lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Jan 2017 22:34:52 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     James Morris <jmorris@...ei.org>
Cc:     Kenneth Goldman <kgoldman@...ibm.com>,
        "moderated list:TPM DEVICE DRIVER" 
        <tpmdd-devel@...ts.sourceforge.net>,
        open list <linux-kernel@...r.kernel.org>,
        linux-security-module@...r.kernel.org
Subject: Re: Fwd: Re: [tpmdd-devel] [PATCH v9 2/2] tpm: add securityfs
 support,for TPM 2.0 firmware event log

On Tue, Jan 31, 2017 at 07:46:59PM +0200, Jarkko Sakkinen wrote:
> On Mon, Jan 30, 2017 at 03:08:42PM +0530, Nayna wrote:
> > 
> > > From: "Ken Goldman" <kgold@...ux.vnet.ibm.com
> > > <mailto:kgold@...ux.vnet.ibm.com>>
> > > Date: 26-Jan-2017 2:53 AM
> > > Subject: Re: [tpmdd-devel] [PATCH v9 2/2] tpm: add securityfs
> > > support,for TPM 2.0 firmware event log
> > > To: <linux-kernel@...r.kernel.org
> > > <mailto:linux-kernel@...r.kernel.org>>,
> > > <linux-security-module@...r.kernel.org
> > > <mailto:linux-security-module@...r.kernel.org>>,
> > > <tpmdd-devel@...ts.sourceforge.net
> > > <mailto:tpmdd-devel@...ts.sourceforge.net>>
> > > Cc:
> > > 
> > >     You do not need to send a new patch set version as long as this
> > >     one gets peer tested. And it needs to be tested without hacks
> > >     like plumbing TCPA with TPM 2.0 in QEMU. OF code paths needs to
> > >     be peer tested to be more specific.
> > > 
> > >     For me the code itself looks good but I simply cannot take it in
> > >     in the current situation.
> > > 
> > >     /Jarkko
> > > 
> > > 
> > > Tested-by: Kenneth Goldman <kgold@...ux.vnet.ibm.com
> > > <mailto:kgold@...ux.vnet.ibm.com>>
> > > 
> > > I validated a firmware event log taken from a Power 8 against PCR 0-7
> > > values for the SHA-1 and SHA-256 banks from a Nuvoton TPM 2.0 chip on
> > > that same platform.
> > > 
> > 
> > Thank You Ken.
> > 
> > Jarkko, I hope now these patches can be accepted for 4.11.
> > 
> > Thanks & Regards,
> >    - Nayna
> 
> I already sent my pull request to 4.11 and even today I found something
> fishy. You declared a function local array by using a variable in "tpm:
> enhance TPM 2.0 PCR extend to support multiple banks" (max_active_banks
> or something). And the event log patches have just passed the review. 
> 
> I've applied them to my tree but I'll only include bug fixes for 4.11
> pull requests. You'll have to wait till' 4.12.

James,

The discussion is about two features:

1. Extension to tpm_pcr_extend() (used by IMA) to extend all PCR banks
   instead of just SHA-1 banks. It is recommended by TCG to do so in
   order to prevent malicious use of PCRs.
2. TPM 2.0 event log with backend support for OF device tree (for
   getting address where you can grab it).

These are required as baseline to implement full TPM 2.0 support for
IMA. The commits are fairly well baked and went through many iterations.
I've tested tpm_pcr_extend() patches. I haven't tested event log patches
but have extensively reviewed them and Ken Goldman has tested them with
POWER hardware.

I don't believe that there is major risk to put them already into 4.11
but it is fairly late so I just want a second opinion before putting
them into pull request.

I have some small scoped bug fixes that I will send to you in any case
(unrelated to this work).

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