From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "William Brown" <wbrown@suse.de>,
	"James Bottomley" <James.Bottomley@HansenPartnership.com>
Cc: <linux-integrity@vger.kernel.org>, <peterhuewe@gmx.de>,
	<jgg@ziepe.ca>, "Takashi Iwai" <tiwai@suse.de>
Subject: Re: TPM error 0x0901, possibly related to TPM2_PT_CONTEXT_GAP_MAX
Date: Sat, 13 Apr 2024 23:50:47 +0300	[thread overview]
Message-ID: <D0JAIGVZLE9Q.2D0LVWXOE13H0@kernel.org> (raw)
In-Reply-To: <4A174330-E1BB-4160-BD90-EAE6150706B5@suse.de>

On Fri Apr 5, 2024 at 3:24 AM EEST, William Brown wrote:
>
>
> > On 5 Apr 2024, at 01:49, James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> > 
> > The reality is that unless you context save a session, you don't need
> > degapping and pretty much every TSS based use of sessions doesn't need
> > to save them, so people who construct TPM based systems rarely run into
> > this. 
>
> This is the odd part - I'm *not* context saving sessions here.
>
>      Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
>      Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
>      Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
>
> I could be completely wrong, but my reading of the specification is that HrActive/HrLoaded are the values of interest here, and we can see they remain at 0/1 for each test as the sessions and loaded objects are removed at the end of each test. 
>
> And yet, I'm running into the error 0x0901. So something else is going on that I'm not 100% sure about.

We should catch all TPM2_StartAuthSession commands written to /dev/tpm0.

In practice this means checking the 32-bit value in buf[6] of the second
parameter of tpm_transmit().

This could be e.g. checked with bpftrace by hooking kprobe into the
function and comparing that to 0x00000176. It is in big-endian order.

I can try to bake a script for this if you need help...

That way we can catch all session creations.

>
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia


BR, Jarkko
