linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Sumit Garg <sumit.garg@linaro.org>,
	jarkko.sakkinen@linux.intel.com, jejb@linux.ibm.com,
	Elaine Palmer <erpalmer@us.ibm.com>
Cc: dhowells@redhat.com, jens.wiklander@linaro.org, corbet@lwn.net,
	jmorris@namei.org, serge@hallyn.com, casey@schaufler-ca.com,
	janne.karhunen@gmail.com, daniel.thompson@linaro.org,
	Markus.Wamser@mixed-mode.de, lhinds@redhat.com,
	keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	op-tee@lists.trustedfirmware.org,
	George Wilson <gcwilson@us.ibm.com>
Subject: Re: [PATCH v8 3/4] doc: trusted-encrypted: updates with TEE as a new trust source
Date: Tue, 08 Dec 2020 12:07:13 -0500	[thread overview]
Message-ID: <6c0428647fc83c2220e15e62dc1b566d250b7968.camel@linux.ibm.com> (raw)
In-Reply-To: <f00c8c7dd1e184e139e6cb5aba2b4a1c5fc68363.camel@linux.ibm.com>

Hi Sumit, Jarkko,

On Tue, 2020-12-08 at 10:55 -0500, Mimi Zohar wrote:
> Re-posting Elaine Palmer's comments, inline below, trimmed and properly
> formatted.

Continued ...

Thank you for the detailed descriptions and examples of trust sources
for Trusted Keys.  A group of us in IBM (Stefan Berger, Ken Goldman,
Zhongshu Gu, Nayna Jain, Elaine Palmer, George Wilson, Mimi Zohar) have
some concerns with extending trusted keys to new sources without
providing a threat model.   The following is based on our internal
discussions.

> * Threat model
> 
> The strength and appropriateness of TPMs and TEEs for a given purpose
> must be assessed when using them to protect security-relevant data.

The original Trusted Keys implementation assumed discrete physical TPMs
for key protection[1].  However, even physical TPMs themselves vary
based on the manufacturer and systems in which they are placed.  The
embedded chipset, firmware load, algorithms, packaging, pins, and
countermeasures vary.  (Threats and mitigations on physical TPMs are
well documented, e.g., "Threat Model of a Scenario Based on Trusted
Platform Module 2.0 Specification” (http://ceur-ws.org/Vol-1011/6.pdf).

Extending Trusted Keys to support new trust sources needs to provide
consumers of these new sources enough information so that they can
create their own threat models tailored to their use cases.

Just as each new LSM needs to comply with Documentation/security/lsm-
development.rst, we recommend each new source should provide a high-
level threat model.  We suggest documenting environmental assumptions
and dependencies in a high-level threat model for each additional trust
source.  An example of a high-level threat model is "Common Security
Threats v1.0” (
https://www.opencompute.org/documents/common-security-threats-notes-1-pdf
 ).

Thank you,

Elaine (and Mimi)


[1] Specific to Trusted Keys and TPMs, there is some discussion of
threats and mitigations in the Integrity_overview.pdf on the IMA wiki:

"The trusted key component does two things to help with secure key management on Linux. First, it provides a kernel key ring service in which the symmetric encryption keys are never visible in plain text to userspace. The keys are created in the kernel, and sealed by a hardware device such as a TPM, with userspace seeing only the sealed blobs. Malicious or compromised applications cannot steal a trusted key, since only the kernel can see the unsealed blobs. Secondly, the trusted keys can tie key unsealing to the integrity measurements, so that keys cannot be stolen in an offline attack, such as by booting an unlocked Linux image from CD or USB.  As the measurements will be different, the TPM chip will refuse to unseal the keys, even for the kernel."


