From: Ken Goldman <kgold@linux.ibm.com>
To: Linux Integrity <linux-integrity@vger.kernel.org>
Subject: /dev/tpmrm0 session handling
Date: Mon, 28 Jun 2021 18:22:17 -0400	[thread overview]
Message-ID: <4b47a04b-0a1e-15d1-fccc-938e0fdfc19f@linux.ibm.com> (raw)


Two questions:

1 - I create a session in one process and context save it.  In another
process, I flushcontext, and it flushes the saved context.

I would not have expected a process to be able to flush another
process' context.  Is this working as designed?

2 - This is a more basic question.

One process creates a session, context saves it, and then exits -
maliciously or due to a bug.  This saved session will be there
until eventually startauthsession fails due to the context
gap issue.

Or an errant process starts and context saves 64 sessions,
which blocks any process from starting a session.

The new process can recover by picking some session and flushing
it (which works due to #1) but that breaks another process.

What I expected - perhaps worth discussing:

Save and load context would be used solely by the resource manager
to swap.  The RM, upon detecting a close() or an exiting process,
would flush all resources associated with that process, including
active sessions.

(The Windows resource manager blocks context save and load.)
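A defender-side check for the exhaustion scenario described in the second question, added here as an example and not part of the original mail: it counts the session handles a TPM reports via tpm2-tools and warns before the session pool is used up. It assumes tpm2_getcap's "- 0x..." list output for the `handles-saved-session` and `handles-loaded-session` queries, and a pool of 64 sessions (the figure the mail quotes); the sample handle lists are constructed, not captured from a real TPM.

```python
"""Report TPM session-pool usage so an errant process that context-saves
sessions and never flushes them is noticed before startauthsession fails."""
import re
import subprocess

MAX_ACTIVE_SESSIONS = 64  # assumed pool size (the number used in the mail)
HANDLE_RE = re.compile(r"^\s*-\s*(0x[0-9a-fA-F]+)\s*$")


def parse_handles(getcap_output: str) -> list:
    """Parse the '- 0x...' list that tpm2_getcap prints for handle queries (assumed format)."""
    return [int(m.group(1), 16)
            for m in (HANDLE_RE.match(line) for line in getcap_output.splitlines())
            if m]


def is_session_handle(handle: int) -> bool:
    """TPM 2.0 handle types 0x02 (HMAC session) and 0x03 (policy session)."""
    return (handle >> 24) in (0x02, 0x03)


def session_report(saved: list, loaded: list, warn_at: int = 56) -> dict:
    """Summarise how many sessions are held (saved or loaded) and flag
    when the pool is close to the point where new sessions cannot start."""
    in_use = {h for h in saved + loaded if is_session_handle(h)}
    return {
        "in_use": len(in_use),
        "free": MAX_ACTIVE_SESSIONS - len(in_use),
        "warning": len(in_use) >= warn_at,
    }


def query_tpm() -> dict:
    """Run the two assumed tpm2_getcap queries against the local TPM and report."""
    handles = {}
    for cap in ("handles-saved-session", "handles-loaded-session"):
        res = subprocess.run(["tpm2_getcap", cap], capture_output=True, text=True, check=True)
        handles[cap] = parse_handles(res.stdout)
    return session_report(handles["handles-saved-session"], handles["handles-loaded-session"])


# Constructed sample output: 60 saved HMAC sessions plus 2 loaded policy sessions.
SAMPLE_SAVED = "\n".join(f"- 0x{0x02000000 + i:08x}" for i in range(60))
SAMPLE_LOADED = "- 0x03000000\n- 0x03000001\n"

if __name__ == "__main__":
    print(session_report(parse_handles(SAMPLE_SAVED), parse_handles(SAMPLE_LOADED)))
```

Run `query_tpm()` periodically (for example from a cron job) on a host with tpm2-tools installed; a steadily climbing `in_use` count with no matching process activity points at the leak the mail describes.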


