linux-integrity.vger.kernel.org archive mirror
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Stefan Berger <stefanb@linux.ibm.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Peter Huewe <PeterHuewe@gmx.de>, Jason Gunthorpe <jgg@ziepe.ca>,
	Tomas Winkler <tomas.winkler@intel.com>,
	Tadeusz Struk <tadeusz.struk@intel.com>,
	Stefan Berger <stefanb@linux.vnet.ibm.com>,
	Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH v10 00/17] Remove nested TPM operations
Date: Thu, 31 Jan 2019 18:11:55 +0200
Message-ID: <20190131161155.GF5629@linux.intel.com>
In-Reply-To: <1548894522.2774.28.camel@HansenPartnership.com>

On Wed, Jan 30, 2019 at 04:28:42PM -0800, James Bottomley wrote:
> On Tue, 2019-01-29 at 14:31 +0200, Jarkko Sakkinen wrote:
> > On Wed, Jan 23, 2019 at 01:53:44PM -0500, Stefan Berger wrote:
> > > On 1/23/19 1:20 PM, Jarkko Sakkinen wrote:
> > > > On Wed, Jan 16, 2019 at 11:23:25PM +0200, Jarkko Sakkinen wrote:
> > > > > > Make the changes necessary to detach TPM space code and TPM
> > > > > > activation code out of the tpm_transmit() flow because both of
> > > > > > these can cause nested tpm_transmit() calls. The nested calls
> > > > > > make the whole flow hard to maintain, and thus, it is better to
> > > > > > just fix things now before this turns into a bigger mess.
> > > > 
> > > > Any reasons not to merge this soon?
> > > 
> > > > I suppose v10 hasn't changed anything significant. So, not from my
> > > perspective. Were you waiting for more Reviewed-by's?
> > 
> > Yeah, for example TPM space touching changes would be good to peer
> > check with James. I could have easily forgotten some implementation
> > > detail, and it has been a very stable piece of code, so don't want
> > > to break it. Guess won't yet try to put this in v5.1.
> 
> So the implementation detail I was looking for: internal kernel use of
> tpm_transmit_cmd() without tpm_find/try_get_ops() doesn't seem to
> exist, so I think this is all safe.  You can add my
> 
> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Thank you. I'll send a new revision soonish.

> But I've got to say I can't test this yet because you've made a huge
> problem for me in the tpm security patches: they introduce a kernel
> space which now becomes somewhat problematic because the space handling
> moved into the device common code.  To get both these things to work
> together so I can test it, space handling is going to have to come
> slightly down from device common code so the kernel can use it.

Yeah, obviously. I'll apply these patches right after the next PR so
you will have a more stable platform to work on after that. Stefan
has tested these, and then there is one full cycle to fix details
if we find issues.

/Jarkko


Thread overview: 33+ messages
2019-01-16 21:23 [PATCH v10 00/17] Remove nested TPM operations Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 01/17] tpm: use tpm_buf in tpm_transmit_cmd() as the IO parameter Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 02/17] tpm: fix invalid return value in pubek_show() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 03/17] tpm: return 0 from pcrs_show() when tpm1_pcr_read() fails Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 04/17] tpm: print tpm2_commit_space() error inside tpm2_commit_space() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 05/17] tpm: declare struct tpm_header Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 06/17] tpm: access command header through struct in tpm_try_transmit() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 07/17] tpm: encapsulate tpm_dev_transmit() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 08/17] tpm: call tpm2_flush_space() on error in tpm_try_transmit() Jarkko Sakkinen
2019-01-29 17:06   ` James Bottomley
2019-01-29 18:53     ` Jarkko Sakkinen
2019-01-29 19:02       ` James Bottomley
2019-01-29 21:11         ` Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 09/17] tpm: clean up tpm_try_transmit() error handling flow Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 10/17] tpm: move tpm_validate_commmand() to tpm2-space.c Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 11/17] tpm: move TPM space code out of tpm_transmit() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 12/17] tpm: remove @space from tpm_transmit() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 13/17] tpm: use tpm_try_get_ops() in tpm-sysfs.c Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 14/17] tpm: remove TPM_TRANSMIT_UNLOCKED flag Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 15/17] tpm: introduce tpm_chip_start() and tpm_chip_stop() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 16/17] tpm: take TPM chip power gating out of tpm_transmit() Jarkko Sakkinen
2019-01-16 21:23 ` [PATCH v10 17/17] tpm: remove @flags from tpm_transmit() Jarkko Sakkinen
2019-01-23 18:20 ` [PATCH v10 00/17] Remove nested TPM operations Jarkko Sakkinen
2019-01-23 18:53   ` Stefan Berger
2019-01-23 18:59     ` Winkler, Tomas
2019-01-29 12:33       ` Jarkko Sakkinen
2019-01-29 14:16         ` Winkler, Tomas
2019-01-29 18:30           ` Jarkko Sakkinen
2019-01-29 12:31     ` Jarkko Sakkinen
2019-01-31  0:28       ` James Bottomley
2019-01-31 16:11         ` Jarkko Sakkinen [this message]
2019-01-25  1:05 ` Jerry Snitselaar
2019-01-29 12:33   ` Jarkko Sakkinen
