Subject: Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM
From: James Bottomley
To: Jarkko Sakkinen, "David R. Bild", philip.b.tricca@intel.com
Cc: Jason Gunthorpe, Greg Kroah-Hartman, Peter Huewe, linux-usb@vger.kernel.org, linux-integrity@vger.kernel.org
Date: Tue, 08 May 2018 08:25:48 -0700
Message-ID: <1525793148.3672.8.camel@HansenPartnership.com>
In-Reply-To: <20180508105515.GB6132@linux.intel.com>
References: <20180430125418.31344-1-david.bild@xaptum.com> <20180504130022.5231-3-david.bild@xaptum.com> <20180504190638.ikqhdvcqccakzdjd@ziepe.ca> <20180508105515.GB6132@linux.intel.com>

On Tue, 2018-05-08 at 13:55 +0300, Jarkko Sakkinen wrote:
> On Fri, May 04, 2018 at 02:56:25PM -0500, David R. Bild wrote:
[...]
> > In particular, it sets the credentials for the platform hierarchy.
> > The platform hierarchy is essentially the "root" account of the
> > TPM, so it's critical that those credentials be set before the TPM
> > is exposed to user-space. (The platform credentials aren't
> > persisted in the TPM and must be set by the platform on every
> > boot.) If the driver registers the TPM before doing
> > initialization, there's a chance that something else could access
> > the TPM before the platform credentials get set.
>
> Maybe. Not sure yet where to draw the line, e.g. should the TSS2 daemon
> do it, for example.
>
> James? Philip?

I don't see any reason to set an unreachable password for the platform
hierarchy if the UEFI didn't. If the desire is to disable the platform
hierarchy, then it should be disabled, not have a random password set.
I'd also say this is probably the job of early boot based on policy.

James
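To make the two options in this exchange concrete, here is an added example (not code from this thread or from the xapea00x driver) that encodes on the wire the TPM 2.0 command that sets the platform hierarchy credentials, TPM2_HierarchyChangeAuth, beside the one James suggests instead, TPM2_HierarchyControl with the hierarchy disabled. It assumes the platform auth is still empty when the driver runs (fresh boot) and uses a plain password session; constants are from the TPM 2.0 Library specification.

```c
/* Added example, not the driver's code; assumes empty platform auth and a password session. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { TPM_ST_SESSIONS = 0x8002, TPM_RH_PLATFORM = 0x4000000C, TPM_RS_PW = 0x40000009,
       TPM_CC_HierarchyControl = 0x121, TPM_CC_HierarchyChangeAuth = 0x129 };

static size_t put16(uint8_t *b, uint16_t v) { b[0] = v >> 8; b[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *b, uint32_t v) { put16(b, v >> 16); put16(b + 2, (uint16_t)v); return 4; }

/* Header, platform handle and a password session carrying the (empty)
 * platform auth; commandSize (bytes 2..5) is patched in by the callers. */
static size_t platform_prefix(uint8_t *buf, uint32_t cc)
{
    size_t n = put16(buf, TPM_ST_SESSIONS);
    n += put32(buf + n, 0);                /* commandSize placeholder */
    n += put32(buf + n, cc);
    n += put32(buf + n, TPM_RH_PLATFORM);  /* authHandle */
    n += put32(buf + n, 9);                /* authorizationSize */
    n += put32(buf + n, TPM_RS_PW);        /* sessionHandle */
    n += put16(buf + n, 0);                /* nonce: empty */
    buf[n++] = 0;                          /* sessionAttributes */
    n += put16(buf + n, 0);                /* hmac: empty platform auth */
    return n;
}

/* James's alternative: TPM2_HierarchyControl(platform, enable=platform,
 * state=NO) disables the hierarchy until the next TPM reset. */
size_t build_disable_platform_hierarchy(uint8_t *buf, size_t cap)
{
    if (cap < 32) return 0;
    size_t n = platform_prefix(buf, TPM_CC_HierarchyControl);
    n += put32(buf + n, TPM_RH_PLATFORM);  /* enable */
    buf[n++] = 0;                          /* state: NO (disabled) */
    put32(buf + 2, (uint32_t)n);
    return n;
}

/* What setting the credentials does instead: TPM2_HierarchyChangeAuth(platform, newAuth). */
size_t build_change_platform_auth(uint8_t *buf, size_t cap,
                                  const uint8_t *auth, uint16_t len)
{
    if (cap < 29u + len) return 0;
    size_t n = platform_prefix(buf, TPM_CC_HierarchyChangeAuth);
    n += put16(buf + n, len);              /* newAuth: TPM2B_AUTH */
    memcpy(buf + n, auth, len); n += len;
    put32(buf + 2, (uint32_t)n);
    return n;
}
```

Either command must be sent before the TPM is registered with the kernel's TPM core, since once `/dev/tpm*` exists any other caller can race the driver for the still-empty platform auth.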