From: Jarkko Sakkinen <jarkko@kernel.org>
To: Evan Green <evgreen@chromium.org>
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
apronin@chromium.org, dlunev@google.com,
Pavel Machek <pavel@ucw.cz>, Ben Boeckel <me@benboeckel.net>,
rjw@rjwysocki.net, corbet@lwn.net, linux-pm@vger.kernel.org,
zohar@linux.ibm.com, Kees Cook <keescook@chromium.org>,
Eric Biggers <ebiggers@kernel.org>,
jejb@linux.ibm.com, gwendal@chromium.org,
Matthew Garrett <mgarrett@aurora.tech>,
Matthew Garrett <matthewgarrett@google.com>,
Matthew Garrett <mjg59@google.com>,
Jason Gunthorpe <jgg@ziepe.ca>, Peter Huewe <peterhuewe@gmx.de>
Subject: Re: [PATCH v3 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
Date: Fri, 30 Sep 2022 23:57:54 +0300 [thread overview]
Message-ID: <YzdYUpuHfgvt3Q9f@kernel.org> (raw)
In-Reply-To: <20220927094559.v3.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid>
On Tue, Sep 27, 2022 at 09:49:14AM -0700, Evan Green wrote:
> From: Matthew Garrett <matthewgarrett@google.com>
>
> Under certain circumstances it might be desirable to enable the creation
> of TPM-backed secrets that are only accessible to the kernel. In an
> ideal world this could be achieved by using TPM localities, but these
> don't appear to be available on consumer systems. An alternative is to
> simply block userland from modifying one of the resettable PCRs, leaving
> it available to the kernel. If the kernel ensures that no userland can
> access the TPM while it is carrying out work, it can reset PCR 23,
> extend it to an arbitrary value, create or load a secret, and then reset
> the PCR again. Even if userland somehow obtains the sealed material, it
> will be unable to unseal it since PCR 23 will never be in the
> appropriate state.
This lacks any sort of description what the patch does in concrete. The
most critical thing it lacks is the addition of a new config flag, which
really should documented. It e.g. helps when searching with git log, once
this is in the mainline.
The current contents is a perfect "motivation" part.
>
> Link: https://lore.kernel.org/lkml/20210220013255.1083202-3-matthewgarrett@google.com/
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Signed-off-by: Evan Green <evgreen@chromium.org>
> ---
>
> Changes in v3:
> - Fix up commit message (Jarkko)
> - tpm2_find_and_validate_cc() was split (Jarkko)
> - Simply fully restrict TPM1 since v2 failed to account for tunnelled
> transport sessions (Stefan and Jarkko).
>
> Changes in v2:
> - Fixed sparse warnings
>
> drivers/char/tpm/Kconfig | 12 ++++++++++++
> drivers/char/tpm/tpm-dev-common.c | 8 ++++++++
> drivers/char/tpm/tpm.h | 19 +++++++++++++++++++
> drivers/char/tpm/tpm1-cmd.c | 13 +++++++++++++
> drivers/char/tpm/tpm2-cmd.c | 22 ++++++++++++++++++++++
> 5 files changed, 74 insertions(+)
>
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index 927088b2c3d3f2..c8ed54c66e399a 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -211,4 +211,16 @@ config TCG_FTPM_TEE
> This driver proxies for firmware TPM running in TEE.
>
> source "drivers/char/tpm/st33zp24/Kconfig"
> +
> +config TCG_TPM_RESTRICT_PCR
> + bool "Restrict userland access to PCR 23"
> + depends on TCG_TPM
> + help
> + If set, block userland from extending or resetting PCR 23. This allows it
> + to be restricted to in-kernel use, preventing userland from being able to
> + make use of data sealed to the TPM by the kernel. This is required for
> + secure hibernation support, but should be left disabled if any userland
> + may require access to PCR23. This is a TPM2-only feature, and if enabled
> + on a TPM1 machine will cause all usermode TPM commands to return EPERM due
> + to the complications introduced by tunnelled sessions in TPM1.2.
> endif # TCG_TPM
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index dc4c0a0a512903..7a4e618c7d1942 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -198,6 +198,14 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf,
> priv->response_read = false;
> *off = 0;
>
> + if (priv->chip->flags & TPM_CHIP_FLAG_TPM2)
> + ret = tpm2_cmd_restricted(priv->chip, priv->data_buffer, size);
> + else
> + ret = tpm1_cmd_restricted(priv->chip, priv->data_buffer, size);
> +
> + if (ret)
> + goto out;
> +
> /*
> * If in nonblocking mode schedule an async job to send
> * the command return the size.
