lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 4 May 2017 13:28:17 -0400
From:   Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:     Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org,
        jarkko.sakkinen@...ux.intel.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/3] tpm: vtpm_proxy: Implement new ioctl to get
 supported flags

On 05/04/2017 01:20 PM, Jason Gunthorpe wrote:
> On Thu, May 04, 2017 at 01:13:18PM -0400, Stefan Berger wrote:
>> On 05/04/2017 11:34 AM, Jason Gunthorpe wrote:
>>> On Thu, May 04, 2017 at 10:56:25AM -0400, Stefan Berger wrote:
>>>> Implement VTPM_PROXY_IOC_GET_SUPT_FLAGS ioctl to get the bitmask
>>>> of flags that the vtpm_proxy driver supports in the
>>>> VTPM_PROXY_IOC_NEW_DEV ioctl. This helps user space in deciding
>>>> which flags to set in that ioctl.
>>> you might be better off just having a VTPM_PROXY_IO_ENABLE_FEATURE
>>> .feature = LOCALITY
>> Do you have an example driver that shows how to do this ? Can user space
>> query that feature?
> Try and enable the feature, if it fails then there is no feature in
> the kernel.
>
> This is the usual way to add new syscalls..
>
>>> If that fails then the feature is not supported, no real need for the
>>> query in that case.
>>>
>>> Not sure about Jarkko's point on request/release locality.. Is there a
>>> scenario where the emulator should fail the request locality?
>> We could filter localities 5 and higher on the level of the driver (patch
>> 2/3) since basically there are only 5 localities (0-4) in any TPM interface
>> today. The typical hardware locality 4 would be filtered by the emulator per
>> policy passed via command line, but I would allow it on the level of this
>> driver. An error message would be returned for any command executed in that
>> locality, unless the 'policy' allows it. Localities 0-3 should just be
>> selectable. The TPM TIS (in the hardware) implements some complicated scheme
>> when it comes to allowing the selection of a locality and I would say we
>> need none of that but just tell the vTPM proxy driver the locality (patch
>> 2/3) in which the next command will be executed.
> Well, if TIS hardware has some scheme I feel like the emulator uAPI should
> have enough fidelity to ecompass existing hardware, even if your
> current emulator does not need it.
>
> So allowing request_locality to fail from userspace seems reasonable.

What's the best interface to use for this ?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