diff options
author | Linus Torvalds | 2016-12-14 22:57:44 +0100 |
---|---|---|
committer | Linus Torvalds | 2016-12-14 22:57:44 +0100 |
commit | 683b96f4d1d132fcefa4a0bd11916649800d7361 (patch) | |
tree | 95ba7e1c1edc15639be080773b4c32d2be60b0a4 /Documentation | |
parent | Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert... (diff) | |
parent | Yama: allow access for the current ptrace parent (diff) | |
download | kernel-qcow2-linux-683b96f4d1d132fcefa4a0bd11916649800d7361.tar.gz kernel-qcow2-linux-683b96f4d1d132fcefa4a0bd11916649800d7361.tar.xz kernel-qcow2-linux-683b96f4d1d132fcefa4a0bd11916649800d7361.zip |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Generally pretty quiet for this release. Highlights:
Yama:
- allow ptrace access for original parent after re-parenting
TPM:
- add documentation
- many bugfixes & cleanups
- define a generic open() method for ascii & bios measurements
Integrity:
- Harden against malformed xattrs
SELinux:
- bugfixes & cleanups
Smack:
- Remove unnecessary smack_known_invalid label
- Do not apply star label in smack_setprocattr hook
- parse mnt opts after privileges check (fixes unpriv DoS vuln)"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (56 commits)
Yama: allow access for the current ptrace parent
tpm: adjust return value of tpm_read_log
tpm: vtpm_proxy: conditionally call tpm_chip_unregister
tpm: Fix handling of missing event log
tpm: Check the bios_dir entry for NULL before accessing it
tpm: return -ENODEV if np is not set
tpm: cleanup of printk error messages
tpm: replace of_find_node_by_name() with dev of_node property
tpm: redefine read_log() to handle ACPI/OF at runtime
tpm: fix the missing .owner in tpm_bios_measurements_ops
tpm: have event log use the tpm_chip
tpm: drop tpm1_chip_register(/unregister)
tpm: replace dynamically allocated bios_dir with a static array
tpm: replace symbolic permission with octal for securityfs files
char: tpm: fix kerneldoc tpm2_unseal_trusted name typo
tpm_tis: Allow tpm_tis to be bound using DT
tpm, tpm_vtpm_proxy: add kdoc comments for VTPM_PROXY_IOC_NEW_DEV
tpm: Only call pm_runtime_get_sync if device has a parent
tpm: define a generic open() method for ascii & bios measurements
Documentation: tpm: add the Physical TPM device tree binding documentation
...
Diffstat (limited to 'Documentation')
4 files changed, 87 insertions, 2 deletions
diff --git a/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt b/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt new file mode 100644 index 000000000000..d89f99971368 --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt @@ -0,0 +1,41 @@ +* Device Tree Bindings for IBM Virtual Trusted Platform Module(vtpm) + +Required properties: + +- compatible : property name that conveys the platform architecture + identifiers, as 'IBM,vtpm' +- device_type : specifies type of virtual device +- interrupts : property specifying the interrupt source number and + sense code associated with this virtual I/O Adapters +- ibm,my-drc-index : integer index for the connector between the device + and its parent - present only if Dynamic + Reconfiguration(DR) Connector is enabled +- ibm,#dma-address-cells: specifies the number of cells that are used to + encode the physical address field of dma-window + properties +- ibm,#dma-size-cells : specifies the number of cells that are used to + encode the size field of dma-window properties +- ibm,my-dma-window : specifies DMA window associated with this virtual + IOA +- ibm,loc-code : specifies the unique and persistent location code + associated with this virtual I/O Adapters +- linux,sml-base : 64-bit base address of the reserved memory allocated + for the firmware event log +- linux,sml-size : size of the memory allocated for the firmware event log + +Example (IBM Virtual Trusted Platform Module) +--------------------------------------------- + + vtpm@30000003 { + ibm,#dma-size-cells = <0x2>; + compatible = "IBM,vtpm"; + device_type = "IBM,vtpm"; + ibm,my-drc-index = <0x30000003>; + ibm,#dma-address-cells = <0x2>; + linux,sml-base = <0xc60e 0x0>; + interrupts = <0xa0003 0x0>; + ibm,my-dma-window = <0x10000003 0x0 0x0 0x0 0x10000000>; + ibm,loc-code = "U8286.41A.10082DV-V3-C3"; + reg = <0x30000003>; + linux,sml-size = <0xbce10200>; + }; diff --git a/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt b/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt new file mode 100644 index 000000000000..8cb638b7e89c --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt @@ -0,0 +1,21 @@ +* Device Tree Bindings for I2C based Trusted Platform Module(TPM) + +Required properties: + +- compatible : 'manufacturer,model', eg. nuvoton,npct650 +- label : human readable string describing the device, eg. "tpm" +- linux,sml-base : 64-bit base address of the reserved memory allocated for + the firmware event log +- linux,sml-size : size of the memory allocated for the firmware event log + +Example (for OpenPower Systems with Nuvoton TPM 2.0 on I2C) +---------------------------------------------------------- + +tpm@57 { + reg = <0x57>; + label = "tpm"; + compatible = "nuvoton,npct650", "nuvoton,npct601"; + linux,sml-base = <0x7f 0xfd450000>; + linux,sml-size = <0x10000>; + status = "okay"; +}; diff --git a/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt b/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt new file mode 100644 index 000000000000..41d740545189 --- /dev/null +++ b/Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt @@ -0,0 +1,25 @@ +Trusted Computing Group MMIO Trusted Platform Module + +The TCG defines multi vendor standard for accessing a TPM chip, this +is the standard protocol defined to access the TPM via MMIO. Typically +this interface will be implemented over Intel's LPC bus. + +Refer to the 'TCG PC Client Specific TPM Interface Specification (TIS)' TCG +publication for the specification. + +Required properties: + +- compatible: should contain a string below for the chip, followed by + "tcg,tpm-tis-mmio". Valid chip strings are: + * "atmel,at97sc3204" +- reg: The location of the MMIO registers, should be at least 0x5000 bytes +- interrupt-parent/interrupts: An optional interrupt indicating command completion. + +Example: + + tpm_tis@90000 { + compatible = "atmel,at97sc3204", "tcg,tpm-tis-mmio"; + reg = <0x90000 0x5000>; + interrupt-parent = <&EIC0>; + interrupts = <1 2>; + }; diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt index 324ddf5223b3..b20a993a32af 100644 --- a/Documentation/security/keys-trusted-encrypted.txt +++ b/Documentation/security/keys-trusted-encrypted.txt @@ -32,8 +32,6 @@ Usage: (40 ascii zeros) blobauth= ascii hex auth for sealed data default 0x00... (40 ascii zeros) - blobauth= ascii hex auth for sealed data default 0x00... - (40 ascii zeros) pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) pcrlock= pcr number to be extended to "lock" blob migratable= 0|1 indicating permission to reseal to new PCR values, |