lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190802142721.GA26616@elm>
Date:   Fri, 2 Aug 2019 09:27:22 -0500
From:   Tyler Hicks <tyhicks@...onical.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     jejb@...ux.ibm.com, zohar@...ux.ibm.com, jgg@...pe.ca,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, crazyt2019+lml@...il.com,
        nayna@...ux.vnet.ibm.com, silviu.vlasceanu@...wei.com
Subject: Re: [PATCH] KEYS: trusted: allow module init if TPM is inactive or
 deactivated

On 2019-08-02 10:21:16, Roberto Sassu wrote:
> On 8/1/2019 6:32 PM, Jarkko Sakkinen wrote:
> > On Mon, Jul 15, 2019 at 06:44:28PM +0200, Roberto Sassu wrote:
> > > According to the bug report at https://bugs.archlinux.org/task/62678,
> > > the trusted module is a dependency of the ecryptfs module. We should
> > > load the trusted module even if the TPM is inactive or deactivated.
> > > 
> > > Given that commit 782779b60faa ("tpm: Actually fail on TPM errors during
> > > "get random"") changes the return code of tpm_get_random(), the patch
> > > should be modified to ignore the -EIO error. I will send a new version.
> > 
> > Do you have information where this dependency comes from?
> 
> ecryptfs retrieves the encryption key from encrypted keys (see
> ecryptfs_get_encrypted_key()).

That has been there for many years with any problems. It was added
in 2011:

 commit 1252cc3b232e582e887623dc5f70979418caaaa2
 Author: Roberto Sassu <roberto.sassu@...ito.it>
 Date:   Mon Jun 27 13:45:45 2011 +0200

     eCryptfs: added support for the encrypted key type

What's recently changed the situation is this patch:

 commit 240730437deb213a58915830884e1a99045624dc
 Author: Roberto Sassu <roberto.sassu@...wei.com>
 Date:   Wed Feb 6 17:24:51 2019 +0100

     KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()

Now eCryptfs has a hard dependency on a TPM chip that's working
as expected even if eCryptfs (or the rest of the system) isn't utilizing
the TPM. If the TPM behaves unexpectedly, you can't access your files.
We need to get this straightened out soon.

Tyler

> 
> Roberto
> 
> -- 
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Li Jian, Shi Yanli

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