lists.openwall.net: Open Source and information security mailing list archives
Date:   Thu, 12 Dec 2019 14:51:03 -0500
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Tadeusz Struk <tadeusz.struk@...el.com>,
        jarkko.sakkinen@...ux.intel.com
Cc:     peterz@...radead.org, linux-kernel@...r.kernel.org, jgg@...pe.ca,
        mingo@...hat.com, jeffrin@...agiritech.edu.in,
        linux-integrity@...r.kernel.org, will@...nel.org, peterhuewe@....de
Subject: Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong
 auth/policy test

On Thu, 2019-12-12 at 09:48 -0800, Tadeusz Struk wrote:
> Unseal with wrong auth or wrong policy test affects DA lockout
> and eventually causes the tests to fail with:
> "ProtocolError: TPM_RC_LOCKOUT: rc=0x00000921"
> when the tests run multiple times.
> Send tpm clear command after the test to reset the DA counters.
> 
> Signed-off-by: Tadeusz Struk <tadeusz.struk@...el.com>
> ---
>  tools/testing/selftests/tpm2/test_smoke.sh |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/tools/testing/selftests/tpm2/test_smoke.sh
> b/tools/testing/selftests/tpm2/test_smoke.sh
> index cb54ab637ea6..8155c2ea7ccb 100755
> --- a/tools/testing/selftests/tpm2/test_smoke.sh
> +++ b/tools/testing/selftests/tpm2/test_smoke.sh
> @@ -3,3 +3,8 @@
>  
>  python -m unittest -v tpm2_tests.SmokeTest
>  python -m unittest -v tpm2_tests.AsyncTest
> +
> +CLEAR_CMD=$(which tpm2_clear)
> +if [ -n $CLEAR_CMD ]; then
> +	tpm2_clear -T device
> +fi
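Review bot: the presence check `if [ -n $CLEAR_CMD ]; then` does not do what it intends when tpm2_clear is not installed: $CLEAR_CMD is then empty and, being unquoted, disappears, so the test collapses to `[ -n ]`, which is true (a one-argument test succeeds for any non-empty string, here "-n"), and the script goes on to invoke a command that does not exist. Quote the variable, `if [ -n "$CLEAR_CMD" ]; then`, and either use the looked-up path (`"$CLEAR_CMD" -T device`) or drop the variable altogether in favour of `if command -v tpm2_clear >/dev/null 2>&1; then`, since `which` is not guaranteed by POSIX. Separately, the branch body issues TPM2_Clear unconditionally against whatever `-T device` resolves to, with no guard that it is the software TPM the tests are meant to run against; the reply below raises the same concern.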

TPM2_Clear reprovisions the SPS ... that would make all currently
exported TPM keys go invalid.  I know these tests should be connected
to a vTPM, so doing this should be safe, but if this accidentally got
executed on your laptop all TPM relying functions would be disrupted,
which doesn't seem to be the best thing to hard wire into a test.

What about doing a TPM2_DictionaryAttackLockReset instead, which is the
least invasive route to fixing the problem ... provided you know what
the lockout authorization is.

James
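The two commands the reply contrasts differ by one command code but not in cost: TPM2_DictionaryAttackLockReset only resets the DA failure counter and lockout state, while TPM2_Clear also regenerates the storage primary seed and so invalidates every key under the storage hierarchy. The following is an added example, not code from the patch, the thread or the kernel selftests: it marshals both commands as raw bytes in the same style as the selftests' tpm2.py (header, handle area, authorizationSize, a TPM_RS_PW password-session authorization area) and decodes the TPM_RC_LOCKOUT response the commit message quotes. The constant values are from the TPM 2.0 Library specification, Part 2; the function names, the constructed response bytes and the device path in send_raw() are assumptions of this example.

```python
"""Added example (not part of the original patch or thread): build the two TPM 2.0
commands under discussion as raw byte strings and decode the TPM_RC_LOCKOUT
response quoted in the commit message.  Nothing here touches a TPM unless
send_raw() is called explicitly.
"""
import os
import struct

# Values from TPM 2.0 Library spec, Part 2 (Structures).
TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_Clear = 0x00000126
TPM_CC_DictionaryAttackLockReset = 0x00000139
TPM_RH_LOCKOUT = 0x4000000A          # lockoutAuth authorizes both commands
TPM_RS_PW = 0x40000009               # plain password authorization session
TPM_RC_SUCCESS = 0x000
RC_WARN = 0x900
TPM_RC_LOCKOUT = RC_WARN + 0x21      # 0x921, the code in the commit message

HEADER = struct.Struct(">HII")       # tag, commandSize/responseSize, commandCode/responseCode


def password_auth_area(password: bytes) -> bytes:
    """TPMS_AUTH_COMMAND for a TPM_RS_PW session: session handle, empty
    nonceCaller, sessionAttributes (no continueSession), hmac = password."""
    return (struct.pack(">I", TPM_RS_PW)
            + struct.pack(">H", 0)                          # nonceCaller: TPM2B, size 0
            + struct.pack(">B", 0)                          # sessionAttributes
            + struct.pack(">H", len(password)) + password)  # hmac: TPM2B_AUTH


def build_command(cc: int, handles: list, password: bytes, params: bytes = b"") -> bytes:
    """Marshal a TPM_ST_SESSIONS command: header, handle area, authorizationSize,
    authorization area, then the parameter area (empty for both commands here)."""
    auth = password_auth_area(password)
    body = (b"".join(struct.pack(">I", h) for h in handles)
            + struct.pack(">I", len(auth)) + auth + params)
    return HEADER.pack(TPM_ST_SESSIONS, HEADER.size + len(body), cc) + body


def da_lock_reset_command(lockout_auth: bytes = b"") -> bytes:
    """TPM2_DictionaryAttackLockReset: clears the DA failure counter and the
    lockout state, nothing else.  lockHandle must be TPM_RH_LOCKOUT."""
    return build_command(TPM_CC_DictionaryAttackLockReset, [TPM_RH_LOCKOUT], lockout_auth)


def clear_command(lockout_auth: bytes = b"") -> bytes:
    """TPM2_Clear authorized by lockoutAuth: besides resetting DA state it
    regenerates the storage primary seed, orphaning every storage-hierarchy key."""
    return build_command(TPM_CC_Clear, [TPM_RH_LOCKOUT], lockout_auth)


def parse_response(resp: bytes) -> tuple:
    """Return (responseCode, name).  Error responses always carry
    TPM_ST_NO_SESSIONS and are exactly one header (10 bytes) long."""
    if len(resp) < HEADER.size:
        raise ValueError("short response")
    tag, size, rc = HEADER.unpack_from(resp)
    if size != len(resp):
        raise ValueError("responseSize %d != %d bytes received" % (size, len(resp)))
    names = {TPM_RC_SUCCESS: "TPM_RC_SUCCESS", TPM_RC_LOCKOUT: "TPM_RC_LOCKOUT"}
    return rc, names.get(rc, "rc=0x%08x" % rc)


def send_raw(cmd: bytes, device: str = "/dev/tpm0") -> bytes:
    """Write one command to the TPM character device and read the response back,
    one write and one read as the selftests' tpm2.py does.  Assumed device path;
    only ever called explicitly, never from the offline checks."""
    fd = os.open(device, os.O_RDWR)
    try:
        os.write(fd, cmd)
        return os.read(fd, 4096)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed response bytes: what a locked-out TPM returns to the unseal test.
    locked = bytes.fromhex("80010000000a00000921")
    print(parse_response(locked))            # (2337, 'TPM_RC_LOCKOUT')
    print(da_lock_reset_command().hex())     # 27-byte command, empty lockoutAuth
    print(clear_command().hex())             # same shape, command code 0x126
```

With an empty lockoutAuth both commands are 27 bytes and differ only in the command code; with a non-empty lockoutAuth the password travels in the hmac field of the TPM_RS_PW authorization area, which is exactly why the reply's suggestion is conditional on knowing the lockout authorization. A DA reset leaves the storage primary seed, and therefore all existing keys, untouched, which is the "least invasive" property being argued for.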
