linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	linux-security-module@vger.kernel.org,
	tpmdd-devel@lists.sourceforge.net,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager
Date: Tue, 3 Jan 2017 14:47:02 -0700	[thread overview]
Message-ID: <20170103214702.GC29656@obsidianresearch.com> (raw)
In-Reply-To: <1483461370.2464.19.camel@HansenPartnership.com>

On Tue, Jan 03, 2017 at 08:36:10AM -0800, James Bottomley wrote:

> > I'm not sure about this. Why you couldn't have a very thin daemon 
> > that prepares the file descriptor and sends it through UDS socket to 
> > a client.
> 
> So I'm a bit soured on daemons from the trousers experience: tcsd
> crashed regularly and when it did it took all the TPM connections down
> irrecoverably.  I'm not saying we can't write a stateless daemon to fix
> most of the trousers issues, but I think it's valuable first to ask the
> question, "can we manage without a daemon at all?"  I actually think
> the answer is "yes", so I'm interested in seeing how far that line of
> research gets us.

There is clearly no need for a daemon to be involved when working on
simple tasks like key load and key sign/enc/dec actions, adding such a
thing only increases the complexity.

If we discover a reason to have a daemon down the road then it should
work in some way where the user space can call out to the daemon over
a different path than the kernel. (eg dbus or something)

> Do you have a link to the presentation?  The Plumbers etherpad doesn't
> contain it.  I've been trying to work out whether a properly set up TPM
> actually does need any protections at all.  As far as I can tell, once
> you've set all the hierarchy authorities and the lockout one, you're
> pretty well protected.

I think we should also consider TPM 1.2 support in all of this, it is
still a very popular peice of hardware and it is equally able to
support a RM.

So, in general, I'd prefer to see the unprivileged char dev hard
prevented by the kernel from doing certain things:

- Wipe the TPM
- Manipulate the SRK, nvram, tpm flags, change passwords etc
- Read back the EK
- Write to PCRs
- etc.

Even if TPM 2 has a stronger password based model, I still think the
kernel should hard prevent those sorts of actions even if the user
knows the TPM password.

Realistically people in less senstive environments will want to use
the well known TPM passwords and still have reasonable safety in their
unprivileged accounts.

Jason

  parent reply	other threads:[~2017-01-03 21:47 UTC|newest]

