| Message ID | 20230105144742.3219571-1-Jason@zx2c4.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp337358wrt;
Thu, 5 Jan 2023 06:53:10 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXsmMpE/krC/gOHBAZfX8Dr5DVd/WJrtXuQ3upXILWOgMxVtnFBtyCzki4o9OzC+1JM5EEpD
X-Received: by 2002:a17:907:2a06:b0:84d:12db:fd23 with SMTP id
fd6-20020a1709072a0600b0084d12dbfd23mr996561ejc.71.1672930390194;
Thu, 05 Jan 2023 06:53:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672930390; cv=none;
d=google.com; s=arc-20160816;
b=zuF8yOcWkiWlnoA9dldq2shzRle2R03JtwrzaPq3eQZYyfCJvZwaglpRyHnAEBgJ4K
Et0JFS+vQRR0Y2AmCbKu/CEzKzR2n6inSaV+bf/9BjMZZofS1zz4oKQkohxZiTKV0Ojd
Ol1RK9oIrOODPiYCHtAiLmlhT4iWXf0kFp6JAmY1mzFhDPtcSPDd4xfZwGdUXoSVAyRo
a/wO91uBQq1FhX+x28HwReRehRKptSAHrHnfq/lQCvVlax+own0i5x26Y9wgmQdeRFR0
mgmA8i2mNzwUXWRUpkpJlUPwZtcPDf0bLdHTCgv45yjbnmYV37a2wag2ROm2zVPjES32
scIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=j0ck3abVJY2ouhKZmMHaxzbj9CCExwJe2tQnda+R1m0=;
b=IIc+8rkLoNpFDvqmMIaTd9RZE8ypLllYWK05v6W86XnltVWACfKO0PyHGsvk7geCrB
wI+9D0K69wBt+cw1IE2I5f+AWNwq8yPdoa79naHWZPxMgbIFg8gDTDZ9C1Q7pTDvdMa+
m5YTVcr/MJrJd7CGoUSTgvkdMsEpvw/FlZjVAjWGq6qcyUTg4A1QLycA1wN0iZJ0BQx8
BGJbyRRV1WjTVEz7AxKeWZB0PiF3grVepiev8XQ17kLWi9iMTcg+3EjPOCTb/0MAdku/
TSlBDAvYx7cZmUagdATE33XIDCSkjf3k5fsJpKy3wdUs+vb2wrBaUKrUGKOfx7WGt2iQ
nVDg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=qGFtc44q;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
va28-20020a17090711dc00b0084d14d255ebsi405660ejb.291.2023.01.05.06.52.45;
Thu, 05 Jan 2023 06:53:10 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=qGFtc44q;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233737AbjAEOsn (ORCPT <rfc822;tmhikaru@gmail.com> + 99 others);
Thu, 5 Jan 2023 09:48:43 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47502 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234204AbjAEOsJ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 5 Jan 2023 09:48:09 -0500
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D3B037273;
Thu, 5 Jan 2023 06:48:08 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by dfw.source.kernel.org (Postfix) with ESMTPS id 172E361ADB;
Thu, 5 Jan 2023 14:48:08 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D78C3C433D2;
Thu, 5 Jan 2023 14:48:05 +0000 (UTC)
Authentication-Results: smtp.kernel.org;
dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com
header.b="qGFtc44q"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105;
t=1672930083;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=j0ck3abVJY2ouhKZmMHaxzbj9CCExwJe2tQnda+R1m0=;
b=qGFtc44q5akffwi5JVAownpi+dfiyBqRDRp7CQGSrlezApoND+xq4NLG+G6s2V/rWeV/kV
pFTSnVhXlz93c9qkE8tZQ2HQfo4y+ZoxZ50Mr4q9wgUexGWJIWMgHtuaGHYIaJ8tUc35HI
WQMb5q5soEW63quDCcmwK0QcFqMhtwk=
Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 3ea1ba23
(TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO);
Thu, 5 Jan 2023 14:48:02 +0000 (UTC)
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Thorsten Leemhuis <regressions@leemhuis.info>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Peter Huewe <peterhuewe@gmx.de>,
Jarkko Sakkinen <jarkko@kernel.org>,
Jason Gunthorpe <jgg@ziepe.ca>, Jan Dabros <jsd@semihalf.com>,
regressions@lists.linux.dev, LKML <linux-kernel@vger.kernel.org>,
linux-integrity@vger.kernel.org,
Dominik Brodowski <linux@dominikbrodowski.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Johannes Altmanninger <aclopte@gmail.com>
Cc: stable@vger.kernel.org
Subject: [PATCH] tpm: Disable hwrng for TPM 1 if PM_SLEEP is enabled
Date: Thu, 5 Jan 2023 15:47:42 +0100
Message-Id: <20230105144742.3219571-1-Jason@zx2c4.com>
In-Reply-To: <370a2808-a19b-b512-4cd3-72dc69dfe8b0@suse.cz>
References: <370a2808-a19b-b512-4cd3-72dc69dfe8b0@suse.cz>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1754194656792090072?=
X-GMAIL-MSGID: =?utf-8?q?1754194656792090072?=
|
| Series |
tpm: Disable hwrng for TPM 1 if PM_SLEEP is enabled
|
|
Commit Message
Jason A. Donenfeld
Jan. 5, 2023, 2:47 p.m. UTC
TPM 1's support for its hardware RNG is broken across system suspends,