  reply	other threads:[~2020-12-08 17:09 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-03 16:01 [PATCH v8 0/4] Introduce TEE based Trusted Keys support Sumit Garg
2020-11-03 16:01 ` [PATCH v8 1/4] KEYS: trusted: Add generic trusted keys framework Sumit Garg
2020-11-24  3:42   ` Jarkko Sakkinen
2021-02-15 13:13     ` Sumit Garg
2021-02-10 17:00   ` Jarkko Sakkinen
2021-02-11 10:34     ` Ahmad Fatoum
2021-02-12 12:22       ` Jarkko Sakkinen
2021-02-15 13:15     ` Sumit Garg
2020-11-03 16:01 ` [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys Sumit Garg
2020-11-24  3:46   ` Jarkko Sakkinen
2021-01-11 16:35   ` Jarkko Sakkinen
2021-01-13 11:17     ` Sumit Garg
2021-01-14  2:05       ` Jarkko Sakkinen
2021-01-15  6:02         ` Sumit Garg
2021-01-19 10:30           ` Jarkko Sakkinen
2021-01-20  1:31             ` Jarkko Sakkinen
2021-01-20  7:23               ` Sumit Garg
2021-01-21  0:01                 ` Jarkko Sakkinen
     [not found]                 ` <01000177223f74d3-1eef7685-4a19-40d2-ace6-d4cd7f35579d-000000@email.amazonses.com>
2021-01-21  8:44                   ` Jerome Forissier
2021-01-21 15:07                     ` Jarkko Sakkinen
2021-01-21 15:24                       ` Jarkko Sakkinen
2021-01-21 16:23                         ` Jerome Forissier
2021-01-22 18:12                           ` Jarkko Sakkinen
2021-01-25  9:17                             ` Sumit Garg
2021-01-27 17:14                               ` Jarkko Sakkinen
2021-01-27 17:19                               ` Jarkko Sakkinen
2021-02-04  0:05                               ` Jarkko Sakkinen
2021-02-11 23:34                               ` Jarkko Sakkinen
2021-02-11 23:35                                 ` Jarkko Sakkinen
2021-02-15 13:07                                 ` Sumit Garg
2021-02-16  7:29                                   ` Jarkko Sakkinen
2021-02-22  7:15                                     ` Sumit Garg
2021-02-24 16:58                                       ` Jarkko Sakkinen
2021-01-20 13:36   ` Ahmad Fatoum
2020-11-03 16:01 ` [PATCH v8 3/4] doc: trusted-encrypted: updates with TEE as a new trust source Sumit Garg
2020-12-02 19:34   ` gmail Elaine Palmer
2020-12-04 15:30     ` Jarkko Sakkinen
2020-12-08 15:02       ` Mimi Zohar
2020-12-08 17:49         ` Jarkko Sakkinen
2020-12-09 16:50           ` Mimi Zohar
2020-12-11 10:36             ` Jarkko Sakkinen
2020-12-11 15:29               ` Mimi Zohar
2020-12-06 18:51   ` Randy Dunlap
2020-12-08 15:55   ` Mimi Zohar
2020-12-08 17:07     ` Mimi Zohar [this message]
2020-11-03 16:01 ` [PATCH v8 4/4] MAINTAINERS: Add myself as Trusted Keys co-maintainer Sumit Garg
2020-11-24  3:46   ` Jarkko Sakkinen
2020-11-05  5:07 ` [PATCH v8 0/4] Introduce TEE based Trusted Keys support Jarkko Sakkinen
2020-11-06  9:32   ` Sumit Garg
2020-11-06 14:52     ` Jarkko Sakkinen
2020-12-04  5:16       ` Jarkko Sakkinen
2020-12-08 11:51         ` Sumit Garg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6c0428647fc83c2220e15e62dc1b566d250b7968.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=Markus.Wamser@mixed-mode.de \
    --cc=casey@schaufler-ca.com \
    --cc=corbet@lwn.net \
    --cc=daniel.thompson@linaro.org \
    --cc=dhowells@redhat.com \
    --cc=erpalmer@us.ibm.com \
    --cc=gcwilson@us.ibm.com \
    --cc=janne.karhunen@gmail.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jejb@linux.ibm.com \
    --cc=jens.wiklander@linaro.org \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=lhinds@redhat.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=op-tee@lists.trustedfirmware.org \
    --cc=serge@hallyn.com \
    --cc=sumit.garg@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).