tpm_tis_core_init.cold.9+0x28c/0x466
[ 0.774788] tpm_tis_plat_probe+0xcc/0xea
[ 0.774788] platform_drv_probe+0x35/0x80
[ 0.774788] really_probe+0xef/0x390
[ 0.774788] driver_probe_device+0xb4/0x100
[ 0.774788] device_driver_attach+0x4f/0x60
[ 0.774788] __driver_attach+0x86/0x140
[ 0.774788] ? device_driver_attach+0x60/0x60
[ 0.774788] bus_for_each_dev+0x76/0xc0
[ 0.774788] ? klist_add_tail+0x3b/0x70
[ 0.774788] bus_add_driver+0x14a/0x1e0
[ 0.774788] ? tpm_init+0xea/0xea
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] driver_register+0x6b/0xb0
[ 0.774788] ? tpm_init+0xea/0xea
[ 0.774788] init_tis+0x86/0xd8
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] ? driver_register+0x94/0xb0
[ 0.774788] do_one_initcall+0x46/0x1e4
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] kernel_init_freeable+0x199/0x242
[ 0.774788] ? rest_init+0xaa/0xaa
[ 0.774788] kernel_init+0xa/0x106
[ 0.774788] ret_from_fork+0x35/0x40
[ 0.774788] Modules linked in:
[ 0.774788] CR2: bc8fc00866ad
[ 0.774788] ---[ end trace 42930799f8d6eaea ]---
[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f
80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[ 0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[ 0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[ 0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[ 0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[ 0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[ 0.774788] FS: () GS:9b1fce20()
knlGS:
[ 0.774788] CS: 0010 DS: ES: CR0: 80050033
[ 0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[ 0.774788] DR0: DR1: DR2:
[ 0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[ 0.774788] Kernel panic - not syncing: Fatal exception
[ 0.774788] Kernel Offset: 0x1d00 from 0x8100 (relocation
range: 0x8000-0xbfff)
[ 0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]---
Fixes: c46f3405692de ("tpm: Reserve the TPM final events table")
Cc: Matthew Garrett
Cc: Ard Biesheuvel
Cc: Jarkko Sakkinen
Signed-off-by: Jerry Snitselaar
---
drivers/firmware/efi/tpm.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/tpm.c
Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
On Wed Sep 18 19, Jerry Snitselaar wrote:
If __calc_tpm2_event_size fails to parse an event it will return 0,
resulting tpm2_calc_event_log_size returning -1. Currently
there is no check of this return value, and efi_tpm_final_log_size
can end up being set to this negative value resulting
in a panic like the following:
[0.774340] BUG: unable to handle page fault for address: bc8fc00866ad
[0.774788] #PF: supervisor read access in kernel mode
[0.774788] #PF: error_code(0x) - not-present page
[0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0
[0.774788] Oops: [#1] SMP PTI
[0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.3.0-0.rc2.1.elrdy.x86_64 #1
[0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30
) 09/14/2018
[0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f
80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[0.774788] FS: () GS:9b1fce20()
knlGS:
[0.774788] CS: 0010 DS: ES: CR0: 80050033
[0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[0.774788] DR0: DR1: DR2:
[0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[0.774788] Call Trace:
[0.774788] tpm_read_log_efi+0x156/0x1a0
[0.774788] tpm_bios_log_setup+0xc8/0x190
[0.774788] tpm_chip_register+0x50/0x1c0
[0.774788] tpm_tis_core_init.cold.9+0x28c/0x466
[0.774788] tpm_tis_plat_probe+0xcc/0xea
[0.774788] platform_drv_probe+0x35/0x80
[0.774788] really_probe+0xef/0x390
[0.774788] driver_probe_device+0xb4/0x100
[0.774788] device_driver_attach+0x4f/0x60
[0.774788] __driver_attach+0x86/0x140
[0.774788] ? device_driver_attach+0x60/0x60
[0.774788] bus_for_each_dev+0x76/0xc0
[0.774788] ? klist_add_tail+0x3b/0x70
[0.774788] bus_add_driver+0x14a/0x1e0
[0.774788] ? tpm_init+0xea/0xea
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] driver_register+0x6b/0xb0
[0.774788] ? tpm_init+0xea/0xea
[0.774788] init_tis+0x86/0xd8
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] ? driver_register+0x94/0xb0
[0.774788] do_one_initcall+0x46/0x1e4
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] kernel_init_freeable+0x199/0x242
[0.774788] ? rest_init+0xaa/0xaa
[0.774788] kernel_init+0xa/0x106
[0.774788] ret_from_fork+0x35/0x40
[0.774788] Modules linked in:
