From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Jarkko Sakkinen
<jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
open list <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH 1/2] tpm2: add session handle context saving and restoring to the space code
Date: Thu, 26 Jan 2017 08:26:19 -0800 [thread overview]
Message-ID: <1485447979.2457.23.camel@HansenPartnership.com> (raw)
In-Reply-To: <20170126125151.32sky3tajp6zigpd-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
On Thu, 2017-01-26 at 14:51 +0200, Jarkko Sakkinen wrote:
[...]
> > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > index c48255e..b77fc60 100644
> > --- a/drivers/char/tpm/tpm.h
> > +++ b/drivers/char/tpm/tpm.h
> > @@ -159,6 +159,8 @@ enum tpm2_cc_attrs {
> > struct tpm_space {
> > u32 context_tbl[3];
> > u8 *context_buf;
> > + u32 session_tbl[6];
> > + u8 *session_buf;
> > };
> >
> > enum tpm_chip_flags {
> > @@ -588,4 +590,5 @@ int tpm2_prepare_space(struct tpm_chip *chip,
> > struct tpm_space *space, u32 cc,
> > u8 *cmd);
> > int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space
> > *space,
> > u32 cc, u8 *buf, size_t bufsiz);
> > +void tpm2_flush_space(struct tpm_chip *chip, struct tpm_space
> > *space);
>
> Why the extra parameter?
Because it was called from tpms-dev in release to flush all the
sessions still active. At that point the work space is gone, so we
have to call it with the real space. However, I realised that callsite
didn't hold the tpm_mutex like it should and that we don't need to
flush the contexts because they'll be guaranteed empty, so I added a
new function tpm2_kill_space() that does this.
> > #endif
> > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2
> > -space.c
> > index 7fd2fc5..ba4310a 100644
> > --- a/drivers/char/tpm/tpm2-space.c
> > +++ b/drivers/char/tpm/tpm2-space.c
> > @@ -59,11 +59,16 @@ static int tpm2_load_context(struct tpm_chip
> > *chip, u8 *buf,
> >
> > rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
> > TPM_TRANSMIT_UNLOCKED, NULL);
> > +
>
> cruft
Removed.
[...]
> > @@ -215,17 +265,20 @@ int tpm2_prepare_space(struct tpm_chip *chip,
> > struct tpm_space *space, u32 cc,
> >
> > memcpy(&chip->work_space.context_tbl, &space->context_tbl,
> > sizeof(space->context_tbl));
> > + memcpy(&chip->work_space.session_tbl, &space->session_tbl,
> > + sizeof(space->session_tbl));
> > memcpy(chip->work_space.context_buf, space->context_buf,
> > PAGE_SIZE);
> > + memcpy(chip->work_space.session_buf, space->session_buf,
> > PAGE_SIZE);
>
> For transient objects the rollback is straight forward and totally
> predictable. Given that with sessions you always keep some
> information in the TPM the rollback would be a bit more complicated.
There is basically no rollback unless you really want to understand
what the commands did. If we get a fault on the context save or load
that isn't one we understand, like TPM_RC_HANDLE meaning the session
won't load or TPM_RC_REFERENCE_H0 meaning the session no longer exists,
then I think the only option is flushing everything.
I'd like us to agree on a hard failure model: if we get some
unexplained error during our context loads or saves, we should clear
out the entire space (which would allow us to use pointers instead of
copyring) but we don't. So we follow the soft failure. However,
sessions will mostly fail to load after this with RPM_RC_HANDLE, so we
get the equivalent of soft failure for transients and hard failure for
sessions.
> Now your code seems to just keep the previous session_buf, doesn't
> it? Does that always work or not?
Yes, after tpm_flush_space, the session memory is gone and all the
sessions will refuse to load with RC_HANDLE, so we end up effectively
clearing them out. It seemed better to do it this way than to try to
special case all the session stuff.
> PS. I have a high-level idea of attack vectors that are prevented by
> having meta-data for session inside the TPM but can you point me to
> the correct place in the TPM 2.0 specification that discusses about
> this?
The problem is replay. If I'm snooping your TPM commands and I capture
your session context, if we don't have replay detection, I can re-load
your session HMAC and replay your command because the session has the
authorization or the encryption. The TPM designers thought the only
way to avoid replay was to use a counter which was part of the session
context which increments every time a session is saved. On loading you
check that the counters match and fail if they don't. The only way to
implement this is to keep a memory of the counter in the TPM, hence the
annoying vestigial sessions.
It's note 2 of the architecture Part 1 guide, chapter "15.4 Session
Handles (MSO=02_16 and 03_16 )"
James
>
> /Jarkko
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: tpmdd-devel@lists.sourceforge.net,
open list <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/2] tpm2: add session handle context saving and restoring to the space code
Date: Thu, 26 Jan 2017 08:26:19 -0800 [thread overview]
Message-ID: <1485447979.2457.23.camel@HansenPartnership.com> (raw)
In-Reply-To: <20170126125151.32sky3tajp6zigpd@intel.com>
On Thu, 2017-01-26 at 14:51 +0200, Jarkko Sakkinen wrote:
[...]
> > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > index c48255e..b77fc60 100644
> > --- a/drivers/char/tpm/tpm.h
> > +++ b/drivers/char/tpm/tpm.h
> > @@ -159,6 +159,8 @@ enum tpm2_cc_attrs {
> > struct tpm_space {
> > u32 context_tbl[3];
> > u8 *context_buf;
> > + u32 session_tbl[6];
> > + u8 *session_buf;
> > };
> >
> > enum tpm_chip_flags {
> > @@ -588,4 +590,5 @@ int tpm2_prepare_space(struct tpm_chip *chip,
> > struct tpm_space *space, u32 cc,
> > u8 *cmd);
> > int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space
> > *space,
> > u32 cc, u8 *buf, size_t bufsiz);
> > +void tpm2_flush_space(struct tpm_chip *chip, struct tpm_space
> > *space);
>
> Why the extra parameter?
Because it was called from tpms-dev in release to flush all the
sessions still active. At that point the work space is gone, so we
have to call it with the real space. However, I realised that callsite
didn't hold the tpm_mutex like it should and that we don't need to
flush the contexts because they'll be guaranteed empty, so I added a
new function tpm2_kill_space() that does this.
> > #endif
> > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2
> > -space.c
> > index 7fd2fc5..ba4310a 100644
> > --- a/drivers/char/tpm/tpm2-space.c
> > +++ b/drivers/char/tpm/tpm2-space.c
> > @@ -59,11 +59,16 @@ static int tpm2_load_context(struct tpm_chip
> > *chip, u8 *buf,
> >
> > rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
> > TPM_TRANSMIT_UNLOCKED, NULL);
> > +
>
> cruft
Removed.
[...]
> > @@ -215,17 +265,20 @@ int tpm2_prepare_space(struct tpm_chip *chip,
> > struct tpm_space *space, u32 cc,
> >
> > memcpy(&chip->work_space.context_tbl, &space->context_tbl,
> > sizeof(space->context_tbl));
> > + memcpy(&chip->work_space.session_tbl, &space->session_tbl,
> > + sizeof(space->session_tbl));
> > memcpy(chip->work_space.context_buf, space->context_buf,
> > PAGE_SIZE);
> > + memcpy(chip->work_space.session_buf, space->session_buf,
> > PAGE_SIZE);
>
> For transient objects the rollback is straight forward and totally
> predictable. Given that with sessions you always keep some
> information in the TPM the rollback would be a bit more complicated.
There is basically no rollback unless you really want to understand
what the commands did. If we get a fault on the context save or load
that isn't one we understand, like TPM_RC_HANDLE meaning the session
won't load or TPM_RC_REFERENCE_H0 meaning the session no longer exists,
then I think the only option is flushing everything.
I'd like us to agree on a hard failure model: if we get some
unexplained error during our context loads or saves, we should clear
out the entire space (which would allow us to use pointers instead of
copyring) but we don't. So we follow the soft failure. However,
sessions will mostly fail to load after this with RPM_RC_HANDLE, so we
get the equivalent of soft failure for transients and hard failure for
sessions.
> Now your code seems to just keep the previous session_buf, doesn't
> it? Does that always work or not?
Yes, after tpm_flush_space, the session memory is gone and all the
sessions will refuse to load with RC_HANDLE, so we end up effectively
clearing them out. It seemed better to do it this way than to try to
special case all the session stuff.
> PS. I have a high-level idea of attack vectors that are prevented by
> having meta-data for session inside the TPM but can you point me to
> the correct place in the TPM 2.0 specification that discusses about
> this?
The problem is replay. If I'm snooping your TPM commands and I capture
your session context, if we don't have replay detection, I can re-load
your session HMAC and replay your command because the session has the
authorization or the encryption. The TPM designers thought the only
way to avoid replay was to use a counter which was part of the session
context which increments every time a session is saved. On loading you
check that the counters match and fail if they don't. The only way to
implement this is to keep a memory of the counter in the TPM, hence the
annoying vestigial sessions.
It's note 2 of the architecture Part 1 guide, chapter "15.4 Session
Handles (MSO=02_16 and 03_16 )"
James
>
> /Jarkko
>
next prev parent reply other threads:[~2017-01-26 16:26 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-24 5:35 [PATCH 0/2] Add session handling to tpm spaces James Bottomley
[not found] ` <1485236113.2534.69.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-24 5:37 ` [PATCH 1/2] tpm2: add session handle context saving and restoring to the space code James Bottomley
2017-01-24 5:37 ` James Bottomley
2017-01-26 12:51 ` Jarkko Sakkinen
[not found] ` <20170126125151.32sky3tajp6zigpd-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-01-26 15:18 ` James Bottomley
2017-01-26 15:18 ` James Bottomley
[not found] ` <1485443929.2457.5.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-27 6:45 ` Jarkko Sakkinen
2017-01-27 6:45 ` Jarkko Sakkinen
2017-01-27 22:06 ` Ken Goldman
2017-01-26 16:26 ` James Bottomley [this message]
2017-01-26 16:26 ` James Bottomley
[not found] ` <1485447979.2457.23.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-27 6:49 ` Jarkko Sakkinen
2017-01-27 6:49 ` Jarkko Sakkinen
2017-01-24 5:38 ` [PATCH 2/2] tpm2-space: add handling for global session exhaustion James Bottomley
[not found] ` <1485236313.2534.73.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-26 12:56 ` Jarkko Sakkinen
2017-01-26 12:56 ` Jarkko Sakkinen
[not found] ` <20170126125615.dt5hnfbpmtxk7xlq-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-01-27 0:45 ` James Bottomley
2017-01-27 0:45 ` James Bottomley
[not found] ` <1485477952.2457.55.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-27 6:51 ` Jarkko Sakkinen
2017-01-27 6:51 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1485447979.2457.23.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.