From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Alexander.Steffen@infineon.com
Cc: tpmdd-devel@lists.sourceforge.net, dhowells@redhat.com,
linux-kernel@vger.kernel.org,
James.Bottomley@HansenPartnership.com,
linux-security-module@vger.kernel.org, peterhuewe@gmx.de
Subject: Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands
Date: Fri, 17 Mar 2017 22:42:43 +0200 [thread overview]
Message-ID: <20170317204243.5j376svqeky6bhqk@intel.com> (raw)
In-Reply-To: <22e8fa0caf8b4386a12cd93ee7170ed5@MUCSE603.infineon.com>
On Fri, Mar 17, 2017 at 03:40:15PM +0000, Alexander.Steffen@infineon.com wrote:
> > Check for every TPM 2.0 command that the command code is supported and
> > the command buffer has at least the length that can contain the header
> > and the handle area.
>
> This breaks several use cases for me:
Thank you for reporting these. This is really great feedback to get.
> 1. I've got a TPM that implements vendor-specific command codes. Those
> cannot be send to the TPM anymore, but are rejected with EINVAL.
>
> 2. When upgrading the firmware on my TPM, it switches to a
> non-standard communication mode for the upgrade process and does not
> communicate using TPM2.0 commands during this time. Rejecting
> non-TPM2.0 commands means upgrading won't be possible anymore.
>
> 3. I'd like to use the kernel driver to test my TPM implementation. So
> for example, I send an invalid command code to the TPM and expect
> TPM_RC_COMMAND_CODE in response, but now I get EINVAL instead and the
> TPM never sees the command.
>
> From my point of view, the kernel driver should provide a transparent
> communication channel to the TPM. Whatever I write to /dev/tpm<n>
> should arrive at the TPM device, so that the TPM can handle it and
> return the appropriate response. Otherwise, you'll end up
> reimplementing all the command handling logic, that is already part of
> the TPM's job, and as soon as you miss one case and behave differently
> than the TPM, something relying on this behavior will break.
>
> I see two possible solutions:
>
> 1. When the driver does not know a command code, it passes through the
> command unmodified. This bears the risk of unknown side effects
> though, so TPM spaces might not be as independent as they should be.
>
> 2. Since the command code lookup is only really necessary for TPM
> spaces, it only gets activated when space != NULL. So the change will
> not affect /dev/tpm<n>, but only the new /dev/tpmrm<n>. As
> /dev/tpmrm<n> is not meant to be a transparent interface anyway,
> rejecting unknown commands is acceptable.
>
> Alexander
I think the most straight-forward way to sort this out would be to limit
validation to the resource manager. If I send a fix, would you care to
test it? If your issues get sorted, I'll squash it to the existing
commits.
Thanks again!
/Jarkko
WARNING: multiple messages have this Message-ID (diff)
From: jarkko.sakkinen@linux.intel.com (Jarkko Sakkinen)
To: linux-security-module@vger.kernel.org
Subject: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands
Date: Fri, 17 Mar 2017 22:42:43 +0200 [thread overview]
Message-ID: <20170317204243.5j376svqeky6bhqk@intel.com> (raw)
In-Reply-To: <22e8fa0caf8b4386a12cd93ee7170ed5@MUCSE603.infineon.com>
On Fri, Mar 17, 2017 at 03:40:15PM +0000, Alexander.Steffen at infineon.com wrote:
> > Check for every TPM 2.0 command that the command code is supported and
> > the command buffer has at least the length that can contain the header
> > and the handle area.
>
> This breaks several use cases for me:
Thank you for reporting these. This is really great feedback to get.
> 1. I've got a TPM that implements vendor-specific command codes. Those
> cannot be send to the TPM anymore, but are rejected with EINVAL.
>
> 2. When upgrading the firmware on my TPM, it switches to a
> non-standard communication mode for the upgrade process and does not
> communicate using TPM2.0 commands during this time. Rejecting
> non-TPM2.0 commands means upgrading won't be possible anymore.
>
> 3. I'd like to use the kernel driver to test my TPM implementation. So
> for example, I send an invalid command code to the TPM and expect
> TPM_RC_COMMAND_CODE in response, but now I get EINVAL instead and the
> TPM never sees the command.
>
> From my point of view, the kernel driver should provide a transparent
> communication channel to the TPM. Whatever I write to /dev/tpm<n>
> should arrive at the TPM device, so that the TPM can handle it and
> return the appropriate response. Otherwise, you'll end up
> reimplementing all the command handling logic, that is already part of
> the TPM's job, and as soon as you miss one case and behave differently
> than the TPM, something relying on this behavior will break.
>
> I see two possible solutions:
>
> 1. When the driver does not know a command code, it passes through the
> command unmodified. This bears the risk of unknown side effects
> though, so TPM spaces might not be as independent as they should be.
>
> 2. Since the command code lookup is only really necessary for TPM
> spaces, it only gets activated when space != NULL. So the change will
> not affect /dev/tpm<n>, but only the new /dev/tpmrm<n>. As
> /dev/tpmrm<n> is not meant to be a transparent interface anyway,
> rejecting unknown commands is acceptable.
>
> Alexander
I think the most straight-forward way to sort this out would be to limit
validation to the resource manager. If I send a fix, would you care to
test it? If your issues get sorted, I'll squash it to the existing
commits.
Thanks again!
