linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v1] add longer timeout for verify signature command
@ 2021-05-10 14:27 amirmizi6
  2021-05-10 14:27 ` [PATCH v1] tpm2: " amirmizi6
  0 siblings, 1 reply; 3+ messages in thread
From: amirmizi6 @ 2021-05-10 14:27 UTC (permalink / raw)
  To: Eyal.Cohen, jarkko.sakkinen, peterhuewe, jgg
  Cc: linux-kernel, linux-integrity, Dan.Morav, oren.tanami,
	shmulik.hager, amir.mizinski, Amir Mizinski

From: Amir Mizinski <amirmizi6@gmail.com>

while testing TPM2_CC_VERIFY_SIGNATURE with usage of RSA 3070-bit keys i
encountered a timeout error. it seems current values do not support this case
as described in ptp 1.05 6.5.1.3:
https://trustedcomputinggroup.org/wp-content/uploads/PC_Client_Specific-Platform_TPM_Profile_for-PTP_2p0-v1p05p_r14_pub.pdf

The patch was tested on Raspberry-Pie 3, using Nuvoton NPCT75X TPM.


Amir Mizinski (1):
  tpm2: add longer timout for verify signature command

 drivers/char/tpm/tpm2-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.7.4


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH v1] tpm2: add longer timeout for verify signature command
  2021-05-10 14:27 [PATCH v1] add longer timeout for verify signature command amirmizi6
@ 2021-05-10 14:27 ` amirmizi6
  2021-05-10 17:51   ` Jarkko Sakkinen
  0 siblings, 1 reply; 3+ messages in thread
From: amirmizi6 @ 2021-05-10 14:27 UTC (permalink / raw)
  To: Eyal.Cohen, jarkko.sakkinen, peterhuewe, jgg
  Cc: linux-kernel, linux-integrity, Dan.Morav, oren.tanami,
	shmulik.hager, amir.mizinski, Amir Mizinski

From: Amir Mizinski <amirmizi6@gmail.com>

TPM2_CC_VERIFY_SIGNATURE(0x177) Current timeout does not apply to usage with
RSA 3070-bit keys.
Additional time may be required for usage with RSA 3070-bit keys. Therefore, the
timeout of TPM2_CC_VERIFY_SIGNATURE is set to 3 minutes (TPM_LONG_LONG).

Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>
---
 drivers/char/tpm/tpm2-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index eff1f12..235a454 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -87,7 +87,7 @@ static u8 tpm2_ordinal_duration_index(u32 ordinal)
 		return TPM_MEDIUM;
 
 	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
-		return TPM_LONG;
+		return TPM_LONG_LONG;
 
 	case TPM2_CC_PCR_EXTEND:              /* 182 */
 		return TPM_MEDIUM;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v1] tpm2: add longer timeout for verify signature command
  2021-05-10 14:27 ` [PATCH v1] tpm2: " amirmizi6
@ 2021-05-10 17:51   ` Jarkko Sakkinen
  0 siblings, 0 replies; 3+ messages in thread
From: Jarkko Sakkinen @ 2021-05-10 17:51 UTC (permalink / raw)
  To: amirmizi6
  Cc: Eyal.Cohen, jarkko.sakkinen, peterhuewe, jgg, linux-kernel,
	linux-integrity, Dan.Morav, oren.tanami, shmulik.hager,
	amir.mizinski

On Mon, May 10, 2021 at 05:27:19PM +0300, amirmizi6@gmail.com wrote:
> From: Amir Mizinski <amirmizi6@gmail.com>
> 
> TPM2_CC_VERIFY_SIGNATURE(0x177) Current timeout does not apply to usage with
> RSA 3070-bit keys.

I don't understand what this sentence means.

Better excuse for making the whole change would be to:

1. If possible put a snippet of the klog transcript what happens to you.
2. You probably want rationalize this change for the reason that, since the
   TPM PC Client specification does not specify any specific number, and
   you have a corner case to show, it's best to pick the longest timeout,
   i.e. TPM_LONG_LONG.

> Additional time may be required for usage with RSA 3070-bit keys. Therefore, the
> timeout of TPM2_CC_VERIFY_SIGNATURE is set to 3 minutes (TPM_LONG_LONG).
> 
> Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>

Please, re-phrase : "Set duration for TPM2_CC_VERIFY_SIGNATUE to
TPM_LONG_LONG (3 minutes)".  Imperative way to express things is always
better, and "timeout" is a concept of its own, separate from "duration" in
TPM jargon.

> ---
>  drivers/char/tpm/tpm2-cmd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index eff1f12..235a454 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -87,7 +87,7 @@ static u8 tpm2_ordinal_duration_index(u32 ordinal)
>  		return TPM_MEDIUM;
>  
>  	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
> -		return TPM_LONG;
> +		return TPM_LONG_LONG;
>  
>  	case TPM2_CC_PCR_EXTEND:              /* 182 */
>  		return TPM_MEDIUM;
> -- 
> 2.7.4
> 
> 

The commit message needs rework because now it makes no sense. With the
correct rationalization this probably would make sense.

/Jarkko

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-10 17:51 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-10 14:27 [PATCH v1] add longer timeout for verify signature command amirmizi6
2021-05-10 14:27 ` [PATCH v1] tpm2: " amirmizi6
2021-05-10 17:51   ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).