lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 8 Oct 2013 09:15:55 +0000
From:	"Fuchs, Andreas" <andreas.fuchs@....fraunhofer.de>
To:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>,
	Joel Schopp <jschopp@...ux.vnet.ibm.com>
CC:	Leonidas Da Silva Barbosa <leosilva@...ux.vnet.ibm.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Rajiv Andrade <mail@...jiv.net>,
	"tpmdd-devel@...ts.sourceforge.net" 
	<tpmdd-devel@...ts.sourceforge.net>,
	Richard Maciel Costa <richardm@...ibm.com>,
	"trousers-tech@...ts.sourceforge.net" 
	<trousers-tech@...ts.sourceforge.net>,
	Daniel De Graaf <dgdegra@...ho.nsa.gov>,
	Sirrix AG <tpmdd@...rix.com>
Subject: AW: [TrouSerS-tech] [tpmdd-devel] [PATCH 09/13] tpm: Pull
 everything related to sysfs into tpm-sysfs.c

Some thoughts on those two questions:

1. Yes, userspace could be interested in setting TPM Localities specifically
for uses of PCR_Reset. For example a Browser could be interested in scheduling
Tabs in a PCR. For this it would reset the PCR and replay the old Extends when
switching a tab. Then the Tab could continue Extending on those pcrs.
Use cases may include any user-application that schedules children's tpm-access
via PCR_Reset...
The problem is, that whilst one process may be allowed to do so, another one may not.

2. This brings us to the problem of differentiating processes' access-rights
on the locality-feature and more specifically how to move this through the tcsd (as
another layer of abstraction). From a tpmdd perspective, if you provide localities,
you will not want to allow for everyone to just randomly set them. They actually
correspond to "capabilities" or access-rights on the TPM...

Random Proposal for discussion:
Rather than an ioctl, why not provide a different tpm-device per locality. This way, the
access to the different localities can be restricted via standard user/group of the device.
i.e. /dev/tpm0l1, /dev/tpm0l2, ... or similar approaches...

A privileged application may access /dev/tpm0l2 whilst another one only gets to l1...

Just some random thoughts, not well thought through though... ;-)

Cheers,
Andreas

________________________________________
Von: Jason Gunthorpe [jgunthorpe@...idianresearch.com]
Gesendet: Freitag, 4. Oktober 2013 19:08
An: Joel Schopp
Cc: Leonidas Da Silva Barbosa; linux-kernel@...r.kernel.org; Rajiv Andrade; tpmdd-devel@...ts.sourceforge.net; Richard Maciel Costa; trousers-tech@...ts.sourceforge.net; Daniel De Graaf; Sirrix AG
Betreff: Re: [TrouSerS-tech] [tpmdd-devel] [PATCH 09/13] tpm: Pull everything related to sysfs into tpm-sysfs.c

On Mon, Sep 30, 2013 at 05:09:51PM -0500, Joel Schopp wrote:

> > So far, nobody I have talked to has offered any strong opinions on
> > what locality should be used or how it should be set. I think finding
> > a developer of trousers may be the most useful to talk about how the
> > ioctl portion of this would need to be set up - if someone is actually
> > needed.

> I am a TrouSerS developer and am ccing Richard, another TrouSerS
> developer, and ccing the trousers-tech list.  It would be good if you
> could elaborate on the question and context for those not following the
> entire thread, myself included.

Two questions:

Is userspace interested in using the TPM Locality feature, and if so
is there any thoughts on what the interface should be?

Is the kernel interested in using the TPM Locality feature? What for?

Jason

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-tech mailing list
TrouSerS-tech@...ts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-tech
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