From: Alexander Steffen <Alexander.Steffen@infineon.com>
To: "Daniel P. Smith" <dpsmith@apertussolutions.com>,
Lino Sanfilippo <l.sanfilippo@kunbus.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
"Jason Gunthorpe" <jgg@ziepe.ca>, Sasha Levin <sashal@kernel.org>,
<linux-integrity@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Cc: Ross Philipson <ross.philipson@oracle.com>,
Kanth Ghatraju <kanth.ghatraju@oracle.com>,
Peter Huewe <peterhuewe@gmx.de>
Subject: Re: [PATCH 1/3] tpm: protect against locality counter underflow
Date: Mon, 26 Feb 2024 13:43:55 +0100 [thread overview]
Message-ID: <fd34e752-b6ce-4880-9ef5-4feda985bf42@infineon.com> (raw)
In-Reply-To: <f52546f1-acca-4915-924c-cdd2018215d5@apertussolutions.com>
On 23.02.2024 02:55, Daniel P. Smith wrote:
> On 2/20/24 13:42, Alexander Steffen wrote:
>> On 02.02.2024 04:08, Lino Sanfilippo wrote:
>>> On 01.02.24 23:21, Jarkko Sakkinen wrote:
>>>
>>>>
>>>> On Wed Jan 31, 2024 at 7:08 PM EET, Daniel P. Smith wrote:
>>>>> Commit 933bfc5ad213 introduced the use of a locality counter to
>>>>> control when a
>>>>> locality request is allowed to be sent to the TPM. In the commit,
>>>>> the counter
>>>>> is indiscriminately decremented. Thus creating a situation for an
>>>>> integer
>>>>> underflow of the counter.
>>>>
>>>> What is the sequence of events that leads to this triggering the
>>>> underflow? This information should be represent in the commit message.
>>>>
>>>
>>> AFAIU this is:
>>>
>>> 1. We start with a locality_counter of 0 and then we call
>>> tpm_tis_request_locality()
>>> for the first time, but since a locality is (unexpectedly) already
>>> active
>>> check_locality() and consequently __tpm_tis_request_locality() return
>>> "true".
>>
>> check_locality() returns true, but __tpm_tis_request_locality() returns
>> the requested locality. Currently, this is always 0, so the check for
>> !ret will always correctly indicate success and increment the
>> locality_count.
>>
>> But since theoretically a locality != 0 could be requested, the correct
>> fix would be to check for something like ret >= 0 or ret == l instead of
>> !ret. Then the counter will also be incremented correctly for localities
>> != 0, and no underflow will happen later on. Therefore, explicitly
>> checking for an underflow is unnecessary and hides the real problem.
>>
>
> My apologies, but I will have to humbly disagree from a fundamental
> level here. If a state variable has bounds, then those bounds should be
> enforced when the variable is being manipulated.
That's fine, but that is not what your proposed fix does.
tpm_tis_request_locality and tpm_tis_relinquish_locality are meant to be
called in pairs: for every (successful) call to tpm_tis_request_locality
there *must* be a corresponding call to tpm_tis_relinquish_locality
afterwards. Unfortunately, in C there is no language construct to
enforce that (nothing like a Python context manager), so instead
locality_count is used to count the number of successful calls to
tpm_tis_request_locality, so that tpm_tis_relinquish_locality can wait
to actually relinquish the locality until the last expected call has
happened (you can think of that as a Python RLock, to stay with the
Python analogies).
So if locality_count ever gets negative, that is certainly a bug
somewhere. But your proposed fix hides this bug, by allowing
tpm_tis_relinquish_locality to be called more often than
tpm_tis_request_locality. You could have added something like
BUG_ON(priv->locality_count == 0) before decrementing the counter. That
would really enforce the bounds, without hiding the bug, and I would be
fine with that.
Of course, that still leaves the actual bug to be fixed. In this case,
there is no mismatch between the calls to tpm_tis_request_locality and
tpm_tis_relinquish_locality. It is just (as I said before) that the
counting of successful calls in tpm_tis_request_locality is broken for
localities != 0, so that is what you need to fix.
> Assuming that every
> path leading to the variable manipulation code has ensured proper
> manipulation is just that, an assumption. When assumptions fail is how
> bugs and vulnerabilities occur.
