From e6ffe09488e2010a04eb11e884cfee630e8c56a6 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski Date: Mon, 16 Feb 2026 12:04:59 +0100 Subject: [PATCH 1/9] tpm: Make tcpci_pm_ops variable static const File-scope 'tcpci_pm_ops' is not used outside of this unit and is not modified anywhere, so make it static const to silence sparse warning: tcpci.c:1002:1: warning: symbol 'tcpci_pm_ops' was not declared. Should it be static? Signed-off-by: Krzysztof Kozlowski Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 3a77be7ebf4a..e00f668f8c84 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -21,7 +21,7 @@ static bool disable_pcr_integrity; module_param(disable_pcr_integrity, bool, 0444); MODULE_PARM_DESC(disable_pcr_integrity, "Disable integrity protection of TPM2_PCR_Extend"); -struct tpm2_hash tpm2_hash_map[] = { +static const struct tpm2_hash tpm2_hash_map[] = { {HASH_ALGO_SHA1, TPM_ALG_SHA1}, {HASH_ALGO_SHA256, TPM_ALG_SHA256}, {HASH_ALGO_SHA384, TPM_ALG_SHA384}, From 48fe2cddc85c7849463bd01ae8b8c6b575ff508b Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Mon, 23 Feb 2026 16:55:21 +0100 Subject: [PATCH 2/9] tpm_crb: Convert ACPI driver to a platform one In all cases in which a struct acpi_driver is used for binding a driver to an ACPI device object, a corresponding platform device is created by the ACPI core and that device is regarded as a proper representation of underlying hardware. Accordingly, a struct platform_driver should be used by driver code to bind to that device. There are multiple reasons why drivers should not bind directly to ACPI device objects [1]. Overall, it is better to bind drivers to platform devices than to their ACPI companions, so convert the tpm_crb ACPI driver to a platform one. While this is not expected to alter functionality, it changes sysfs layout and so it will be visible to user space. Link: https://lore.kernel.org/all/2396510.ElGaqSPkdT@rafael.j.wysocki/ [1] Signed-off-by: Rafael J. Wysocki Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_crb.c | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index 6c25305c256e..7d1377e8e616 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #ifdef CONFIG_ARM64 #include @@ -602,13 +603,13 @@ static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res, return io_res->end - start + 1; } -static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, +static int crb_map_io(struct device *dev, struct crb_priv *priv, struct acpi_table_tpm2 *buf) { + struct acpi_device *device = ACPI_COMPANION(dev); struct list_head acpi_resource_list; struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} }; void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL}; - struct device *dev = &device->dev; struct resource *iores; void __iomem **iobase_ptr; int i; @@ -782,12 +783,13 @@ static int crb_map_pluton(struct device *dev, struct crb_priv *priv, return 0; } -static int crb_acpi_add(struct acpi_device *device) +static int crb_acpi_probe(struct platform_device *pdev) { + struct device *dev = &pdev->dev; + struct acpi_device *device = ACPI_COMPANION(dev); struct acpi_table_tpm2 *buf; struct crb_priv *priv; struct tpm_chip *chip; - struct device *dev = &device->dev; struct tpm2_crb_smc *crb_smc; struct tpm2_crb_ffa *crb_ffa; struct tpm2_crb_pluton *crb_pluton; @@ -867,7 +869,7 @@ static int crb_acpi_add(struct acpi_device *device) priv->sm = sm; priv->hid = acpi_device_hid(device); - rc = crb_map_io(device, priv, buf); + rc = crb_map_io(dev, priv, buf); if (rc) goto out; @@ -901,12 +903,9 @@ out: return rc; } -static void crb_acpi_remove(struct acpi_device *device) +static void crb_acpi_remove(struct platform_device *pdev) { - struct device *dev = &device->dev; - struct tpm_chip *chip = dev_get_drvdata(dev); - - tpm_chip_unregister(chip); + tpm_chip_unregister(platform_get_drvdata(pdev)); } static const struct dev_pm_ops crb_pm = { @@ -919,19 +918,17 @@ static const struct acpi_device_id crb_device_ids[] = { }; MODULE_DEVICE_TABLE(acpi, crb_device_ids); -static struct acpi_driver crb_acpi_driver = { - .name = "tpm_crb", - .ids = crb_device_ids, - .ops = { - .add = crb_acpi_add, - .remove = crb_acpi_remove, - }, - .drv = { +static struct platform_driver crb_acpi_driver = { + .probe = crb_acpi_probe, + .remove = crb_acpi_remove, + .driver = { + .name = "tpm_crb_acpi", + .acpi_match_table = crb_device_ids, .pm = &crb_pm, }, }; -module_acpi_driver(crb_acpi_driver); +module_platform_driver(crb_acpi_driver); MODULE_AUTHOR("Jarkko Sakkinen "); MODULE_DESCRIPTION("TPM2 Driver"); MODULE_VERSION("0.1"); From bb7a4e3b5f96d75756dab6459f073d4b2eedc7a0 Mon Sep 17 00:00:00 2001 From: Ethan Luna Date: Wed, 8 Apr 2026 11:37:47 +0300 Subject: [PATCH 3/9] tpm: i2c: atmel: fix block comment formatting Multiple block comments in tpm_i2c_atmel.c placed the closing '*/' on the same line as the comment text. This violates the kernel's preferred comment style, which requires the closing delimiter to appear on its line. Fix the formatting to improve readability and resolve checkpatch warnings. Signed-off-by: Ethan