Re: [PATCH v14 3/5] security: keys: trusted: fix TPM2 authorizations

[Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>]

On Wed, Dec 23, 2020 at 11:58:17AM -0800, James Bottomley wrote:
> On Tue, 2020-12-22 at 18:01 -0500, Ken Goldman wrote:
> > On 11/29/2020 5:20 PM, James Bottomley wrote:
> > > Note this is both and enhancement and a potential bug fix.  The TPM
> > > 2.0 spec requires us to strip leading zeros, meaning empyty
> > > authorization is a zero length HMAC whereas we're currently passing
> > > in 20 bytes of zeros.  A lot of TPMs simply accept this as OK, but
> > > the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this
> > > patch makes the Microsoft TPM emulator work with trusted keys.
> > 
> > 1 - To be precise, it strips trailing zeros, but 20 bytes of zero
> > results in an empty buffer either way.
> > 
> > "
> > Part 1 19.6.4.3	Authorization Size Convention
> > 
> > Trailing octets of zero are to be removed from any string before it
> > is used as an authValue.
> > "
> > 
> > 
> > 2 - If you have a test case for the MS simulator, post it and I'll
> > give it a try.
> > 
> > I did a quick test, power cycle to set platform auth to empty, than
> > create primary with a parent password 20 bytes of zero, and the
> > SW TPM accepted it.
> > 
> > This was a password session, not an HMAC session.
> 
> I reported it to Microsoft as soon as I found the problem, so, since
> this patch set has been languishing for years, I'd hope it would be
> fixed by now.  It is still, however, possible there still exist TPM
> implementations based on the unfixed Microsoft reference platform.
> 
> James

One year :-) A bit over but by all practical means... [*]

BTW, can you use my kernel org address for v15? 

[*] https://lore.kernel.org/linux-integrity/1575781600.14069.8.camel@HansenPartnership.com/

/Jarkko