Thread overview: 81+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-02 13:22 [PATCH RFC 0/4] RFC: in-kernel resource manager Jarkko Sakkinen
2017-01-02 13:22 ` [PATCH RFC 1/4] tpm: migrate struct tpm_buf to struct tpm_chip Jarkko Sakkinen
2017-01-02 21:01   ` Jason Gunthorpe
2017-01-03  0:57     ` Jarkko Sakkinen
2017-01-03 19:13       ` Jason Gunthorpe
2017-01-04 12:29         ` Jarkko Sakkinen
2017-01-02 13:22 ` [PATCH RFC 2/4] tpm: validate TPM 2.0 commands Jarkko Sakkinen
     [not found]   ` <OF8D508BD2.EAB22BFD-ON0025809E.0062B40C-8525809E.006356C3@notes.na.collabserv.com>
2017-01-04 18:19     ` [tpmdd-devel] " James Bottomley
2017-01-04 18:44     ` Jason Gunthorpe
2017-01-02 13:22 ` [PATCH RFC 3/4] tpm: export tpm2_flush_context_cmd Jarkko Sakkinen
2017-01-02 13:22 ` [PATCH RFC 4/4] tpm: add the infrastructure for TPM space for TPM 2.0 Jarkko Sakkinen
2017-01-02 21:09   ` Jason Gunthorpe
2017-01-03  0:37     ` Jarkko Sakkinen
2017-01-03 18:46       ` Jason Gunthorpe
2017-01-04 12:43         ` Jarkko Sakkinen
2017-01-03 19:16       ` Jason Gunthorpe
2017-01-04 12:45         ` Jarkko Sakkinen
     [not found]   ` <OF9C3EE9AE.65978870-ON0025809E.0061E7AF-8525809E.0061FFDA@notes.na.collabserv.com>
2017-01-09 22:11     ` [tpmdd-devel] " Jarkko Sakkinen
2017-01-02 16:36 ` [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager James Bottomley
2017-01-02 19:33   ` Jarkko Sakkinen
2017-01-02 21:40     ` James Bottomley
2017-01-03  5:26       ` James Bottomley
2017-01-03 13:41         ` Jarkko Sakkinen
2017-01-03 16:14           ` James Bottomley
2017-01-03 18:36             ` Jarkko Sakkinen
2017-01-03 19:14               ` Jarkko Sakkinen
2017-01-03 19:34                 ` James Bottomley
2017-01-03 21:54         ` Jason Gunthorpe
2017-01-04 12:58           ` Jarkko Sakkinen
2017-01-04 16:55             ` Jason Gunthorpe
2017-01-04  5:47         ` Andy Lutomirski
2017-01-04 13:00           ` Jarkko Sakkinen
2017-01-03 13:51       ` Jarkko Sakkinen
2017-01-03 16:36         ` James Bottomley
2017-01-03 18:40           ` Jarkko Sakkinen
2017-01-03 21:47           ` Jason Gunthorpe [this message]
2017-01-03 22:21             ` Ken Goldman
2017-01-03 23:20               ` Jason Gunthorpe
2017-01-03 22:39             ` James Bottomley
2017-01-04  0:17               ` Jason Gunthorpe
2017-01-04  0:29                 ` James Bottomley
2017-01-04  0:56                   ` Jason Gunthorpe
2017-01-04 12:50                 ` Jarkko Sakkinen
2017-01-04 14:53                   ` James Bottomley
2017-01-04 18:31                     ` Jason Gunthorpe
2017-01-04 18:57                       ` James Bottomley
2017-01-04 19:24                         ` Jason Gunthorpe
2017-01-04 12:48             ` Jarkko Sakkinen
2017-01-03 21:32   ` Jason Gunthorpe
2017-01-03 22:03     ` James Bottomley
2017-01-05 15:52 ` Fuchs, Andreas
2017-01-05 17:27   ` Jason Gunthorpe
2017-01-05 18:06     ` James Bottomley
2017-01-06  8:43       ` Andreas Fuchs
2017-01-05 18:33     ` James Bottomley
2017-01-05 19:20       ` Jason Gunthorpe
2017-01-05 19:55         ` James Bottomley
2017-01-05 22:21           ` Jason Gunthorpe
2017-01-05 22:58             ` James Bottomley
2017-01-05 23:50               ` Jason Gunthorpe
2017-01-06  0:36                 ` James Bottomley
2017-01-06  8:59                   ` Andreas Fuchs
2017-01-06 19:10                     ` Jason Gunthorpe
2017-01-06 19:02                   ` Jason Gunthorpe
2017-01-10 19:03         ` Ken Goldman
2017-01-09 22:39   ` [tpmdd-devel] " Jarkko Sakkinen
2017-01-11 10:03     ` Andreas Fuchs
2017-01-04 16:12 Dr. Greg Wettstein
2017-01-09 23:16 ` Jarkko Sakkinen
2017-01-10 19:29   ` Ken Goldman
2017-01-11 11:36     ` Jarkko Sakkinen
2017-01-10 20:05   ` Jason Gunthorpe
2017-01-11 10:00     ` Andreas Fuchs
2017-01-11 18:03       ` Jason Gunthorpe
2017-01-11 18:27         ` Stefan Berger
2017-01-11 19:18           ` Jason Gunthorpe
2017-01-11 11:34     ` Jarkko Sakkinen
2017-01-11 15:39       ` James Bottomley
2017-01-11 17:56         ` Jason Gunthorpe
2017-01-11 18:25           ` James Bottomley
2017-01-11 19:04             ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170103214702.GC29656@obsidianresearch.com \
    --to=jgunthorpe@obsidianresearch.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tpmdd-devel@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).