>
> To your point, does this full address the situation experienced, I would
> say it does not. IMHO, the situation is really a combination of both
> patch 1 and patch 2, but the request was to split the changes for
> individual discussion. We selected this one as being the fixes for two
> reasons. First, it blocks the underflow such that when the Secure Launch
> series opens Locality 2, it will get incremented at that time and the
> internal locality tracking state variables will end up with the correct
> values. Thus leading to the relinquish succeeding at kernel shutdown.
> Second, it provides a stronger defensive coding practice.
>
> Another reason that this works as a fix is that the TPM specification
> requires the registers to be mirrored across all localities, regardless
> of the active locality. While all the request/relinquishes for Locality
> 0 sent by the early code do not succeed, obtaining the values via the
> Locality 0 registers are still guaranteed to be correct.
>
> v/r,
> dps
next prev parent reply other threads:[~2024-02-26 12:45 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240131170824.6183-1-dpsmith@apertussolutions.com>
2024-01-31 17:08 ` [PATCH 1/3] tpm: protect against locality counter underflow Daniel P. Smith
2024-02-01 22:21 ` Jarkko Sakkinen
2024-02-02 3:08 ` Lino Sanfilippo
2024-02-12 20:05 ` Jarkko Sakkinen
2024-02-19 17:54 ` Daniel P. Smith
2024-02-20 18:42 ` Alexander Steffen
2024-02-20 19:04 ` Jarkko Sakkinen
2024-02-20 20:54 ` Lino Sanfilippo
2024-02-20 22:23 ` Jarkko Sakkinen
2024-02-20 23:19 ` Lino Sanfilippo
2024-02-21 0:40 ` Jarkko Sakkinen
2024-02-23 1:58 ` Daniel P. Smith
2024-02-23 12:58 ` Jarkko Sakkinen
2024-02-25 11:23 ` Daniel P. Smith
2024-02-26 9:39 ` Jarkko Sakkinen
2024-02-20 22:26 ` Jarkko Sakkinen
2024-02-20 22:31 ` Jarkko Sakkinen
2024-02-20 23:26 ` Lino Sanfilippo
2024-02-21 0:42 ` Jarkko Sakkinen
2024-02-21 12:37 ` James Bottomley
2024-02-21 19:43 ` Jarkko Sakkinen
2024-02-21 19:45 ` Jarkko Sakkinen
2024-02-22 9:06 ` James Bottomley
2024-02-22 23:49 ` Jarkko Sakkinen
2024-02-23 1:57 ` Daniel P. Smith
2024-02-23 20:40 ` Jarkko Sakkinen
2024-02-23 20:42 ` Jarkko Sakkinen
2024-02-23 1:57 ` Daniel P. Smith
2024-02-23 20:50 ` Jarkko Sakkinen
2024-02-20 22:57 ` ross.philipson
2024-02-20 23:10 ` Jarkko Sakkinen
2024-02-20 23:13 ` Jarkko Sakkinen
2024-02-23 1:56 ` Daniel P. Smith
2024-02-23 20:44 ` Jarkko Sakkinen
2024-02-24 2:34 ` Lino Sanfilippo
2024-02-26 9:38 ` Jarkko Sakkinen
2024-02-23 1:55 ` Daniel P. Smith
2024-02-26 12:43 ` Alexander Steffen [this message]
2024-02-24 2:06 ` Lino Sanfilippo
2024-02-23 0:01 ` Jarkko Sakkinen
2024-01-31 17:08 ` [PATCH 2/3] tpm: ensure tpm is in known state at startup Daniel P. Smith
2024-02-01 22:33 ` Jarkko Sakkinen
2024-02-19 19:17 ` Daniel P. Smith
2024-02-19 20:17 ` Jarkko Sakkinen
2024-01-31 17:08 ` [PATCH 3/3] tpm: make locality request return value consistent Daniel P. Smith
2024-02-01 22:49 ` Jarkko Sakkinen
2024-02-19 20:29 ` Daniel P. Smith
2024-02-19 20:45 ` Jarkko Sakkinen
2024-02-20 18:57 ` Alexander Steffen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fd34e752-b6ce-4880-9ef5-4feda985bf42@infineon.com \
--to=alexander.steffen@infineon.com \
--cc=dpsmith@apertussolutions.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kanth.ghatraju@oracle.com \
--cc=l.sanfilippo@kunbus.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=ross.philipson@oracle.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).