Received: by 10.223.164.202 with SMTP id h10csp465135wrb; Wed, 22 Nov 2017 09:54:46 -0800 (PST) X-Google-Smtp-Source: AGs4zMalcP7ZWEqq8QVzrXzYG4gHNBnMKrdry/sQ3R1Xt4TNB7b1oB2ZdQ4XwomCBbNFGmUk34np X-Received: by 10.84.141.36 with SMTP id 33mr22314998plu.247.1511373286834; Wed, 22 Nov 2017 09:54:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511373286; cv=none; d=google.com; s=arc-20160816; b=GpI7pizvbGJjUu4k3s3B7f8fR4B6udMW8v81K8aQ9olP9Oh7wv1B3RXvu+97GjHetL SiATmOYFtMbLr3akKxdgxh1ZqNxsqZwHApHQJmDe6sny8mzzZGxN4tubV6EsEypl2CLD a9E/6MwO7DPRVi1nxuFKEti5847cJNLuDLtA4veFrkSzCjDYV8dT3h5hvY1G9/KG3sAx KIkCyDu7FJB5iUEXfQtvBF4ysNwlpln0Wz6aL2U+1r2BLYX66PDw5mU/GlbeTMRdStMs huhhvsu4KNYnnP6cYvaZA+t6QRimtLoKRiDUMea/Wn8qRcYVuRqiSf9KUSC5T31uZhwb gSCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:cc:to:references:arc-authentication-results; bh=R6pafzXLHWfq7E0zWp4NRAGSxvKAZ8TaiguwFpReD+s=; b=WUbMJ0OpOlzCJss2joni4gHsWbe2O7wMC+MfaU33w14KQt3qUrifK7I2VoVrzUJIfn P7MjHNLju/f9aQPkE5jdSBccuOUR1nRkolJvuCod+9387gHUGLVUysZi3e4AtdnmQdFB AX28F44E0VoShafe/W0gupfox2r+IxUN71VldlihjNTzFlk9EndFiHx0f6eF+/zpYnDl T7hSBowJwP0Kjdh+fNdrMT+phYbbcmQ01FQg3d03I3w05iSqu+rrgJHGUhbOM1KaCBov QO93TBoPjmzUO2FTNXaH6u8eI9CzWxt5i+Z2DtyTlSpeOFB8p2w/i7dor2hnF9AaE0eo Fehg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d17si13884102pge.191.2017.11.22.09.54.35; Wed, 22 Nov 2017 09:54:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752158AbdKVRwh (ORCPT + 78 others); Wed, 22 Nov 2017 12:52:37 -0500 Received: from smtp.twobit.us ([38.83.192.235]:49670 "EHLO smtp.twobit.us" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751974AbdKVRwg (ORCPT ); Wed, 22 Nov 2017 12:52:36 -0500 X-Greylist: delayed 2158 seconds by postgrey-1.27 at vger.kernel.org; Wed, 22 Nov 2017 12:52:35 EST Received: from 162-228-90-173.lightspeed.sntcca.sbcglobal.net ([162.228.90.173] helo=[192.168.1.69]) by smtp.twobit.us with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1eHYQZ-0006xJ-Hy; Wed, 22 Nov 2017 17:03:12 +0000 References: <20171117100724.19257-1-javierm@redhat.com> <20171120231512.6wpqgcggfta3am7m@linux.intel.com> <7c148cf0-2403-55cf-1633-ff326d5c6f7b@redhat.com> <20171121123006.esr7yxs5lvorlfjf@linux.intel.com> To: Jarkko Sakkinen , Javier Martinez Canillas Cc: linux-kernel@vger.kernel.org, Peter Huewe , "Tricca, Philip B" , Jason Gunthorpe , linux-integrity@vger.kernel.org, "Roberts, William C" From: flihp Message-ID: <602091d7-1b16-4694-57b2-8031acce8cbc@twobit.us> Date: Wed, 22 Nov 2017 09:16:25 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 162.228.90.173 X-SA-Exim-Mail-From: flihp@twobit.us X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on smtp.twobit.us X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,TVD_RCVD_IP autolearn=unavailable autolearn_force=no version=3.4.0 Subject: Re: FW: [RFC PATCH] tpm: don't return -EINVAL if TPM command validation fails X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000) X-SA-Exim-Scanned: Yes (on smtp.twobit.us) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Apologies for the slow response. I didn't get switched over from tpmdd-devel to linux-integrity till just now. > On 11/21/2017 01:30 PM, Jarkko Sakkinen wrote: >> On Tue, Nov 21, 2017 at 10:07:34AM +0100, Javier Martinez Canillas >> wrote: >>> As mentioned, I think this should be documented. I guess most >>> people would see the in-kernel resource manager as a virtualized >>> TPM, since the "TSS TAB and Resource Manager Specification" [0] >>> explains the RM making an analogy with a virtual memory manager: >>> >>> "The Resource Manager (RM) manages the TPM context in a manner >>> similar to a virtual memory manager. It swaps objects, sessions, >>> and sequences in and out of the limited TPM memory as needed." >> >> A process in virtual memory has a different environment than code >> running on bare metal without page table, doesn't it? >> >>> And even your latest LPC presentation mention that the handles in >>> the in-kernel resource manager are virtualized [1]. >>> >>> And I disagree that it does not matter, since the same spec >>> says: >>> >>> "This layer is mostly transparent to the upper layers of the TSS >>> and is not required." >>> >>> But returning -EINVAL instead of a proper TPM command response >>> with a TPM_RC_COMMAND_CODE code makes it not transparent to the >>> upper layer. >> >> *mostly* >> > > Fair enough The intent of this "mostly transparent" stuff is to convey that the RM should be as transparent as possible while acknowledging that there are some cases where it's not / can't be. I can't say why the original author phrased it in this somewhat ambiguous way but I wouldn't call this a fair interpretation. It's definitely one way to read it though. The case in question is the RM performing a function on behalf of the TPM: command code validation. This is a perfectly valid thing to do in the RM though the RM should aim to behave as the TPM would if the RM takes any action (sending a TPM response buffer with the appropriate response code). An additional detail is described in section 3.1 "Error Codes". There is a mechanism to encode information about which layer in the stack produced the response buffer. When the TPM gets a command with a command code it doesn't support then this field will be '0' since '0' identifies the TPM. If the RM is taking over this function it should set the field to indicate as much. >>> If the TPM spaces infrastructure is not compliant with the spec, >>> then I think that should also be documented. >> >> TPM specification is not a formal specification AFAIK. >> >>>> matters less than breaking the sandbox. >>>> >>> >>> Yes, sorry for that. It wasn't clear to me that there was a >>> sandbox and my lack of familiarity with the code was the reason >>> why I posted as a RFC in the first place. >>> >>> Do you agree with Jason's suggestion to send a synthesized TPM >>> command in the that the command isn't supported? >> >> Nope. >> > > Ok. Thanks a lot for your feedback. I already had that patch but > didn't want to post it before knowing your opinion, I'll drop it > now. > > Philip, > > I think this means that we can now fix this in user-space then? That > was in fact my first suggestion in the filed tpm2-tools issue. We can work around quirks in the kernel RM in user space if we must (short term?) but I'm hesitant to do so in this case. Would feel better about a short term work-around knowing it's only going to be short term. Philip From 1584757833466986605@xxx Wed Nov 22 09:27:23 +0000 2017 X-GM-THRID: 1584335329705661541 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread