From: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
To: James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
open list <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH RFC 0/4] RFC: in-kernel resource manager
Date: Wed, 4 Jan 2017 12:24:23 -0700 [thread overview]
Message-ID: <20170104192423.GA12929@obsidianresearch.com> (raw)
In-Reply-To: <1483556271.2561.50.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
On Wed, Jan 04, 2017 at 10:57:51AM -0800, James Bottomley wrote:
> > You are doing all this work to get the user space side in shape, I'd
> > like to see matching kernel support. To me that means out-of-the-box
> > a user can just use your plugins, the plugins will access /dev/tpms
> > and everything will work fine for RSA key storage.
>
> Actually, not necessarily; you're not considering the setup issue:
> right at the moment users get delivered TPMs mostly in the cleared
> state (thankfully they no longer have to clear via bios). So the first
> thing a new user has to do is set all the authorizations and create an
> SRK equivalent primary object at 0x81000001. I think in the interests
> of best practice we want to make that as easy as possible; saying they
> have to do this as root and use a different device is problematic.

I have no problem with users being instructed to do 'sudo
tpm2-provision' or having that happen via GUI using the usual
privilege escalation techniques.
The device names should never be exposed to the user. The user should
specify a chip number (default to 0) and the tools should select the
correct available device to do what the user is asking.

First try /dev/tpms and elevate filter, then try /dev/tpmX, then fail.

> You can say they don't have to use a different device because the
> filter can be lifted for root, but then how do I lock down root apps
> for this untrusted root setup secure boot has going on?

Presumably the same way you lock down /dev/tpm0 today?

SELinux I guess?

> I suppose we could use TPMA_PERMANENT for this. The first three bits
> indicate whether the authorizations are set, so if they're all clear,
> we can assume an unowned TPM and lift the filter? A sort of trust on
> first use model.

I feel TPM provisioning is something that should only be done by the
system owner, and that means root in Unix parlance.

I don't want random end-users provisioning the TPM in my server, for
instance.

Jason
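The two mechanisms the message argues about, the filtered-then-raw device selection Jason describes and the TPMA_PERMANENT authorization bits James proposes as an "unowned" signal, as an added example in C that is not from the thread or from any TPM tool. It assumes node names /dev/tpms<N> and /dev/tpm<N> (the thread only says /dev/tpms and /dev/tpmX), takes the attribute word as a parameter rather than querying a chip, and uses constructed probe callbacks so it runs without hardware. The unowned check only reports the chip's state; per Jason's point, whether that state should lift the command filter is a policy decision for the system owner, not something the tool decides on its own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * TPMA_PERMANENT attribute bits from the TPM 2.0 Library spec (Part 2).
 * The thread refers to the first three: each is set once the matching
 * authorization value has been changed from the empty buffer.
 */
#define TPMA_PERMANENT_OWNERAUTHSET        (1u << 0)
#define TPMA_PERMANENT_ENDORSEMENTAUTHSET  (1u << 1)
#define TPMA_PERMANENT_LOCKOUTAUTHSET      (1u << 2)

/*
 * True when none of the three authorizations has been set, i.e. the TPM
 * is still in the cleared state James describes. On real hardware the
 * word comes from TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_PERMANENT);
 * it is passed in here so the check can run on constructed values.
 */
bool tpm_is_unowned(uint32_t tpma_permanent)
{
    const uint32_t auth_bits = TPMA_PERMANENT_OWNERAUTHSET |
                               TPMA_PERMANENT_ENDORSEMENTAUTHSET |
                               TPMA_PERMANENT_LOCKOUTAUTHSET;
    return (tpma_permanent & auth_bits) == 0;
}

enum tpm_dev_kind {
    TPM_DEV_NONE = -1,     /* neither node is usable: fail */
    TPM_DEV_FILTERED = 0,  /* resource-managed node, command filter applies */
    TPM_DEV_RAW = 1        /* raw chip node, normally root only */
};

/*
 * Select a device for chip number `chip` in the order Jason gives:
 * filtered node first, raw node second, otherwise fail. The node names
 * "/dev/tpms<N>" and "/dev/tpm<N>" are an assumption. `usable` is a probe
 * callback so the selection can be exercised on constructed inputs;
 * tpm_dev_accessible() below is the real probe a tool would pass.
 */
enum tpm_dev_kind select_tpm_device(int chip, bool (*usable)(const char *),
                                    char *out, size_t outlen)
{
    char path[32];

    snprintf(path, sizeof path, "/dev/tpms%d", chip);
    if (usable(path)) {
        snprintf(out, outlen, "%s", path);
        return TPM_DEV_FILTERED;
    }
    snprintf(path, sizeof path, "/dev/tpm%d", chip);
    if (usable(path)) {
        snprintf(out, outlen, "%s", path);
        return TPM_DEV_RAW;
    }
    out[0] = '\0';
    return TPM_DEV_NONE;
}

/* Real probe: the calling process may open the node for read and write. */
bool tpm_dev_accessible(const char *path)
{
    return access(path, R_OK | W_OK) == 0;
}

/* Constructed probes standing in for three possible systems. */
bool probe_both_nodes(const char *path) { (void)path; return true; }
bool probe_raw_only(const char *path)
{
    return strncmp(path, "/dev/tpms", 9) != 0;   /* only /dev/tpm<N> exists */
}
bool probe_no_nodes(const char *path) { (void)path; return false; }

int main(void)
{
    char dev[32];
    /* Constructed attribute words: a cleared TPM, then one with auths set. */
    uint32_t cleared = 0x00000000u;
    uint32_t owned = TPMA_PERMANENT_OWNERAUTHSET | TPMA_PERMANENT_LOCKOUTAUTHSET;

    printf("cleared TPM unowned: %d\n", tpm_is_unowned(cleared));
    printf("owned TPM unowned:   %d\n", tpm_is_unowned(owned));

    enum tpm_dev_kind k = select_tpm_device(0, probe_raw_only, dev, sizeof dev);
    printf("raw-only system -> kind %d, path %s\n", k, dev);

    k = select_tpm_device(0, tpm_dev_accessible, dev, sizeof dev);
    printf("this host       -> kind %d, path %s\n", k,
           k == TPM_DEV_NONE ? "(none)" : dev);
    return 0;
}
```

The returned kind tells the caller which node it ended up on, so a tool can refuse a provisioning command when it only obtained the filtered node, rather than relying on the device name the user never sees.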