Subject: Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test
To: James Bottomley, jarkko.sakkinen@linux.intel.com
Cc: peterz@infradead.org, linux-kernel@vger.kernel.org, jgg@ziepe.ca, mingo@redhat.com, jeffrin@rajagiritech.edu.in, linux-integrity@vger.kernel.org, will@kernel.org, peterhuewe@gmx.de
From: Tadeusz Struk
Date: Thu, 12 Dec 2019 13:07:26 -0800

On 12/12/19 12:54 PM, James Bottomley wrote:
> Not in the modern kernel resource manager world: anyone who is in the
> tpm group can access the tpmrm device and we haven't added a dangerous
> command filter like we promised we would, so unless they have actually
> set lockout or platform authorization, they'll find they can execute it

The default for the tpm2_* tools with '-T device' switch is to talk to
/dev/tpm0. If one would try to run it, by mistake, it would fail with:

$ tpm2_clear -T device
ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Permission denied

To point it to /dev/tpmrm0 it would need to be:

$ tpm2_clear -T device:/dev/tpmrm0

--
Tadeusz
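An audit sketch for the access question discussed in this message, added here as an example and not taken from the thread or from the kernel or tpm2-tools sources: it reports which non-root principals can open each TPM device node for read and write, and therefore send it commands. The function names and the sample records are constructed; real ownership and modes are set by udev rules and vary by distribution.

```sh
#!/bin/sh
# Added example (not from the thread). Input records are "path mode owner group",
# as printed by: stat -c '%n %a %U %G' /dev/tpm0 /dev/tpmrm0

# classify_node MODE OWNER GROUP
# Prints who, besides root, holds both read and write on the node.
classify_node() {
    mode=$1 owner=$2 group=$3
    m=$((0$mode))                 # leading 0 makes the shell parse it as octal
    u=$(( (m >> 6) & 7 ))
    g=$(( (m >> 3) & 7 ))
    o=$(( m & 7 ))
    who=""
    # Sending a TPM command needs read (4) and write (2) on the node.
    if [ $((o & 6)) -eq 6 ]; then
        echo "world"
        return 0
    fi
    if [ $((g & 6)) -eq 6 ] && [ "$group" != root ]; then
        who="group:$group"
    fi
    if [ $((u & 6)) -eq 6 ] && [ "$owner" != root ]; then
        who="${who:+$who,}user:$owner"
    fi
    echo "${who:-root-only}"
}

# audit_tpm_nodes: read records on stdin, print "path exposure" per node.
audit_tpm_nodes() {
    while read -r path mode owner group; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$path" "$(classify_node "$mode" "$owner" "$group")"
    done
}

# Constructed sample matching the situation described in the message:
# /dev/tpm0 is root-only, /dev/tpmrm0 is open to the tpm group.
SAMPLE='/dev/tpm0 600 root root
/dev/tpmrm0 660 root tpm'

printf '%s\n' "$SAMPLE" | audit_tpm_nodes
```

On a live system, pipe the `stat` output shown in the header comment into `audit_tpm_nodes`, then review the membership of any group it reports.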