From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jarkko Sakkinen Subject: Re: [PATCH RFC] tpm: define a command filter Date: Fri, 27 Jan 2017 08:42:40 +0200 Message-ID: <20170127064240.5xrf4ddbo2vq3llb@intel.com> References: <20170124000258.16818-1-jarkko.sakkinen@linux.intel.com> <20170124001918.GA29735@obsidianresearch.com> <20170124143600.siyhblj67qaatewi@intel.com> <20170124190707.GA9899@obsidianresearch.com> <20170125202137.7bsv7lptvpzl2fjz@intel.com> <20170125221136.GA713@obsidianresearch.com> <20170126111403.ql6np2qulifxxw3p@intel.com> <20170126180506.GA20330@obsidianresearch.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20170126180506.GA20330-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org To: Jason Gunthorpe Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, open list List-Id: tpmdd-devel@lists.sourceforge.net On Thu, Jan 26, 2017 at 11:05:06AM -0700, Jason Gunthorpe wrote: > On Thu, Jan 26, 2017 at 01:14:03PM +0200, Jarkko Sakkinen wrote: > > On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote: > > > On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote: > > > > > > > There should be anyway someway to limit what commands can be sent but > > > > I understand your point. > > > > > > What is the filter for? > > > > > > James and I talked about a filter to create a safer cdev for use by > > > users. However tpms0 cannot be that 'safer' cdev - it is now the 'all > > > access' path. > > > > What do you mean by "safer cdev"? > > 'safer cdev' is this concept of limiting privileges you are describing > below. > > > > I also suggested a filter in the kernel to ensure that the RM is only > > > passing commands it actually knows it handles properly. eg you would > > > filter out list handles. That is hardwired into the kernel, and does > > > not ge to be configured by user space. > > > > In many cases you would want to limit the set of operations that client > > can use. For example, not every client needs NV operations. In general > > you might want to have mechanism for limiting privileges. I haven't > > really considered this from the perspective that you've been discussing > > but more from the "principle of least privilege" perspective. > > What does that mean? The kernel needs to provide an unrestricted > access path to the TPM and the RM - typically for use by root. I don't > think there is any debate on this point. > > The kernel *could* provide restricted access to the TPM and the RM - > typically for use by a user. > > These are *different* things and they should not both exist at once on > /dev/tpms0 (that is not the unix model). > > IMHO this patch series should focus entirely on the unrestricted > access path. Otherwise the debate is too large and complex. Agreed. We can add more granular access control later on. For the rest of the response I understand your point of view but lets continue after we have basic building blocks in place :-) /Jarkko ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754157AbdA0GqH (ORCPT ); Fri, 27 Jan 2017 01:46:07 -0500 Received: from mga11.intel.com ([192.55.52.93]:29922 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754117AbdA0GqE (ORCPT ); Fri, 27 Jan 2017 01:46:04 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,293,1477983600"; d="scan'208";a="36158109" Date: Fri, 27 Jan 2017 08:42:40 +0200 From: Jarkko Sakkinen To: Jason Gunthorpe Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, Peter Huewe , Marcel Selhorst , open list Subject: Re: [PATCH RFC] tpm: define a command filter Message-ID: <20170127064240.5xrf4ddbo2vq3llb@intel.com> References: <20170124000258.16818-1-jarkko.sakkinen@linux.intel.com> <20170124001918.GA29735@obsidianresearch.com> <20170124143600.siyhblj67qaatewi@intel.com> <20170124190707.GA9899@obsidianresearch.com> <20170125202137.7bsv7lptvpzl2fjz@intel.com> <20170125221136.GA713@obsidianresearch.com> <20170126111403.ql6np2qulifxxw3p@intel.com> <20170126180506.GA20330@obsidianresearch.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170126180506.GA20330@obsidianresearch.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.6.2-neo (2016-08-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 26, 2017 at 11:05:06AM -0700, Jason Gunthorpe wrote: > On Thu, Jan 26, 2017 at 01:14:03PM +0200, Jarkko Sakkinen wrote: > > On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote: > > > On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote: > > > > > > > There should be anyway someway to limit what commands can be sent but > > > > I understand your point. > > > > > > What is the filter for? > > > > > > James and I talked about a filter to create a safer cdev for use by > > > users. However tpms0 cannot be that 'safer' cdev - it is now the 'all > > > access' path. > > > > What do you mean by "safer cdev"? > > 'safer cdev' is this concept of limiting privileges you are describing > below. > > > > I also suggested a filter in the kernel to ensure that the RM is only > > > passing commands it actually knows it handles properly. eg you would > > > filter out list handles. That is hardwired into the kernel, and does > > > not ge to be configured by user space. > > > > In many cases you would want to limit the set of operations that client > > can use. For example, not every client needs NV operations. In general > > you might want to have mechanism for limiting privileges. I haven't > > really considered this from the perspective that you've been discussing > > but more from the "principle of least privilege" perspective. > > What does that mean? The kernel needs to provide an unrestricted > access path to the TPM and the RM - typically for use by root. I don't > think there is any debate on this point. > > The kernel *could* provide restricted access to the TPM and the RM - > typically for use by a user. > > These are *different* things and they should not both exist at once on > /dev/tpms0 (that is not the unix model). > > IMHO this patch series should focus entirely on the unrestricted > access path. Otherwise the debate is too large and complex. Agreed. We can add more granular access control later on. For the rest of the response I understand your point of view but lets continue after we have basic building blocks in place :-) /Jarkko