From: jarkko.sakkinen@linux.intel.com (Jarkko Sakkinen)
To: linux-security-module@vger.kernel.org
Subject: [tpmdd-devel] [PATCH RESEND 3/3] tpm-chip: Export TPM device to user space even when startup failed
Date: Wed, 30 Aug 2017 13:26:30 +0300 [thread overview]
Message-ID: <20170830102630.uvub5aetqbgww5z4@linux.intel.com> (raw)
In-Reply-To: <E1DD9935-818F-456B-98B3-2103A6799E27@gmx.de>
On Tue, Aug 29, 2017 at 03:53:17PM +0200, Peter Huewe wrote:
> Thabks Michal!
>
> Am 29. August 2017 15:17:39 MESZ schrieb "Michal Such?nek" <msuchanek@suse.de>:
> >Hello,
> >
> >On Tue, 29 Aug 2017 15:55:09 +0300
> >Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
> >
> >> On Mon, Aug 28, 2017 at 05:15:58PM +0000,
> >> Alexander.Steffen at infineon.com wrote:
> >> > But is that just because nobody bothered to implement the necessary
> >> > logic or for some other reason?
> >>
> >> We do not want user space to access broken hardware. It's a huge risk
> >> for system stability and potentially could be used for evil purposes.
> >>
> >> This is not going to mainline as it is not suitable for general
> >> consumption. You must use a patched kernel if you want this.
> >>
> >> /Jarkko
> >>
> >
> >It has been pointed out that userspace applications that use direct IO
> >access exist for the purpose. So using a kernel driver is an
> >improvement over that if the interface is otherwise sane.
> +1
>
> >
> >What do you expect is the potential for instability or evil use?
> >
> >With a kernel driver arbitrating the bus access as it would in any
> >other case I do not see much potential for instability.
>
> Exactly.
>
>
> >If there are
> >cases when the arbitration fails they can surely be more likely
> >triggered in cases other than userspace sending arbitrary requests to a
> >device which is in a state the kernel does not support but otherwise
> >responsive.
>
> Its the same as with every other device - as long as it communicates like a tpm, talks like a tpm, behaves like a tpm - it's a tpm.
> Even if the kernel does not recognize the tpm's internal state.
>
>
> >If you really think that accessing a device that is in unsupported
> >state at boot (as opposed to getting unto unsupported state during
> >device operation after boot) is a real problem it can be selectable as
> >compile time option so people who do not want the code do not get it.
>
> I would more favor a module option,
> but honestly I don't see a reason to not pull this code in, as it is.
> Maybe mark the kernel as tainted if you think it is an issue.
>
> Adding this as a out of tree patch is far from userfriendly.
> If there is a chance to debug and fix a "unknown" state using the kernel as the communication layer, I would like to use this way.
>
>
> Peter
As I said in previous response it's not a good idea to give all-in
access at this point. You cannot turn back from that once it is in
the mainline.
I would rather suggest scoping lowest common denominator subset of
TPM commands that you need and allow only those commands to pass
through. If the subset turns out to be too limited, you can expand
it later on.
/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Peter Huewe <peterhuewe@gmx.de>, g@linux.intel.com
Cc: tpmdd-devel@lists.sourceforge.net,
"Michal Suchánek" <msuchanek@suse.de>,
linux-security-module@vger.kernel.org
Subject: Re: [tpmdd-devel] [PATCH RESEND 3/3] tpm-chip: Export TPM device to user space even when startup failed
Date: Wed, 30 Aug 2017 13:26:30 +0300 [thread overview]
Message-ID: <20170830102630.uvub5aetqbgww5z4@linux.intel.com> (raw)
In-Reply-To: <E1DD9935-818F-456B-98B3-2103A6799E27@gmx.de>
On Tue, Aug 29, 2017 at 03:53:17PM +0200, Peter Huewe wrote:
> Thabks Michal!
>
> Am 29. August 2017 15:17:39 MESZ schrieb "Michal Suchánek" <msuchanek@suse.de>:
> >Hello,
> >
> >On Tue, 29 Aug 2017 15:55:09 +0300
> >Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
> >
> >> On Mon, Aug 28, 2017 at 05:15:58PM +0000,
> >> Alexander.Steffen@infineon.com wrote:
> >> > But is that just because nobody bothered to implement the necessary
> >> > logic or for some other reason?
> >>
> >> We do not want user space to access broken hardware. It's a huge risk
> >> for system stability and potentially could be used for evil purposes.
> >>
> >> This is not going to mainline as it is not suitable for general
> >> consumption. You must use a patched kernel if you want this.
> >>
> >> /Jarkko
> >>
> >
> >It has been pointed out that userspace applications that use direct IO
> >access exist for the purpose. So using a kernel driver is an
> >improvement over that if the interface is otherwise sane.
