linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Piotr Król" <piotr.krol@3mdeb.com>, linux-integrity@vger.kernel.org
Cc: Petr Vorel <pvorel@suse.cz>, Ken Goldman <kgold@linux.ibm.com>
Subject: Re: TPM 2.0 Linux sysfs interface
Date: Wed, 28 Aug 2019 11:03:01 -0400	[thread overview]
Message-ID: <1567004581.6115.33.camel@linux.ibm.com> (raw)
In-Reply-To: <3329329f-4bf4-b8cd-dee8-eb36e513c728@3mdeb.com>

[Cc'ing Petr Vorel]

Hi Piotr,

On Tue, 2019-08-27 at 01:24 +0200, Piotr Król wrote:
> Hi all,
> I'm moving here discussion that I started with Jarkko and Peter on LinkedIn.
> 
> I'm preparing for 2 talks during LPC 2019 System Boot MC and one of it
> will discuss TPM 2.0 sysfs support [1]. This was discussed couple times
> [2] and explained why it is not done yet by Jarkko [3].
> 
> Why is this important?
> - there seem to be no default method to distinguish if we dealing with
> TPM 1.2 or 2.0 in the system. 

Agreed, this affects both the LTP IMA tests and ima-evm-utils package,
which need to support both TPM 1.2 and 2.0 for the forseeable future.
The LTP IMA tests check different sysfs files to determine if it is
TPM 1.2 or TPM 2.0 (eg. /sys/class/tpm/tpm0/device/description,
/sys/class/tpm/tpm0/device/pcrs and /sys/class/misc/tpm0/device/pcrs),
but the "description" file is not defined by all TPM 2.0's.  It
shouldn't be that difficult to define a single common sysfs file.

> - distros use various tools to detect TPM based on sysfs (e.g. Qubes OS
> scripts)
> - tpm2-software has ton of dependencies, is not easy to build,
> development is way faster then distros can manage and packages are often
> out of date or even broken, so using it can be troublesome
> - for deeply embedded systems adding fully-featured tpm2-software
> doesn't make sense e.g. if we just need PCRs values
> 
> Jarkko comment on detecting 1.2 vs 2.0:
> "Detecting TPM 2.0 is dead easy: send any idempotent TPM 2.0 command and
> check if the tag field matches 0x8002 (TPM_NO_SESSIONS). The sysfs
> features for TPM 1.2 are for the large part useless as you can get the
> same data by using TPM commands."
> 
> Ok, but doesn't this mean I need TPM2 software stack?
> Peter mentioned that it can be tricky to invoke such tools early in boot
> process.

ima-evm-utils now uses the TPM 2.0 TSS[1] to read the PCRs.  I haven't
tried using it during boot, but I don't forsee a problem. I guess it
depends on how early you need to read the PCRs.

Mimi

[1] https://git.code.sf.net/p/ibmtpm20tss/tss

> 
> Finally, I do not feel expert in the field of Linux integrity and don't
> want to argue for sysfs if it doesn't make sense for TPM 2.0, but if
> that's the situation I would like to know what are the best practices to
> solve above issues. If you think there is something important to be
> discussed in above context please let me know.
> 
> [1] https://linuxplumbersconf.org/event/4/contributions/516/
> [2]
> https://patchwork.kernel.org/project/linux-integrity/list/?series=&submitter=&state=*&q=sysfs&archive=&delegate=
> [3] https://lwn.net/Articles/624241/
> 
> Best Regards,


  parent reply	other threads:[~2019-08-28 15:03 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-26 23:24 TPM 2.0 Linux sysfs interface Piotr Król
2019-08-27  1:05 ` Jason Gunthorpe
2019-08-28 15:53   ` Mimi Zohar
2019-08-28 16:15     ` Jason Gunthorpe
2019-08-30 21:20       ` Tadeusz Struk
2019-09-02 19:26         ` Jason Gunthorpe
2019-09-02 21:35           ` Mimi Zohar
2019-09-03  5:55             ` Jason Gunthorpe
2019-09-03 11:49               ` Mimi Zohar
2019-09-03 13:07                 ` Jason Gunthorpe
2019-09-03 13:23                   ` Mimi Zohar
2019-09-03 16:21                     ` Jarkko Sakkinen
2019-09-03 16:23               ` Tadeusz Struk
2019-09-03 22:40                 ` Jordan Hand
2019-09-03 23:29                   ` Mimi Zohar
2019-09-04  5:58                     ` Jason Gunthorpe
2019-09-04 11:30                       ` Mimi Zohar
2019-09-04 19:43                         ` Jason Gunthorpe
2019-09-04 20:26                           ` Mimi Zohar
2019-09-06 17:53                           ` Serge E. Hallyn
2019-08-28 15:03 ` Mimi Zohar [this message]
2019-08-28 17:15   ` Petr Vorel
2019-08-28 23:22   ` Piotr Król
2019-08-29  7:32     ` Petr Vorel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1567004581.6115.33.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=kgold@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=piotr.krol@3mdeb.com \
    --cc=pvorel@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).