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index 9c9e5d75b37c78..9f4e64e22807a2 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -246,4 +246,23 @@ void tpm_bios_log_setup(struct tpm_chip *chip);
> void tpm_bios_log_teardown(struct tpm_chip *chip);
> int tpm_dev_common_init(void);
> void tpm_dev_common_exit(void);
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +#define TPM_RESTRICTED_PCR 23
> +
> +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size);
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size);
> +#else
> +static inline int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer,
> + size_t size)
> +{
> + return 0;
> +}
> +
> +static inline int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer,
> + size_t size)
> +{
> + return 0;
> +}
> +#endif
> #endif
> diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> index cf64c738510529..1869e89215fcb9 100644
> --- a/drivers/char/tpm/tpm1-cmd.c
> +++ b/drivers/char/tpm/tpm1-cmd.c
> @@ -811,3 +811,16 @@ int tpm1_get_pcr_allocation(struct tpm_chip *chip)
>
> return 0;
> }
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size)
> +{
> + /*
> + * Restrict all usermode commands on TPM1.2. Ideally we'd just restrict
> + * TPM_ORD_PCR_EXTEND and TPM_ORD_PCR_RESET, but TPM1.2 also supports
> + * tunnelled transport sessions where the kernel would be unable to filter
> + * commands.
> + */
> + return -EPERM;
> +}
> +#endif
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 69126a6770386e..9c92a3e1e3f463 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -821,3 +821,25 @@ int tpm2_find_cc(struct tpm_chip *chip, u32 cc)
>
> return -1;
> }
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size)
> +{
> + int cc = tpm2_find_and_validate_cc(chip, NULL, buffer, size);
> + __be32 *handle;
> +
> + switch (cc) {
> + case TPM2_CC_PCR_EXTEND:
> + case TPM2_CC_PCR_RESET:
> + if (size < (TPM_HEADER_SIZE + sizeof(u32)))
> + return -EINVAL;
> +
> + handle = (__be32 *)&buffer[TPM_HEADER_SIZE];
> + if (be32_to_cpu(*handle) == TPM_RESTRICTED_PCR)
> + return -EPERM;
> + break;
> + }
> +
> + return 0;
> +}
> +#endif
> --
> 2.31.0
>
BR, Jarkko
next prev parent reply other threads:[~2022-09-30 20:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-27 16:49 [PATCH v3 00/11] Encrypted Hibernation Evan Green
2022-09-27 16:49 ` [PATCH v3 01/11] tpm: Add support for in-kernel resetting of PCRs Evan Green
2022-09-30 20:52 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 02/11] tpm: Export and rename tpm2_find_and_validate_cc() Evan Green
2022-09-27 16:49 ` [PATCH v3 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use Evan Green
2022-09-30 20:57 ` Jarkko Sakkinen [this message]
2022-09-27 16:49 ` [PATCH v3 04/11] security: keys: trusted: Include TPM2 creation data Evan Green
2022-09-27 16:49 ` [PATCH v3 05/11] security: keys: trusted: Allow storage of PCR values in " Evan Green
2022-09-27 16:58 ` Ben Boeckel
2022-09-27 16:49 ` [PATCH v3 06/11] security: keys: trusted: Verify " Evan Green
2022-09-27 16:49 ` [PATCH v3 07/11] PM: hibernate: Add kernel-based encryption Evan Green
2022-09-30 21:30 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 08/11] PM: hibernate: Use TPM-backed keys to encrypt image Evan Green
2022-09-30 21:35 ` Jarkko Sakkinen
2022-10-21 19:56 ` Evan Green
2022-10-23 21:55 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 09/11] PM: hibernate: Mix user key in encrypted hibernate Evan Green
2022-09-27 16:49 ` [PATCH v3 10/11] PM: hibernate: Verify the digest encryption key Evan Green
2022-09-27 16:49 ` [PATCH v3 11/11] PM: hibernate: seal the encryption key with a PCR policy Evan Green
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YzdYUpuHfgvt3Q9f@kernel.org \
--to=jarkko@kernel.org \
--cc=apronin@chromium.org \
--cc=corbet@lwn.net \
--cc=dlunev@google.com \
--cc=ebiggers@kernel.org \
--cc=evgreen@chromium.org \
--cc=gwendal@chromium.org \
--cc=jejb@linux.ibm.com \
--cc=jgg@ziepe.ca \
--cc=keescook@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=me@benboeckel.net \
--cc=mgarrett@aurora.tech \
--cc=mjg59@google.com \
--cc=pavel@ucw.cz \
--cc=peterhuewe@gmx.de \
--cc=rjw@rjwysocki.net \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.