From: "Marc-André Lureau" <marcandre.lureau@redhat.com>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout
Date: Fri, 27 May 2022 21:24:42 +0200
Message-ID: <CAMxuvax1PkLZb+Ms6n1wCyd8hHFsPQwi3xaM+RM0c1x7imQAzA@mail.gmail.com>
In-Reply-To: <20220527173058.226210-1-stefanb@linux.ibm.com>

Hi

On Fri, May 27, 2022 at 7:36 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> This series of patches resolves an issue with a TPM 2's dictionary attack
> lockout logic being triggered upon well-timed VM resets. Normally, the OS
> TPM driver sends a TPM2_Shutdown to the TPM 2 upon reboot and before a VM
> is reset. However, the OS driver cannot do this when the user resets a VM.
> In this case QEMU must send the command because otherwise several well-
> timed VM resets will trigger the TPM 2's dictionary attack (DA) logic and
> it will then refuse to do certain key-related operations until the DA
> logic has timed out.

How does real hardware deal with that situation? Shouldn't this
"shutdown"/reset logic be implemented on swtpm side instead, when
CMD_INIT is received? (when the VM is restarted)

>
> Regards,
>   Stefan
>
> Stefan Berger (2):
>   backends/tpm: Record the last command sent to the TPM
>   backends/tpm: Send TPM2_Shutdown upon VM reset
>
>  backends/tpm/tpm_emulator.c | 44 +++++++++++++++++++++++++++++++++++++
>  backends/tpm/tpm_int.h      |  3 +++
>  backends/tpm/tpm_util.c     |  9 ++++++++
>  backends/tpm/trace-events   |  1 +
>  include/sysemu/tpm_util.h   |  3 +++
>  5 files changed, 60 insertions(+)
>
> --
> 2.35.3
>
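The cover letter above describes the mechanism but not the wire-level detail. The following is an added illustration, not code from the posted series or from QEMU's backends/tpm: it encodes a TPM2_Shutdown command as laid out in the TCG TPM 2.0 Library specification (TPM_ST_NO_SESSIONS tag, big-endian commandSize and commandCode, a TPM_SU shutdownType parameter), records the command code of every command a hypothetical backend forwards (the role of patch 1/2), and on VM reset injects TPM2_Shutdown(TPM_SU_CLEAR) only when the guest's last command was not already a TPM2_Shutdown (the role of patch 2/2). The `struct tpm_backend`, `tpm_backend_*` and `tpm_reset_scenario` names, the skip-if-already-shut-down rule, and the constructed TPM2_GetRandom buffer are assumptions made for this example; how the posted patches actually decide is not visible on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants from the TCG TPM 2.0 Library specification, Part 2 (Structures). */
#define TPM_ST_NO_SESSIONS 0x8001u
#define TPM_ST_SESSIONS    0x8002u
#define TPM_CC_Shutdown    0x00000145u
#define TPM_CC_GetRandom   0x0000017Bu
#define TPM_SU_CLEAR       0x0000u
#define TPM_SU_STATE       0x0001u
#define TPM_HEADER_SIZE    10u   /* tag(2) + commandSize(4) + commandCode(4) */
#define TPM2_SHUTDOWN_SIZE 12u   /* header + shutdownType(2) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Extract commandCode from a TPM 2.0 command buffer. Returns 0 on success,
 * -1 if the header is short, the tag is unknown or commandSize disagrees
 * with the buffer length: a malformed command must not become "last command". */
int tpm_cmd_code(const uint8_t *buf, size_t len, uint32_t *cc)
{
    uint16_t tag;
    if (buf == NULL || len < TPM_HEADER_SIZE) return -1;
    tag = be16(buf);
    if (tag != TPM_ST_NO_SESSIONS && tag != TPM_ST_SESSIONS) return -1;
    if (be32(buf + 2) != len) return -1;
    *cc = be32(buf + 6);
    return 0;
}

/* Encode TPM2_Shutdown(shutdownType); out needs TPM2_SHUTDOWN_SIZE bytes. */
size_t tpm_build_shutdown(uint8_t *out, uint16_t shutdown_type)
{
    const uint8_t hdr[TPM_HEADER_SIZE] = {
        0x80, 0x01,             /* TPM_ST_NO_SESSIONS */
        0x00, 0x00, 0x00, 0x0c, /* commandSize = 12 */
        0x00, 0x00, 0x01, 0x45  /* TPM_CC_Shutdown */
    };
    memcpy(out, hdr, sizeof hdr);
    out[10] = (uint8_t)(shutdown_type >> 8);
    out[11] = (uint8_t)(shutdown_type & 0xff);
    return TPM2_SHUTDOWN_SIZE;
}

/* Hypothetical backend state (not QEMU's TPMEmulator): last command code
 * forwarded, plus a copy of the most recent buffer so it can be inspected. */
struct tpm_backend {
    uint32_t last_cmd;
    uint8_t  last_buf[64];
    size_t   last_len;
    int      shutdowns_sent;   /* TPM2_Shutdown commands the backend itself injected */
};

void tpm_backend_init(struct tpm_backend *b)
{
    memset(b, 0, sizeof *b);
    b->last_cmd = 0xffffffffu; /* no command sent yet */
}

/* Stand-in for the transport to the emulator: validate, record, "send". */
int tpm_backend_send(struct tpm_backend *b, const uint8_t *buf, size_t len)
{
    uint32_t cc;
    if (tpm_cmd_code(buf, len, &cc) != 0 || len > sizeof b->last_buf) return -1;
    memcpy(b->last_buf, buf, len);
    b->last_len = len;
    b->last_cmd = cc;          /* the record patch 1/2 introduces */
    return 0;
}

/* VM reset hook: supply the orderly TPM2_Shutdown the guest driver could not
 * send. Returns 1 if injected, 0 if skipped because the guest already shut
 * the TPM down (assumed rule), -1 on send failure. */
int tpm_backend_vm_reset(struct tpm_backend *b)
{
    uint8_t cmd[TPM2_SHUTDOWN_SIZE];
    size_t n;
    if (b->last_cmd == TPM_CC_Shutdown) return 0;
    n = tpm_build_shutdown(cmd, TPM_SU_CLEAR);
    if (tpm_backend_send(b, cmd, n) != 0) return -1;
    b->shutdowns_sent++;
    return 1;
}

/* Constructed scenario: guest issues TPM2_GetRandom(16), user resets twice. */
int tpm_reset_scenario(void)
{
    struct tpm_backend b;
    const uint8_t get_random[12] = {
        0x80, 0x01, 0x00, 0x00, 0x00, 0x0c,
        0x00, 0x00, 0x01, 0x7b, 0x00, 0x10
    };
    tpm_backend_init(&b);
    if (tpm_backend_send(&b, get_random, sizeof get_random) != 0) return -1;
    if (tpm_backend_vm_reset(&b) != 1) return -2;  /* first reset: inject */
    if (tpm_backend_vm_reset(&b) != 0) return -3;  /* second reset: skip */
    return b.shutdowns_sent;                        /* 1 */
}

int main(void)
{
    printf("TPM2_Shutdown commands injected: %d\n", tpm_reset_scenario());
    return 0;
}
```

The commandSize check in `tpm_cmd_code` matters because the backend is about to trust the recorded command code to decide whether to skip a Shutdown; a guest that can make the backend misclassify its last command could make the backend either skip a needed Shutdown or send a second one.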




Thread overview: 8+ messages
2022-05-27 17:30 [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Stefan Berger
2022-05-27 17:30 ` [PATCH 1/2] backends/tpm: Record the last command sent to the TPM Stefan Berger
2022-05-27 17:30 ` [PATCH 2/2] backends/tpm: Send TPM2_Shutdown upon VM reset Stefan Berger
2022-05-27 19:24 ` Marc-André Lureau [this message]
2022-05-27 19:31   ` [PATCH 0/2] backend/tpm: Resolve issue with TPM 2 DA lockout Stefan Berger
2022-05-28 17:23     ` Stefan Berger
2022-05-30  7:49       ` Marc-André Lureau
2022-05-30 16:41         ` Stefan Berger