due to races or locking issues or something else that haven't been
diagnosed or fixed yet. These issues prevent the system from actually
suspending. So disable the driver in this case. Later, when this is
fixed properly, we can remove this.
Current breakage amounts to something like:
tpm tpm0: A TPM error (28) occurred continue selftest
...
tpm tpm0: A TPM error (28) occurred attempting get random
...
tpm tpm0: Error (28) sending savestate before suspend
tpm_tis 00:08: PM: __pnp_bus_suspend(): tpm_pm_suspend+0x0/0x80 returns 28
tpm_tis 00:08: PM: dpm_run_callback(): pnp_bus_suspend+0x0/0x10 returns 28
tpm_tis 00:08: PM: failed to suspend: error 28
PM: Some devices failed to suspend, or early wake event detected
This issue was partially fixed by 23393c646142 ("char: tpm: Protect
tpm_pm_suspend with locks"), in a last minute 6.1 commit that Linus took
directly because the TPM maintainers weren't available. However, it
seems like this just addresses the most common cases of the bug, rather
than addressing it entirely. So there are more things to fix still,
apparently.
The hwrng driver appears already to be occasionally disabled due to
other conditions, so this shouldn't be too large of a surprise.
Link: https://lore.kernel.org/lkml/7cbe96cf-e0b5-ba63-d1b4-f63d2e826efa@suse.cz/
Cc: stable@vger.kernel.org # 6.1+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/char/tpm/tpm-chip.c | 8 ++++++++
1 file changed, 8 insertions(+)
Comments
On Thu, Jan 05, 2023 at 03:47:42PM +0100, Jason A. Donenfeld wrote: > TPM 1's support for its hardware RNG is broken across system suspends, > due to races or locking issues or something else that haven't been > diagnosed or fixed yet. These issues prevent the system from actually > suspending. So disable the driver in this case. Later, when this is > fixed properly, we can remove this. > > Current breakage amounts to something like: > > tpm tpm0: A TPM error (28) occurred continue selftest > ... > tpm tpm0: A TPM error (28) occurred attempting get random > ... > tpm tpm0: Error (28) sending savestate before suspend > tpm_tis 00:08: PM: __pnp_bus_suspend(): tpm_pm_suspend+0x0/0x80 returns 28 > tpm_tis 00:08: PM: dpm_run_callback(): pnp_bus_suspend+0x0/0x10 returns 28 > tpm_tis 00:08: PM: failed to suspend: error 28 > PM: Some devices failed to suspend, or early wake event detected > > This issue was partially fixed by 23393c646142 ("char: tpm: Protect > tpm_pm_suspend with locks"), in a last minute 6.1 commit that Linus took > directly because the TPM maintainers weren't available. However, it > seems like this just addresses the most common cases of the bug, rather > than addressing it entirely. So there are more things to fix still, > apparently. > > The hwrng driver appears already to be occasionally disabled due to > other conditions, so this shouldn't be too large of a surprise. > > Link: https://lore.kernel.org/lkml/7cbe96cf-e0b5-ba63-d1b4-f63d2e826efa@suse.cz/ > Cc: stable@vger.kernel.org # 6.1+ > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Quoting from my previous email: | I spent a long time working through the TPM code when this came up | during 6.1. I set up the TPM emulator with QEMU and reproduced this and | had a whole test setup and S3 fuzzer. It took a long time, and when I was | done, I paged it all out of my brain. When I found that patch from Jan | that fixed the problem most of the time (but not all the time), I wasted | tons of time trying to get the TPM maintainers to take the patch and | send it to Linus as part of rc7 or rc8. But they all ignored me, and | eventually Linus just took that patch directly. | | So I don't think I want to go down another rabbit hole here, having | experienced the TPM maintainers not really caring much, and that sucking | away the remaining energy I had before to keep looking at the issue and | its edge cases not handled by Jan's patch. | | On the contrary, it'd make a big difference if the TPM maintainers could | actually help analyze the code