From: Dan Williams <dan.j.williams@intel.com>
To: James Bottomley <jejb@linux.ibm.com>
Cc: "linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Subject: Re: [PATCH] security/keys/trusted: Allow operation without hardware TPM
Date: Tue, 19 Mar 2019 18:55:59 -0700 [thread overview]
Message-ID: <CAPcyv4hXKQcdLnKG6rPNOJr2wjq31uCCr+16S5Yu6S5A_5UGrA@mail.gmail.com> (raw)
In-Reply-To: <1552956989.2785.31.camel@linux.ibm.com>
On Mon, Mar 18, 2019 at 5:56 PM James Bottomley <jejb@linux.ibm.com> wrote:
>
> On Mon, 2019-03-18 at 17:30 -0700, Dan Williams wrote:
> > On Mon, Mar 18, 2019 at 5:24 PM James Bottomley <jejb@linux.ibm.com>
> > wrote:
> > >
> > > On Mon, 2019-03-18 at 16:45 -0700, Dan Williams wrote:
> > > > Rather than fail initialization of the trusted.ko module, arrange
> > > > for the module to load, but rely on trusted_instantiate() to fail
> > > > trusted-key operations.
> > >
> > > What actual problem is this fixing? To me it would seem like an
> > > enhancement to make the trusted module fail at load time if there's
> > > no TPM rather than waiting until first use to find out it can never
> > > work. Is there some piece of user code that depends on the
> > > successful insertion of trusted.ko?
> >
> > The module dependency chain relies on it. If that can be broken that
> > would also be an acceptable fix.
> >
> > I found this through the following dependency chain: libnvdimm.ko ->
> > encrypted_keys.ko -> trusted.ko.
> >
> > "key_type_trusted" is the symbol that encrypted_keys needs regardless
> > of whether the tpm is present.
>
> That's a nasty dependency caused by every key type module exporting a
> symbol for its key type. It really seems that key types should be
> looked up by name not symbol to prevent more of these dependency issues
> from spreading. Something like this (untested and definitely won't
> work without doing an EXPORT_SYMBOL on key_type_lookup).
>
> If it does look acceptable we can also disentangle the nasty module
> dependencies in the encrypted key code around masterkey which alone
> should be a huge improvement because that code is too hacky to live.
>
> James
>
> ---
> diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c
> index dc3d18cae642..b98416f091e2 100644
> --- a/security/keys/encrypted-keys/masterkey_trusted.c
> +++ b/security/keys/encrypted-keys/masterkey_trusted.c
> @@ -19,6 +19,7 @@
> #include <keys/trusted-type.h>
> #include <keys/encrypted-type.h>
> #include "encrypted.h"
> +#include "../internal.h"
>
> /*
> * request_trusted_key - request the trusted key
> @@ -32,8 +33,14 @@ struct key *request_trusted_key(const char *trusted_desc,
> {
> struct trusted_key_payload *tpayload;
> struct key *tkey;
> + struct key_type *type;
>
> - tkey = request_key(&key_type_trusted, trusted_desc, NULL);
> + type = key_type_lookup("trusted");
> + if (IS_ERR(type)) {
> + tkey = (struct key *)type;
> + goto error;
> + }
> + tkey = request_key(type, trusted_desc, NULL);
> if (IS_ERR(tkey))
> goto error;
This falls over with the need to pin the module while any key that
needs service from the hosting key_type operations might be live in
the system.
I could hang a "struct module *" off of the key_type so the host
module can be pinned, but that requires teaching all consumers of the
key_type module lifetime. Not impossible, but I think too big for a
fix, and I'd rather go with this local fixup to drop the dependency on
tpm_default_chip() successfully enumerating a TPM.
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: James Bottomley <jejb@linux.ibm.com>
Cc: "linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Subject: Re: [PATCH] security/keys/trusted: Allow operation without hardware TPM
Date: Wed, 20 Mar 2019 01:55:59 +0000 [thread overview]
Message-ID: <CAPcyv4hXKQcdLnKG6rPNOJr2wjq31uCCr+16S5Yu6S5A_5UGrA@mail.gmail.com> (raw)
In-Reply-To: <1552956989.2785.31.camel@linux.ibm.com>
On Mon, Mar 18, 2019 at 5:56 PM James Bottomley <jejb@linux.ibm.com> wrote:
>
> On Mon, 2019-03-18 at 17:30 -0700, Dan Williams wrote:
> > On Mon, Mar 18, 2019 at 5:24 PM James Bottomley <jejb@linux.ibm.com>
> > wrote:
> > >
> > > On Mon, 2019-03-18 at 16:45 -0700, Dan Williams wrote:
> > > > Rather than fail initialization of the trusted.ko module, arrange
> > > > for the module to load, but rely on trusted_instantiate() to fail
> > > > trusted-key operations.
