From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
"Jarkko Sakkinen" <jarkko.sakkinen@iki.fi>,
<openssl-tpm2-engine@groups.io>
Cc: <linux-integrity@vger.kernel.org>
Subject: Re: [PATCH 1/8] tss: Fix handling of TPM_RH_NULL in intel-tss
Date: Sat, 03 Aug 2024 23:43:56 +0300 [thread overview]
Message-ID: <D36KI8TC0600.1OAIM33YQYMLX@kernel.org> (raw)
In-Reply-To: <237c1ed926d926bfddb92a959a27543479b5f0ae.camel@HansenPartnership.com>
On Sat Aug 3, 2024 at 10:47 PM EEST, James Bottomley wrote:
> On Sat, 2024-08-03 at 22:31 +0300, Jarkko Sakkinen wrote:
> > On Sat Aug 3, 2024 at 8:51 PM EEST, James Bottomley wrote:
> > > On Sat, 2024-08-03 at 20:08 +0300, Jarkko Sakkinen wrote:
> > > > On Fri Aug 2, 2024 at 11:25 PM EEST, James Bottomley wrote:
> > > > > Now that we're going to be using the NULL primary to salt
> > > > > sessions, the Intel TSS shim needs fixing to cope with this.
> > > > > In the Intel TSS, there are two internal handles representing
> > > > > NULL: ESYS_TR_NONE and ESYS_TR_RH_NULL. We translate
> > > > > TPM_RH_NULL to ESYS_TR_NONE because
> > > >
> > > > Can you split this into two paragraphs.
> > > >
> > > > I'm lost why it has two representations.
> > >
> > > Well, I actually have no idea why the Intel TSS has two
> > > representations for *every* handle: an internal one (specific to
> > > the TSS) and an external one that everyone uses, like 81000001 or
> > > 40000007. As far as I can see it just adds pointless complexity to
> > > the coding. The IBM TSS only has one, so for code which works with
> > > both, the shim has to transform between internal and external
> > > handle representations before sending the command onward to the
> > > Intel TSS.
> >
> > Is it possible to address this complexity and move into a single
> > representation? I.e. use external presentation all the way.
>
> Yes, that's what the current code does. It began life as pure IBM TSS
> so it used what the Intel TSS would consider as all external handle
> representations. The external to internal shift (and back) happens
> inside the TSS shim.
Ah, right, OK now I'm on page, thank you.
>
> > > Even more mysteriously the Intel TSS has three representations for
> > > the NULL handle: an internal one, an external one (40000007) and
> > > one you use for an empty session (ESYS_TR_NONE). The IBM TSS uses
> > > TPM_RH_NULL for all three so you can't just translate from external
> > > to internal you have to know if you're using the handle for a
> > > session or a hierarchy as well.
> >
> > Same question applies to this too.
>
> Remember this is just fixing the Intel TSS Shim. The fact that we have
> to use three different handles for NULL isn't visible outside the shim,
> so a consumer of these APIs just uses TPM_RH_NULL everywhere. The fix
> is that the Intel TSS Shim was using the wrong handle for some
> operations.
OK, got it, thanks.
BR, Jarkko
next prev parent reply other threads:[~2024-08-03 20:44 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 20:25 [PATCH 0/8] openssl_tpm2_engine: Add attestation functions for primary keys James Bottomley
2024-08-02 20:25 ` [PATCH 1/8] tss: Fix handling of TPM_RH_NULL in intel-tss James Bottomley
2024-08-03 17:08 ` Jarkko Sakkinen
2024-08-03 17:51 ` James Bottomley
2024-08-03 19:31 ` Jarkko Sakkinen
2024-08-03 19:47 ` James Bottomley
2024-08-03 20:43 ` Jarkko Sakkinen [this message]
2024-08-04 13:42 ` [PATCH v2 " James Bottomley
2024-08-04 15:37 ` [openssl-tpm2-engine] " James Bottomley
2024-08-04 21:28 ` Jarkko Sakkinen
2024-08-05 2:48 ` [openssl-tpm2-engine] " James Bottomley
2024-08-05 11:54 ` Jarkko Sakkinen
2024-08-02 20:26 ` [PATCH 2/8] libcommon: add ability to create a signing primary key James Bottomley
2024-08-02 20:26 ` [PATCH 3/8] libcommon: add bin2hex and tmp2_get_hexname James Bottomley
2024-08-03 17:21 ` Jarkko Sakkinen
2024-08-02 20:26 ` [PATCH 4/8] libcommon: add primary creation from template James Bottomley
2024-08-02 20:26 ` [PATCH 5/8] tss: add tpm2_Certify, tpm2_ActivateCredential and tpm2_PolicyOR James Bottomley
2024-08-02 20:26 ` [PATCH 6/8] tools: add new attest_tpm2_primary command James Bottomley
2024-08-02 20:26 ` [PATCH 7/8] attest_tpm2_primary: add man page James Bottomley
2024-08-02 20:26 ` [PATCH 8/8] tests: add tests for attest_tpm2_primary James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D36KI8TC0600.1OAIM33YQYMLX@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=jarkko.sakkinen@iki.fi \
--cc=linux-integrity@vger.kernel.org \
--cc=openssl-tpm2-engine@groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.