
[v6,00/12] add integrity and security to TPM2 transactions

Message ID 1568031408.6613.29.camel@HansenPartnership.com (mailing list archive)

Message

James Bottomley Sept. 9, 2019, 12:16 p.m. UTC
Link to previous cover letter:

https://lore.kernel.org/linux-integrity/1540193596.3202.7.camel@HansenPartnership.com/

This is marked v6 instead of v5 because I did a v5 after feedback on v4
but didn't get around to posting it and then had to rework the whole of
the kernel space handling while I was on holiday.  I also added the
documentation of how the whole thing works and the rationale for doing
it in tpm-security.rst (patch 11).  The main reason for doing this now
is so we have something to discuss at Plumbers.

The new patch set implements the various splits requested, but the main
changes are that the kernel space is gone and is replaced by a context
save and restore of the generated null seed.  This is easier to handle
than a full kernel space given the new threading for TPM spaces, but
conceptually it is still very like a space.  I've also made whether
integrity and encryption is turned on a Kconfig option.

James

---

James Bottomley (12):
  tpm-buf: move from static inlines to real functions
  tpm-buf: add handling for TPM2B types
  tpm-buf: add cursor based functions for response parsing
  tpm2-space: export the context save and load commands
  tpm2-sessions: Add full HMAC and encrypt/decrypt session handling
  tpm-buf: add tpm_buf_parameters()
  tpm2: add hmac checks to tpm2_pcr_extend()
  tpm2: add session encryption protection to tpm2_get_random()
  trusted keys: Add session encryption protection to the seal/unseal
    path
  tpm: add the null key name as a tpm2 sysfs variable
  Documentation: add tpm-security.rst
  tpm2-sessions: NOT FOR COMMITTING add sessions testing

 Documentation/security/tpm/tpm-security.rst |  204 +++++
 drivers/char/tpm/Kconfig                    |   11 +
 drivers/char/tpm/Makefile                   |    4 +
 drivers/char/tpm/tpm-buf.c                  |  202 +++++
 drivers/char/tpm/tpm-chip.c                 |    1 +
 drivers/char/tpm/tpm-sysfs.c                |   27 +-
 drivers/char/tpm/tpm.h                      |  117 +--
 drivers/char/tpm/tpm2-cmd.c                 |  202 +++--
 drivers/char/tpm/tpm2-sessions-test.c       |  795 ++++++++++++++++++
 drivers/char/tpm/tpm2-sessions.c            | 1204 +++++++++++++++++++++++++++
 drivers/char/tpm/tpm2-sessions.h            |  138 +++
 drivers/char/tpm/tpm2-space.c               |    8 +-
 include/linux/tpm.h                         |   29 +
 13 files changed, 2787 insertions(+), 155 deletions(-)
 create mode 100644 Documentation/security/tpm/tpm-security.rst
 create mode 100644 drivers/char/tpm/tpm-buf.c
 create mode 100644 drivers/char/tpm/tpm2-sessions-test.c
 create mode 100644 drivers/char/tpm/tpm2-sessions.c
 create mode 100644 drivers/char/tpm/tpm2-sessions.h

Comments

Jarkko Sakkinen Sept. 10, 2019, 4:21 p.m. UTC | #1
On Mon, Sep 09, 2019 at 01:16:48PM +0100, James Bottomley wrote:
> Link to previous cover letter:
> 
> https://lore.kernel.org/linux-integrity/1540193596.3202.7.camel@HansenPartnership.com/
> 
> This is marked v6 instead of v5 because I did a v5 after feedback on v4
> but didn't get around to posting it and then had to rework the whole of
> the kernel space handling while I was on holiday.  I also added the
> documentation of how the whole thing works and the rationale for doing
> it in tpm-security.rst (patch 11).  The main reason for doing this now
> is so we have something to discuss at Plumbers.
> 
> The new patch set implements the various splits requested, but the main
> changes are that the kernel space is gone and is replaced by a context
> save and restore of the generated null seed.  This is easier to handle
> than a full kernel space given the new threading for TPM spaces, but
> conceptually it is still very like a space.  I've also made whether
> integrity and encryption is turned on a Kconfig option.
> 
> James

So... is there a changelog for the revisions?

