Subject: Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM
From: "David R. Bild"
Date: Thu, 10 May 2018 09:29:14 -0500
To: Jarkko Sakkinen
Cc: James Bottomley, philip.b.tricca@intel.com, Jason Gunthorpe, Greg Kroah-Hartman, Peter Huewe, linux-usb@vger.kernel.org, linux-integrity@vger.kernel.org
In-Reply-To: <20180510014433.GM6190@linux.intel.com>
References: <20180430125418.31344-1-david.bild@xaptum.com> <20180504130022.5231-3-david.bild@xaptum.com> <20180504190638.ikqhdvcqccakzdjd@ziepe.ca> <20180508105515.GB6132@linux.intel.com> <1525793148.3672.8.camel@HansenPartnership.com> <20180510014433.GM6190@linux.intel.com>

On Wed, May 9, 2018 at 8:44 PM, Jarkko Sakkinen wrote:
> On Tue, May 08, 2018 at 10:29:41AM -0500, David R. Bild wrote:
>> On Tue, May 8, 2018 at 10:25 AM, James Bottomley wrote:
>> >
>> > > On Fri, May 04, 2018 at 02:56:25PM -0500, David R. Bild wrote:
>> > [...]
>> > > > In particular, it sets the credentials for the platform hierarchy.
>> > > > The platform hierarchy is essentially the "root" account of the
>> > > > TPM, so it's critical that those credentials be set before the TPM
>> > > > is exposed to user-space.  (The platform credentials aren't
>> > > > persisted in the TPM and must be set by the platform on every
>> > > > boot.)  If the driver registers the TPM before doing
>> > > > initialization, there's a chance that something else could access
>> > > > the TPM before the platform credentials get set.
>> >
>
> Who is able to test these changes if we even consider pulling them?

I can send you and the other maintainers cards to test with. That's
dead simple.  (With a USB-A plug, not mini PCI-e, so you can plug it
into any computer.)

They won't have the Xaptum credentials pre-provisioned, and will just
function as normal TPMs.

> I do not have such a card so it will be hard to accept also given
> that it is more intrusive change than usual.

The current approach (the driver does all the initialization) requires
no changes to the TPM driver.  Only someone who buys our card will
ever run that code, so it doesn't impact anyone else.

Best,
David
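The platform initialization the thread argues about comes down to one TPM command: TPM2_HierarchyChangeAuth on TPM_RH_PLATFORM. The following is an added example, not code from the xapea00x driver or the kernel TPM core, that marshals that command on the wire with a password session and parses the TPM's response header. The constants and field layout are from the TPM 2.0 Library Specification; the 32-byte new auth value and the two sample responses are constructed for the example. It also shows why the ordering matters: right after TPM2_Startup the platform auth is the empty buffer, so the first such command carries no current password at all, and whichever caller reaches the device first can set it.

```c
/* Added example, not from the xapea00x driver or the kernel TPM core.
 * Builds TPM2_HierarchyChangeAuth(TPM_RH_PLATFORM, newAuth) on the wire
 * and parses the response header.  Constants follow the TPM 2.0 Library
 * Specification (Part 2 Structures / Part 3 Commands).                  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ST_NO_SESSIONS           0x8001u
#define TPM_ST_SESSIONS              0x8002u
#define TPM_CC_HIERARCHY_CHANGE_AUTH 0x00000129u
#define TPM_RH_PLATFORM              0x4000000Cu
#define TPM_RS_PW                    0x40000009u  /* password-session handle */
#define TPM_RC_SUCCESS               0x00000000u
#define RSP_MALFORMED                0xFFFFFFFFu  /* local sentinel, not a TPM_RC */

static uint8_t *put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return p + 2; }
static uint8_t *put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; return p + 4; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Marshal the command.  Layout (all big-endian):
 *   header:  tag | commandSize | commandCode
 *   handles: authHandle = TPM_RH_PLATFORM
 *   authorizationSize, then one TPMS_AUTH_COMMAND proving the *current*
 *   platformAuth with a password session (empty right after TPM2_Startup)
 *   parameters: newAuth as TPM2B_AUTH
 * Returns the command length, or 0 if it would not fit or an auth is oversized. */
size_t build_platform_change_auth(const uint8_t *cur_auth, uint16_t cur_len,
                                  const uint8_t *new_auth, uint16_t new_len,
                                  uint8_t *out, size_t out_cap)
{
    size_t auth_area = 4 + 2 + 1 + 2 + cur_len;        /* session, nonce, attrs, hmac */
    size_t total = 10 + 4 + 4 + auth_area + 2 + new_len;
    if (new_len > 64 || cur_len > 64 || total > out_cap) /* TPM2B_AUTH is bounded by the largest digest */
        return 0;
    uint8_t *p = out;
    p = put16(p, TPM_ST_SESSIONS);
    p = put32(p, (uint32_t)total);
    p = put32(p, TPM_CC_HIERARCHY_CHANGE_AUTH);
    p = put32(p, TPM_RH_PLATFORM);
    p = put32(p, (uint32_t)auth_area);
    p = put32(p, TPM_RS_PW);
    p = put16(p, 0);                 /* nonce: empty for a password session */
    *p++ = 0;                        /* sessionAttributes: none set */
    p = put16(p, cur_len);           /* "hmac" field carries the plain current password */
    if (cur_len) { memcpy(p, cur_auth, cur_len); p += cur_len; }
    p = put16(p, new_len);
    memcpy(p, new_auth, new_len);    p += new_len;
    return (size_t)(p - out);
}

/* Parse a response header and return its responseCode, or RSP_MALFORMED if the
 * buffer cannot be trusted: short, responseSize disagreeing with what was read,
 * unknown tag, or a failure code not carried in the 10-byte TPM_ST_NO_SESSIONS
 * form the spec mandates for failed commands. */
uint32_t parse_response_code(const uint8_t *rsp, size_t len)
{
    if (len < 10) return RSP_MALFORMED;
    uint16_t tag  = get16(rsp);
    uint32_t size = get32(rsp + 2);
    uint32_t rc   = get32(rsp + 6);
    if (size != len) return RSP_MALFORMED;
    if (tag != TPM_ST_SESSIONS && tag != TPM_ST_NO_SESSIONS) return RSP_MALFORMED;
    if (rc != TPM_RC_SUCCESS && (tag != TPM_ST_NO_SESSIONS || size != 10)) return RSP_MALFORMED;
    return rc;
}

/* Constructed sample responses (not captured from hardware). */
const uint8_t SAMPLE_RSP_OK[19] = {
    0x80, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, /* tag, size, rc */
    0x00, 0x00, 0x00, 0x00,                                     /* parameterSize = 0 */
    0x00, 0x00, 0x00, 0x00, 0x00 };                             /* nonce, attrs, hmac */
const uint8_t SAMPLE_RSP_AUTH_FAIL[10] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x09, 0x8E }; /* TPM_RC_AUTH_FAIL, session 1 */

/* Build the first-boot command (empty current platformAuth, 32-byte new one)
 * and check the field offsets against the layout above.  Returns 1 if all match. */
int check_first_boot_command(void)
{
    uint8_t new_auth[32];
    uint8_t cmd[128];
    for (int i = 0; i < 32; i++) new_auth[i] = (uint8_t)(0xA5 ^ i); /* constructed value */
    size_t n = build_platform_change_auth(NULL, 0, new_auth, 32, cmd, sizeof cmd);
    return n == 61
        && get16(cmd) == TPM_ST_SESSIONS
        && get32(cmd + 2) == 61
        && get32(cmd + 6) == TPM_CC_HIERARCHY_CHANGE_AUTH
        && get32(cmd + 10) == TPM_RH_PLATFORM
        && get32(cmd + 14) == 9                       /* authorizationSize */
        && get32(cmd + 18) == TPM_RS_PW
        && get16(cmd + 25) == 0                       /* empty current password */
        && get16(cmd + 27) == 32
        && memcmp(cmd + 29, new_auth, 32) == 0;
}

int main(void)
{
    printf("first-boot command layout: %s\n", check_first_boot_command() ? "ok" : "BAD");
    printf("sample ok response   -> rc 0x%08x\n", parse_response_code(SAMPLE_RSP_OK, sizeof SAMPLE_RSP_OK));
    printf("sample fail response -> rc 0x%08x\n", parse_response_code(SAMPLE_RSP_AUTH_FAIL, sizeof SAMPLE_RSP_AUTH_FAIL));
    return 0;
}
```

Sending this buffer through /dev/tpm0 from userspace (tpm2-tools' tpm2_changeauth does the same) is precisely the race the driver is meant to close: once the device node exists, any process that gets there first can issue it with an empty current password. Doing it in the driver before the chip is registered means there is no window in which userspace can see an unowned platform hierarchy.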