Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ADF9CC25B4E for ; Tue, 24 Jan 2023 12:05:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233101AbjAXMF5 (ORCPT ); Tue, 24 Jan 2023 07:05:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229935AbjAXMFw (ORCPT ); Tue, 24 Jan 2023 07:05:52 -0500 X-Greylist: delayed 843 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Tue, 24 Jan 2023 04:05:50 PST Received: from wind.enjellic.com (wind.enjellic.com [76.10.64.91]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 347022333A; Tue, 24 Jan 2023 04:05:50 -0800 (PST) Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id 30OBp2L3017928; Tue, 24 Jan 2023 05:51:02 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id 30OBp0bo017927; Tue, 24 Jan 2023 05:51:00 -0600 Date: Tue, 24 Jan 2023 05:51:00 -0600 From: "Dr. Greg" To: William Roberts Cc: Jarkko Sakkinen , James Bottomley , Matthew Garrett , Evan Green , linux-kernel@vger.kernel.org, corbet@lwn.net, linux-integrity@vger.kernel.org, Eric Biggers , gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek , Ben Boeckel , rjw@rjwysocki.net, Kees Cook , dlunev@google.com, zohar@linux.ibm.com, linux-pm@vger.kernel.org, Matthew Garrett , Jason Gunthorpe , Peter Huewe Subject: Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use Message-ID: <20230124115100.GA17771@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20221111231636.3748636-1-evgreen@chromium.org> <20221111151451.v5.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid> <8ae56656a461d7b957b93778d716c6161070383a.camel@linux.ibm.com> <08302ed1c056da86a71aa2e6ca19111075383e75.camel@linux.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Tue, 24 Jan 2023 05:51:02 -0600 (CST) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 23, 2023 at 11:48:25AM -0600, William Roberts wrote: Good morning, I hope the week is going well for everyone. > On Fri, Jan 20, 2023 at 9:29 PM Jarkko Sakkinen wrote: > > > > On Sat, Jan 14, 2023 at 09:55:37AM -0500, James Bottomley wrote: > > > On Tue, 2023-01-03 at 13:10 -0800, Matthew Garrett wrote: > > > > On Tue, Jan 3, 2023 at 1:05 PM William Roberts > > > > wrote: > > > > > > > > > What's the use case of using the creation data and ticket in this > > > > > context? Who gets the creationData and the ticket? > > > > > Could a user supplied outsideInfo work? IIRC I saw some patches > > > > > flying around where the sessions will get encrypted and presumably > > > > > correctly as well. This would allow the transfer of that > > > > > outsideInfo, like the NV Index PCR value to be included and > > > > > integrity protected by the session HMAC. > > > > > > > > The goal is to ensure that the key was generated by the kernel. In > > > > the absence of the creation data, an attacker could generate a > > > > hibernation image using their own key and trick the kernel into > > > > resuming arbitrary code. We don't have any way to pass secret data > > > > from the hibernate kernel to the resume kernel, so I don't think > > > > there's any easy way to do it with outsideinfo. > > > > > > Can we go back again to why you can't use locality? It's exactly > > > designed for this since locality is part of creation data. Currently > > > everything only uses locality 0, so it's impossible for anyone on Linux > > > to produce a key with anything other than 0 in the creation data for > > > locality. However, the dynamic launch people are proposing that the > > > Kernel should use Locality 2 for all its operations, which would allow > > > you to distinguish a key created by the kernel from one created by a > > > user by locality. > > > > > > I think the previous objection was that not all TPMs implement > > > locality, but then not all laptops have TPMs either, so if you ever > > > come across one which has a TPM but no locality, it's in a very similar > > > security boat to one which has no TPM. > > > > Kernel could try to use locality 2 and use locality 0 as fallback. > I don't think that would work for Matthew, they need something > reliable to indicate key provenance. Indeed, I was going to mention that. Falling back means that the security guarantee is lost, perhaps silently and lost on the owner of the system, if they are not paying attention to things like the boot logs. One of the persistent challenges with these hardware security technologies is that they need to be ubiquitous to be useful, something that has historically plagued all of these technologies. > I was informed that all 5 localities should be supported starting > with Gen 7 Kaby Lake launched in 2016. Don't know if this is still > "too new". It will be necessary, and important, to differentiate between 'supported' and 'available'. Historically, security features have been SKU'ified, in other words, made available only on specific SKU's, even when the platform writ large has the necessary support. These SKU's are designed to be directed at various verticals or OEM's who are perceived to be willing to pay more for enhanced security. I've had conversations on whether or not hardware technologies would be available and the conversation usually ends with the equivalent of: "Show us the business case for supporting this." Which translates, roughly, into how much money are we going to make if we offer this. Unfortunately, without being ubiquitous, as you note for a long period of time, there is no development interest, which in turn translates into no market 'pull'. A rather troublesome dilemma for security innovation. As always, Dr. Greg The Quixote Project - Flailing at the Travails of Cybersecurity