Message-ID: <524F1450.6060406@linux.vnet.ibm.com>
Date:	Fri, 04 Oct 2013 15:17:36 -0400
From:	Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>
CC:	Joel Schopp <jschopp@...ux.vnet.ibm.com>,
	Leonidas Da Silva Barbosa <leosilva@...ux.vnet.ibm.com>,
	linux-kernel@...r.kernel.org, Rajiv Andrade <mail@...jiv.net>,
	tpmdd-devel@...ts.sourceforge.net,
	Richard Maciel Costa <richardm@...ibm.com>,
	"trousers-tech@...ts.sourceforge.net" 
	<trousers-tech@...ts.sourceforge.net>, Sirrix AG <tpmdd@...rix.com>
Subject: Re: [tpmdd-devel] [PATCH 09/13] tpm: Pull everything related to sysfs
 into tpm-sysfs.c

On 10/04/2013 01:08 PM, Jason Gunthorpe wrote:
> On Mon, Sep 30, 2013 at 05:09:51PM -0500, Joel Schopp wrote:
>
>>> So far, nobody I have talked to has offered any strong opinions on
>>> what locality should be used or how it should be set. I think finding
>>> a developer of trousers may be the most useful to talk about how the
>>> ioctl portion of this would need to be set up - if someone is actually
>>> needed.
>> I am a TrouSerS developer and am ccing Richard, another TrouSerS
>> developer, and ccing the trousers-tech list.  It would be good if you
>> could elaborate on the question and context for those not following the
>> entire thread, myself included.
> Two questions:
>
> Is userspace interested in using the TPM Locality feature, and if so
> is there any thoughts on what the interface should be?

In terms of interface it should probably be an ioctl so that whoever 
holds the fd to /dev/tpm0 gets to choose the locality.

Locality allows the resetting of certain PCRs. See section 3.7 in

http://www.trustedcomputinggroup.org/files/static_page_files/8E45D739-1A4B-B294-D06274E7047730FD/TCG_PCClientTPMInterfaceSpecification_TIS__1-3_27_03212013.pdf

Locality 4 can only be used by the hardware (section 2.2).

Locality has an influence on the following TPM commands: 
TSC_ResetEstablishmentBit, Seal, Sealx, CreateWrapKey, UnSeal, 
GetPubKey, CMK_CreateKey, SHA1CompleteExtend, CertifyKey, Extend, 
PCR_Reset, NV_ReadValue, NV_WriteValue, and others.  Some of the 
commands allow operations to succeed if a previously selected locality 
is also currently the chosen one. (If you have control over choosing the 
locality, at least that part won't prevent you from succeeding.)

http://www.trustedcomputinggroup.org/files/static_page_files/72C33D71-1A4B-B294-D02C7DF86630BE7C/TPM%20Main-Part%203%20Commands_v1.2_rev116_01032011.pdf

The worst would probably be if an application were to reset a PCR while 
another one is using that PCR, or just for malicious purposes. Not 
providing support for choosing locality would mean that applications 
could still use PCRs 16 and 23 for their own purposes and can compete 
for their exclusive usage, while being able to reset only those two.

Are there use cases for resetting PCRs from user space? If not, I'd not 
support choice of locality from user space.

     Stefan

>
> Is the kernel interested in using the TPM Locality feature? What for?
>
> Jason
>

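As an added illustration, not code from this thread, from the Linux tpm driver or from TrouSerS, here is a small C model of the mechanism Stefan describes: a per-fd locality chosen through a hypothetical ioctl (software may ask for localities 0-3 only, since locality 4 is reserved for hardware), TPM_PCR_Reset gated by a per-PCR reset-locality mask, and the Unseal-style check that the caller's current locality is in the set recorded at Seal time. The message itself only states that locality 0 can reset PCRs 16 and 23; the masks given for PCRs 17-22 are my reading of the PC Client implementation spec's PCR attribute table and should be treated as an assumption to verify against the spec. The struct and function names are invented for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_NUM_PCRS 24
#define TPM_LOC(l)   (1u << (l))   /* locality bit, TPM_LOCALITY_SELECTION style */
#define TPM_LOC_ALL  0x1Fu         /* localities 0..4 */

/* pcrResetLocal: localities allowed to issue TPM_PCR_Reset on each PCR.
 * ASSUMPTION: values for PCRs 17-22 are recalled from the PC Client
 * implementation spec's PCR attribute table; the thread only establishes
 * that PCRs 16 and 23 are resettable from locality 0. */
static const uint8_t pcr_reset_local[TPM_NUM_PCRS] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* PCR 0-15: never resettable */
    TPM_LOC_ALL,                /* 16: debug PCR, any locality          */
    TPM_LOC(4),                 /* 17: locality 4 (hardware, D-RTM)     */
    TPM_LOC(4),                 /* 18                                   */
    TPM_LOC(4),                 /* 19                                   */
    TPM_LOC(4) | TPM_LOC(2),    /* 20                                   */
    TPM_LOC(2),                 /* 21                                   */
    TPM_LOC(2),                 /* 22                                   */
    TPM_LOC_ALL,                /* 23: application PCR, any locality    */
};

struct tpm_file  { int locality; };                   /* state of one open /dev/tpm0 fd */
struct tpm_state { uint8_t pcr[TPM_NUM_PCRS][20]; };  /* 20-byte SHA-1 PCRs (TPM 1.2)   */

/* Hypothetical ioctl handler: the fd holder picks the locality used for
 * its commands. Locality 4 is hardware-only (TIS 1.3 section 2.2), so
 * only 0-3 may be requested from software. */
int tpm_ioctl_set_locality(struct tpm_file *f, int locality)
{
    if (locality < 0 || locality > 3)
        return -EINVAL;
    f->locality = locality;
    return 0;
}

/* TPM_PCR_Reset, gated by the pcrResetLocal mask of the target PCR. */
int tpm_pcr_reset(struct tpm_state *t, const struct tpm_file *f, unsigned pcr)
{
    if (pcr >= TPM_NUM_PCRS)
        return -EINVAL;
    if (!(pcr_reset_local[pcr] & TPM_LOC(f->locality)))
        return -EPERM;
    memset(t->pcr[pcr], 0, sizeof t->pcr[pcr]);
    return 0;
}

/* Bitmask (bit n = PCR n) of the PCRs a given locality is allowed to reset. */
uint32_t tpm_resettable_pcrs(int locality)
{
    uint32_t mask = 0;
    for (unsigned i = 0; i < TPM_NUM_PCRS; i++)
        if (pcr_reset_local[i] & TPM_LOC(locality))
            mask |= 1u << i;
    return mask;
}

/* Seal records a localityAtRelease set; Unseal only succeeds when the
 * caller's current locality is a member of that set. */
int tpm_unseal_locality_ok(uint8_t locality_at_release, const struct tpm_file *f)
{
    return (locality_at_release & TPM_LOC(f->locality)) != 0;
}

int main(void)
{
    struct tpm_state tpm;
    struct tpm_file app = { .locality = 0 };

    memset(&tpm, 0xAA, sizeof tpm);                    /* constructed PCR contents */
    printf("locality 0 may reset PCR mask 0x%06x\n", tpm_resettable_pcrs(0));
    printf("reset PCR 17 at locality 0 -> %d\n", tpm_pcr_reset(&tpm, &app, 17));
    printf("request locality 4        -> %d\n", tpm_ioctl_set_locality(&app, 4));
    tpm_ioctl_set_locality(&app, 2);
    printf("reset PCR 21 at locality 2 -> %d\n", tpm_pcr_reset(&tpm, &app, 21));
    return 0;
}
```

With no locality ioctl at all, every fd stays at locality 0 and `tpm_resettable_pcrs(0)` covers exactly PCRs 16 and 23, which is the situation Stefan argues is acceptable; once a caller can move to locality 2, the model shows it also gains PCRs 20-22, which is the sort of cross-application reset he warns about.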