From: Ken Goldman <kgold@linux.vnet.ibm.com>
To: Javier Martinez Canillas <javierm@redhat.com>,
"Roberts, William C" <william.c.roberts@intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH] tpm: don't return -EINVAL if TPM command validation fails
Date: Fri, 8 Dec 2017 15:11:22 -0500 [thread overview]
Message-ID: <67662fe4-38f4-7b28-2806-3dbe94870f74@linux.vnet.ibm.com> (raw)
In-Reply-To: <600d6778-f155-ea51-64dc-e0041c6943d3@redhat.com>
On 11/22/2017 4:26 AM, Javier Martinez Canillas wrote:
>
> I still do believe that both interfaces (/dev/tpm and /dev/tpmrm) should be
> consistent if possible though.
Agreed. TPM code is hard enough to debug without inconsistencies
between tpm, tpmrm, and the simulator.
> In other words, I don't see the value of not
> behaving as expected by the spec if this doesn't have security implications
> as is the case with the approach suggested by Jason. And the implementation
> for sending the synthesized response is also trivial.
>
> The other option that's fixing this in user-space will be a workaround, since
> it would either be to check for TPM_RC_SUCCESS instead of TPM_RC_COMMAND_CODE
> or make the SAPI library infer that a -EINVAL error means that a command isn't
> supported and return a TPM_RC_COMMAND_CODE to the caller.
Remember also that SAPI is just one TSS design. There are currently
three others. And SAPI is targeted more as a building block than an end
user library.
Every TSS implementation would have to do this mapping. How would they
even know to do it if they didn't notice this thread? It wouldn't be
documented anywhere other than deep in kernel code.
next prev parent reply other threads:[~2017-12-08 20:11 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-17 10:07 [RFC PATCH] tpm: don't return -EINVAL if TPM command validation fails Javier Martinez Canillas
2017-11-17 16:57 ` Jason Gunthorpe
2017-11-17 17:56 ` Javier Martinez Canillas
2017-11-17 17:58 ` Jason Gunthorpe
2017-11-17 18:10 ` Javier Martinez Canillas
2017-11-17 18:17 ` Jason Gunthorpe
2017-11-17 18:34 ` Javier Martinez Canillas
2017-11-17 19:14 ` Roberts, William C
2017-11-17 19:14 ` Roberts, William C
2017-11-17 23:55 ` Jason Gunthorpe
2017-11-17 23:55 ` Jason Gunthorpe
2017-11-18 0:53 ` Javier Martinez Canillas
2017-11-18 0:53 ` Javier Martinez Canillas
2017-11-19 15:27 ` Jason Gunthorpe
2017-11-20 9:26 ` Javier Martinez Canillas
2017-11-20 16:14 ` Roberts, William C
2017-11-20 18:02 ` Jason Gunthorpe
2017-11-20 18:04 ` Jason Gunthorpe
2017-12-08 20:03 ` Ken Goldman
2017-12-08 20:18 ` Jason Gunthorpe
2017-12-08 19:58 ` Ken Goldman
2017-11-20 23:15 ` Jarkko Sakkinen
2017-11-21 9:07 ` Javier Martinez Canillas
2017-11-21 9:27 ` Javier Martinez Canillas
2017-11-21 12:30 ` Jarkko Sakkinen
2017-11-21 12:49 ` Javier Martinez Canillas
[not found] ` <DB638850A6A2434A93ECADDA0BC838905F09D5D9@ORSMSX103.amr.corp.intel.com>
2017-11-22 17:16 ` FW: " flihp
2017-11-22 19:25 ` Javier Martinez Canillas
2017-11-26 14:21 ` Jarkko Sakkinen
2017-11-29 11:26 ` Javier Martinez Canillas
2017-11-22 20:13 ` Jason Gunthorpe
2017-12-08 20:16 ` Ken Goldman
2017-12-08 20:20 ` Jason Gunthorpe
2017-11-26 14:18 ` Jarkko Sakkinen
2017-11-26 23:23 ` Javier Martinez Canillas
2017-11-26 14:14 ` Jarkko Sakkinen
2017-11-21 20:29 ` Roberts, William C
2017-11-22 9:26 ` Javier Martinez Canillas
2017-11-22 9:26 ` Javier Martinez Canillas
2017-11-26 14:12 ` Jarkko Sakkinen
2017-11-26 23:19 ` Javier Martinez Canillas
2017-12-08 20:11 ` Ken Goldman [this message]
2017-11-26 14:06 ` Jarkko Sakkinen
2017-12-08 20:20 ` Ken Goldman
2017-12-08 21:34 ` Javier Martinez Canillas
2017-12-17 16:47 ` Jarkko Sakkinen
2017-12-17 18:18 ` Javier Martinez Canillas
2017-12-22 17:38 ` Ken Goldman
2017-12-14 13:11 ` Jarkko Sakkinen
2017-12-08 19:51 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67662fe4-38f4-7b28-2806-3dbe94870f74@linux.vnet.ibm.com \
--to=kgold@linux.vnet.ibm.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=javierm@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.