From: Jarkko Sakkinen <jarkko@kernel.org>
To: Chris Fenner <cfenn@google.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>,
Peter Huewe <peterhuewe@gmx.de>, Jason Gunthorpe <jgg@ziepe.ca>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tpm: Disable TCG_TPM2_HMAC by default
Date: Fri, 15 Aug 2025 20:52:32 +0300 [thread overview]
Message-ID: <aJ9z4OlwvFdEA2Q_@kernel.org> (raw)
In-Reply-To: <aJ9ySGv0JZ0DiNgf@kernel.org>
On Fri, Aug 15, 2025 at 08:45:48PM +0300, Jarkko Sakkinen wrote:
> On Fri, Aug 15, 2025 at 10:06:36AM -0700, Chris Fenner wrote:
> > On Fri, Aug 15, 2025 at 9:27 AM Jarkko Sakkinen <jarkko.sakkinen@iki.fi> wrote:
> >
> > > I'll with shoot another proposal. Let's delete null primary creation
> > > code and add a parameter 'tpm.integrity_handle', which will refers to
> > > persistent primary handle:
> >
> > I'm not yet sure I understand which handle you mean, or what you're
> > proposing to do with it. Could you elaborate?
>
> Primary key persistent handle.
>
> In tpm2_start_auth_session() there's
>
> /* salt key handle */
> tpm_buf_append_u32(&buf, null_key);
>
> Which would become
>
> /* salt key handle */
> tpm_buf_append_u32(&buf, integrity_handle);
>
> And in beginning of exported functions from tpm2-sessions.c:
>
> if (!integrity_handle)
> return 0;
>
> And delete from same file:
>
> 1. tpm2_create_*()
> 2. tpm2_load_null()
>
> That way the feature makes sense and does not disturb the user who don't
> want it as PCRs and random numbers will be integrity proteced agains an
> unambiguous key that can be certified.
E.g., for example that will unquestionably harden IMA exactly for the
same reasons why some user space software might to choose to use HMAC
based integrity protection.
At data center, there's guards and guns but for appliences, but there
is also the market appliances, home server products etc. They are not
mobile but neither they are protected in the same as e.g., a data
center is.
This is not to admit that right now the feature is no good to anyone
but in a selected set of use cases with this modification it would
make e.g., IMA's security *worse* than it would be with the feature
enabled.
BR, Jarkko
next prev parent reply other threads:[~2025-08-15 17:52 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 16:22 [PATCH] tpm: Disable TCG_TPM2_HMAC by default Chris Fenner
2025-08-15 12:04 ` Jarkko Sakkinen
2025-08-15 15:45 ` Chris Fenner
2025-08-15 16:26 ` Jarkko Sakkinen
2025-08-15 17:06 ` Chris Fenner
2025-08-15 17:45 ` Jarkko Sakkinen
2025-08-15 17:52 ` Jarkko Sakkinen [this message]
2025-08-15 17:58 ` Jarkko Sakkinen
2025-08-15 18:04 ` Jarkko Sakkinen
2025-08-15 18:09 ` Chris Fenner
2025-08-18 17:42 ` Jarkko Sakkinen
-- strict thread matches above, loose matches on Subject: below --
2024-05-18 11:34 Jarkko Sakkinen
2024-05-20 14:50 ` James Bottomley
2024-05-20 15:44 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aJ9z4OlwvFdEA2Q_@kernel.org \
--to=jarkko@kernel.org \
--cc=cfenn@google.com \
--cc=jarkko.sakkinen@iki.fi \
--cc=jgg@ziepe.ca \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterhuewe@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.