linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Piotr Król" <piotr.krol@3mdeb.com>,
	linux-integrity@vger.kernel.org,
	"Ken Goldman" <kgold@linux.ibm.com>
Subject: Re: TPM 2.0 Linux sysfs interface
Date: Wed, 28 Aug 2019 19:15:44 +0200	[thread overview]
Message-ID: <20190828171544.GA20276@dell5510> (raw)
In-Reply-To: <1567004581.6115.33.camel@linux.ibm.com>

Hi Mimi, Piotr,

> [Cc'ing Petr Vorel]
Thanks Mimi.

> Hi Piotr,

> On Tue, 2019-08-27 at 01:24 +0200, Piotr Król wrote:
> > Hi all,
> > I'm moving here discussion that I started with Jarkko and Peter on LinkedIn.

> > I'm preparing for 2 talks during LPC 2019 System Boot MC and one of it
> > will discuss TPM 2.0 sysfs support [1]. This was discussed couple times
> > [2] and explained why it is not done yet by Jarkko [3].

> > Why is this important?
> > - there seem to be no default method to distinguish if we dealing with
> > TPM 1.2 or 2.0 in the system. 

> Agreed, this affects both the LTP IMA tests and ima-evm-utils package,
> which need to support both TPM 1.2 and 2.0 for the forseeable future.
> The LTP IMA tests check different sysfs files to determine if it is
> TPM 1.2 or TPM 2.0 (eg. /sys/class/tpm/tpm0/device/description,
> /sys/class/tpm/tpm0/device/pcrs and /sys/class/misc/tpm0/device/pcrs),
> but the "description" file is not defined by all TPM 2.0's.  It
> shouldn't be that difficult to define a single common sysfs file.
+1. I'd appreciate have simple /sys/class/tpm/tpm0/version file.

> > - distros use various tools to detect TPM based on sysfs (e.g. Qubes OS
> > scripts)
> > - tpm2-software has ton of dependencies, is not easy to build,
> > development is way faster then distros can manage and packages are often
> > out of date or even broken, so using it can be troublesome
> > - for deeply embedded systems adding fully-featured tpm2-software
> > doesn't make sense e.g. if we just need PCRs values

> > Jarkko comment on detecting 1.2 vs 2.0:
> > "Detecting TPM 2.0 is dead easy: send any idempotent TPM 2.0 command and
> > check if the tag field matches 0x8002 (TPM_NO_SESSIONS). The sysfs
> > features for TPM 1.2 are for the large part useless as you can get the
> > same data by using TPM commands."

> > Ok, but doesn't this mean I need TPM2 software stack?
> > Peter mentioned that it can be tricky to invoke such tools early in boot
> > process.

> ima-evm-utils now uses the TPM 2.0 TSS[1] to read the PCRs.  I haven't
> tried using it during boot, but I don't forsee a problem. I guess it
> depends on how early you need to read the PCRs.
I'd prefer using library instead of tsspcrread binary ("tsspcrread -halg sha1
-ha %d -ns 2> /dev/null"; better link to shared lib than depend on presence of
binary), but looking into ibmtpm20tss-tss git the functionality is really
provided only in tsspcrread (utils/pcrread.c).
I'd expect it'd be in libibmtss.so.0 or libibmtssutils.so.0, but it's not :(.

> Mimi

> [1] https://git.code.sf.net/p/ibmtpm20tss/tss

Kind regards,
Petr

  reply	other threads:[~2019-08-28 17:15 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-26 23:24 TPM 2.0 Linux sysfs interface Piotr Król
2019-08-27  1:05 ` Jason Gunthorpe
2019-08-28 15:53   ` Mimi Zohar
2019-08-28 16:15     ` Jason Gunthorpe
2019-08-30 21:20       ` Tadeusz Struk
2019-09-02 19:26         ` Jason Gunthorpe
2019-09-02 21:35           ` Mimi Zohar
2019-09-03  5:55             ` Jason Gunthorpe
2019-09-03 11:49               ` Mimi Zohar
2019-09-03 13:07                 ` Jason Gunthorpe
2019-09-03 13:23                   ` Mimi Zohar
2019-09-03 16:21                     ` Jarkko Sakkinen
2019-09-03 16:23               ` Tadeusz Struk
2019-09-03 22:40                 ` Jordan Hand
2019-09-03 23:29                   ` Mimi Zohar
2019-09-04  5:58                     ` Jason Gunthorpe
2019-09-04 11:30                       ` Mimi Zohar
2019-09-04 19:43                         ` Jason Gunthorpe
2019-09-04 20:26                           ` Mimi Zohar
2019-09-06 17:53                           ` Serge E. Hallyn
2019-08-28 15:03 ` Mimi Zohar
2019-08-28 17:15   ` Petr Vorel [this message]
2019-08-28 23:22   ` Piotr Król
2019-08-29  7:32     ` Petr Vorel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190828171544.GA20276@dell5510 \
    --to=pvorel@suse.cz \
    --cc=kgold@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=piotr.krol@3mdeb.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).