Luna Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_i2c_atmel.c | 34 +++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c index 4f229656a8e2..9fd73049821f 100644 --- a/drivers/char/tpm/tpm_i2c_atmel.c +++ b/drivers/char/tpm/tpm_i2c_atmel.c @@ -31,9 +31,11 @@ struct priv_data { size_t len; - /* This is the amount we read on the first try. 25 was chosen to fit a + /* + * This is the amount we read on the first try. 25 was chosen to fit a * fair number of read responses in the buffer so a 2nd retry can be - * avoided in small message cases. */ + * avoided in small message cases. + */ u8 buffer[sizeof(struct tpm_header) + 25]; }; @@ -58,7 +60,9 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz, if (status < 0) return status; - /* The upper layer does not support incomplete sends. */ + /* + * The upper layer does not support incomplete sends. + */ if (status != len) return -E2BIG; @@ -76,9 +80,11 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count) if (priv->len == 0) return -EIO; - /* Get the message size from the message header, if we didn't get the + /* + * Get the message size from the message header, if we didn't get the * whole message in read_status then we need to re-read the - * message. */ + * message. + */ expected_len = be32_to_cpu(hdr->length); if (expected_len > count) return -ENOMEM; @@ -111,15 +117,19 @@ static u8 i2c_atmel_read_status(struct tpm_chip *chip) struct i2c_client *client = to_i2c_client(chip->dev.parent); int rc; - /* The TPM fails the I2C read until it is ready, so we do the entire + /* + * The TPM fails the I2C read until it is ready, so we do the entire * transfer here and buffer it locally. This way the common code can - * properly handle the timeouts. */ + * properly handle the timeouts. + */ priv->len = 0; memset(priv->buffer, 0, sizeof(priv->buffer)); - /* Once the TPM has completed the command the command remains readable - * until another command is issued. */ + /* + * Once the TPM has completed the command the command remains readable + * until another command is issued. + */ rc = i2c_master_recv(client, priv->buffer, sizeof(priv->buffer)); dev_dbg(&chip->dev, "%s: sts=%d", __func__, rc); @@ -172,9 +182,11 @@ static int i2c_atmel_probe(struct i2c_client *client) dev_set_drvdata(&chip->dev, priv); - /* There is no known way to probe for this device, and all version + /* + * There is no known way to probe for this device, and all version * information seems to be read via TPM commands. Thus we rely on the - * TPM startup process in the common code to detect the device. */ + * TPM startup process in the common code to detect the device. + */ return tpm_chip_register(chip); } From 666c1a2ca603d8314231200bf8bbb3a81bd64c6b Mon Sep 17 00:00:00 2001 From: Gunnar Kudrjavets Date: Wed, 8 Apr 2026 12:00:27 +0300 Subject: [PATCH 4/9] tpm: Fix auth session leak in tpm2_get_random() error path When tpm_buf_fill_hmac_session() fails inside the do-while loop in tpm2_get_random(), the function returns directly after destroying the buffer, without ending the auth session via tpm2_end_auth_session(). This leaks the TPM auth session resource. All other error paths within the loop correctly reach the 'out' label which calls both tpm_buf_destroy() and tpm2_end_auth_session(). Fix this by replacing the early return with a goto to the existing 'out' label, which already handles both cleanup operations. The redundant tpm_buf_destroy() call is removed since 'out' takes care of it. Cc: stable@vger.kernel.org # v6.19+ Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size") Signed-off-by: Gunnar Kudrjavets Reviewed-by: Justinien Bouron Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-cmd.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index e00f668f8c84..b11e6fa8b740 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -295,10 +295,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) } tpm_buf_append_u16(&buf, num_bytes); err = tpm_buf_fill_hmac_session(chip, &buf); - if (err) { - tpm_buf_destroy(&buf); - return err; - } + if (err) + goto out; err = tpm_transmit_cmd(chip, &buf, offsetof(struct tpm2_get_random_out, From f0f75a3d98b7959a8677b6363e23190f3018636b Mon Sep 17 00:00:00 2001 From: Gunnar Kudrjavets Date: Wed, 15 Apr 2026 03:00:03 +0300 Subject: [PATCH 5/9] tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation: 1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer. 2. On the success path, the buffer is never destroyed before returning. All other error paths in the function correctly call tpm_buf_destroy() before returning. Fix both by adding the missing tpm_buf_destroy() calls. Cc: stable@vger.kernel.org # v6.19+ Fixes: bda1cbf73c6e ("tpm2-sessions: Fix tpm2_read_public range checks") Signed-off-by: Gunnar Kudrjavets Reviewed-by: Justinien Bouron Reviewed-by: Paul Menzel Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-sessions.