From: Jarkko Sakkinen <jarkko@kernel.org>
To: Evan Green <evgreen@chromium.org>
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
apronin@chromium.org, dlunev@google.com,
Pavel Machek <pavel@ucw.cz>, Ben Boeckel <me@benboeckel.net>,
rjw@rjwysocki.net, corbet@lwn.net, linux-pm@vger.kernel.org,
zohar@linux.ibm.com, Kees Cook <keescook@chromium.org>,
Eric Biggers <ebiggers@kernel.org>,
jejb@linux.ibm.com, gwendal@chromium.org,
Matthew Garrett <mgarrett@aurora.tech>,
Matthew Garrett <matthewgarrett@google.com>,
Matthew Garrett <mjg59@google.com>,
Jason Gunthorpe <jgg@ziepe.ca>, Peter Huewe <peterhuewe@gmx.de>
Subject: Re: [PATCH v3 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
Date: Fri, 30 Sep 2022 23:57:54 +0300 [thread overview]
Message-ID: <YzdYUpuHfgvt3Q9f@kernel.org> (raw)
In-Reply-To: <20220927094559.v3.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid>
On Tue, Sep 27, 2022 at 09:49:14AM -0700, Evan Green wrote:
> From: Matthew Garrett <matthewgarrett@google.com>
>
> Under certain circumstances it might be desirable to enable the creation
> of TPM-backed secrets that are only accessible to the kernel. In an
> ideal world this could be achieved by using TPM localities, but these
> don't appear to be available on consumer systems. An alternative is to
> simply block userland from modifying one of the resettable PCRs, leaving
> it available to the kernel. If the kernel ensures that no userland can
> access the TPM while it is carrying out work, it can reset PCR 23,
> extend it to an arbitrary value, create or load a secret, and then reset
> the PCR again. Even if userland somehow obtains the sealed material, it
> will be unable to unseal it since PCR 23 will never be in the
> appropriate state.
This lacks any sort of description what the patch does in concrete. The
most critical thing it lacks is the addition of a new config flag, which
really should documented. It e.g. helps when searching with git log, once
this is in the mainline.
The current contents is a perfect "motivation" part.
>
> Link: https://lore.kernel.org/lkml/20210220013255.1083202-3-matthewgarrett@google.com/
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Signed-off-by: Evan Green <evgreen@chromium.org>
> ---
>
> Changes in v3:
> - Fix up commit message (Jarkko)
> - tpm2_find_and_validate_cc() was split (Jarkko)
> - Simply fully restrict TPM1 since v2 failed to account for tunnelled
> transport sessions (Stefan and Jarkko).
>
> Changes in v2:
> - Fixed sparse warnings
>
> drivers/char/tpm/Kconfig | 12 ++++++++++++
> drivers/char/tpm/tpm-dev-common.c | 8 ++++++++
> drivers/char/tpm/tpm.h | 19 +++++++++++++++++++
> drivers/char/tpm/tpm1-cmd.c | 13 +++++++++++++
> drivers/char/tpm/tpm2-cmd.c | 22 ++++++++++++++++++++++
> 5 files changed, 74 insertions(+)
>
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index 927088b2c3d3f2..c8ed54c66e399a 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -211,4 +211,16 @@ config TCG_FTPM_TEE
> This driver proxies for firmware TPM running in TEE.
>
> source "drivers/char/tpm/st33zp24/Kconfig"
> +
> +config TCG_TPM_RESTRICT_PCR
> + bool "Restrict userland access to PCR 23"
> + depends on TCG_TPM
> + help
> + If set, block userland from extending or resetting PCR 23. This allows it
> + to be restricted to in-kernel use, preventing userland from being able to
> + make use of data sealed to the TPM by the kernel. This is required for
> + secure hibernation support, but should be left disabled if any userland
> + may require access to PCR23. This is a TPM2-only feature, and if enabled
> + on a TPM1 machine will cause all usermode TPM commands to return EPERM due
> + to the complications introduced by tunnelled sessions in TPM1.2.
> endif # TCG_TPM
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index dc4c0a0a512903..7a4e618c7d1942 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -198,6 +198,14 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf,
> priv->response_read = false;
> *off = 0;
>
> + if (priv->chip->flags & TPM_CHIP_FLAG_TPM2)
> + ret = tpm2_cmd_restricted(priv->chip, priv->data_buffer, size);
> + else
> + ret = tpm1_cmd_restricted(priv->chip, priv->data_buffer, size);
> +
> + if (ret)
> + goto out;
> +
> /*
> * If in nonblocking mode schedule an async job to send
> * the command return the size.
