From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
"Jarkko Sakkinen" <jarkko.sakkinen@iki.fi>,
<openssl-tpm2-engine@groups.io>
Cc: <linux-integrity@vger.kernel.org>
Subject: Re: [PATCH 1/8] tss: Fix handling of TPM_RH_NULL in intel-tss
Date: Sat, 03 Aug 2024 23:43:56 +0300
Message-ID: <D36KI8TC0600.1OAIM33YQYMLX@kernel.org>
In-Reply-To: <237c1ed926d926bfddb92a959a27543479b5f0ae.camel@HansenPartnership.com>

On Sat Aug 3, 2024 at 10:47 PM EEST, James Bottomley wrote:
> On Sat, 2024-08-03 at 22:31 +0300, Jarkko Sakkinen wrote:
> > On Sat Aug 3, 2024 at 8:51 PM EEST, James Bottomley wrote:
> > > On Sat, 2024-08-03 at 20:08 +0300, Jarkko Sakkinen wrote:
> > > > On Fri Aug 2, 2024 at 11:25 PM EEST, James Bottomley wrote:
> > > > > Now that we're going to be using the NULL primary to salt
> > > > > sessions, the Intel TSS shim needs fixing to cope with this.
> > > > > In the Intel TSS, there are two internal handles representing
> > > > > NULL: ESYS_TR_NONE and ESYS_TR_RH_NULL. We translate
> > > > > TPM_RH_NULL to ESYS_TR_NONE because
> > > >
> > > > Can you split this into two paragraphs.
> > > >
> > > > I'm lost why it has two representations.
> > >
> > > Well, I actually have no idea why the Intel TSS has two
> > > representations for *every* handle: an internal one (specific to
> > > the TSS) and an external one that everyone uses, like 81000001 or
> > > 40000007. As far as I can see it just adds pointless complexity to
> > > the coding. The IBM TSS only has one, so for code which works with
> > > both, the shim has to transform between internal and external
> > > handle representations before sending the command onward to the
> > > Intel TSS.
> >
> > Is it possible to address this complexity and move into a single
> > representation? I.e. use external presentation all the way.
>
> Yes, that's what the current code does. It began life as pure IBM TSS
> so it used what the Intel TSS would consider as all external handle
> representations. The external to internal shift (and back) happens
> inside the TSS shim.

Ah, right, OK now I'm on page, thank you.

>
> > > Even more mysteriously the Intel TSS has three representations for
> > > the NULL handle: an internal one, an external one (40000007) and
> > > one you use for an empty session (ESYS_TR_NONE). The IBM TSS uses
> > > TPM_RH_NULL for all three so you can't just translate from external
> > > to internal you have to know if you're using the handle for a
> > > session or a hierarchy as well.
> >
> > Same question applies to this too.
>
> Remember this is just fixing the Intel TSS Shim. The fact that we have
> to use three different handles for NULL isn't visible outside the shim,
> so a consumer of these APIs just uses TPM_RH_NULL everywhere. The fix
> is that the Intel TSS Shim was using the wrong handle for some
> operations.

OK, got it, thanks.

BR, Jarkko