
Commit 683b96f4 authored by Linus Torvalds
Pull security subsystem updates from James Morris:
 "Generally pretty quiet for this release. Highlights:

  Yama:
   - allow ptrace access for original parent after re-parenting

  TPM:
   - add documentation
   - many bugfixes & cleanups
   - define a generic open() method for ascii & bios measurements

  Integrity:
   - Harden against malformed xattrs

  SELinux:
   - bugfixes & cleanups

  Smack:
   - Remove unnecessary smack_known_invalid label
   - Do not apply star label in smack_setprocattr hook
   - parse mnt opts after privileges check (fixes unpriv DoS vuln)"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (56 commits)
  Yama: allow access for the current ptrace parent
  tpm: adjust return value of tpm_read_log
  tpm: vtpm_proxy: conditionally call tpm_chip_unregister
  tpm: Fix handling of missing event log
  tpm: Check the bios_dir entry for NULL before accessing it
  tpm: return -ENODEV if np is not set
  tpm: cleanup of printk error messages
  tpm: replace of_find_node_by_name() with dev of_node property
  tpm: redefine read_log() to handle ACPI/OF at runtime
  tpm: fix the missing .owner in tpm_bios_measurements_ops
  tpm: have event log use the tpm_chip
  tpm: drop tpm1_chip_register(/unregister)
  tpm: replace dynamically allocated bios_dir with a static array
  tpm: replace symbolic permission with octal for securityfs files
  char: tpm: fix kerneldoc tpm2_unseal_trusted name typo
  tpm_tis: Allow tpm_tis to be bound using DT
  tpm, tpm_vtpm_proxy: add kdoc comments for VTPM_PROXY_IOC_NEW_DEV
  tpm: Only call pm_runtime_get_sync if device has a parent
  tpm: define a generic open() method for ascii & bios measurements
  Documentation: tpm: add the Physical TPM device tree binding documentation
  ...
parents 0f1d6dfe 50523a29
+41 −0
* Device Tree Bindings for IBM Virtual Trusted Platform Module(vtpm)

Required properties:

- compatible            : property name that conveys the platform architecture
                          identifiers, as 'IBM,vtpm'
- device_type           : specifies type of virtual device
- interrupts            : property specifying the interrupt source number and
                          sense code associated with this virtual I/O Adapters
- ibm,my-drc-index      : integer index for the connector between the device
                          and its parent - present only if Dynamic
                          Reconfiguration(DR) Connector is enabled
- ibm,#dma-address-cells: specifies the number of cells that are used to
                          encode the physical address field of dma-window
                          properties
- ibm,#dma-size-cells   : specifies the number of cells that are used to
                          encode the size field of dma-window properties
- ibm,my-dma-window     : specifies DMA window associated with this virtual
                          IOA
- ibm,loc-code          : specifies the unique and persistent location code
                          associated with this virtual I/O Adapters
- linux,sml-base        : 64-bit base address of the reserved memory allocated
                          for the firmware event log
- linux,sml-size        : size of the memory allocated for the firmware event log

Example (IBM Virtual Trusted Platform Module)
---------------------------------------------

                vtpm@30000003 {
                        ibm,#dma-size-cells = <0x2>;
                        compatible = "IBM,vtpm";
                        device_type = "IBM,vtpm";
                        ibm,my-drc-index = <0x30000003>;
                        ibm,#dma-address-cells = <0x2>;
                        linux,sml-base = <0xc60e 0x0>;
                        interrupts = <0xa0003 0x0>;
                        ibm,my-dma-window = <0x10000003 0x0 0x0 0x0 0x10000000>;
                        ibm,loc-code = "U8286.41A.10082DV-V3-C3";
                        reg = <0x30000003>;
                        linux,sml-size = <0xbce10200>;
                };
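Review bot: `ibm,my-drc-index` sits under "Required properties" but its own description says it is "present only if Dynamic Reconfiguration(DR) Connector is enabled", so it is optional; move it to a separate "Optional properties" section, and document `reg`, which the example node sets (`reg = <0x30000003>;`) but the property list omits. The wording "associated with this virtual I/O Adapters" in the `interrupts` and `ibm,loc-code` entries should read "associated with this virtual I/O adapter". Since `linux,sml-base`/`linux,sml-size` describe firmware-provided memory that the kernel's event-log reader consumes (this merge also carries "tpm: Fix handling of missing event log"), the binding should state what the driver does when these properties are absent.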
+21 −0
* Device Tree Bindings for I2C based Trusted Platform Module(TPM)

Required properties:

- compatible     : 'manufacturer,model', eg. nuvoton,npct650
- label          : human readable string describing the device, eg. "tpm"
- linux,sml-base : 64-bit base address of the reserved memory allocated for
                   the firmware event log
- linux,sml-size : size of the memory allocated for the firmware event log

Example (for OpenPower Systems with Nuvoton TPM 2.0 on I2C)
----------------------------------------------------------

tpm@57 {
	reg = <0x57>;
	label = "tpm";
	compatible = "nuvoton,npct650", "nuvoton,npct601";
	linux,sml-base = <0x7f 0xfd450000>;
	linux,sml-size = <0x10000>;
	status = "okay";
};
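Review bot: `reg` (the I2C slave address, `0x57` in the example) and `status` appear in the example but not in the "Required properties" list; `reg` at least must be documented, since an I2C device node cannot be probed without it. The example also lists two compatible strings (`"nuvoton,npct650", "nuvoton,npct601"`) while the text only describes a single `'manufacturer,model'` value; say that a fallback compatible is allowed and what it means here.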
+25 −0
Trusted Computing Group MMIO Trusted Platform Module

The TCG defines multi vendor standard for accessing a TPM chip, this
is the standard protocol defined to access the TPM via MMIO. Typically
this interface will be implemented over Intel's LPC bus.

Refer to the 'TCG PC Client Specific TPM Interface Specification (TIS)' TCG
publication for the specification.

Required properties:

- compatible: should contain a string below for the chip, followed by
              "tcg,tpm-tis-mmio". Valid chip strings are:
	          * "atmel,at97sc3204"
- reg: The location of the MMIO registers, should be at least 0x5000 bytes
- interrupt-parent/interrupts: An optional interrupt indicating command completion.

Example:

	tpm_tis@90000 {
				compatible = "atmel,at97sc3204", "tcg,tpm-tis-mmio";
				reg = <0x90000 0x5000>;
				interrupt-parent = <&EIC0>;
				interrupts = <1 2>;
	};
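Review bot: `interrupt-parent/interrupts` is described as "An optional interrupt" yet is listed under "Required properties"; split it out into an "Optional properties" section as the other TPM bindings in this series will need too. The description paragraph also needs a grammar pass: "The TCG defines a multi-vendor standard for accessing a TPM chip; this is the standard protocol defined to access the TPM via MMIO." Finally, the example mixes a tab-indented node with deeply space-indented properties, unlike the other bindings added in this merge; align it with them.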
+0 −2
@@ -32,8 +32,6 @@ Usage:
                     (40 ascii zeros)
       blobauth=     ascii hex auth for sealed data default 0x00...
                     (40 ascii zeros)
       blobauth=     ascii hex auth for sealed data default 0x00...
                     (40 ascii zeros)
       pcrinfo=	     ascii hex of PCR_INFO or PCR_INFO_LONG (no default)
       pcrlock=	     pcr number to be extended to "lock" blob
       migratable=   0|1 indicating permission to reseal to new PCR values,
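Review bot: dropping the doubled `blobauth=` entry is the right fix and leaves the option list consistent. While in this file, note that the `pcrinfo=` and `pcrlock=` context lines use a tab after the option name whereas the surrounding entries use spaces; a follow-up could align them.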
+1 −1
@@ -32,7 +32,7 @@ config TCG_TIS_CORE

config TCG_TIS
	tristate "TPM Interface Specification 1.2 Interface / TPM 2.0 FIFO Interface"
	depends on X86
	depends on X86 || OF
	select TCG_TIS_CORE
	---help---
	  If you have a TPM security chip that is compliant with the
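Review bot: `depends on X86 || OF` makes TCG_TIS selectable on every DT-enabled architecture but still hides it from non-x86, non-OF builds; consider `depends on X86 || OF || COMPILE_TEST` so the driver gets build coverage there as well. Also check that the rest of the `---help---` text (only its first line is visible in this hunk) does not still assume an x86-only platform now that DT-based binding is supported.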