that they're most familiar with, so that | we can get to the bottom of this. That's a lot better than some random | drive-by patches from a non-TPM person like me; before the 6.1 bug, I'd | never even looked at these drivers. | | My plan is to therefore be available to help and analyze and test and | maybe even write some code, if the TPM maintainers take the lead on | getting to the bottom of this. But if this hits neglect again like last | time, I'll just send a `depends on BROKEN if PM` patch to the TPM | hw_random driver and see what happens... That's a really awful solution | though, so I hope the maintainers will wake up this cycle. Seeing as there's still no life from the TPM maintainers, here's the patch to make the problem go away until they wake up. When they do wake up, though, I will be available to start looking into this again in whatever capacity I might be useful. Jason
On Thu, Jan 5, 2023 at 6:48 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote: > > TPM 1's support for its hardware RNG is broken across system suspends, > due to races or locking issues or something else that haven't been > diagnosed or fixed yet. These issues prevent the system from actually > suspending. So disable the driver in this case. Later, when this is > fixed properly, we can remove this. How about just keeping it enabled, but not making it a fatal error if the TPM saving doesn't work? IOW, just print the warning, and then "return 0" from the suspend function. I doubt anybody cares, but your patch disables that TPM device just because PM is *enabled*. That's basically "all the time". Imagine being on a desktop with a distro kernel that enables suspend - because that kernel obviously is expected to work on laptops too. You're never actually going to suspend things on that machine, but maybe you still want to register it as a source of hw random data? Linus
On Thu, Jan 05, 2023 at 01:58:48PM -0800, Linus Torvalds wrote: > On Thu, Jan 5, 2023 at 6:48 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote: > > > > TPM 1's support for its hardware RNG is broken across system suspends, > > due to races or locking issues or something else that haven't been > > diagnosed or fixed yet. These issues prevent the system from actually > > suspending. So disable the driver in this case. Later, when this is > > fixed properly, we can remove this. > > How about just keeping it enabled, but not making it a fatal error if > the TPM saving doesn't work? IOW, just print the warning, and then > "return 0" from the suspend function. You're right that returning 0 from the pm notifier would make the problem that users actually care about -- laptop doesn't sleep when you close the lid -- go away. From a random.c perspective, the RNG is already initialized when the driver loads, which will be before suspend bricks the driver. So even if the behavior afterwards is a buggy driver handing all zeros to random.c, it won't really matter much; random.c can deal with that cryptographically. I have no idea if this is actually the case with the driver's error condition. But if it is, it's good that it doesn't matter. So okay, I'll roll a patch to do that when I get home. I'm writing on my phone now, but from memory it's just changing a 'return rc;' into 'return 0;'. Then the TPM folks can fix the underlying issue at their leisure whenever. Jason
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 741d8f3e8fb3..eed67ea8d3a7 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -524,6 +524,14 @@ static int tpm_add_hwrng(struct tpm_chip *chip) if (!IS_ENABLED(CONFIG_HW_RANDOM_TPM) || tpm_is_firmware_upgrade(chip)) return 0; + /* + * This driver's support for using the RNG across suspend is broken on + * TPM1. Until somebody fixes this, just stop registering a HWRNG in + * that case. + */ + if (!(chip->flags & TPM_CHIP_FLAG_TPM2) && IS_ENABLED(CONFIG_PM_SLEEP)) + return 0; + snprintf(chip->hwrng_name, sizeof(chip->hwrng_name), "tpm-rng-%d", chip->dev_num); chip->hwrng.name = chip->hwrng_name;