Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp1035223lqd; Thu, 25 Apr 2024 04:22:32 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXofc3VRuuo1YT7x8hGcoUykOw6nyVVTjaGZwJiLcB5P4c9PHUmrcUs3Bb3ka0KfrMQCuRdR++lG0cTMS6QxlrWmySbUJ8C2EG9u0xSjA== X-Google-Smtp-Source: AGHT+IG/ABq8iWPojwgkWXU+6/BOKr+S77dznPbMnrUqg6xYadssK95RQP2WTBQ146TWPFlQyS7t X-Received: by 2002:a17:906:a951:b0:a58:7985:8eae with SMTP id hh17-20020a170906a95100b00a5879858eaemr3343917ejb.76.1714044152415; Thu, 25 Apr 2024 04:22:32 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714044152; cv=pass; d=google.com; s=arc-20160816; b=OzRFjAoJzvxMDlnJy9gI8ncUpd6e73HRLzJtDibVwivZb5YWQoyoODSmOfHjcpzmWx h+R/O5FJzJOP358e2Ko8LywlZI+7g1WQvx5kb4W6ZK63j8IDP0IryCf5t11mhOrz4zH1 HlTNNmx8KeloADgLJQjiyckmViIf1b9g3mH99oXHbpvWSy5vYWd6sPYYGH9fso+5OQ3R Z1VWzorOk+KO1Kj5A9G42pWbKAEDAxyzCBxsHVhfh4WsvEiZQ7FKCZYg9XFGQScvvaBh XPj4R5bxz6auk2KJ5Hw7Wdf4ZavcB7bCo13kzeRk0Na5M79SHDlufwylS5nWhtJ0l2GN /bSQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date; bh=qLuQmqXTg5JpCiFHAVm2b1XWjFdgkQJM5cyksxqz0pU=; fh=nQnfg1UjSx1sRwOvxUE4yOD+lkou/OT1AmhFYtzrNOQ=; b=Jas6QUJ+W+SzEeDoi4CG7VnZOt+KxXBaztGuaKX87VpHOh6lancL5BhVcNXmxQv/dI VVpeYJ8g5jZ4OahjOnOT/BVGT2v9/uc9TQrXszgV3tvTNFCDtLhKrrhsHcCTLFnUvMoh j6U1Q77fgKRMPV23TMg90iMe/I2LnZaQ11DbDLuKrLxe64xUX7RCdXTjrGPBPxj1uhhp 8MdjddvZ0H0xwTW2YmWF5rgxLR/eI0f1GXpTTbzCeV8VqUK+Ab13G58i3/nRiBIqrBNk cmuHm69CnqJzsSRAQzNDKStqzPQLGHaUdxYqxARrE3kFr6cesEC3cPxTg8m7yo2HZVFY 5zdQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=0pointer.de); spf=pass (google.com: domain of linux-kernel+bounces-158431-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158431-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id v1-20020a170906564100b00a5209dd8ad9si9443352ejr.8.2024.04.25.04.22.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Apr 2024 04:22:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-158431-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=0pointer.de); spf=pass (google.com: domain of linux-kernel+bounces-158431-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158431-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 296391F232E3 for ; Thu, 25 Apr 2024 11:13:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AA74B8625D; Thu, 25 Apr 2024 11:13:18 +0000 (UTC) Received: from gardel.0pointer.net (gardel.0pointer.net [85.214.157.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 76F5B200BF; Thu, 25 Apr 2024 11:13:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=85.214.157.71 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714043598; cv=none; b=GqKDqswDGCIoh9H4NayEBV/vP03lm2Q9KzwyJjD89rpy6b5eChxYdUN2cSM1LpDf8KgJWKgjwWt/lefn4AUaVmAA0OTa9bwOmWBfMExBWc7+xzmx2f+MrzgfTazeH16tRUMAkQdbLquI01v8MymagmjzsSgzyNKzLXvzTBuit7c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714043598; c=relaxed/simple; bh=qLuQmqXTg5JpCiFHAVm2b1XWjFdgkQJM5cyksxqz0pU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=p3s9a2alqVdYlqPO53447TzjOFuTztJQTlEOWYwu7QsxTXikgjOuT+HNfoVyRfnlFEWV9kdleSjo2ApIZQvvZn7EUoB/y5ssAYGytwU/Vnv24M2+bNkQyfIVuY6l2ggOucdwAevMmdQ1HpWVbpQpTiMbkMgqLV+lXKIFHfOtrkw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=0pointer.de; spf=pass smtp.mailfrom=0pointer.de; arc=none smtp.client-ip=85.214.157.71 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=0pointer.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=0pointer.de Received: from gardel-login.0pointer.net (gardel-mail [85.214.157.71]) by gardel.0pointer.net (Postfix) with ESMTP id BE710E80EF2; Thu, 25 Apr 2024 13:13:11 +0200 (CEST) Received: by gardel-login.0pointer.net (Postfix, from userid 1000) id 271D9160029; Thu, 25 Apr 2024 13:13:10 +0200 (CEST) Date: Thu, 25 Apr 2024 13:13:09 +0200 From: Lennart Poettering To: Ard Biesheuvel Cc: Ilias Apalodimas , James Bottomley , Mikko Rapeli , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: Re: [PATCH] efi: expose TPM event log to userspace via sysfs Message-ID: References: <6e751959b9056884c1b9d3ba23e303d1737d8763.camel@HansenPartnership.