From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965478AbbKDNPi (ORCPT ); Wed, 4 Nov 2015 08:15:38 -0500 Received: from mga01.intel.com ([192.55.52.88]:53935 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752679AbbKDNPg (ORCPT ); Wed, 4 Nov 2015 08:15:36 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,243,1444719600"; d="scan'208";a="593865095" Date: Wed, 4 Nov 2015 15:13:26 +0200 From: Jarkko Sakkinen To: Mimi Zohar Cc: Peter Huewe , Marcel Selhorst , David Howells , tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, chris.j.arges@canonical.com, seth.forshee@canonical.com, colin.king@canonical.com, josh@joshtriplett.org, Jonathan Corbet , James Morris , "Serge E. Hallyn" , "open list:DOCUMENTATION" Subject: Re: [PATCH v2 1/3] keys, trusted: select the hash algorithm Message-ID: <20151104131326.GA5677@intel.com> References: <1446204910-29948-1-git-send-email-jarkko.sakkinen@linux.intel.com> <1446204910-29948-2-git-send-email-jarkko.sakkinen@linux.intel.com> <1446466609.2659.50.camel@linux.vnet.ibm.com> <20151103073923.GA9751@intel.com> <1446565151.2570.77.camel@linux.vnet.ibm.com> <20151103161217.GA13757@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151103161217.GA13757@intel.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 03, 2015 at 06:12:17PM +0200, Jarkko Sakkinen wrote: > On Tue, Nov 03, 2015 at 10:39:11AM -0500, Mimi Zohar wrote: > > On Tue, 2015-11-03 at 09:39 +0200, Jarkko Sakkinen wrote: > > > On Mon, Nov 02, 2015 at 07:16:49AM -0500, Mimi Zohar wrote: > > > > On Fri, 2015-10-30 at 13:35 +0200, Jarkko Sakkinen wrote: > > > > > > > > > @@ -787,6 +791,20 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > > > > > return -EINVAL; > > > > > opt->pcrlock = lock; > > > > > break; > > > > > + case Opt_hash: > > > > > + for (i = 0; i < HASH_ALGO__LAST; i++) { > > > > > + if (!strcmp(args[0].from, hash_algo_name[i])) { > > > > > + opt->hash = i; > > > > > + break; > > > > > + } > > > > > + } > > > > > + res = tpm_is_tpm2(TPM_ANY_NUM); > > > > > > > > While looking at this, I wanted to verify that chips are still added to > > > > the tail of the tpm_chip_list. Unfortunately, commit "afb5abc tpm: > > > > two-phase chip management functions" reverted David Howell's commit > > > > "770ab65 TPM: Add new TPMs to the tail of the list to prevent > > > > inadvertent change of dev". > > > > > > > > > + if (res < 0) > > > > > + return res; > > > > > + if (i == HASH_ALGO__LAST || > > > > > + (!res && i != HASH_ALGO_SHA1)) > > > > > + return -EINVAL; > > > > > + break; > > > > > > > > If the first TPM registered is a TPM 1.2, then changing the default TPM > > > > 2.0 hash algorithm will fail. > > > > > > Now that we are going fix this issue in 4.3 and 4.4 do you find this > > > patch otherwise acceptable? > > > > > > PS. In other options that we don't support in TPM2 I'm planning to > > > submit a fix that they will return -EINVAL (like pcrinfo). > > > > I don't have a problem failing the request, but I do suggest adding some > > sort of error message. Different systems might behavior differently > > without any explanation. > > Something like the pr_info("trusted_key: TPM 1.x supports only sha1")? I've started to think that maybe it was a bad idea to break this into patch set as the changes are small and they make sense only together. What do you think? Should quash everything into single patch? > > Mimi /Jarkko