Hi all,

I'm investigating an issue where the TPM driver breaks on the latest
upstream kernel. I believe I've tracked it down to the HMAC session
feature that primarily lives in drivers/char/tpm/tpm2-sessions.c.

Our TPM doesn't support TPM2_ContextSave. So we get the following call
stack during initialization:

1. tpm_tis_init calls

2. tpm_tis_core_init, which calls

3. tpm_chip_bootstrap, which calls

4. tpm_auto_startup, which calls

5. tpm2_auto_startup, which calls

6. tpm2_sessions_init, which calls

7. tpm2_create_null_primary, which calls

8. tpm2_save_context, which fails because the command is not
supported. This causes tpm_tis_core_init to skip the call to
tpm_chip_register. This causes processes trying to open /dev/tpm0 to
hit the error "no such device"

I have two main concerns about this feature:

1. It seems problematic that the kernel autonomously sends
not-strictly-necessary traffic to the TPM, and breaks userspace if it
fails. I would define "strictly necessary" traffic as things like
calling TPM2_Startup.
2. It's not clear to me that the HMAC session feature solves its own
threat model. Reading through the documentation at the top of
https://github.com/torvalds/linux/blob/master/drivers/char/tpm/tpm2-sessions.c,
it seems like we assume that the adversary either isn't sophisticated
enough to interpose the CreatePrimary command, or that userspace
somehow recovers trust after the fact by attesting the null key with
the EK. I'm not sure how this is expected to work, given this
userspace wasn't correctly measured into the TPM (due to the
interposer) and could therefore be malicious.

Is someone able to help me fill in the gaps in my understanding here?

Thanks
Chris

Reply via email to