<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/char/tpm, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-21T01:25:28+00:00</updated>
<entry>
<title>tpm: fix event_size output in tpm1_binary_bios_measurements_show</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-06-15T12:02:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1a58f6115bfb34eabcc7de8a3a9745b219179781'/>
<id>urn:sha1:1a58f6115bfb34eabcc7de8a3a9745b219179781</id>
<content type='text'>
Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
split the output to write the endian-converted event header first and
then the variable-length event data.

However, the split was at sizeof(struct tcpa_event) - 1, even though
event_data was a zero-length array, and later a flexible array member,
both of which already excluded the event data.

Therefore, the current code writes the first three bytes of event_size
from the endian-converted header and then the last byte from the raw
header, which can emit a corrupted event_size on PPC64, where
do_endian_conversion() maps to be32_to_cpu().

Split one byte later to write the full endian-converted header first,
followed by the variable-length event-&gt;event_data.

Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: tpm_crb_ffa: revert defered_probed when tpm_crb_ffa is built-in</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Yeoreum Yun</name>
<email>yeoreum.yun@arm.com</email>
</author>
<published>2026-06-05T14:43:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=677042afb97ac5057e1d2900139f123bb15ba6e6'/>
<id>urn:sha1:677042afb97ac5057e1d2900139f123bb15ba6e6</id>
<content type='text'>
Commit 746d9e9f62a6 ("tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in")
probes tpm_crb_ffa forcefully when it's built-in to integrate with IMA.

However, IMA now provides the IMA_INIT_LATE_SYNC build option, which
initialises IMA at the late_initcall_sync level, so this change is no
longer required.

Signed-off-by: Yeoreum Yun &lt;yeoreum.yun@arm.com&gt;
Link: https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux.git/commit/?h=for-next/ffa/updates&amp;id=cc7e8f21b9f0c229d68cf19a837cba82b5ac2d87 [0]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux.git/commit/?h=for-next/ffa/updates&amp;id=e659fc8e537c7a21d5d693d6f30d8852f2fa8d91 [1]
Link: https://lore.kernel.org/r/20260605144325.434436-5-yeoreum.yun@arm.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: tpm2-sessions: wait for async KPP completion in tpm_buf_append_salt</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-05-31T12:44:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=73851a7c43dfa52d2ed9415889b33daf85da0ed9'/>
<id>urn:sha1:73851a7c43dfa52d2ed9415889b33daf85da0ed9</id>
<content type='text'>
tpm_buf_append_salt() in drivers/char/tpm/tpm2-sessions.c calls
crypto_kpp_generate_public_key() and crypto_kpp_compute_shared_secret()
without installing a completion callback, discards both return values,
and immediately frees the kpp_request via kpp_request_free(). When the
resolved ecdh-nist-p256 KPP backend is asynchronous (atmel-ecc, HPRE,
keembay-ocs), either operation returns -EINPROGRESS and the deferred
completion worker dereferences the freed request.

The path fires automatically from the hwrng_fillfn kernel thread via
tpm_get_random -&gt; tpm2_get_random -&gt; tpm2_start_auth_session -&gt;
tpm_buf_append_salt on every entropy poll, without any userland action.

Install crypto_req_done as the completion callback, wrap both KPP
operations in crypto_wait_req(), and propagate errors to the caller.
The wait is a no-op for synchronous backends.

Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
Cc: stable@vger.kernel.org # v6.10+
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Assisted-by: Claude:claude-opus-4-7
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: tpm_tis: Add settle time for some TPMs</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Jim Broadus</name>
<email>jbroadus@gmail.com</email>
</author>
<published>2026-05-26T23:22:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=661f4d304960e3b093fae5211504e0e8c9fd4f23'/>
<id>urn:sha1:661f4d304960e3b093fae5211504e0e8c9fd4f23</id>
<content type='text'>
Some TPMs fail to grant locality when requested immediately after being
relinquished. In this case, the TPM_ACCESS_REQUEST_USE bit of the
TPM_ACCESS register is cleared immediately without setting
TPM_ACCESS_ACTIVE_LOCALITY.

This issue can be seen at boot since tpm_chip_start, called right
after locality is relinquished, will fail. This causes the probe to
fail:

tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -1

This occurs on some older Dell Latitudes. For the Nuvoton TPM used in
these machines, add a delay after locality is relinquished.

Signed-off-by: Jim Broadus &lt;jbroadus@gmail.com&gt;
Link: https://lore.kernel.org/r/20260526232245.5409-3-jbroadus@gmail.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: tpm_tis: store entire did_vid</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Jim Broadus</name>
<email>jbroadus@gmail.com</email>
</author>
<published>2026-05-26T23:22:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c4d52950536bb421eaf11d83c0ba8612c443bb20'/>
<id>urn:sha1:c4d52950536bb421eaf11d83c0ba8612c443bb20</id>
<content type='text'>
The entire 32-bit did_vid is read from the device, but only the 16-bit
vendor id portion was stored in the tpm_tis_data structure. Storing the
entire value allows the device id to be used to handle quirks. Printing
the vid and did in the error case also helps identify problem devices.

Signed-off-by: Jim Broadus &lt;jbroadus@gmail.com&gt;
Link: https://lore.kernel.org/r/20260526232245.5409-2-jbroadus@gmail.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm_crb: Check ACPI_COMPANION() against NULL during probe</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Rafael J. Wysocki</name>
<email>rafael.j.wysocki@intel.com</email>
</author>
<published>2026-05-12T16:16:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ddd33806b8911fa2ef849e8bbbab1e3fcb26adc0'/>
<id>urn:sha1:ddd33806b8911fa2ef849e8bbbab1e3fcb26adc0</id>
<content type='text'>
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.

