Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM

2018-05-25 Thread Ken Goldman

On 5/10/2018 10:31 AM, David R. Bild wrote:


Could this be implemented first as a daemon? If it turns out
to be a bad approach we can reconsider the kernel. If we land it in the kernel it
is harder to take steps back.


Is the daemon an implementation of the TCG resource manager spec?


The TCG spec does use a daemon approach, similar to tcsd for TPM 1.2.

The Linux TPM driver is currently using a different approach, an
in-kernel (in the TPM device driver) resource manager.


The advantages I see to putting the resource manager in the device 
driver are:


1 - Kernel uses of the TPM go through the same device driver, so they 
leverage the resource manager.


2 - The TPM device driver offers a standard /dev/tpmrm0 interface,
100% compatible with /dev/tpm0.

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM

2018-05-25 Thread Ken Goldman

On 5/8/2018 11:36 AM, James Bottomley wrote:

On Tue, 2018-05-08 at 10:29 -0500, David R. Bild wrote:

On Tue, May 8, 2018 at 10:25 AM, James Bottomley




I don't see any reason to set an unreachable password for the platform
hierarchy if the UEFI didn't.  If the desire is to disable the platform
hierarchy, then it should be disabled, not have a random password set.


"Set random password and throw away the key" was my way of disabling
the platform hierarchy.  Is there a better way of doing that?


Well, yes, use TPM2_HierarchyControl to set phEnable to CLEAR.


There is a huge difference between the two.

"Set a random password" is the recommended approach.  This just
prohibits using the platform authorization - a good idea.

phEnable CLEAR disables the hierarchy, preventing it from being used
at all.  A basic problem would be that the EK certificates could not be
read.

There are likely to be other issues, like not being able to do a field 
upgrade post-OS,


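The two options Ken contrasts are two different TPM 2.0 commands: TPM2_HierarchyChangeAuth (set a new platformAuth and forget it) and TPM2_HierarchyControl (set phEnable to CLEAR). The following C marshaller is an added example, not code from the thread or from the xapea00x patch, that builds both command buffers byte for byte so the difference is visible on the wire. Tags, command codes and handles are the values from TPM 2.0 Library Specification Part 2; the command layout (header, handle, authorization area, parameters) follows Part 1. It assumes the current platformAuth is still the empty auth, which is the state after every TPM2_Startup, so it authorizes with an empty password session. The 32-byte "random" auth in main() is a constructed placeholder; a real caller draws it from a CSPRNG (get_random_bytes() in the kernel). Note also that both platformAuth and phEnable revert to their defaults (EmptyAuth and SET) on TPM Reset and TPM Restart, so whichever option is chosen has to be re-applied by the platform software on every boot, which is exactly the role the driver is taking on for a USB-attached TPM that has no firmware of its own.

```c
/* Added example: marshal TPM2_HierarchyChangeAuth and TPM2_HierarchyControl
 * for the platform hierarchy. Constants per TPM 2.0 Library Spec Part 2.
 * Not kernel code; it only builds the command bytes and does not talk to a TPM. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TPM2_ST_SESSIONS            0x8002u
#define TPM2_CC_HierarchyControl    0x00000121u
#define TPM2_CC_HierarchyChangeAuth 0x00000129u
#define TPM2_RH_PLATFORM            0x4000000Cu
#define TPM2_RS_PW                  0x40000009u
#define TPM2_NO                     0u      /* TPMI_YES_NO: CLEAR */
#define TPM2_YES                    1u      /* TPMI_YES_NO: SET   */

/* TPM command streams are big-endian. */
static size_t put8(uint8_t *p, uint8_t v)   { p[0] = v; return 1; }
static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}

/* Common prefix: tag, commandSize placeholder, commandCode, platform handle,
 * then an authorization area holding one password session that carries the
 * current platformAuth. We assume that is still the empty auth, so the
 * session is TPM_RS_PW, empty nonce, attributes 0, empty hmac: 9 bytes. */
static size_t put_prefix(uint8_t *p, uint32_t command_code)
{
    size_t n = 0;
    n += put16(p + n, TPM2_ST_SESSIONS);
    n += put32(p + n, 0);                 /* commandSize, patched later */
    n += put32(p + n, command_code);
    n += put32(p + n, TPM2_RH_PLATFORM);  /* authHandle */
    n += put32(p + n, 9);                 /* authorizationSize */
    n += put32(p + n, TPM2_RS_PW);        /* sessionHandle */
    n += put16(p + n, 0);                 /* nonce.size */
    n += put8(p + n, 0);                  /* sessionAttributes */
    n += put16(p + n, 0);                 /* hmac.size (password, empty) */
    return n;                             /* always 27 */
}

static size_t finish(uint8_t *buf, size_t n)
{
    put32(buf + 2, (uint32_t)n);          /* fill in commandSize */
    return n;
}

/* "Set a random password and throw away the key":
 * TPM2_HierarchyChangeAuth(authHandle = TPM_RH_PLATFORM, newAuth).
 * newAuth must not exceed the TPM's largest implemented digest size. */
size_t build_hierarchy_change_auth(uint8_t *buf, size_t cap,
                                   const uint8_t *new_auth, uint16_t auth_len)
{
    if (auth_len > 64 || cap < 27u + 2u + auth_len)
        return 0;
    size_t n = put_prefix(buf, TPM2_CC_HierarchyChangeAuth);
    n += put16(buf + n, auth_len);        /* TPM2B_AUTH.size */
    memcpy(buf + n, new_auth, auth_len);  /* TPM2B_AUTH.buffer */
    n += auth_len;
    return finish(buf, n);
}

/* "Disable the hierarchy": TPM2_HierarchyControl(authHandle = TPM_RH_PLATFORM,
 * enable = TPM_RH_PLATFORM, state = CLEAR). Pass TPM2_YES to re-enable. */
size_t build_hierarchy_control(uint8_t *buf, size_t cap, uint32_t enable, uint8_t state)
{
    if (cap < 32)
        return 0;
    size_t n = put_prefix(buf, TPM2_CC_HierarchyControl);
    n += put32(buf + n, enable);          /* TPMI_RH_ENABLES */
    n += put8(buf + n, state);            /* TPMI_YES_NO */
    return finish(buf, n);
}

static void hexdump(const char *label, const uint8_t *b, size_t n)
{
    printf("%s (%zu bytes):", label, n);
    for (size_t i = 0; i < n; i++)
        printf("%s%02x", (i % 16) ? " " : "\n  ", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t cmd[128];
    /* Constructed placeholder auth; a real caller uses a CSPRNG and then
     * discards the value so the platform hierarchy cannot be authorized. */
    uint8_t new_auth[32];
    memset(new_auth, 0xA5, sizeof new_auth);

    size_t n = build_hierarchy_change_auth(cmd, sizeof cmd, new_auth, sizeof new_auth);
    hexdump("TPM2_HierarchyChangeAuth(platform, random)", cmd, n);

    n = build_hierarchy_control(cmd, sizeof cmd, TPM2_RH_PLATFORM, TPM2_NO);
    hexdump("TPM2_HierarchyControl(platform, phEnable=CLEAR)", cmd, n);
    return 0;
}
```

The only parameter-level difference between the two buffers is the tail: a TPM2B_AUTH carrying the new secret in one case, a four-byte enable handle plus a one-byte CLEAR in the other. With the random-auth approach the hierarchy stays enabled, so NV indexes and objects under it (the EK certificates Ken mentions) remain readable without platformAuth; with phEnable CLEAR every access to the hierarchy fails until the next TPM Reset.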