lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <56703d75-b238-0bad-386a-5b6963e250a1@linux.vnet.ibm.com>
Date:   Thu, 4 May 2017 13:13:18 -0400
From:   Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:     Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org,
        jarkko.sakkinen@...ux.intel.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/3] tpm: vtpm_proxy: Implement new ioctl to get
 supported flags

On 05/04/2017 11:34 AM, Jason Gunthorpe wrote:
> On Thu, May 04, 2017 at 10:56:25AM -0400, Stefan Berger wrote:
>> Implement VTPM_PROXY_IOC_GET_SUPT_FLAGS ioctl to get the bitmask
>> of flags that the vtpm_proxy driver supports in the
>> VTPM_PROXY_IOC_NEW_DEV ioctl. This helps user space in deciding
>> which flags to set in that ioctl.
> you might be better off just having a VTPM_PROXY_IO_ENABLE_FEATURE
> .feature = LOCALITY

Do you have an example driver that shows how to do this ? Can user space 
query that feature?

>
> If that fails then the feature is not supported, no real need for the
> query in that case.
>
> Not sure about Jarkko's point on request/release locality.. Is there a
> scenario where the emulator should fail the request locality?

We could filter localities 5 and higher on the level of the driver 
(patch 2/3) since basically there are only 5 localities (0-4) in any TPM 
interface today. The typical hardware locality 4 would be filtered by 
the emulator per policy passed via command line, but I would allow it on 
the level of this driver. An error message would be returned for any 
command executed in that locality, unless the 'policy' allows it. 
Localities 0-3 should just be selectable. The TPM TIS (in the hardware) 
implements some complicated scheme when it comes to allowing the 
selection of a locality and I would say we need none of that but just 
tell the vTPM proxy driver the locality (patch 2/3) in which the next 
command will be executed.


>
> Jason
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