/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
To: Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org
Cc: James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [PATCH v3 2/7] tpm: validate TPM 2.0 commands
Date: Fri, 17 Mar 2017 22:42:43 +0200 [thread overview]
Message-ID: <20170317204243.5j376svqeky6bhqk@intel.com> (raw)
In-Reply-To: <22e8fa0caf8b4386a12cd93ee7170ed5-nFblLGNE8XKJSz+rYg/bSJowlv4uC7bZ@public.gmane.org>
On Fri, Mar 17, 2017 at 03:40:15PM +0000, Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org wrote:
> > Check for every TPM 2.0 command that the command code is supported and
> > the command buffer has at least the length that can contain the header
> > and the handle area.
>
> This breaks several use cases for me:
Thank you for reporting these. This is really great feedback to get.
> 1. I've got a TPM that implements vendor-specific command codes. Those
> cannot be send to the TPM anymore, but are rejected with EINVAL.
>
> 2. When upgrading the firmware on my TPM, it switches to a
> non-standard communication mode for the upgrade process and does not
> communicate using TPM2.0 commands during this time. Rejecting
> non-TPM2.0 commands means upgrading won't be possible anymore.
>
> 3. I'd like to use the kernel driver to test my TPM implementation. So
> for example, I send an invalid command code to the TPM and expect
> TPM_RC_COMMAND_CODE in response, but now I get EINVAL instead and the
> TPM never sees the command.
>
> From my point of view, the kernel driver should provide a transparent
> communication channel to the TPM. Whatever I write to /dev/tpm<n>
> should arrive at the TPM device, so that the TPM can handle it and
> return the appropriate response. Otherwise, you'll end up
> reimplementing all the command handling logic, that is already part of
> the TPM's job, and as soon as you miss one case and behave differently
> than the TPM, something relying on this behavior will break.
>
> I see two possible solutions:
>
> 1. When the driver does not know a command code, it passes through the
> command unmodified. This bears the risk of unknown side effects
> though, so TPM spaces might not be as independent as they should be.
>
> 2. Since the command code lookup is only really necessary for TPM
> spaces, it only gets activated when space != NULL. So the change will
> not affect /dev/tpm<n>, but only the new /dev/tpmrm<n>. As
> /dev/tpmrm<n> is not meant to be a transparent interface anyway,
> rejecting unknown commands is acceptable.
>
> Alexander
I think the most straight-forward way to sort this out would be to limit
validation to the resource manager. If I send a fix, would you care to
test it? If your issues get sorted, I'll squash it to the existing
commits.
Thanks again!
/Jarkko
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
next prev parent reply other threads:[~2017-03-17 20:47 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-03 15:19 [PATCH v3 0/7] in-kernel resource manager Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 1/7] tpm: move length validation to tpm_transmit() Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 2/7] tpm: validate TPM 2.0 commands Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-17 15:40 ` [tpmdd-devel] " Alexander.Steffen
2017-03-17 15:40 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-03-17 15:40 ` [tpmdd-devel] " Alexander.Steffen at infineon.com
2017-03-17 16:16 ` Jason Gunthorpe
2017-03-17 16:16 ` Jason Gunthorpe
2017-03-17 16:35 ` Peter.Huewe
2017-03-17 16:35 ` Peter.Huewe-d0qZbvYSIPpWk0Htik3J/w
2017-03-17 16:35 ` [tpmdd-devel] " Peter.Huewe at infineon.com
2017-03-20 9:54 ` Alexander.Steffen
2017-03-20 9:54 ` Alexander.Steffen
2017-03-20 9:54 ` Alexander.Steffen at infineon.com
2017-03-20 17:23 ` Jason Gunthorpe
2017-03-20 17:23 ` Jason Gunthorpe
2017-03-20 17:23 ` [tpmdd-devel] " Jason Gunthorpe
2017-03-20 19:42 ` Ken Goldman
2017-03-20 19:42 ` Ken Goldman
2017-03-20 19:42 ` [tpmdd-devel] " Ken Goldman
2017-03-21 15:44 ` Alexander.Steffen
2017-03-21 15:44 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-03-21 15:44 ` [tpmdd-devel] " Alexander.Steffen at infineon.com
2017-03-17 20:42 ` Jarkko Sakkinen [this message]
2017-03-17 20:42 ` Jarkko Sakkinen
2017-03-17 20:42 ` [tpmdd-devel] " Jarkko Sakkinen
2017-03-20 9:56 ` Alexander.Steffen
2017-03-20 9:56 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-03-20 9:56 ` [tpmdd-devel] " Alexander.Steffen at infineon.com
2017-03-27 5:25 ` Jarkko Sakkinen
2017-03-27 5:25 ` Jarkko Sakkinen
2017-03-27 5:25 ` [tpmdd-devel] " Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 3/7] tpm: export tpm2_flush_context_cmd Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 4/7] tpm: infrastructure for TPM spaces Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-17 15:41 ` [tpmdd-devel] " Alexander.Steffen
2017-03-17 15:41 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-03-17 15:41 ` [tpmdd-devel] " Alexander.Steffen at infineon.com
2017-03-17 20:44 ` Jarkko Sakkinen
2017-03-17 20:44 ` Jarkko Sakkinen
2017-03-17 20:44 ` [tpmdd-devel] " Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 5/7] tpm: split out tpm-dev.c into tpm-dev.c and tpm-common-dev.c Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 6/7] tpm: expose spaces via a device link /dev/tpmrm<n> Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-03 15:19 ` [PATCH v3 7/7] tpm2: add session handle context saving and restoring to the space code Jarkko Sakkinen
2017-03-03 15:19 ` Jarkko Sakkinen
2017-03-06 21:07 ` [PATCH v3 0/7] in-kernel resource manager Jarkko Sakkinen
2017-03-06 21:07 ` Jarkko Sakkinen
2017-03-11 8:55 ` Jarkko Sakkinen
2017-03-11 8:55 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170317204243.5j376svqeky6bhqk@intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=Alexander.Steffen@infineon.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=tpmdd-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.