> > >
> > > What actual problem is this fixing? To me it would seem like an
> > > enhancement to make the trusted module fail at load time if there's
> > > no TPM rather than waiting until first use to find out it can never
> > > work. Is there some piece of user code that depends on the
> > > successful insertion of trusted.ko?
> >
> > The module dependency chain relies on it. If that can be broken that
> > would also be an acceptable fix.
> >
> > I found this through the following dependency chain: libnvdimm.ko ->
> > encrypted_keys.ko -> trusted.ko.
> >
> > "key_type_trusted" is the symbol that encrypted_keys needs regardless
> > of whether the tpm is present.
>
> That's a nasty dependency caused by every key type module exporting a
> symbol for its key type. It really seems that key types should be
> looked up by name not symbol to prevent more of these dependency issues
> from spreading. Something like this (untested and definitely won't
> work without doing an EXPORT_SYMBOL on key_type_lookup).
>
> If it does look acceptable we can also disentangle the nasty module
> dependencies in the encrypted key code around masterkey which alone
> should be a huge improvement because that code is too hacky to live.
>
> James
>
> ---
> diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c
> index dc3d18cae642..b98416f091e2 100644
> --- a/security/keys/encrypted-keys/masterkey_trusted.c
> +++ b/security/keys/encrypted-keys/masterkey_trusted.c
> @@ -19,6 +19,7 @@
> #include <keys/trusted-type.h>
> #include <keys/encrypted-type.h>
> #include "encrypted.h"
> +#include "../internal.h"
>
> /*
> * request_trusted_key - request the trusted key
> @@ -32,8 +33,14 @@ struct key *request_trusted_key(const char *trusted_desc,
> {
> struct trusted_key_payload *tpayload;
> struct key *tkey;
> + struct key_type *type;
>
> - tkey = request_key(&key_type_trusted, trusted_desc, NULL);
> + type = key_type_lookup("trusted");
> + if (IS_ERR(type)) {
> + tkey = (struct key *)type;
> + goto error;
> + }
> + tkey = request_key(type, trusted_desc, NULL);
> if (IS_ERR(tkey))
> goto error;
This falls over with the need to pin the module while any key that
needs service from the hosting key_type operations might be live in
the system.
I could hang a "struct module *" off of the key_type so the host
module can be pinned, but that requires teaching all consumers of the
key_type module lifetime. Not impossible, but I think too big for a
fix, and I'd rather go with this local fixup to drop the dependency on
tpm_default_chip() successfully enumerating a TPM.
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: James Bottomley <jejb@linux.ibm.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
"linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org
Subject: Re: [PATCH] security/keys/trusted: Allow operation without hardware TPM
Date: Tue, 19 Mar 2019 18:55:59 -0700 [thread overview]
Message-ID: <CAPcyv4hXKQcdLnKG6rPNOJr2wjq31uCCr+16S5Yu6S5A_5UGrA@mail.gmail.com> (raw)
In-Reply-To: <1552956989.2785.31.camel@linux.ibm.com>
On Mon, Mar 18, 2019 at 5:56 PM James Bottomley <jejb@linux.ibm.com> wrote:
>
> On Mon, 2019-03-18 at 17:30 -0700, Dan Williams wrote:
> > On Mon, Mar 18, 2019 at 5:24 PM James Bottomley <jejb@linux.ibm.com>
> > wrote:
> > >
> > > On Mon, 2019-03-18 at 16:45 -0700, Dan Williams wrote:
> > > > Rather than fail initialization of the trusted.ko module, arrange
> > > > for the module to load, but rely on trusted_instantiate() to fail
> > > > trusted-key operations.
> > >
> > > What actual problem is this fixing? To me it would seem like an
> > > enhancement to make the trusted module fail at load time if there's
> > > no TPM rather than waiting until first use to find out it can never
> > > work. Is there some piece of user code that depends on the
> > > successful insertion of trusted.ko?
> >
> > The module dependency chain relies on it. If that can be broken that
> > would also be an acceptable fix.
> >
> > I found this through the following dependency chain: libnvdimm.ko ->
> > encrypted_keys.ko -> trusted.ko.
> >
> > "key_type_trusted" is the symbol that encrypted_keys needs regardless
> > of whether the tpm is present.
>
> That's a nasty dependency caused by every key type module exporting a
> symbol for its key type. It really seems that key types should be
> looked up by name not symbol to prevent more of these dependency issues
> from spreading. Something like this (untested and definitely won't
> work without doing an EXPORT_SYMBOL on key_type_lookup).
>
> If it does look acceptable we can also disentangle the nasty module
> dependencies in the encrypted key code around masterkey which alone
> should be a huge improvement because that code is too hacky to live.
