linux/security
David Safford 0dcc35c1c2 KEYS: trusted: tpm2: Fix migratable logic
commit dda5384313 upstream.

When creating (sealing) a new trusted key, migratable
trusted keys have the FIXED_TPM and FIXED_PARENT attributes
set, and non-migratable keys don't. This is backwards, and
also causes creation to fail when creating a migratable key
under a migratable parent. (The TPM thinks you are trying to
seal a non-migratable blob under a migratable parent.)

The following simple patch fixes the logic, and has been
tested for all four combinations of migratable and non-migratable
trusted keys and parent storage keys. With this logic, you will
get a proper failure if you try to create a non-migratable
trusted key under a migratable parent storage key, and all other
combinations work correctly.

Cc: stable@vger.kernel.org # v5.13+
Fixes: e5fb5d2c5a ("security: keys: trusted: Make sealed key properly interoperable")
Signed-off-by: David Safford <david.safford@gmail.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-14 18:36:25 +02:00
..
apparmor apparmor: fix error check 2021-11-18 19:16:58 +01:00
bpf bpf: Implement task local storage 2020-11-06 08:08:37 -08:00
integrity ima: remove the IMA_TEMPLATE Kconfig option 2022-06-09 10:23:25 +02:00
keys KEYS: trusted: tpm2: Fix migratable logic 2022-06-14 18:36:25 +02:00
landlock landlock: Fix same-layer rule unions 2022-06-09 10:23:24 +02:00
loadpin LSM: Add "contents" flag to kernel_read_file hook 2020-10-05 13:37:03 +02:00
lockdown Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2020-06-02 17:36:24 -07:00
safesetid LSM: SafeSetID: Mark safesetid_initialized as __initdata 2021-06-10 09:52:32 -07:00
selinux selinux: fix bad cleanup on error in hashtab_duplicate() 2022-05-25 09:57:27 +02:00
smack Fix incorrect type in assignment of ipv6 port for audit 2022-04-08 14:23:55 +02:00
tomoyo TOMOYO: fix __setup handlers return values 2022-04-08 14:23:35 +02:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c Miscellaneous minor fixes for v5.13. 2021-04-27 19:32:55 -07:00
device_cgroup.c device_cgroup: Fix RCU list debugging warning 2020-08-20 11:25:03 -07:00
inode.c Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
Kconfig fortify: Explicitly disable Clang support 2021-11-21 13:44:13 +01:00
Kconfig.hardening hardening: Clarify Kconfig text for auto-var-init 2021-07-20 23:02:59 -07:00
lsm_audit.c audit: remove unnecessary 'ret' initialization 2021-06-11 13:21:28 -04:00
Makefile security: remove unneeded subdir-$(CONFIG_...) 2021-09-03 08:17:20 +09:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c lockdown: also lock down previous kgdb use 2022-05-25 09:57:37 +02:00