Accordingly, add a requisite ACPI_COMPANION() check against NULL to the
tpm_crb driver.

Fixes: 48fe2cddc85c ("tpm_crb: Convert ACPI driver to a platform one")
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Link: https://lore.kernel.org/r/2848144.mvXUDI8C0e@rafael.j.wysocki
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: tpm_tis_spi: Use wait_woken() in wait_for_tmp_stat()</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Jarkko Sakkinen</name>
<email>jarkko@kernel.org</email>
</author>
<published>2026-05-09T18:51:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c0c9cfb3b75def8bf200a2d4db09015806acfeaf'/>
<id>urn:sha1:c0c9cfb3b75def8bf200a2d4db09015806acfeaf</id>
<content type='text'>
wait_event_interruptible_timeout() evaluates its condition after setting
the current task state to TASK_INTERRUPTIBLE.

With CONFIG_DEBUG_ATOMIC_SLEEP this triggers a warning when the IRQ wait
path is used:

    tpm_tis_status()
      tpm_tis_spi_read_bytes()
        tpm_tis_spi_transfer_full()
          spi_bus_lock()
            mutex_lock()

Address this with the following measures:

1. Call wait_tpm_stat_cond() only while the task is running.
2. Use wait_woken() to wait for changes.

Cc: stable@vger.kernel.org # v4.19+
Cc: Linus Walleij &lt;linusw@kernel.org&gt;
Reported-by: Stefan Wahren &lt;wahrenst@gmx.net&gt;
Closes: https://lore.kernel.org/linux-integrity/6964bec7-3dbb-453b-89ef-9b990217a8b9@gmx.net/
Fixes: 1a339b658d9d ("tpm_tis_spi: Pass the SPI IRQ down to the driver")
Reviewed-by: Linus Walleij &lt;linusw@kernel.org&gt;
Tested-by: Stefan Wahren &lt;wahrenst@gmx.net&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: Initialize name_size_alg for non-NULL name in tpm_buf_append_name()</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Gunnar Kudrjavets</name>
<email>gunnarku@amazon.com</email>
</author>
<published>2026-05-10T17:11:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=595ca21f797e43da24cb80529fb8b29381ed8716'/>
<id>urn:sha1:595ca21f797e43da24cb80529fb8b29381ed8716</id>
<content type='text'>
tpm_buf_append_name() supports callers passing a pre-computed name
for handles. When name is non-NULL, the code skips the
tpm2_read_public() path but leaves name_size_alg uninitialized
before it is used as the memcpy size argument.

No current in-tree caller passes a non-NULL name, but future use
cases such as name caching would exercise this path. Initialize
name_size_alg by calling name_size() on the caller-provided name,
sharing the error check and assignment with the existing
tpm2_read_public() path. This prevents unmasking a latent bug when
the non-NULL name path is eventually used.

Assisted-by: Kiro:claude-opus-4.6
Reviewed-by: Justinien Bouron &lt;jbouron@amazon.com&gt;
Reviewed-by: Muhammad Hammad Ijaz &lt;mhijaz@amazon.com&gt;
Signed-off-by: Gunnar Kudrjavets &lt;gunnarku@amazon.com&gt;
Link: https://lore.kernel.org/r/20260510171152.4607-1-gunnarku@amazon.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: restore timeout for key creation commands</title>
<updated>2026-06-21T01:25:28+00:00</updated>
<author>
<name>Baoli Zhang</name>
<email>baoli.zhang@linux.intel.com</email>
</author>
<published>2026-04-21T00:50:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=de59d78e64039baa5fed455ddb905ba8263e7ede'/>
<id>urn:sha1:de59d78e64039baa5fed455ddb905ba8263e7ede</id>
<content type='text'>
Commit 207696b17f38 ("tpm: use a map for tpm2_calc_ordinal_duration()")
inadvertently reduced the timeout for TPM2 key creation commands
(`CREATE_PRIMARY`, `CREATE`, `CREATE_LOADED`) from 300 seconds to 30
seconds.

This causes intermittent timeout failures, with several failures observed
across hundreds of test runs on some Intel platforms using Infineon
SLB9670 and SLB9672 TPM modules. Restore the timeout to 300 seconds to
avoid spurious failures.

Cc: stable@vger.kernel.org # v6.18+
Fixes: 207696b17f38 ("tpm: use a map for tpm2_calc_ordinal_duration()")
Co-developed-by: Lili Li &lt;lili.li@intel.com&gt;
Signed-off-by: Lili Li &lt;lili.li@intel.com&gt;
Signed-off-by: Baoli Zhang &lt;baoli.zhang@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20260421005021.13765-1-baoli.zhang@linux.intel.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>tpm: svsm: constify tpm_chip_ops</title>
<updated>2026-06-21T01:25:27+00:00</updated>
<author>
<name>David Windsor</name>
<email>dwindsor@gmail.com</email>
</author>
<published>2026-05-05T20:27:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ebc242f78c52ef9de0e650bf48f64eb110351a4f'/>
<id>urn:sha1:ebc242f78c52ef9de0e650bf48f64eb110351a4f</id>
<content type='text'>
Constify the SVSM vTPM ops. It is statically initialized and never
written to, so let's store it in .rodata.

Every other tpm_class_ops instance in drivers/char/tpm/ is already
const.

Signed-off-by: David Windsor &lt;dwindsor@gmail.com&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Link: https://lore.kernel.org/r/20260505202738.145800-1-dwindsor@gmail.com
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
</feed>
