From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: William Roberts <bill.c.roberts@gmail.com>,
Ken Goldman <kgold@linux.ibm.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>, linux-integrity@vger.kernel.org
Subject: Re: Seal/Unseal trusted keys against PCR policy
Date: Fri, 06 Jan 2023 18:07:18 -0500 [thread overview]
Message-ID: <a763fdc8e247e217b5efe860be4aebccb708b245.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAFftDdr6qs33HaaPK3MMmyi9-mMjUuLURt9PAum6hJ3N3m=_iw@mail.gmail.com>
On Fri, 2023-01-06 at 16:23 -0600, William Roberts wrote:
> On Fri, Jan 6, 2023, 15:55 Ken Goldman <kgold@linux.ibm.com> wrote:
> >
> > On 12/28/2022 5:48 PM, James Bottomley wrote:
> > > The main thing you have to do is connect to the TPM not through
> > > the
> > > resource manager so the policy session survives multiple commands
> > >
> > > export TPM_DEVICE=/dev/tpm0
> >
> > Just FYI, as James says, command line utilities interact with the
> > resource manager. When I want to run command line programs through
> > the
> > resource manager, I use a proxy to keep the /dev/tpmrm0 session
> > connected.
> >
> > https://github.com/kgoldman/ibmtss/blob/master/utils/tpmproxy.c hol
> > ds an
> > open source proxy.
> >
>
> If you need to do this in production that tpmproxy allows anyone to
> connect to it. So while it's open it would circumvent the permissions
> on /dev/tpmrm0. You can just use tpm2-tools, which uses contexts and
> avoids this problem.
The specific issue with this is that using contexts, no-one could
figure out a way to pass the session into the kernel:
https://lore.kernel.org/linux-integrity/CADg8p94kTNkoByjLhEij3KkigLxhwU8PxnO82cRaO0Ejh7T3Zg@mail.gmail.com/
How should this be done?
James
next prev parent reply other threads:[~2023-01-06 23:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-27 4:14 Seal/Unseal trusted keys against PCR policy Sughosh Ganu
2022-12-27 15:40 ` James Bottomley
2022-12-28 20:40 ` Sughosh Ganu
2022-12-28 22:48 ` James Bottomley
2022-12-29 8:42 ` Sughosh Ganu
2023-01-06 21:52 ` Ken Goldman
2023-01-06 22:23 ` William Roberts
2023-01-06 23:07 ` James Bottomley [this message]
[not found] ` <CAFftDdrnoc7zsxqLGuGDVK9fh1xh3E3dT2+9rKm7BPr114ZjFA@mail.gmail.com>
2023-01-11 12:19 ` Sughosh Ganu
2023-01-11 12:31 ` James Bottomley
2023-01-11 13:50 ` William Roberts
2023-01-11 14:42 ` James Bottomley
2023-01-06 23:17 ` Ken Goldman
2023-01-07 0:38 ` William Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a763fdc8e247e217b5efe860be4aebccb708b245.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=bill.c.roberts@gmail.com \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=sughosh.ganu@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox