lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 07 Oct 2014 14:47:06 -0400
From:	Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>
CC:	Andy Lutomirski <luto@...capital.net>,
	Peter Huewe <PeterHuewe@....de>, keyrings@...ux-nfs.org,
	jarkko.sakkinnen@...ux.intel.com,
	"ksummit-discuss@...ts.linuxfoundation.org" 
	<ksummit-discuss@...ts.linuxfoundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	LSM List <linux-security-module@...r.kernel.org>,
	tpmdd-devel@...ts.sourceforge.net,
	James Morris <james.l.morris@...cle.com>,
	linux-ima-devel@...ts.sourceforge.net,
	trousers-tech@...ts.sourceforge.net
Subject: Re: [tpmdd-devel] [TrouSerS-tech] [Ksummit-discuss] TPM MiniSummit
 @ LinuxCon Europe

On 10/07/2014 02:02 PM, Jason Gunthorpe wrote:
> On Tue, Oct 07, 2014 at 01:54:41PM -0400, Stefan Berger wrote:
>
>> Why add the complexity of swapping of authenticated sessions and keys
>> into the kernel if you can handle this in userspace? You need a library
>> that is aware of the number of key slots and slots for sessions in the
>> TPM and swaps them in at out when applications need them. Trousers is
>> such a library that was designed to cope with the limitations of the
>> device and make its functionality available to all applications that
>> want to access it.
> How does trousers work with the kernel when the kernel is also using
> TPM key slots for IMA/keyring/whatever?

IIRC it only uses a single key slot and swaps all keys in and out of 
that one. If the kernel was to fill up all key (and sessions) slots, TSS 
would probably not work anymore.

Another argument for the TSS is that you also wouldn't want applications 
to swap out each others keys and sessions and leave them out or assume 
that they would always cleanup if they do not currently need them.

Regards,
    Stefan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