| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <321c09c7cb2edb113ce9a829d37c0ae5c835e17f.camel@HansenPartnership.com> Date: Fri, 01 Aug 2025 14:53:09 -0400 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Eric Biggers <ebiggers@...nel.org> Cc: Peter Huewe <peterhuewe@....de>, Jarkko Sakkinen <jarkko@...nel.org>, linux-integrity@...r.kernel.org, Jason Gunthorpe <jgg@...pe.ca>, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org Subject: Re: [PATCH 1/2] tpm: Compare HMAC values in constant time On Fri, 2025-08-01 at 11:40 -0700, Eric Biggers wrote: > On Fri, Aug 01, 2025 at 02:03:47PM -0400, James Bottomley wrote: > > On Fri, 2025-08-01 at 10:11 -0700, Eric Biggers wrote: [...] > > > It's true that such attacks don't work with one-time keys. But > > > here it's not necessarily a one-time key. E.g., > > > tpm2_get_random() sets a key, then authenticates multiple > > > messages using that key. > > > > The nonces come one from us and one from the TPM. I think ours > > doesn't change if the session is continued although it could, > > whereas the TPM one does, so the HMAC key is different for every > > communication of a continued session. > > Again, tpm2_get_random() sets a HMAC key once and then uses it > multiple times. No it doesn't. If you actually read the code, you'd find it does what I say above. Specifically tpm_buf_fill_hmac_session() which is called inside that loop recalculates the hmac key from the nonces. This recalculated key is what is used in tpm_buf_check_hmac_response(), and which is where the new tpm nonce is collected for the next iteration. Regards, James
Powered by blists - more mailing lists