lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YJlyl+Eie/+G3l4S@kernel.org>
Date:   Mon, 10 May 2021 20:51:19 +0300
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     amirmizi6@...il.com
Cc:     Eyal.Cohen@...oton.com, jarkko.sakkinen@...ux.intel.com,
        peterhuewe@....de, jgg@...pe.ca, linux-kernel@...r.kernel.org,
        linux-integrity@...r.kernel.org, Dan.Morav@...oton.com,
        oren.tanami@...oton.com, shmulik.hager@...oton.com,
        amir.mizinski@...oton.com
Subject: Re: [PATCH v1] tpm2: add longer timeout for verify signature command

On Mon, May 10, 2021 at 05:27:19PM +0300, amirmizi6@...il.com wrote:
> From: Amir Mizinski <amirmizi6@...il.com>
> 
> TPM2_CC_VERIFY_SIGNATURE(0x177) Current timeout does not apply to usage with
> RSA 3070-bit keys.

I don't understand what this sentence means.

Better excuse for making the whole change would be to:

1. If possible put a snippet of the klog transcript what happens to you.
2. You probably want rationalize this change for the reason that, since the
   TPM PC Client specification does not specify any specific number, and
   you have a corner case to show, it's best to pick the longest timeout,
   i.e. TPM_LONG_LONG.

> Additional time may be required for usage with RSA 3070-bit keys. Therefore, the
> timeout of TPM2_CC_VERIFY_SIGNATURE is set to 3 minutes (TPM_LONG_LONG).
> 
> Signed-off-by: Amir Mizinski <amirmizi6@...il.com>

Please, re-phrase : "Set duration for TPM2_CC_VERIFY_SIGNATUE to
TPM_LONG_LONG (3 minutes)".  Imperative way to express things is always
better, and "timeout" is a concept of its own, separate from "duration" in
TPM jargon.

> ---
>  drivers/char/tpm/tpm2-cmd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index eff1f12..235a454 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -87,7 +87,7 @@ static u8 tpm2_ordinal_duration_index(u32 ordinal)
>  		return TPM_MEDIUM;
>  
>  	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
> -		return TPM_LONG;
> +		return TPM_LONG_LONG;
>  
>  	case TPM2_CC_PCR_EXTEND:              /* 182 */
>  		return TPM_MEDIUM;
> -- 
> 2.7.4
> 
> 

The commit message needs rework because now it makes no sense. With the
correct rationalization this probably would make sense.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