From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758207AbdAKLe1 (ORCPT ); Wed, 11 Jan 2017 06:34:27 -0500 Received: from mga06.intel.com ([134.134.136.31]:11989 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756164AbdAKLeZ (ORCPT ); Wed, 11 Jan 2017 06:34:25 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,345,1477983600"; d="scan'208";a="921289259" Date: Wed, 11 Jan 2017 13:34:16 +0200 From: Jarkko Sakkinen To: Jason Gunthorpe Cc: greg@enjellic.com, tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, Ken Goldman , linux-kernel@vger.kernel.org Subject: Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager Message-ID: <20170111113416.4h6ucm5y3hjjnfhv@intel.com> References: <201701041612.v04GCfPK031525@wind.enjellic.com> <20170109231635.6wh25qoy7svcnys6@intel.com> <20170110200558.GA5102@obsidianresearch.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170110200558.GA5102@obsidianresearch.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.6.2-neo (2016-08-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 10, 2017 at 01:05:58PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 10, 2017 at 01:16:35AM +0200, Jarkko Sakkinen wrote: > > On Wed, Jan 04, 2017 at 10:12:41AM -0600, Dr. Greg Wettstein wrote: > > > The kernel needs a resource manager. Everyone needs to think VERY > > > hard and VERY, VERY carefully about what gets put into the kernel. In > > > making a decision, put the ABSOLUTE smallest amount of code into the > > > kernel which allows various 'TPM2 personalities' to be implemented in > > > userspace and functionally verified and protected by the physical > > > instance. The emergence of commodity TEE's (SGX, et.al) should be in > > > the back of everyone's mind as a factor in the roadmap. > > > > Here's my cuts for the kernel: > > > > - Kernel virtualizes handle areas. It's mechanical. > > - Kernel does not virtualize bodies. It's not mechanical. > > - At least the first version of the RM will not do other than session > > isolation for sessions. > > > > This keeps the core for RM inside the kernel small and tight. > > I think this makes sense. > > In addition the kernel should only permit RM operations that are known > to be 100% correct with the RM. > > I think you should stick with your original design basic design, > except instead of using an ioctl to switch modes, use an ioctl to > execute the operation: > > struct tpm_ioctl_operation { > u16 mode; // == TPM1_RAW,TPM2_RAW,TPM1_RM,TPM2_RM > u16 locality; > u32 txlen; > u32 rxlen; > const void *txbuf; > void *rxbuf; > }; > > The userspace broker would be expected to use a mixture of RM and RAW > operations. > > Let's deal with the idea of another cdev some other day when someone > can figure out a comprehensive way to do that securely for unpriv.. James, what do you think about this proposal? /Jarkko From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jarkko Sakkinen Subject: Re: [PATCH RFC 0/4] RFC: in-kernel resource manager Date: Wed, 11 Jan 2017 13:34:16 +0200 Message-ID: <20170111113416.4h6ucm5y3hjjnfhv@intel.com> References: <201701041612.v04GCfPK031525@wind.enjellic.com> <20170109231635.6wh25qoy7svcnys6@intel.com> <20170110200558.GA5102@obsidianresearch.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20170110200558.GA5102-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org To: Jason Gunthorpe Cc: Ken Goldman , tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, greg-R92VP3DqSWVWk0Htik3J/w@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: tpmdd-devel@lists.sourceforge.net On Tue, Jan 10, 2017 at 01:05:58PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 10, 2017 at 01:16:35AM +0200, Jarkko Sakkinen wrote: > > On Wed, Jan 04, 2017 at 10:12:41AM -0600, Dr. Greg Wettstein wrote: > > > The kernel needs a resource manager. Everyone needs to think VERY > > > hard and VERY, VERY carefully about what gets put into the kernel. In > > > making a decision, put the ABSOLUTE smallest amount of code into the > > > kernel which allows various 'TPM2 personalities' to be implemented in > > > userspace and functionally verified and protected by the physical > > > instance. The emergence of commodity TEE's (SGX, et.al) should be in > > > the back of everyone's mind as a factor in the roadmap. > > > > Here's my cuts for the kernel: > > > > - Kernel virtualizes handle areas. It's mechanical. > > - Kernel does not virtualize bodies. It's not mechanical. > > - At least the first version of the RM will not do other than session > > isolation for sessions. > > > > This keeps the core for RM inside the kernel small and tight. > > I think this makes sense. > > In addition the kernel should only permit RM operations that are known > to be 100% correct with the RM. > > I think you should stick with your original design basic design, > except instead of using an ioctl to switch modes, use an ioctl to > execute the operation: > > struct tpm_ioctl_operation { > u16 mode; // == TPM1_RAW,TPM2_RAW,TPM1_RM,TPM2_RM > u16 locality; > u32 txlen; > u32 rxlen; > const void *txbuf; > void *rxbuf; > }; > > The userspace broker would be expected to use a mixture of RM and RAW > operations. > > Let's deal with the idea of another cdev some other day when someone > can figure out a comprehensive way to do that securely for unpriv.. James, what do you think about this proposal? /Jarkko ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi