[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Dec 2019 12:49:01 -0800
From: Tadeusz Struk <tadeusz.struk@...el.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
jarkko.sakkinen@...ux.intel.com
Cc: peterz@...radead.org, linux-kernel@...r.kernel.org, jgg@...pe.ca,
mingo@...hat.com, jeffrin@...agiritech.edu.in,
linux-integrity@...r.kernel.org, will@...nel.org, peterhuewe@....de
Subject: Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong
auth/policy test
On 12/12/19 11:51 AM, James Bottomley wrote:
> TPM2_Clear reprovisions the SPS ... that would make all currently
> exported TPM keys go invalid. I know these tests should be connected
> to a vTPM, so doing this should be safe, but if this accidentally got
> executed on your laptop all TPM relying functions would be disrupted,
> which doesn't seem to be the best thing to hard wire into a test.
That is true, but it will need to be executed as root, and root
should know what she/he is doing ;)
>
> What about doing a TPM2_DictionaryAttackLockReset instead, which is the
> least invasive route to fixing the problem ... provided you know what
> the lockout authorization is.
I can change tpm2_clear to tpm2_dictionarylockout -c if we want to make
it foolproof. In this case we can assume that the lockout auth is empty.
--
Tadeusz
Powered by blists - more mailing lists