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index 9c9e5d75b37c78..9f4e64e22807a2 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -246,4 +246,23 @@ void tpm_bios_log_setup(struct tpm_chip *chip);
> void tpm_bios_log_teardown(struct tpm_chip *chip);
> int tpm_dev_common_init(void);
> void tpm_dev_common_exit(void);
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +#define TPM_RESTRICTED_PCR 23
> +
> +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size);
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size);
> +#else
> +static inline int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer,
> + size_t size)
> +{
> + return 0;
> +}
> +
> +static inline int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer,
> + size_t size)
> +{
> + return 0;
> +}
> +#endif
> #endif
> diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> index cf64c738510529..1869e89215fcb9 100644
> --- a/drivers/char/tpm/tpm1-cmd.c
> +++ b/drivers/char/tpm/tpm1-cmd.c
> @@ -811,3 +811,16 @@ int tpm1_get_pcr_allocation(struct tpm_chip *chip)
>
> return 0;
> }
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +int tpm1_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size)
> +{
> + /*
> + * Restrict all usermode commands on TPM1.2. Ideally we'd just restrict
> + * TPM_ORD_PCR_EXTEND and TPM_ORD_PCR_RESET, but TPM1.2 also supports
> + * tunnelled transport sessions where the kernel would be unable to filter
> + * commands.
> + */
> + return -EPERM;
> +}
> +#endif
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 69126a6770386e..9c92a3e1e3f463 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -821,3 +821,25 @@ int tpm2_find_cc(struct tpm_chip *chip, u32 cc)
>
> return -1;
> }
> +
> +#ifdef CONFIG_TCG_TPM_RESTRICT_PCR
> +int tpm2_cmd_restricted(struct tpm_chip *chip, u8 *buffer, size_t size)
> +{
> + int cc = tpm2_find_and_validate_cc(chip, NULL, buffer, size);
> + __be32 *handle;
> +
> + switch (cc) {
> + case TPM2_CC_PCR_EXTEND:
> + case TPM2_CC_PCR_RESET:
> + if (size < (TPM_HEADER_SIZE + sizeof(u32)))
> + return -EINVAL;
> +
> + handle = (__be32 *)&buffer[TPM_HEADER_SIZE];
> + if (be32_to_cpu(*handle) == TPM_RESTRICTED_PCR)
> + return -EPERM;
> + break;
> + }
> +
> + return 0;
> +}
> +#endif
> --
> 2.31.0
>
BR, Jarkko
next prev parent reply other threads:[~2022-09-30 20:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-27 16:49 [PATCH v3 00/11] Encrypted Hibernation Evan Green
2022-09-27 16:49 ` [PATCH v3 01/11] tpm: Add support for in-kernel resetting of PCRs Evan Green
2022-09-30 20:52 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 02/11] tpm: Export and rename tpm2_find_and_validate_cc() Evan Green
2022-09-27 16:49 ` [PATCH v3 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use Evan Green
2022-09-30 20:57 ` Jarkko Sakkinen [this message]
2022-09-27 16:49 ` [PATCH v3 04/11] security: keys: trusted: Include TPM2 creation data Evan Green
2022-09-27 16:49 ` [PATCH v3 05/11] security: keys: trusted: Allow storage of PCR values in " Evan Green
2022-09-27 16:58 ` Ben Boeckel
2022-09-27 16:49 ` [PATCH v3 06/11] security: keys: trusted: Verify " Evan Green
2022-09-27 16:49 ` [PATCH v3 07/11] PM: hibernate: Add kernel-based encryption Evan Green
2022-09-30 21:30 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 08/11] PM: hibernate: Use TPM-backed keys to encrypt image Evan Green
2022-09-30 21:35 ` Jarkko Sakkinen
2022-10-21 19:56 ` Evan Green
2022-10-23 21:55 ` Jarkko Sakkinen
2022-09-27 16:49 ` [PATCH v3 09/11] PM: hibernate: Mix user key in encrypted hibernate Evan Green
2022-09-27 16:49 ` [PATCH v3 10/11] PM: hibernate: Verify the digest encryption key Evan Green
2022-09-27 16:49 ` [PATCH v3 11/11] PM: hibernate: seal the encryption key with a PCR policy Evan Green
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YzdYUpuHfgvt3Q9f@kernel.org \
--to=jarkko@kernel.org \
--cc=apronin@chromium.org \
--cc=corbet@lwn.net \
--cc=dlunev@google.com \
--cc=ebiggers@kernel.org \
--cc=evgreen@chromium.org \
--cc=gwendal@chromium.org \
--cc=jejb@linux.ibm.com \
--cc=jgg@ziepe.ca \
--cc=keescook@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=me@benboeckel.net \
--cc=mgarrett@aurora.tech \
--cc=mjg59@google.com \
--cc=pavel@ucw.cz \
--cc=peterhuewe@gmx.de \
--cc=rjw@rjwysocki.net \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).