From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: tpmdd-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
Peter Huewe <peterhuewe@gmx.de>,
Marcel Selhorst <tpmdd@selhorst.net>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC] tpm: define a command filter
Date: Thu, 26 Jan 2017 13:14:03 +0200 [thread overview]
Message-ID: <20170126111403.ql6np2qulifxxw3p@intel.com> (raw)
In-Reply-To: <20170125221136.GA713@obsidianresearch.com>
On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote:
> On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote:
>
> > There should be anyway someway to limit what commands can be sent but
> > I understand your point.
>
> What is the filter for?
>
> James and I talked about a filter to create a safer cdev for use by
> users. However tpms0 cannot be that 'safer' cdev - it is now the 'all
> access' path.
What do you mean by "safer cdev"?
> I also suggested a filter in the kernel to ensure that the RM is only
> passing commands it actually knows it handles properly. eg you would
> filter out list handles. That is hardwired into the kernel, and does
> not ge to be configured by user space.
In many cases you would want to limit the set of operations that client
can use. For example, not every client needs NV operations. In general
you might want to have mechanism for limiting privileges. I haven't
really considered this from the perspective that you've been discussing
but more from the "principle of least privilege" perspective.
Are you suggesting that in such cases you could just create daemon for
proxying the traffic (when you want to limit privileges)? You could just
make that daemon a whole lot simpler if it just needs to pass the file
desriptor to the client after defining the set of operations that the
client can use.
This is a high priority decision to make because it's hard to apply
principle of least privilege (with everything disallowed defaultts)
if it is not done in the first place.
/Jarkko
next prev parent reply other threads:[~2017-01-26 11:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-24 0:02 [PATCH RFC] tpm: define a command filter Jarkko Sakkinen
2017-01-24 0:02 ` Jarkko Sakkinen
2017-01-24 0:19 ` Jason Gunthorpe
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 19:07 ` Jason Gunthorpe
2017-01-25 20:21 ` Jarkko Sakkinen
2017-01-25 20:21 ` Jarkko Sakkinen
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-26 11:14 ` Jarkko Sakkinen [this message]
2017-01-26 18:05 ` Jason Gunthorpe
2017-01-27 6:42 ` Jarkko Sakkinen
2017-01-27 6:42 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170126111403.ql6np2qulifxxw3p@intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.