[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1485560933.3229.36.camel@HansenPartnership.com>
Date: Fri, 27 Jan 2017 15:48:53 -0800
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc: Ken Goldman <kgoldman@...ibm.com>,
tpmdd-devel@...ts.sourceforge.net,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [tpmdd-devel] [RFC] tpm2-space: add handling for global session
exhaustion
On Fri, 2017-01-27 at 16:35 -0700, Jason Gunthorpe wrote:
> On Fri, Jan 27, 2017 at 02:04:59PM -0800, James Bottomley wrote:
>
> > if I look at the code I've written, I don't know what the session
> > number is, I just save sessionHandle in a variable for later use
> > (lets say to v1). If I got the same session number returned at a
> > later time and placed it in v2, all I'd notice is that an
> > authorization using v1 would fail.
>
> Is there any way that could be used to cause an op thinking it is
> using v1 to authorize something it shouldn't?
Not really: in the parameter or HMAC case, you have to compute based on
the initial nonce given by the TPM when the session was created.
Assuming the initial nonce belonged to the evicted session, the HMAC
will now fail because the nonce of the v2 session is different. There
is a corner case where you track the nonce in a table indexed by
handle, so when v2 is created, its nonce replaces the old v1 nonce in
the table. Now you can use v1 and v2 without error (because use picks
up the correct nonce) and effectively they're interchangeable as the
same session. Even in this case, you're not authorising something you
shouldn't, you're just using one session for the authorisations where
you thought you had two.
James
Powered by blists - more mailing lists