>
> James
>
> ---
> diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c
> index dc3d18cae642..b98416f091e2 100644
> --- a/security/keys/encrypted-keys/masterkey_trusted.c
> +++ b/security/keys/encrypted-keys/masterkey_trusted.c
> @@ -19,6 +19,7 @@
> #include <keys/trusted-type.h>
> #include <keys/encrypted-type.h>
> #include "encrypted.h"
> +#include "../internal.h"
>
> /*
> * request_trusted_key - request the trusted key
> @@ -32,8 +33,14 @@ struct key *request_trusted_key(const char *trusted_desc,
> {
> struct trusted_key_payload *tpayload;
> struct key *tkey;
> + struct key_type *type;
>
> - tkey = request_key(&key_type_trusted, trusted_desc, NULL);
> + type = key_type_lookup("trusted");
> + if (IS_ERR(type)) {
> + tkey = (struct key *)type;
> + goto error;
> + }
> + tkey = request_key(type, trusted_desc, NULL);
> if (IS_ERR(tkey))
> goto error;
This falls over with the need to pin the module while any key that
needs service from the hosting key_type operations might be live in
the system.
I could hang a "struct module *" off of the key_type so the host
module can be pinned, but that requires teaching all consumers of the
key_type module lifetime. Not impossible, but I think too big for a
fix, and I'd rather go with this local fixup to drop the dependency on
tpm_default_chip() successfully enumerating a TPM.
next prev parent reply other threads:[~2019-03-20 1:56 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-18 23:45 [PATCH] security/keys/trusted: Allow operation without hardware TPM Dan Williams
2019-03-18 23:45 ` Dan Williams
2019-03-18 23:45 ` Dan Williams
[not found] ` <155295271345.1945351.6465460744078693578.stgit-p8uTFz9XbKj2zm6wflaqv1nYeNYlB/vhral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2019-03-19 0:24 ` James Bottomley
2019-03-19 0:24 ` James Bottomley
2019-03-19 0:24 ` James Bottomley
2019-03-19 0:30 ` Dan Williams
2019-03-19 0:30 ` Dan Williams
2019-03-19 0:30 ` Dan Williams
[not found] ` <CAA9_cmcOD2zPaaNbkYAaH5DRDRAebPkW+hwPA0zPKY4kU8R-rg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2019-03-19 0:56 ` James Bottomley
2019-03-19 0:56 ` James Bottomley
2019-03-19 0:56 ` James Bottomley
2019-03-19 1:34 ` Dan Williams
2019-03-19 1:34 ` Dan Williams
2019-03-19 1:34 ` Dan Williams
2019-03-20 1:55 ` Dan Williams [this message]
2019-03-20 1:55 ` Dan Williams
2019-03-20 1:55 ` Dan Williams
[not found] ` <CAPcyv4hXKQcdLnKG6rPNOJr2wjq31uCCr+16S5Yu6S5A_5UGrA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2019-03-20 2:19 ` James Bottomley
2019-03-20 2:19 ` James Bottomley
2019-03-20 2:19 ` James Bottomley
2019-03-19 22:56 ` Mimi Zohar
2019-03-19 22:56 ` Mimi Zohar
2019-03-19 22:56 ` Mimi Zohar
2019-03-19 23:01 ` Dan Williams
2019-03-19 23:01 ` Dan Williams
2019-03-19 23:01 ` Dan Williams
2019-03-21 13:54 ` Jarkko Sakkinen
2019-03-21 13:54 ` Jarkko Sakkinen
2019-03-21 13:54 ` Jarkko Sakkinen
2019-03-21 14:26 ` Roberto Sassu
2019-03-21 14:26 ` Roberto Sassu
2019-03-21 14:26 ` Roberto Sassu
2019-03-21 16:30 ` Dan Williams
2019-03-21 16:30 ` Dan Williams
2019-03-21 16:30 ` Dan Williams
[not found] ` <CAPcyv4gc_KWedC12bTcX24KwjKiBCF=yvouRNzCbJKaLrgJdDg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2019-03-21 17:45 ` Roberto Sassu
2019-03-21 17:45 ` Roberto Sassu
2019-03-21 17:45 ` Roberto Sassu
2019-03-22 10:12 ` Jarkko Sakkinen
2019-03-22 10:12 ` Jarkko Sakkinen
2019-03-22 15:24 ` Dan Williams
2019-03-22 15:24 ` Dan Williams
2019-03-22 15:24 ` Dan Williams
2019-03-25 14:12 ` Jarkko Sakkinen
2019-03-25 14:12 ` Jarkko Sakkinen
2019-03-25 14:12 ` Jarkko Sakkinen
2019-03-25 14:50 ` Jarkko Sakkinen
2019-03-25 14:50 ` Jarkko Sakkinen
2019-03-25 14:50 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPcyv4hXKQcdLnKG6rPNOJr2wjq31uCCr+16S5Yu6S5A_5UGrA@mail.gmail.com \
--to=dan.j.williams@intel.com \
--cc=dhowells@redhat.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jejb@linux.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvdimm@lists.01.org \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.