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 3b1cf1ca0420..c4da6fde748f 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -203,8 +203,10 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name) rc = tpm_buf_read_u16(&buf, &offset); name_size_alg = name_size(&buf.data[offset]); - if (name_size_alg < 0) + if (name_size_alg < 0) { + tpm_buf_destroy(&buf); return name_size_alg; + } if (rc != name_size_alg) { tpm_buf_destroy(&buf); @@ -217,6 +219,7 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name) } memcpy(name, &buf.data[offset], rc); + tpm_buf_destroy(&buf); return name_size_alg; } #endif /* CONFIG_TCG_TPM2_HMAC */ From c424d2664f08c77f08b4580b5f0cbaabf7c229b2 Mon Sep 17 00:00:00 2001 From: Gunnar Kudrjavets Date: Thu, 9 Apr 2026 17:20:54 +0000 Subject: [PATCH 6/9] tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown. Cc: stable@vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Gunnar Kudrjavets Reviewed-by: Justinien Bouron Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm-chip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0719577e584d..12b7394b34bd 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -247,7 +247,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->work_space.context_buf); kfree(chip->work_space.session_buf); #ifdef CONFIG_TCG_TPM2_HMAC - kfree(chip->auth); + kfree_sensitive(chip->auth); #endif kfree(chip); } From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Fri, 22 Mar 2024 14:22:48 +0100 Subject: [PATCH 7/9] tpm: avoid -Wunused-but-set-variable Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are defined as trivial macros, leading to the mapping_size variable ending up unused: In file included from drivers/char/tpm/tpm-sysfs.c:16: In file included from drivers/char/tpm/tpm.h:28: include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable] 167 | int mapping_size; Turn the stubs into inline functions to avoid this warning. Cc: stable@vger.kernel.org # v5.3+ Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") Signed-off-by: Arnd Bergmann Reviewed-by: Thorsten Blum Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- include/linux/tpm_eventlog.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e82558..aff8ea2fa98e 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -131,11 +131,16 @@ struct tcg_algorithm_info { }; #ifndef TPM_MEMREMAP -#define TPM_MEMREMAP(start, size) NULL +static inline void *TPM_MEMREMAP(unsigned long start, size_t size) +{ + return NULL; +} #endif #ifndef TPM_MEMUNMAP -#define TPM_MEMUNMAP(start, size) do{} while(0) +static inline void TPM_MEMUNMAP(void *mapping, size_t size) +{ +} #endif /** From 0471921e2d1043dcc6de5cffb49dd37709521abe Mon Sep 17 00:00:00 2001 From: Jacqueline Wong Date: Wed, 15 Apr 2026 16:00:05 +0000 Subject: [PATCH 8/9] tpm: tpm_tis: add error logging for data transfer Add logging to more easily determine reason for transmit failure Cc: stable@vger.kernel.org # v6.6+ Fixes: 280db21e153d8 ("tpm_tis: Resend command to recover from data transfer errors") Signed-off-by: Jacqueline Wong Signed-off-by: Jordan Hand Link: https://lore.kernel.org/r/20260415160006.2275325-2-jacqwong@google.com Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e2a1769081b1..acb91bf1e5f5 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -471,6 +471,8 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len) status = tpm_tis_status(chip); if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) { rc = -EIO; + dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be set. sts = 0x%08x\n", + status); goto out_err; } } @@ -491,6 +493,8 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len) status = tpm_tis_status(chip); if (!itpm && (status & TPM_STS_DATA_EXPECT) != 0) { rc = -EIO; + dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be unset. sts = 0x%08x\n", + status); goto out_err; } From 949692da7211572fac419b2986b6abc0cd1aeb76 Mon Sep 17 00:00:00 2001 From: Jacqueline Wong Date: Wed, 15 Apr 2026 16:00:06 +0000 Subject: [PATCH 9/9] tpm: tpm_tis: stop transmit if retries are exhausted tpm_tis_send_main() will attempt to retry sending data TPM_RETRY times. Currently, if those retries are exhausted, the driver will attempt to call execute. The TPM will be in the wrong state, leading to the operation simply timing out. Instead, if there is still an error after retries are exhausted, return that error immediately. Cc: stable@vger.kernel.org # v6.6+ Fixes: 280db21e153d8 ("tpm_tis: Resend command to recover from data transfer errors") Signed-off-by: Jacqueline Wong Signed-off-by: Jordan Hand Link: https://lore.kernel.org/r/20260415160006.2275325-3-jacqwong@google.com Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_tis_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index acb91bf1e5f5..21d79ad3b164 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -556,11 +556,16 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len) break; else if (rc != -EAGAIN && rc != -EIO) /* Data transfer failed, not recoverable */ - return rc; + goto out_err; usleep_range(priv->timeout_min, priv->timeout_max); } + if (rc == -EAGAIN || rc == -EIO) { + dev_err(&chip->dev, "Exhausted %d tpm_tis_send_data retries\n", TPM_RETRY); + goto out_err; + } + /* go and do it */ rc = tpm_tis_write8(priv, TPM_STS(priv->locality), TPM_STS_GO); if (rc < 0)