From 4d05e948cebe03974ab9927daee55273207fdc22 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Thu, 9 Apr 2026 19:07:51 +0300 Subject: KEYS: trusted: Debugging as a feature TPM_DEBUG, and other similar flags, are a non-standard way to specify a feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted keys, and use it to replace these ad-hoc feature flags. Given that trusted keys debug dumps can contain sensitive data, harden the feature as follows: 1. In the Kconfig description postulate that pr_debug() statements must be used. 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump. 3. Require trusted.debug=1 on the kernel command line (default: 0) to activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y. Traces, when actually needed, can be easily enabled by providing trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line. Reported-by: Nayna Jain Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/ Reviewed-by: Nayna Jain Tested-by: Srish Srinivasan Signed-off-by: Jarkko Sakkinen --- include/keys/trusted-type.h | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'include') diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h index 03527162613f..9f9940482da4 100644 --- a/include/keys/trusted-type.h +++ b/include/keys/trusted-type.h @@ -83,18 +83,21 @@ struct trusted_key_source { extern struct key_type key_type_trusted; -#define TRUSTED_DEBUG 0 +#ifdef CONFIG_TRUSTED_KEYS_DEBUG +extern bool trusted_debug; -#if TRUSTED_DEBUG static inline void dump_payload(struct trusted_key_payload *p) { - pr_info("key_len %d\n", p->key_len); - print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE, - 16, 1, p->key, p->key_len, 0); - pr_info("bloblen %d\n", p->blob_len); - print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE, - 16, 1, p->blob, p->blob_len, 0); - pr_info("migratable %d\n", p->migratable); + if (!trusted_debug) + return; + + pr_debug("key_len %d\n", p->key_len); + print_hex_dump_debug("key ", DUMP_PREFIX_NONE, + 16, 1, p->key, p->key_len, 0); + pr_debug("bloblen %d\n", p->blob_len); + print_hex_dump_debug("blob ", DUMP_PREFIX_NONE, + 16, 1, p->blob, p->blob_len, 0); + pr_debug("migratable %d\n", p->migratable); } #else static inline void dump_payload(struct trusted_key_payload *p) -- cgit v1.2.3 From fd15b457a86939c38aa12116adabd8ff686c5e51 Mon Sep 17 00:00:00 2001 From: Shaomin Chen Date: Wed, 10 Jun 2026 13:10:05 +0300 Subject: keys: Pin request_key_auth payload in instantiate paths A: request_key() B: KEYCTL_INSTANTIATE_IOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy user payload sleep on #PF helper completed detach and free rka destroy auth key wake up use rka->target_key **USE-AFTER-FREE** Give request_key_auth payloads a refcount. Take a payload reference while authkey->sem stabilizes the payload and revocation state. Hold that reference across the instantiate and reject paths. Drop the auth key owning reference from revoke and destroy. [jarkko: Replaced the first two paragraphs of text with an actual concurrency scenario.] Cc: stable@vger.kernel.org # v5.10+ Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") Reported-by: Shaomin Chen Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com Signed-off-by: Shaomin Chen Signed-off-by: Jarkko Sakkinen --- include/keys/request_key_auth-type.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h index 36b89a933310..01e42ee5f409 100644 --- a/include/keys/request_key_auth-type.h +++ b/include/keys/request_key_auth-type.h @@ -9,12 +9,14 @@ #define _KEYS_REQUEST_KEY_AUTH_TYPE_H #include +#include /* * Authorisation record for request_key(). */ struct request_key_auth { struct rcu_head rcu; + refcount_t usage; struct key *target_key; struct key *dest_keyring; const struct cred *cred; -- cgit v1.2.3