[0.774788] CR2: bc8fc00866ad
[0.774788] ---[ end trace 42930799f8d6eaea ]---
[0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f
80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[0.774788] FS: () GS:9b1fce20()
knlGS:
[0.774788] CS: 0010 DS: ES: CR0: 80050033
[0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[0.774788] DR0: DR1: DR2:
[0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[0.774788] Kernel panic - not syncing: Fatal exception
[0.774788] Kernel Offset: 0x1d00 from 0x8100 (relocation
range: 0x8000-0xbfff)
[0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]---
Fixes: c46f3405692de ("tpm: Reserve the TPM final events table")
Cc: Matthew Garrett
Cc: Ard Biesheuvel
Cc: Jarkko Sakkinen
Signed-off-by: Jerry Snitselaar
---
drivers/firmware/efi/tpm.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
index 1d3f5ca3eaaf..5cd00a7833c2
[RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
If __calc_tpm2_event_size fails to parse an event it will return 0,
resulting tpm2_calc_event_log_size returning -1. Currently
there is no check of this return value, and efi_tpm_final_log_size
can end up being set to this negative value resulting
in a panic like the following:
[0.774340] BUG: unable to handle page fault for address: bc8fc00866ad
[0.774788] #PF: supervisor read access in kernel mode
[0.774788] #PF: error_code(0x) - not-present page
[0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0
[0.774788] Oops: [#1] SMP PTI
[0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.3.0-0.rc2.1.elrdy.x86_64 #1
[0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30
) 09/14/2018
[0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03
83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3
0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[0.774788] FS: () GS:9b1fce20()
knlGS:
[0.774788] CS: 0010 DS: ES: CR0: 80050033
[0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[0.774788] DR0: DR1: DR2:
[0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[0.774788] Call Trace:
[0.774788] tpm_read_log_efi+0x156/0x1a0
[0.774788] tpm_bios_log_setup+0xc8/0x190
[0.774788] tpm_chip_register+0x50/0x1c0
[0.774788] tpm_tis_core_init.cold.9+0x28c/0x466
[0.774788] tpm_tis_plat_probe+0xcc/0xea
[0.774788] platform_drv_probe+0x35/0x80
[0.774788] really_probe+0xef/0x390
[0.774788] driver_probe_device+0xb4/0x100
[0.774788] device_driver_attach+0x4f/0x60
[0.774788] __driver_attach+0x86/0x140
[0.774788] ? device_driver_attach+0x60/0x60
[0.774788] bus_for_each_dev+0x76/0xc0
[0.774788] ? klist_add_tail+0x3b/0x70
[0.774788] bus_add_driver+0x14a/0x1e0
[0.774788] ? tpm_init+0xea/0xea
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] driver_register+0x6b/0xb0
[0.774788] ? tpm_init+0xea/0xea
[0.774788] init_tis+0x86/0xd8
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] ? driver_register+0x94/0xb0
[0.774788] do_one_initcall+0x46/0x1e4
[0.774788] ? do_early_param+0x8e/0x8e
[0.774788] kernel_init_freeable+0x199/0x242
[0.774788] ? rest_init+0xaa/0xaa
[0.774788] kernel_init+0xa/0x106
[0.774788] ret_from_fork+0x35/0x40
[0.774788] Modules linked in:
[0.774788] CR2: bc8fc00866ad
[0.774788] ---[ end trace 42930799f8d6eaea ]---
[0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03
83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3
0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286
[0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962
[0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367
[0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063
[0.774788] R10: 1000 R11: 000fffe0 R12: 3367
[0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002
[0.774788] FS: () GS:9b1fce20()
knlGS:
[0.774788] CS: 0010 DS: ES: CR0: 80050033
[0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0
[0.774788] DR0: DR1: DR2:
[0.774788] DR3: DR6: fffe0ff0 DR7: 0400
[0.774788] Kernel panic - not syncing: Fatal exception
[0.774788] Kernel Offset: 0x1d00 from 0x8100 (relocation
range: 0x8000-0xbfff)
[0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]---
Fixes: c46f3405692de ("tpm: Reserve the TPM final events table")
Cc: Matthew Garrett
Cc: Ard Biesheuvel
Cc: Jarkko Sakkinen
Signed-off-by: Jerry Snitselaar
---
drivers/firmware/efi/tpm.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
index 1d3f5ca3eaaf..5cd00a7833c2 100644
--- a/drivers/firmware/efi/tpm.c
+++
