lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 26 Jan 2017 13:14:03 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org,
        Peter Huewe <peterhuewe@....de>,
        Marcel Selhorst <tpmdd@...horst.net>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH RFC] tpm: define a command filter

On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote:
> On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote:
> 
> > There should be anyway someway to limit what commands can be sent but
> > I understand your point.
> 
> What is the filter for?
> 
> James and I talked about a filter to create a safer cdev for use by
> users. However tpms0 cannot be that 'safer' cdev - it is now the 'all
> access' path.

What do you mean by "safer cdev"?

> I also suggested a filter in the kernel to ensure that the RM is only
> passing commands it actually knows it handles properly. eg you would
> filter out list handles. That is hardwired into the kernel, and does
> not ge to be configured by user space.

In many cases you would want to limit the set of operations that client
can use.  For example, not every client needs NV operations. In general
you might want to have mechanism for limiting privileges. I haven't
really considered this from the perspective that you've been discussing
but more from the "principle of least privilege" perspective.

Are you suggesting that in such cases you could just create daemon for
proxying the traffic (when you want to limit privileges)? You could just
make that daemon a whole lot simpler if it just needs to pass the file
desriptor to the client after defining the set of operations that the
client can use.

This is a high priority decision to make because it's hard to apply
principle of least privilege (with everything disallowed defaultts)
if it is not done in the first place.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