From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: tpmdd-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
Peter Huewe <peterhuewe@gmx.de>,
Marcel Selhorst <tpmdd@selhorst.net>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC] tpm: define a command filter
Date: Wed, 25 Jan 2017 22:21:37 +0200 [thread overview]
Message-ID: <20170125202137.7bsv7lptvpzl2fjz@intel.com> (raw)
In-Reply-To: <20170124190707.GA9899@obsidianresearch.com>
On Tue, Jan 24, 2017 at 12:07:07PM -0700, Jason Gunthorpe wrote:
> On Tue, Jan 24, 2017 at 04:36:00PM +0200, Jarkko Sakkinen wrote:
> > On Mon, Jan 23, 2017 at 05:19:18PM -0700, Jason Gunthorpe wrote:
> > > On Tue, Jan 24, 2017 at 02:02:52AM +0200, Jarkko Sakkinen wrote:
> > > > This commit adds a command filter for whitelisting a set of commands in
> > > > a TPM space. When a TPM space is created through /dev/tpms0, no
> > > > commands are allowed. The user of the TPM space must explicitly define
> > > > the list of commands allowed before sending any commands. This ioctl is
> > > > a one shot call so that a resource manager daemon can call it before
> > > > sending the file descriptor to the client.
> > >
> > > I don't think it makes sense to have a daemon in user space that
> > > passes an open'd /dev/tpms0 FD directly to a client..
> > >
> > > It is trivial and more powerful to just proxy the messages. Can you
> > > see some reason why passing a FD through a daemon would make sense?
> > >
> > > The earlier discussion with James was to have some way to apply a
> > > global command filter to all tpms0 users with the idea that the
> > > 'right' restricted command set would enable a 0666 cdev node, and no
> > > daemon.
> >
> > Is that a conflicting goal?
> >
> > Maybe the ioctl could be restricted by CAP_MAC_ADMIN in that case?
>
> I think you need to spell out a clear use case for how userspace
> should use this filter feature and why having the kernel involved is a
> necessary element.
>
> Driving userspace from the kernel uAPI design is a bit tricky without
> participation from people writing the user space code.
>
> > How would you propose to change the code below? I guess the "core
> > code" is about right and this is more about API, am I right?
>
> Generally, I'm of the opinion it is better to introduce the minimal
> amount of uAPI at this point and wait until people working on
> userspace figure out basic questions like, will there be a TPM2 daemon
> or not..
>
> I would focus now on getting the RFC series finished up, hook the
> kAPI users into spaces and get it to the point where it does let
> user & kernel safely share the TPM.
>
> Jason
There should be anyway someway to limit what commands can be sent but
I understand your point.
Would it make more sense to have a sysfs file for configuring the
global filter that would get the data in the same format (list of
16-bit words)?
/Jarkko
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
open list <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH RFC] tpm: define a command filter
Date: Wed, 25 Jan 2017 22:21:37 +0200 [thread overview]
Message-ID: <20170125202137.7bsv7lptvpzl2fjz@intel.com> (raw)
In-Reply-To: <20170124190707.GA9899-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
On Tue, Jan 24, 2017 at 12:07:07PM -0700, Jason Gunthorpe wrote:
> On Tue, Jan 24, 2017 at 04:36:00PM +0200, Jarkko Sakkinen wrote:
> > On Mon, Jan 23, 2017 at 05:19:18PM -0700, Jason Gunthorpe wrote:
> > > On Tue, Jan 24, 2017 at 02:02:52AM +0200, Jarkko Sakkinen wrote:
> > > > This commit adds a command filter for whitelisting a set of commands in
> > > > a TPM space. When a TPM space is created through /dev/tpms0, no
> > > > commands are allowed. The user of the TPM space must explicitly define
> > > > the list of commands allowed before sending any commands. This ioctl is
> > > > a one shot call so that a resource manager daemon can call it before
> > > > sending the file descriptor to the client.
> > >
> > > I don't think it makes sense to have a daemon in user space that
> > > passes an open'd /dev/tpms0 FD directly to a client..
> > >
> > > It is trivial and more powerful to just proxy the messages. Can you
> > > see some reason why passing a FD through a daemon would make sense?
> > >
> > > The earlier discussion with James was to have some way to apply a
> > > global command filter to all tpms0 users with the idea that the
> > > 'right' restricted command set would enable a 0666 cdev node, and no
> > > daemon.
> >
> > Is that a conflicting goal?
> >
> > Maybe the ioctl could be restricted by CAP_MAC_ADMIN in that case?
>
> I think you need to spell out a clear use case for how userspace
> should use this filter feature and why having the kernel involved is a
> necessary element.
>
> Driving userspace from the kernel uAPI design is a bit tricky without
> participation from people writing the user space code.
>
> > How would you propose to change the code below? I guess the "core
> > code" is about right and this is more about API, am I right?
>
> Generally, I'm of the opinion it is better to introduce the minimal
> amount of uAPI at this point and wait until people working on
> userspace figure out basic questions like, will there be a TPM2 daemon
> or not..
>
> I would focus now on getting the RFC series finished up, hook the
> kAPI users into spaces and get it to the point where it does let
> user & kernel safely share the TPM.
>
> Jason
There should be anyway someway to limit what commands can be sent but
I understand your point.
Would it make more sense to have a sysfs file for configuring the
global filter that would get the data in the same format (list of
16-bit words)?
/Jarkko
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
next prev parent reply other threads:[~2017-01-25 20:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-24 0:02 [PATCH RFC] tpm: define a command filter Jarkko Sakkinen
2017-01-24 0:02 ` Jarkko Sakkinen
2017-01-24 0:19 ` Jason Gunthorpe
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 19:07 ` Jason Gunthorpe
2017-01-25 20:21 ` Jarkko Sakkinen [this message]
2017-01-25 20:21 ` Jarkko Sakkinen
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-26 11:14 ` Jarkko Sakkinen
2017-01-26 18:05 ` Jason Gunthorpe
2017-01-27 6:42 ` Jarkko Sakkinen
2017-01-27 6:42 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170125202137.7bsv7lptvpzl2fjz@intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.