From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Berger
Subject: Re: [PATCH] tpm: vtpm_proxy: Introduce flag to prevent sysfs entries
Date: Thu, 30 Jun 2016 12:17:02 -0400
Message-ID: <577545FE.5000206@linux.vnet.ibm.com>
References: <1466779015-26965-1-git-send-email-stefanb@linux.vnet.ibm.com> <20160624174803.GA14506@obsidianresearch.com> <576D7F34.50201@linux.vnet.ibm.com> <20160627183220.GD7268@intel.com>
In-Reply-To: <20160627183220.GD7268-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
To: Jarkko Sakkinen
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: tpmdd-devel@lists.sourceforge.net

On 06/27/2016 02:32 PM, Jarkko Sakkinen wrote:
> On Fri, Jun 24, 2016 at 02:43:00PM -0400, Stefan Berger wrote:
>> On 06/24/2016 01:48 PM, Jason Gunthorpe wrote:
>>> On Fri, Jun 24, 2016 at 10:36:55AM -0400, Stefan Berger wrote:
>>>> Introduce TPM_VTPM_PROXY_NO_SYSFS flag that prevents a vtpm_proxy driver
>>>> instance from having the typical sysfs entries that shows the state of the
>>>> TPM. The flag is to be set in the ioctl creating the vtpm_proxy device
>>>> pair and maps on a new chip flags TPM_CHIP_FLAG_NO_SYSFS.
>>> No other subsystem does something so goofy, this really needs to be
>>> part of namespace support for TPM.
>> And I am not sure how to go about this. TPM2 by the way doesn't have such
>> entries, so it's much better from that perspective.
>>
>>> Why can't you just make the sysfs files unreadable in user space?
>> There are actually ways to go about this. Likely bind-mounting over
>> /sys/device/virtual/tpm would be one solution to hide all virtual TPM
>> device. Another is applying an AppArmor policy to the container denying
>> access to tpm directories or entries. SELinux would not be so easy.
>>
>> The flag in this patch seemed like a 'cheap' way to eliminate that problem
>> as well.
> Does it have any other qualities that would make this better than bind
> mounting?

Not sure what to argue with. Maybe setting a bit on an ioctl that needs
to be executed would be a good argument.

    stefan

>
> /Jarkko
>