lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Mar 2022 10:58:17 +0000
From:   Jonathan McDowell <noodles@...com>
To:     Greg KH <gregkh@...uxfoundation.org>
CC:     Dmitrii Okunev <xaionaro@...com>,
        Hans de Goede <hdegoede@...hat.com>,
        Mark Gross <markgross@...nel.org>,
        Qiaowei Ren <qiaowei.ren@...el.com>,
        Matthew Garrett <mjg59@...f.ucam.org>,
        Xiaoyan Zhang <xiaoyan.zhang@...el.com>,
        Pavel Machek <pavel@...x.de>,
        "x86@...nel.org" <x86@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "platform-driver-x86@...r.kernel.org" 
        <platform-driver-x86@...r.kernel.org>
Subject: Re: [RFC PATCH] platform/x86: Add sysfs interface for Intel TXT
 status

On Wed, Mar 09, 2022 at 11:48:23AM +0100, Greg KH wrote:
> On Wed, Mar 09, 2022 at 10:40:03AM +0000, Jonathan McDowell wrote:
> > (This is an RFC to see if the approach is generally acceptable; unlike
> > the previous driver this exposes the information purely as read-only
> > status information, so userspace can make an informed decision about the
> > system state without having to poke about in /dev/mem. There are still a
> > few extra registers I'm trying to dig up information for before a proper
> > submission.)
> > 
> > This module provides read-only access to the Intel TXT (Trusted
> > Execution Technology) status registers, allowing userspace to determine
> > the status of measured boot and whether the dynamic root of trust for
> > measurement (DRTM) has been fully enabled.
> > 
> > Tools such as txt-stat from tboot
> > <https://sourceforge.net/projects/tboot/ > can make use of this driver to
> > display state rather than relying on access to /dev/mem.
> > 
> > See Documentation/x86/intel_txt.rst for more information about Intel
> > TXT.
> > 
> > Signed-off-by: Jonathan McDowell <noodles@...com>
> > ---
> >  arch/x86/include/asm/txt.h             |  34 +++++
> >  drivers/platform/x86/intel/Kconfig     |  14 ++
> >  drivers/platform/x86/intel/Makefile    |   2 +
> >  drivers/platform/x86/intel/txt_sysfs.c | 185 +++++++++++++++++++++++++
> 
> No Documentation/ABI/ entry for your new sysfs entry?  How can we
> evaluate if this is a good api then?

As a read-only export of configuration registers is a full set of info
in Documentation/ABI/ required? I didn't get a feel for how required
that was from the existing files there.

> Wait, I don't see any sysfs code in here, are you sure you sent a viable
> patch?

The export to sysfs is via securityfs, as that seemed to be the
appropriate route (it fits into a similar area as
/sys/kernel/security/integrity/ima/ or /sys/kernel/security/tpm0/,
providing userspace with some visibility of what the kernel thinks the
state is).

J.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