/Jarkko
James Bottomley Sept. 10, 2019, 4:29 p.m. UTC | #2
On Tue, 2019-09-10 at 17:21 +0100, Jarkko Sakkinen wrote:
> On Mon, Sep 09, 2019 at 01:16:48PM +0100, James Bottomley wrote:
> > Link to previous cover letter:
> > 
> > https://lore.kernel.org/linux-integrity/1540193596.3202.7.camel@HansenPartnership.com/
> > 
> > This is marked v6 instead of v5 because I did a v5 after feedback on v4
> > but didn't get around to posting it and then had to rework the whole of
> > the kernel space handling while I was on holiday.  I also added the
> > documentation of how the whole thing works and the rationale for doing
> > it in tpm-security.rst (patch 11).  The main reason for doing this now
> > is so we have something to discuss at Plumbers.
> > 
> > The new patch set implements the various splits requested, but the main
> > changes are that the kernel space is gone and is replaced by a context
> > save and restore of the generated null seed.  This is easier to handle
> > than a full kernel space given the new threading for TPM spaces, but
> > conceptually it is still very like a space.  I've also made whether
> > integrity and encryption is turned on a Kconfig option.
> > 
> > James
> 
> So... is there a changelog for the revisions?

Well, yes, standard way: they're in the individual patches under the
'---' prefixed with v6:

James
Jarkko Sakkinen Sept. 11, 2019, 8:42 a.m. UTC | #3
On Tue, Sep 10, 2019 at 05:21:32PM +0100, Jarkko Sakkinen wrote:
> On Mon, Sep 09, 2019 at 01:16:48PM +0100, James Bottomley wrote:
> > Link to previous cover letter:
> > 
> > https://lore.kernel.org/linux-integrity/1540193596.3202.7.camel@HansenPartnership.com/
> > 
> > This is marked v6 instead of v5 because I did a v5 after feedback on v4
> > but didn't get around to posting it and then had to rework the whole of
> > the kernel space handling while I was on holiday.  I also added the
> > documentation of how the whole thing works and the rationale for doing
> > it in tpm-security.rst (patch 11).  The main reason for doing this now
> > is so we have something to discuss at Plumbers.
> > 
> > The new patch set implements the various splits requested, but the main
> > changes are that the kernel space is gone and is replaced by a context
> > save and restore of the generated null seed.  This is easier to handle
> > than a full kernel space given the new threading for TPM spaces, but
> > conceptually it is still very like a space.  I've also made whether
> > integrity and encryption is turned on a Kconfig option.
> > 
> > James
> 
> So... is there a changelog for the revisions?

This also desperately needs a cover letter with the full rationale and
not just a link to an aged cover letter. I have bigger problems with the
form than the function ATM.

TPM's threat model does not cover hardware attacks. It is hardware
designed to give some protection against software attacks. If I were
sending these patches I would start to look for an angle from that
perspective.

/Jarkko
Jarkko Sakkinen Sept. 11, 2019, 9:40 a.m. UTC | #4
On Wed, Sep 11, 2019 at 09:42:49AM +0100, Jarkko Sakkinen wrote:
> On Tue, Sep 10, 2019 at 05:21:32PM +0100, Jarkko Sakkinen wrote:
> > On Mon, Sep 09, 2019 at 01:16:48PM +0100, James Bottomley wrote:
> > > Link to previous cover letter:
> > > 
> > > https://lore.kernel.org/linux-integrity/1540193596.3202.7.camel@HansenPartnership.com/
> > > 
> > > This is marked v6 instead of v5 because I did a v5 after feedback on v4
> > > but didn't get around to posting it and then had to rework the whole of
> > > the kernel space handling while I was on holiday.  I also added the
> > > documentation of how the whole thing works and the rationale for doing
> > > it in tpm-security.rst (patch 11).  The main reason for doing this now
> > > is so we have something to discuss at Plumbers.
> > > 
> > > The new patch set implements the various splits requested, but the main
> > > changes are that the kernel space is gone and is replaced by a context
> > > save and restore of the generated null seed.  This is easier to handle
> > > than a full kernel space given the new threading for TPM spaces, but
> > > conceptually it is still very like a space.  I've also made whether
> > > integrity and encryption is turned on a Kconfig option.
> > > 
> > > James
> > 
> > So... is there a changelog for the revisions?
> 
> This also desperately needs a cover letter with the full rationale and
> not just a link to an aged cover letter. I have bigger problems with the
> form than the function ATM.
> 
> TPM's threat model does not cover hardware attacks. It is hardware
> designed to give some protection against software attacks. If I were
> sending these patches I would start to look for an angle from that
> perspective.

The rationale can be essentially just that since there is often lots of
*software* running outside the CPU on different cores all around the HW
platform, this will add to defense in depth. I'm not looking for
anything more rockety sciency than that.

I think that was the key lesson from TPM Genie.

/Jarkko