lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4D759AB8.4020300@linux.vnet.ibm.com>
Date:	Mon, 07 Mar 2011 23:55:52 -0300
From:	Rajiv Andrade <srajiv@...ux.vnet.ibm.com>
To:	"Ted Ts'o" <tytso@....edu>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org
Subject: Re: [REGRESSION] tpm_tis on Lenovo T410 broken in 2.6.38-rc6

On 03/05/2011 01:48 PM, Ted Ts'o wrote:
> On Fri, Mar 04, 2011 at 11:44:18AM -0300, Rajiv Andrade wrote:
>> The bug was that when running the kernel with IMA, at boot time, it
>> issues 3 TPM commands IIRC, given the 2 min timeout,
>> when the TPM didn't respond due to it not working with interrupts
>> for example, the boot hang for 6 minutes.
> At boot time, why don't you just poll?  Maybe I'm missing something.
Polling is the alternative option there already, in case the TPM doesn't 
get an
IRQ assigned. However, for a reason we've now found out (testing on more
platforms before posting), when such happens, the TPM doesn't issue
the interrupt signals when the device driver expects, to make
wait_event_interruptible_timeout() return before timeout.
> Or you could just simply use a different default timeout during the
> boot sequence, or simply tell your IMA users to disable it, since if
> you are just hacking the TPM to do a fast fail, the IMA is going to be
> broken anyway, right?
>
That's true, but it would be disabled at the bootloader command line, 
same place
the interrupts could be disabled, that causes both to work.
However disabling the interrupts at command line was considered to be a
workaround in the bugzilla it was reported, so I understood it should work
as is for the users.
>> Thanks, it is. HZ isn't enough time for this TPM/setup to have short
>> timeout commands to succeed, including
>> the tpm_get_timeouts(). I was skeptic at first that this would be
>> the reason since I have the same machine,
>> and was working for me, the reason I asked for these parameters
>> setup attempts.
> Yes, but you're probably doing different TPM operations than I am....
> I'm not trying to do IMA, I'm trying to login to a WPA2 protected
> network where the private key needed to authenticate to the enterprise
> wireless network is locked in the TPM.
>
Ah.. completely different story then, I thought you were seeing the 
timeouts for
_any_ command, sorry. Just to confirm, can you issue a tpm_version? I 
believe you
might have them already, but this requires the tpm-tools and trousers 
packages
installed.

Thanks,
Rajiv


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