* [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
@ 2022-05-27 17:30 Stefan Berger
  2022-05-27 17:30 ` [PATCH 1/2] backends/tpm: Record the last command sent to the TPM Stefan Berger
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Stefan Berger @ 2022-05-27 17:30 UTC (permalink / raw)
  To: qemu-devel, marcandre.lureau; +Cc: Stefan Berger

This series of patches resolves an issue with a TPM 2's dictionary attack
lockout logic being triggered upon well-timed VM resets. Normally, the OS
TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before a VM
is reset. However, the OS driver cannot do this when the user resets a VM.
In this case QEMU must send the command because otherwise several well-
timed VM resets will trigger the TPM 2's dictionary attack (DA) logic and
it will then refuse to do certain key-related operations until the DA
logic has timed out.

Regards,
  Stefan

Stefan Berger (2):
  backends/tpm: Record the last command sent to the TPM
  backends/tpm: Send TPM2_Shutdown upon VM reset

 backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
 backends/tpm/tpm_int.h      |  3 +++
 backends/tpm/tpm_util.c     |  9 ++++++++
 backends/tpm/trace-events   |  1 +
 include/sysemu/tpm_util.h   |  3 +++
 5 files changed, 60 insertions(+)

-- 
2.35.3




* [PATCH 1/2] backends/tpm: Record the last command sent to the TPM
  2022-05-27 17:30 [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Stefan Berger
@ 2022-05-27 17:30 ` Stefan Berger
  2022-05-27 17:30 ` [PATCH 2/2] backends/tpm: Send TPM2_Shutdown upon VM reset Stefan Berger
  2022-05-27 19:24 ` [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Marc-André Lureau
  2 siblings, 0 replies; 8+ messages in thread
From: Stefan Berger @ 2022-05-27 17:30 UTC (permalink / raw)
  To: qemu-devel, marcandre.lureau; +Cc: Stefan Berger

Record the last command sent to the TPM. Knowing the last command sent
to a TPM 2 will allow us to determine whether we need to send a
TPM2_Shutdown() command when the VM is reset.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 backends/tpm/tpm_emulator.c | 9 +++++++++
 backends/tpm/tpm_util.c     | 9 +++++++++
 include/sysemu/tpm_util.h   | 3 +++
 3 files changed, 21 insertions(+)

diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
index 87d061e9bb..89ecb04a2a 100644
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@@ -81,6 +81,8 @@ struct TPMEmulator {
     unsigned int established_flag_cached:1;
 
     TPMBlobBuffers state_blobs;
+
+    uint32_t last_command; /* last command sent to TPM */
 };
 
 struct tpm_error {
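Review bot: the comment on last_command should spell out the sentinel it starts from. TPM_ORDINAL_NONE means no command has been seen since instance init, and that is exactly what the reset-time logic relies on to tell a freshly started VM apart from one whose guest has already talked to the TPM. Something like `/* last command sent to TPM, TPM_ORDINAL_NONE until the first one */` saves readers a trip to tpm_util.h.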
@@ -155,6 +157,12 @@ static int tpm_emulator_unix_tx_bufs(TPMEmulator *tpm_emu,
 {
     ssize_t ret;
     bool is_selftest = false;
+    uint32_t command;
+
+    command = tpm_util_get_ordinal(in, in_len);
+    if (command != TPM_ORDINAL_NONE) {
+        tpm_emu->last_command = command;
+    }
 
     if (selftest_done) {
         *selftest_done = false;
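Review bot: last_command is updated before the buffer has been written to the emulator, so a command whose transmission fails (this function returns a negative value on error) is still recorded as the last one seen. For a TPM2_Shutdown that never reached swtpm this leaves last_command == TPM2_CC_Shutdown, and the reset-time check in the next patch would then skip re-sending it, which is the wrong way to fail. Consider moving the assignment after the successful write, or recording the ordinal only on the success path.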
@@ -910,6 +918,7 @@ static void tpm_emulator_inst_init(Object *obj)
 
     tpm_emu->options = g_new0(TPMEmulatorOptions, 1);
     tpm_emu->cur_locty_number = ~0;
+    tpm_emu->last_command = TPM_ORDINAL_NONE;
     qemu_mutex_init(&tpm_emu->mutex);
 
     vmstate_register(NULL, VMSTATE_INSTANCE_ID_ANY,
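Review bot: last_command is initialised here but is not part of the state registered with vmstate_register just below, so on a migration destination it starts at TPM_ORDINAL_NONE and the first reset after migration would not send TPM2_Shutdown even though the guest was active before migrating. Either add the field to the vmstate or say in the commit message that the post-migration case is knowingly not covered.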
diff --git a/backends/tpm/tpm_util.c b/backends/tpm/tpm_util.c
index a6e6d3e72f..28284940f0 100644
--- a/backends/tpm/tpm_util.c
+++ b/backends/tpm/tpm_util.c
@@ -103,6 +103,15 @@ bool tpm_util_is_selftest(const uint8_t *in, uint32_t in_len)
     return false;
 }
 
+uint32_t tpm_util_get_ordinal(const uint8_t *in, uint32_t in_len)
+{
+    if (in_len >= sizeof(struct tpm_req_hdr)) {
+        return tpm_cmd_get_ordinal(in);
+    }
+
+    return TPM_ORDINAL_NONE;
+}
+
 /*
  * Send request to a TPM device. We expect a response within one second.
  */
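Review bot: tpm_util_get_ordinal needs a short doc comment stating its contract: it returns TPM_ORDINAL_NONE when in_len is shorter than struct tpm_req_hdr and otherwise the raw ordinal field without validating tag or len, so callers should use the result only for comparisons such as the TPM2_CC_Shutdown check and not as a trusted value. Since it now runs on every request, a note that it is intentionally a header peek and nothing more would also help.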
diff --git a/include/sysemu/tpm_util.h b/include/sysemu/tpm_util.h
index 08f05172a7..7fc238b2a0 100644
--- a/include/sysemu/tpm_util.h
+++ b/include/sysemu/tpm_util.h
@@ -29,6 +29,9 @@ void tpm_util_write_fatal_error_response(uint8_t *out, uint32_t out_len);
 
 bool tpm_util_is_selftest(const uint8_t *in, uint32_t in_len);
 
+uint32_t tpm_util_get_ordinal(const uint8_t *in, uint32_t in_len);
+#define TPM_ORDINAL_NONE 0x0
+
 int tpm_util_test_tpmdev(int tpm_fd, TPMVersion *tpm_version);
 
 static inline uint16_t tpm_cmd_get_tag(const void *b)
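Review bot: TPM_ORDINAL_NONE is defined after the prototype that returns it and carries no comment; move the define above tpm_util_get_ordinal and state that 0x0 is a sentinel meaning "no command recorded" rather than an ordinal the spec defines, since this header is shared by the TPM 1.2 and TPM 2 paths.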
-- 
2.35.3




* [PATCH 2/2] backends/tpm: Send TPM2_Shutdown upon VM reset
  2022-05-27 17:30 [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Stefan Berger
  2022-05-27 17:30 ` [PATCH 1/2] backends/tpm: Record the last command sent to the TPM Stefan Berger
@ 2022-05-27 17:30 ` Stefan Berger
  2022-05-27 19:24 ` [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Marc-André Lureau
  2 siblings, 0 replies; 8+ messages in thread
From: Stefan Berger @ 2022-05-27 17:30 UTC (permalink / raw)
  To: qemu-devel, marcandre.lureau; +Cc: Stefan Berger

Send a TPM2_Shutdown(TPM2_SU_CLEAR) command to the TPM emulator when the
VM is reset. However, this is only necessary for a TPM 2 and only if the
TPM2_Shutdown command has not been sent by the VM as the last command as
it would do under normal circumstances. Further, it also doesn't need to
be sent if the VM was just started.

This fixes a bug where well-timed VM resets may trigger the TPM 2's
dictionary attack lockout logic due to the TPM 2 not having received a
TPM2_Shutdown command when it was reset.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2087538
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 backends/tpm/tpm_emulator.c | 35 +++++++++++++++++++++++++++++++++++
 backends/tpm/tpm_int.h      |  3 +++
 backends/tpm/trace-events   |  1 +
 3 files changed, 39 insertions(+)

diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
index 89ecb04a2a..c928d7abd1 100644
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@@ -389,8 +389,43 @@ err_exit:
     return -1;
 }
 
+static void tpm_emulator_send_tpm2_shutdown(TPMEmulator *tpm_emu)
+{
+    const struct tpm2_shutdown {
+        struct tpm_req_hdr hdr;
+        uint16_t shutdownType;
+    } tpm2_shutdown_clear = {
+        .hdr = {
+            .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS),
+            .len = cpu_to_be32(sizeof(tpm2_shutdown_clear)),
+            .ordinal = cpu_to_be32(TPM2_CC_Shutdown),
+        },
+        .shutdownType = cpu_to_be16(TPM2_SU_CLEAR),
+    };
+    Error *local_err = NULL;
+    uint8_t result[10];
+
+    trace_tpm_emulator_send_tpm2_shutdown(tpm_emu->last_command);
+
+    if (tpm_emulator_unix_tx_bufs(tpm_emu, (uint8_t *)&tpm2_shutdown_clear,
+                                  sizeof(tpm2_shutdown_clear),
+                                  result, sizeof(result),
+                                  NULL, &local_err) < 0) {
+        error_report_err(local_err);
+    }
+}
+
 static int tpm_emulator_startup_tpm(TPMBackend *tb, size_t buffersize)
 {
+    TPMEmulator *tpm_emu = TPM_EMULATOR(tb);
+
+    /* In case of VM reset we may need to send a TPM2_Shutdown command */
+    if (tpm_emu->tpm_version == TPM_VERSION_2_0 &&
+        tpm_emu->last_command != TPM_ORDINAL_NONE &&
+        tpm_emu->last_command != TPM2_CC_Shutdown) {
+        tpm_emulator_send_tpm2_shutdown(tpm_emu);
+    }
+
     return tpm_emulator_startup_tpm_resume(tb, buffersize, false);
 }
 
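Review bot: the response code in result[] is never examined, so a TPM2_Shutdown that swtpm answers with an error is treated the same as one that returns TPM_RC_SUCCESS, and because tpm_emulator_unix_tx_bufs has already recorded TPM2_CC_Shutdown as last_command the command will not be retried on the next reset. Parse the 10-byte response header with struct tpm_resp_hdr and report or trace a non-zero rc. Two smaller points: the trace event fires before the outcome is known, and the anonymous struct tpm2_shutdown relies on struct tpm_req_hdr being packed to get the 12-byte wire size; marking it QEMU_PACKED like the header structs makes that explicit.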
diff --git a/backends/tpm/tpm_int.h b/backends/tpm/tpm_int.h
index ba6109306e..2730d4ff02 100644
--- a/backends/tpm/tpm_int.h
+++ b/backends/tpm/tpm_int.h
@@ -64,6 +64,7 @@ struct tpm_resp_hdr {
 /* TPM2 defines */
 #define TPM2_ST_NO_SESSIONS       0x8001
 
+#define TPM2_CC_Shutdown          0x00000145
 #define TPM2_CC_ReadClock         0x00000181
 #define TPM2_CC_GetCapability     0x0000017a
 
@@ -71,6 +72,8 @@ struct tpm_resp_hdr {
 
 #define TPM2_PT_MAX_COMMAND_SIZE  0x11e
 
+#define TPM2_SU_CLEAR             0x0
+
 #define TPM_RC_INSUFFICIENT       0x9a
 #define TPM_RC_FAILURE            0x101
 #define TPM_RC_LOCALITY           0x907
diff --git a/backends/tpm/trace-events b/backends/tpm/trace-events
index 3298766dd7..cd16d41804 100644
--- a/backends/tpm/trace-events
+++ b/backends/tpm/trace-events
@@ -31,3 +31,4 @@ tpm_emulator_set_state_blobs_error(const char *msg) "error while setting state b
 tpm_emulator_set_state_blobs_done(void) "Done setting state blobs"
 tpm_emulator_pre_save(void) ""
 tpm_emulator_inst_init(void) ""
+tpm_emulator_send_tpm2_shutdown(uint32_t ord) "Sending TPM2_Shutdown(TPM2_SU_CLEAR); last ordinal from VM was: 0x%08x"
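Review bot: the trace string hardcodes "TPM2_SU_CLEAR" and reports only the ordinal that triggered the send, and the outcome of the shutdown is not traced anywhere, so someone diagnosing a DA lockout can see that QEMU tried but not whether swtpm accepted the command. A companion event carrying the response code, or extending this one once the result is known, would make the trace useful for exactly the failure this series fixes.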
-- 
2.35.3



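As an added example (not code from the patches or from QEMU), the following standalone C program models the logic the two patches introduce: peeking the command code out of a TPM request header, tracking the last command the guest sent, deciding at VM reset whether a TPM2_Shutdown(TPM2_SU_CLEAR) has to be injected, and serialising that command on the wire. The struct tpm_state, the helper names and the constructed GetCapability request are assumptions for illustration; the constant values are the ones the patches add to tpm_int.h and tpm_util.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM 2 wire constants; the values match the ones the patches add to tpm_int.h. */
#define TPM2_ST_NO_SESSIONS   0x8001
#define TPM2_CC_Shutdown      0x00000145
#define TPM2_CC_GetCapability 0x0000017a
#define TPM2_SU_CLEAR         0x0
#define TPM_ORDINAL_NONE      0x0
#define TPM_REQ_HDR_LEN       10   /* tag(2) + paramSize(4) + commandCode(4) */

enum tpm_version { TPM_VERSION_UNSPEC = 0, TPM_VERSION_1_2, TPM_VERSION_2_0 };

/* Hypothetical backend state, modelled on the two TPMEmulator fields the patches use. */
struct tpm_state {
    enum tpm_version version;
    uint32_t last_command;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff;
}

/* Command code of a request; TPM_ORDINAL_NONE if the buffer holds no full header. */
uint32_t tpm_get_ordinal(const uint8_t *in, size_t in_len)
{
    if (in_len < TPM_REQ_HDR_LEN) {
        return TPM_ORDINAL_NONE;
    }
    return get_be32(in + 6);
}

/* Remember the last command on its way to the TPM, as the patched tx path does. */
void tpm_record_command(struct tpm_state *s, const uint8_t *in, size_t in_len)
{
    uint32_t cc = tpm_get_ordinal(in, in_len);
    if (cc != TPM_ORDINAL_NONE) {
        s->last_command = cc;
    }
}

/* Reset-time decision: TPM 2, the guest has talked to it, and its last command wasn't Shutdown. */
int tpm_needs_shutdown_on_reset(const struct tpm_state *s)
{
    return s->version == TPM_VERSION_2_0 &&
           s->last_command != TPM_ORDINAL_NONE &&
           s->last_command != TPM2_CC_Shutdown;
}

/* Serialise TPM2_Shutdown(shutdownType); returns bytes written, 0 if out is too small. */
size_t tpm2_build_shutdown(uint8_t *out, size_t out_len, uint16_t shutdown_type)
{
    const size_t total = TPM_REQ_HDR_LEN + 2;
    if (out_len < total) {
        return 0;
    }
    put_be16(out, TPM2_ST_NO_SESSIONS);
    put_be32(out + 2, (uint32_t)total);
    put_be32(out + 6, TPM2_CC_Shutdown);
    put_be16(out + 10, shutdown_type);
    return total;
}

/* Reset handler: emits the shutdown only when needed and records it, so a second reset is a no-op. */
size_t tpm_on_vm_reset(struct tpm_state *s, uint8_t *out, size_t out_len)
{
    if (!tpm_needs_shutdown_on_reset(s)) {
        return 0;
    }
    size_t n = tpm2_build_shutdown(out, out_len, TPM2_SU_CLEAR);
    if (n) {
        tpm_record_command(s, out, n);
    }
    return n;
}

/* Constructed scenario: how many TPM2_Shutdown commands the handler injects across four resets. */
int run_reset_sequence(void)
{
    /* constructed sample guest request: a TPM2_GetCapability header with no parameters */
    const uint8_t getcap[TPM_REQ_HDR_LEN] = { 0x80, 0x01, 0, 0, 0, 10, 0, 0, 0x01, 0x7a };
    uint8_t buf[16];
    struct tpm_state s = { TPM_VERSION_2_0, TPM_ORDINAL_NONE };
    int sent = 0;

    sent += tpm_on_vm_reset(&s, buf, sizeof buf) != 0;   /* fresh VM: nothing sent */
    tpm_record_command(&s, getcap, sizeof getcap);
    sent += tpm_on_vm_reset(&s, buf, sizeof buf) != 0;   /* guest was active: inject */
    sent += tpm_on_vm_reset(&s, buf, sizeof buf) != 0;   /* already shut down: skip */
    tpm_record_command(&s, getcap, sizeof getcap);
    tpm_record_command(&s, buf, 12);                     /* guest sent Shutdown itself */
    sent += tpm_on_vm_reset(&s, buf, sizeof buf) != 0;   /* skip */
    return sent;
}

/* Checks the serialised command against the expected big-endian bytes. */
int shutdown_wire_ok(void)
{
    static const uint8_t expected[12] = { 0x80, 0x01, 0, 0, 0, 0x0c, 0, 0, 0x01, 0x45, 0, 0 };
    uint8_t buf[12];
    return tpm2_build_shutdown(buf, sizeof buf, TPM2_SU_CLEAR) == 12 &&
           memcmp(buf, expected, 12) == 0;
}

int main(void)
{
    uint8_t buf[12];
    size_t n = tpm2_build_shutdown(buf, sizeof buf, TPM2_SU_CLEAR);
    printf("TPM2_Shutdown(TPM2_SU_CLEAR) on the wire:");
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\nshutdowns injected in the reset sequence: %d\n", run_reset_sequence());
    return shutdown_wire_ok() ? 0 : 1;
}
```

The sequence in run_reset_sequence mirrors the three conditions in the commit message: a VM that was only just started gets nothing, a VM whose guest was active gets exactly one TPM2_Shutdown, and once that command (whether injected by the host or sent by the guest) is the last one recorded, further resets are no-ops. A TPM 1.2 state never triggers the send regardless of the recorded ordinal.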

* Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
  2022-05-27 17:30 [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Stefan Berger
  2022-05-27 17:30 ` [PATCH 1/2] backends/tpm: Record the last command sent to the TPM Stefan Berger
  2022-05-27 17:30 ` [PATCH 2/2] backends/tpm: Send TPM2_Shutdown upon VM reset Stefan Berger
@ 2022-05-27 19:24 ` Marc-André Lureau
  2022-05-27 19:31   ` Stefan Berger
  2 siblings, 1 reply; 8+ messages in thread
From: Marc-André Lureau @ 2022-05-27 19:24 UTC (permalink / raw)
  To: Stefan Berger; +Cc: qemu-devel

Hi

On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> This series of patches resolves an issue with a TPM 2's dictionary attack
> lockout logic being triggered upon well-timed VM resets. Normally, the OS
> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before a VM
> is reset. However, the OS driver cannot do this when the user resets a VM.
> In this case QEMU must send the command because otherwise several well-
> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic and
> it will then refuse to do certain key-related operations until the DA
> logic has timed out.

How does real hardware deal with that situation? Shouldn't this
"shutdown"/reset logic be implemented on swtpm side instead, when
CMD_INIT is received? (when the VM is restarted)

>
> Regards,
>   Stefan
>
> Stefan Berger (2):
>   backends/tpm: Record the last command sent to the TPM
>   backends/tpm: Send TPM2_Shutdown upon VM reset
>
>  backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
>  backends/tpm/tpm_int.h      |  3 +++
>  backends/tpm/tpm_util.c     |  9 ++++++++
>  backends/tpm/trace-events   |  1 +
>  include/sysemu/tpm_util.h   |  3 +++
>  5 files changed, 60 insertions(+)
>
> --
> 2.35.3
>




* Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
  2022-05-27 19:24 ` [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Marc-André Lureau
@ 2022-05-27 19:31   ` Stefan Berger
  2022-05-28 17:23     ` Stefan Berger
  0 siblings, 1 reply; 8+ messages in thread
From: Stefan Berger @ 2022-05-27 19:31 UTC (permalink / raw)
  To: Marc-André Lureau; +Cc: qemu-devel



On 5/27/22 15:24, Marc-André Lureau wrote:
> Hi
> 
> On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>>
>> This series of patches resolves an issue with a TPM 2's dictionary attack
>> lockout logic being triggered upon well-timed VM resets. Normally, the OS
>> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before a VM
>> is reset. However, the OS driver cannot do this when the user resets a VM.
>> In this case QEMU must send the command because otherwise several well-
>> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic and
>> it will then refuse to do certain key-related operations until the DA
>> logic has timed out.
> 
> How does real hardware deal with that situation? Shouldn't this
> "shutdown"/reset logic be implemented on swtpm side instead, when
> CMD_INIT is received? (when the VM is restarted)
I don't know what real hardware can actually do when the machine is 
reset, presumably via some reset line, or the power is removed. Probably 
it has no way to react to this.

Typically the OS driver has to send the command and since it cannot do 
this I would defer it to the TPM emulator reset handler code, so the 
next layer down.



> 
>>
>> Regards,
>>    Stefan
>>
>> Stefan Berger (2):
>>    backends/tpm: Record the last command sent to the TPM
>>    backends/tpm: Send TPM2_Shutdown upon VM reset
>>
>>   backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
>>   backends/tpm/tpm_int.h      |  3 +++
>>   backends/tpm/tpm_util.c     |  9 ++++++++
>>   backends/tpm/trace-events   |  1 +
>>   include/sysemu/tpm_util.h   |  3 +++
>>   5 files changed, 60 insertions(+)
>>
>> --
>> 2.35.3
>>
> 



* Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
  2022-05-27 19:31   ` Stefan Berger
@ 2022-05-28 17:23     ` Stefan Berger
  2022-05-30  7:49       ` Marc-André Lureau
  0 siblings, 1 reply; 8+ messages in thread
From: Stefan Berger @ 2022-05-28 17:23 UTC (permalink / raw)
  To: Marc-André Lureau; +Cc: qemu-devel



On 5/27/22 15:31, Stefan Berger wrote:
> 
> 
> On 5/27/22 15:24, Marc-André Lureau wrote:
>> Hi
>>
>> On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com> 
>> wrote:
>>>
>>> This series of patches resolves an issue with a TPM 2's dictionary 
>>> attack
>>> lockout logic being triggered upon well-timed VM resets. Normally, 
>>> the OS
>>> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before 
>>> a VM
>>> is reset. However, the OS driver cannot do this when the user resets 
>>> a VM.
>>> In this case QEMU must send the command because otherwise several well-
>>> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic 
>>> and
>>> it will then refuse to do certain key-related operations until the DA
>>> logic has timed out.
>>
>> How does real hardware deal with that situation? Shouldn't this
>> "shutdown"/reset logic be implemented on swtpm side instead, when
>> CMD_INIT is received? (when the VM is restarted)
> I don't know what real hardware can actually do when the machine is 
> reset, presumably via some reset line, or the power is removed. Probably 
> it has no way to react to this.
> 
> Typically the OS driver has to send the command and since it cannot do 
> this I would defer it to the TPM emulator reset handler code, so the 
> next layer down.

Also, when this is done in QEMU we don't need to do a data channel 
operation (run TPM2_Shutdown) from within the control channel (upon 
CMD_INIT) inside of swtpm. This way we can deal with it properly. The 
usage model for the TPM 2 prescribes that a TPM2_Shutdown must be sent 
before a shutdown or reset of the system, so let's let QEMU do it if the 
OS cannot do it.

> 
> 
> 
>>
>>>
>>> Regards,
>>>    Stefan
>>>
>>> Stefan Berger (2):
>>>    backends/tpm: Record the last command sent to the TPM
>>>    backends/tpm: Send TPM2_Shutdown upon VM reset
>>>
>>>   backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
>>>   backends/tpm/tpm_int.h      |  3 +++
>>>   backends/tpm/tpm_util.c     |  9 ++++++++
>>>   backends/tpm/trace-events   |  1 +
>>>   include/sysemu/tpm_util.h   |  3 +++
>>>   5 files changed, 60 insertions(+)
>>>
>>> -- 
>>> 2.35.3
>>>
>>



* Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
  2022-05-28 17:23     ` Stefan Berger
@ 2022-05-30  7:49       ` Marc-André Lureau
  2022-05-30 16:41         ` Stefan Berger
  0 siblings, 1 reply; 8+ messages in thread
From: Marc-André Lureau @ 2022-05-30  7:49 UTC (permalink / raw)
  To: Stefan Berger; +Cc: qemu-devel

Hi

On Sat, May 28, 2022 at 7:23 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
>
>
> On 5/27/22 15:31, Stefan Berger wrote:
> >
> >
> > On 5/27/22 15:24, Marc-André Lureau wrote:
> >> Hi
> >>
> >> On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com>
> >> wrote:
> >>>
> >>> This series of patches resolves an issue with a TPM 2's dictionary
> >>> attack
> >>> lockout logic being triggered upon well-timed VM resets. Normally,
> >>> the OS
> >>> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before
> >>> a VM
> >>> is reset. However, the OS driver cannot do this when the user resets
> >>> a VM.
> >>> In this case QEMU must send the command because otherwise several well-
> >>> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic
> >>> and
> >>> it will then refuse to do certain key-related operations until the DA
> >>> logic has timed out.
> >>
> >> How does real hardware deal with that situation? Shouldn't this
> >> "shutdown"/reset logic be implemented on swtpm side instead, when
> >> CMD_INIT is received? (when the VM is restarted)
> > I don't know what real hardware can actually do when the machine is
> > reset, presumably via some reset line, or the power is removed. Probably
> > it has no way to react to this.
> >
> > Typically the OS driver has to send the command and since it cannot do
> > this I would defer it to the TPM emulator reset handler code, so the
> > next layer down.
>
> Also, when this is done in QEMU we don't need to do a data channel
> operation (run TPM2_Shutdown) from within the control channel (upon
> CMD_INIT) inside of swtpm. This way we can deal with it properly. The
> usage model for the TPM 2 prescribes that a TPM2_Shutdown must be sent
> before a shutdown or reset of the system, so let's let QEMU do it if the
> OS cannot do it.

What if qemu is killed or crashed, and a new instance is connected to
swtpm? Or more subtle, the VM reboots without qemu help (no reset
handler). It feels like it would be more robust to handle the
situation in swtpm. Why not have the same last operation tracking and
shutdown logic there? If CMD_INIT is received and the last operation
is not shutdown, I'd have a warning and do it (if this is compliant
with the spec, I am trying to find relevant text).


>
> >
> >
> >
> >>
> >>>
> >>> Regards,
> >>>    Stefan
> >>>
> >>> Stefan Berger (2):
> >>>    backends/tpm: Record the last command sent to the TPM
> >>>    backends/tpm: Send TPM2_Shutdown upon VM reset
> >>>
> >>>   backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
> >>>   backends/tpm/tpm_int.h      |  3 +++
> >>>   backends/tpm/tpm_util.c     |  9 ++++++++
> >>>   backends/tpm/trace-events   |  1 +
> >>>   include/sysemu/tpm_util.h   |  3 +++
> >>>   5 files changed, 60 insertions(+)
> >>>
> >>> --
> >>> 2.35.3
> >>>
> >>
>




* Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
  2022-05-30  7:49       ` Marc-André Lureau
@ 2022-05-30 16:41         ` Stefan Berger
  0 siblings, 0 replies; 8+ messages in thread
From: Stefan Berger @ 2022-05-30 16:41 UTC (permalink / raw)
  To: Marc-André Lureau; +Cc: qemu-devel



On 5/30/22 03:49, Marc-André Lureau wrote:
> Hi
> 
> On Sat, May 28, 2022 at 7:23 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>>
>>
>>
>> On 5/27/22 15:31, Stefan Berger wrote:
>>>
>>>
>>> On 5/27/22 15:24, Marc-André Lureau wrote:
>>>> Hi
>>>>
>>>> On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com>
>>>> wrote:
>>>>>
>>>>> This series of patches resolves an issue with a TPM 2's dictionary
>>>>> attack
>>>>> lockout logic being triggered upon well-timed VM resets. Normally,
>>>>> the OS
>>>>> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before
>>>>> a VM
>>>>> is reset. However, the OS driver cannot do this when the user resets
>>>>> a VM.
>>>>> In this case QEMU must send the command because otherwise several well-
>>>>> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic
>>>>> and
>>>>> it will then refuse to do certain key-related operations until the DA
>>>>> logic has timed out.
>>>>
>>>> How does real hardware deal with that situation? Shouldn't this
>>>> "shutdown"/reset logic be implemented on swtpm side instead, when
>>>> CMD_INIT is received? (when the VM is restarted)
>>> I don't know what real hardware can actually do when the machine is
>>> reset, presumably via some reset line, or the power is removed. Probably
>>> it has no way to react to this.
>>>
>>> Typically the OS driver has to send the command and since it cannot do
>>> this I would defer it to the TPM emulator reset handler code, so the
>>> next layer down.
>>
>> Also, when this is done in QEMU we don't need to do a data channel
>> operation (run TPM2_Shutdown) from within the control channel (upon
>> CMD_INIT) inside of swtpm. This way we can deal with it properly. The
>> usage model for the TPM 2 prescribes that a TPM2_Shutdown must be sent
>> before a shutdown or reset of the system, so let's let QEMU do it if the
>> OS cannot do it.
> 
> What if qemu is killed or crashed, and a new instance is connected to
> swtpm? Or more subtle, the VM reboots without qemu help (no reset
> handler). It feels like it would be more robust to handle the
> situation in swtpm. Why not have the same last operation tracking and
> shutdown logic there? If CMD_INIT is received and the last operation
> is not shutdown, I'd have a warning and do it (if this is compliant
> with the spec, I am trying to find relevant text).

Something to test with:
https://github.com/stefanberger/swtpm/pull/701
> 
> 
>>
>>>
>>>
>>>
>>>>
>>>>>
>>>>> Regards,
>>>>>     Stefan
>>>>>
>>>>> Stefan Berger (2):
>>>>>     backends/tpm: Record the last command sent to the TPM
>>>>>     backends/tpm: Send TPM2_Shutdown upon VM reset
>>>>>
>>>>>    backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
>>>>>    backends/tpm/tpm_int.h      |  3 +++
>>>>>    backends/tpm/tpm_util.c     |  9 ++++++++
>>>>>    backends/tpm/trace-events   |  1 +
>>>>>    include/sysemu/tpm_util.h   |  3 +++
>>>>>    5 files changed, 60 insertions(+)
>>>>>
>>>>> --
>>>>> 2.35.3
>>>>>
>>>>
>>
> 