> +1
>
> >
> >What do you expect is the potential for instability or evil use?
> >
> >With a kernel driver arbitrating the bus access as it would in any
> >other case I do not see much potential for instability.
>
> Exactly.
>
>
> >If there are
> >cases when the arbitration fails they can surely be more likely
> >triggered in cases other than userspace sending arbitrary requests to a
> >device which is in a state the kernel does not support but otherwise
> >responsive.
>
> Its the same as with every other device - as long as it communicates like a tpm, talks like a tpm, behaves like a tpm - it's a tpm.
> Even if the kernel does not recognize the tpm's internal state.
>
>
> >If you really think that accessing a device that is in unsupported
> >state at boot (as opposed to getting unto unsupported state during
> >device operation after boot) is a real problem it can be selectable as
> >compile time option so people who do not want the code do not get it.
>
> I would more favor a module option,
> but honestly I don't see a reason to not pull this code in, as it is.
> Maybe mark the kernel as tainted if you think it is an issue.
>
> Adding this as a out of tree patch is far from userfriendly.
> If there is a chance to debug and fix a "unknown" state using the kernel as the communication layer, I would like to use this way.
>
>
> Peter
As I said in previous response it's not a good idea to give all-in
access at this point. You cannot turn back from that once it is in
the mainline.
I would rather suggest scoping lowest common denominator subset of
TPM commands that you need and allow only those commands to pass
through. If the subset turns out to be too limited, you can expand
it later on.
/Jarkko
next prev parent reply other threads:[~2017-08-30 10:26 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-24 8:37 [PATCH RESEND 0/3] Export broken TPMs to user space Alexander Steffen
[not found] ` <20170824083714.10016-1-Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org>
2017-08-24 8:37 ` [PATCH RESEND 1/3] tpm-chip: Move idr_replace calls to appropriate places Alexander Steffen
2017-08-25 17:25 ` Jarkko Sakkinen
2017-08-25 17:25 ` Jarkko Sakkinen
2017-08-28 17:18 ` Alexander.Steffen at infineon.com
2017-08-28 17:18 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-08-24 8:37 ` [PATCH RESEND 2/3] tpm-chip: Return TPM error codes from auto_startup functions Alexander Steffen
[not found] ` <20170824083714.10016-3-Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org>
2017-08-25 17:06 ` Jarkko Sakkinen
[not found] ` <20170825170607.wfnr5y5zres2n42r-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
2017-08-29 12:11 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-08-24 8:37 ` [PATCH RESEND 3/3] tpm-chip: Export TPM device to user space even when startup failed Alexander Steffen
2017-08-25 17:20 ` Jarkko Sakkinen
2017-08-25 17:20 ` Jarkko Sakkinen
2017-08-28 17:15 ` Alexander.Steffen at infineon.com
2017-08-28 17:15 ` Alexander.Steffen-d0qZbvYSIPpWk0Htik3J/w
2017-08-29 12:55 ` Jarkko Sakkinen
2017-08-29 12:55 ` Jarkko Sakkinen
2017-08-29 13:17 ` [tpmdd-devel] " Michal Suchánek
2017-08-29 13:17 ` Michal Suchánek
2017-08-29 13:53 ` Peter Huewe
2017-08-29 13:53 ` Peter Huewe
2017-08-30 10:26 ` Jarkko Sakkinen [this message]
2017-08-30 10:26 ` [tpmdd-devel] " Jarkko Sakkinen
2017-08-30 10:15 ` Jarkko Sakkinen
2017-08-30 10:15 ` Jarkko Sakkinen
2017-08-30 10:20 ` [tpmdd-devel] " Jarkko Sakkinen
2017-08-30 10:20 ` Jarkko Sakkinen
2017-08-30 10:34 ` Michal Suchánek
2017-08-30 10:34 ` Michal Suchánek
2017-08-30 11:07 ` Jarkko Sakkinen
2017-08-30 11:07 ` Jarkko Sakkinen
2017-08-31 16:18 ` Alexander.Steffen at infineon.com
2017-08-31 16:18 ` Alexander.Steffen
2017-09-02 10:20 ` Jarkko Sakkinen
2017-09-02 10:20 ` Jarkko Sakkinen
2017-08-30 10:41 ` Peter Huewe
2017-08-30 10:41 ` Peter Huewe
2017-08-30 11:10 ` [tpmdd-devel] " Jarkko Sakkinen
2017-08-30 11:10 ` Jarkko Sakkinen
2017-08-31 16:26 ` Alexander.Steffen at infineon.com
2017-08-31 16:26 ` Alexander.Steffen
2017-09-02 10:24 ` Jarkko Sakkinen
2017-09-02 10:24 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170830102630.uvub5aetqbgww5z4@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.