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Do, 25.04.24 12:36, Ard Biesheuvel (ardb@kernel.org) wrote: > > systemd these days makes use of the TPM — if available — for various > > purposes, such as disk encryption, measuring boot phases and system > > identity and various other things. Now, for the purpose of disk > > encryption, we need to wait for two things: the hard drive, and the > > TPM to be probed/driver loaded/accessible. /etc/fstab tells us pretty > > explicitly what bloock device to wait for, hence it's easy. But > > waiting for a TPM is harder: we might need it for disk encryption, but > > we don't know right-away if there actually *is* a TPM device to show > > up, and hence don't know whether to wait for it or not. > > > > I take it this means that the LUKS metadata lacks a 'this key is > sealed into the TPM' bit? Well, it does carry that info. But this is of no relevance really. typically luks has multiple keys enrolled, and which slot(s) to use is really up to the moment of invocation, depending on what is available. moreover, i used disk encryption as one example, but we have more users of TPM. for example we measure early in the initrd that we are now in the initd, and when we leave the initrd we measure that we are now gone. we also have a tool that sets up the TPM SRK. All that stuff is supposed to be run if a TPM is available, but delayed just enough until the TPM actually shows up, but no more. So for all of that stuff we must have a way to delay tings correctly. > So exposing the physical address of the TPM event log is probably not > what we want here. > > Note that the TPM event log table is a Linux/efistub construct, > whereas the TPM final log table actually comes from the firmware > directly. So the former only exists if the EFI stub executed first, > and managed to invoke the TCG protocol etc. OTOH, the TPM final log is > TPM2 only, so it doesn't exist on TPM 1.2 (side note: in systemd we do not care about tpm 1.2 anymore, we only support tpm2, and treat systems with just tpm 1.2 like systems that have no tpm). > Another thing we need to consider is TDX, which exposes a pseudo-TPM > which does not support sealing, along with a CC protocol similar to > the TCG2 protocol. This code will use the event log infrastructure as > well: there are discussions going on at the moment whether we can > improve the way these protocols are combined. The way the delay for a tpm device is actually implemented in systemd is somewhat generic: there's a target unit called "tpm2.target". Typically we just delay its activation until a /dev/tpmrm0 device shows up, if the firmware check suggested that. But you could also stuff all kinds of other stuff before that. For exampe, we could also delay it until some userspace service is running that turns the local security tech into a "fake" tpm device or similar. So from our side it's entirely pluggable already, and supports other ways to synchronize properly on a TPM being available, people can plug in whatever they need there for the synchronization. However, our primary focus is to cover nicely the typical/generic systems that have a discrete TPM or ftpm that just needs some generic driver probing/loading to be available. Or in other words: i am fully aware that a tpm-like device can be provided by various means. For now, with this firmware flag file thing we primarily care about the simple case where it's just driver loading that we need to do. > So we should define a scope here: > - do we need TPM1.2 support? For our systemd usecase, that's a clear no. > - do we need non-EFI boot support? My own focus is EFI. systemd supports non-EFI of course. If people care about non-EFI I am sure they'd be thankful if we could provide a similar automatism > - do we need to do anything in particular for FDE on TDX, which has a > TPM event log but no TPM is likely to appear. I'd ignore that for now. And if they provide a software tpm-like device eventually they just have to plug in the service that provides it before tpm2.target and be done with it. I think we have an acceptable approach for that already. > I am fine with adding a sysfs node under /sys/firmware/efi that > exposes some of this information, e.g., > linux_efi_tpm_eventlog::version, but not the physical address of the > table. Yeah, the physical address is of no interest to us. We just need to know the existance, and that independently of any actualy tpm device having shown up. i.e. existance of /sys/kernel/security/tpm0/binary_bios_measurements would be good enough for is if it was available without "tpm0" actually being around... Lennart -- Lennart Poettering, Berlin