From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: tpmdd-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
Peter Huewe <peterhuewe@gmx.de>,
Marcel Selhorst <tpmdd@selhorst.net>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC] tpm: define a command filter
Date: Fri, 27 Jan 2017 08:42:40 +0200 [thread overview]
Message-ID: <20170127064240.5xrf4ddbo2vq3llb@intel.com> (raw)
In-Reply-To: <20170126180506.GA20330@obsidianresearch.com>
On Thu, Jan 26, 2017 at 11:05:06AM -0700, Jason Gunthorpe wrote:
> On Thu, Jan 26, 2017 at 01:14:03PM +0200, Jarkko Sakkinen wrote:
> > On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote:
> > > On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote:
> > >
> > > > There should be anyway someway to limit what commands can be sent but
> > > > I understand your point.
> > >
> > > What is the filter for?
> > >
> > > James and I talked about a filter to create a safer cdev for use by
> > > users. However tpms0 cannot be that 'safer' cdev - it is now the 'all
> > > access' path.
> >
> > What do you mean by "safer cdev"?
>
> 'safer cdev' is this concept of limiting privileges you are describing
> below.
>
> > > I also suggested a filter in the kernel to ensure that the RM is only
> > > passing commands it actually knows it handles properly. eg you would
> > > filter out list handles. That is hardwired into the kernel, and does
> > > not ge to be configured by user space.
> >
> > In many cases you would want to limit the set of operations that client
> > can use. For example, not every client needs NV operations. In general
> > you might want to have mechanism for limiting privileges. I haven't
> > really considered this from the perspective that you've been discussing
> > but more from the "principle of least privilege" perspective.
>
> What does that mean? The kernel needs to provide an unrestricted
> access path to the TPM and the RM - typically for use by root. I don't
> think there is any debate on this point.
>
> The kernel *could* provide restricted access to the TPM and the RM -
> typically for use by a user.
>
> These are *different* things and they should not both exist at once on
> /dev/tpms0 (that is not the unix model).
>
> IMHO this patch series should focus entirely on the unrestricted
> access path. Otherwise the debate is too large and complex.
Agreed. We can add more granular access control later on.
For the rest of the response I understand your point of view but lets
continue after we have basic building blocks in place :-)
/Jarkko
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
open list <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH RFC] tpm: define a command filter
Date: Fri, 27 Jan 2017 08:42:40 +0200 [thread overview]
Message-ID: <20170127064240.5xrf4ddbo2vq3llb@intel.com> (raw)
In-Reply-To: <20170126180506.GA20330-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
On Thu, Jan 26, 2017 at 11:05:06AM -0700, Jason Gunthorpe wrote:
> On Thu, Jan 26, 2017 at 01:14:03PM +0200, Jarkko Sakkinen wrote:
> > On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote:
> > > On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote:
> > >
> > > > There should be anyway someway to limit what commands can be sent but
> > > > I understand your point.
> > >
> > > What is the filter for?
> > >
> > > James and I talked about a filter to create a safer cdev for use by
> > > users. However tpms0 cannot be that 'safer' cdev - it is now the 'all
> > > access' path.
> >
> > What do you mean by "safer cdev"?
>
> 'safer cdev' is this concept of limiting privileges you are describing
> below.
>
> > > I also suggested a filter in the kernel to ensure that the RM is only
> > > passing commands it actually knows it handles properly. eg you would
> > > filter out list handles. That is hardwired into the kernel, and does
> > > not ge to be configured by user space.
> >
> > In many cases you would want to limit the set of operations that client
> > can use. For example, not every client needs NV operations. In general
> > you might want to have mechanism for limiting privileges. I haven't
> > really considered this from the perspective that you've been discussing
> > but more from the "principle of least privilege" perspective.
>
> What does that mean? The kernel needs to provide an unrestricted
> access path to the TPM and the RM - typically for use by root. I don't
> think there is any debate on this point.
>
> The kernel *could* provide restricted access to the TPM and the RM -
> typically for use by a user.
>
> These are *different* things and they should not both exist at once on
> /dev/tpms0 (that is not the unix model).
>
> IMHO this patch series should focus entirely on the unrestricted
> access path. Otherwise the debate is too large and complex.
Agreed. We can add more granular access control later on.
For the rest of the response I understand your point of view but lets
continue after we have basic building blocks in place :-)
/Jarkko
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
next prev parent reply other threads:[~2017-01-27 6:46 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-24 0:02 [PATCH RFC] tpm: define a command filter Jarkko Sakkinen
2017-01-24 0:02 ` Jarkko Sakkinen
2017-01-24 0:19 ` Jason Gunthorpe
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 14:36 ` Jarkko Sakkinen
2017-01-24 19:07 ` Jason Gunthorpe
2017-01-25 20:21 ` Jarkko Sakkinen
2017-01-25 20:21 ` Jarkko Sakkinen
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-25 22:11 ` Jason Gunthorpe
2017-01-26 11:14 ` Jarkko Sakkinen
2017-01-26 18:05 ` Jason Gunthorpe
2017-01-27 6:42 ` Jarkko Sakkinen [this message]
2017-01-27 6:42 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170127064240.5xrf4ddbo2vq3llb@intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.