linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] add longer timeout for verify signature command
@ 2021-05-19 14:00 amirmizi6
  2021-05-19 14:00 ` [PATCH v2] tpm2: " amirmizi6
  0 siblings, 1 reply; 3+ messages in thread
From: amirmizi6 @ 2021-05-19 14:00 UTC (permalink / raw)
  To: Eyal.Cohen, jarkko, peterhuewe, jgg
  Cc: linux-kernel, linux-integrity, Dan.Morav, oren.tanami,
	shmulik.hager, amir.mizinski, Amir Mizinski

From: Amir Mizinski <amirmizi6@gmail.com>

while testing TPM2_CC_VERIFY_SIGNATURE with usage of RSA 3070-bit keys i
encountered a timeout error. it seems current values do not support this case
as described in ptp 1.05 6.5.1.3:
https://trustedcomputinggroup.org/wp-content/uploads/PC_Client_Specific-Platform_TPM_Profile_for-PTP_2p0-v1p05p_r14_pub.pdf

The patch was tested on Raspberry-Pie 3, using Nuvoton NPCT75X TPM.

Changes since version 1:
-"tpm2: add longer timout for verify signature command"
                - Fixed and extended commit description.
Addressed comments from:
 - Jarkko Sakkinen: https://lore.kernel.org/patchwork/patch/1424664/

Amir Mizinski (1):
  tpm2: add longer timeout for verify signature command

 drivers/char/tpm/tpm2-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.7.4


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH v2] tpm2: add longer timeout for verify signature command
  2021-05-19 14:00 [PATCH v2] add longer timeout for verify signature command amirmizi6
@ 2021-05-19 14:00 ` amirmizi6
  2021-05-20 16:39   ` Jarkko Sakkinen
  0 siblings, 1 reply; 3+ messages in thread
From: amirmizi6 @ 2021-05-19 14:00 UTC (permalink / raw)
  To: Eyal.Cohen, jarkko, peterhuewe, jgg
  Cc: linux-kernel, linux-integrity, Dan.Morav, oren.tanami,
	shmulik.hager, amir.mizinski, Amir Mizinski

From: Amir Mizinski <amirmizi6@gmail.com>

While running a TPM2_CC_VERIFY_SIGNATURE(0x177) operation with RSA 3070-bit
keys the TPM driver fails with the following error:
"kernel: [ 2416.187522] tpm tpm0: Operation Timed out"

Since a) the TPM PC Client specification does not specify a number for
verify signature operation timeout, and b) the duration of
TPM2_CC_VERIFY_SIGNATURE with RSA 3070-bit keys exceeds the current timeout
of TPM_LONG (2 seconds), it is preferable to pick the longest timeout
possible.
Therefore, set the duration for TPM2_CC_VERIFY_SIGNATUE to TPM_LONG_LONG
(5 minutes).

Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>
---
 drivers/char/tpm/tpm2-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 7603295..e71154b 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -87,7 +87,7 @@ static u8 tpm2_ordinal_duration_index(u32 ordinal)
 		return TPM_MEDIUM;
 
 	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
-		return TPM_LONG;
+		return TPM_LONG_LONG;
 
 	case TPM2_CC_PCR_EXTEND:              /* 182 */
 		return TPM_MEDIUM;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] tpm2: add longer timeout for verify signature command
  2021-05-19 14:00 ` [PATCH v2] tpm2: " amirmizi6
@ 2021-05-20 16:39   ` Jarkko Sakkinen
  0 siblings, 0 replies; 3+ messages in thread
From: Jarkko Sakkinen @ 2021-05-20 16:39 UTC (permalink / raw)
  To: amirmizi6
  Cc: Eyal.Cohen, peterhuewe, jgg, linux-kernel, linux-integrity,
	Dan.Morav, oren.tanami, shmulik.hager, amir.mizinski

On Wed, May 19, 2021 at 05:00:59PM +0300, amirmizi6@gmail.com wrote:
> From: Amir Mizinski <amirmizi6@gmail.com>
> 
> While running a TPM2_CC_VERIFY_SIGNATURE(0x177) operation with RSA 3070-bit

The hexcode for the TPM command is absoulutely irrelevant detail.

AFAIK, 3070-bit does not exist. It's 3072-bit.

> keys the TPM driver fails with the following error:

Empty line here.

> "kernel: [ 2416.187522] tpm tpm0: Operation Timed out"
> 
> Since a) the TPM PC Client specification does not specify a number for

Remove "a)".
> verify signature operation timeout, and b) the duration of

Remove "b)".

> TPM2_CC_VERIFY_SIGNATURE with RSA 3070-bit keys exceeds the current timeout
> of TPM_LONG (2 seconds), it is preferable to pick the longest timeout
> possible.

Empty line here.

> Therefore, set the duration for TPM2_CC_VERIFY_SIGNATUE to TPM_LONG_LONG
> (5 minutes).
> 
Add here:

Link: https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/

> Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>


> ---
>  drivers/char/tpm/tpm2-cmd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 7603295..e71154b 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -87,7 +87,7 @@ static u8 tpm2_ordinal_duration_index(u32 ordinal)
>  		return TPM_MEDIUM;
>  
>  	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
> -		return TPM_LONG;
> +		return TPM_LONG_LONG;
>  
>  	case TPM2_CC_PCR_EXTEND:              /* 182 */
>  		return TPM_MEDIUM;
> -- 
> 2.7.4
> 
> 

/Jarkko

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-20 16:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-19 14:00 [PATCH v2] add longer timeout for verify signature command amirmizi6
2021-05-19 14:00 ` [PATCH v2] tpm2: " amirmizi6
2021-05-20 16:39   ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).