Re: [tpmdd-devel] [Ibmtpm20tss-users] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms

2017-01-04 Thread Kenneth Goldman
James Bottomley wrote on 01/04/2017 02:45:21 PM: > > James is proposing using the Decrypt op to do this job. > > I believe the TCG has decided this is the only way to sign arbitrary > data. My suspicion is that this was an omission, not a decision. In fact, Part 1 explicitly describes a caller

Re: [tpmdd-devel] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms

2017-01-04 Thread Kenneth Goldman
Jason Gunthorpe wrote on 01/04/2017 01:54:34 PM: > We don't need the algorithm in the TPM. We just need to be able to RSA > sign an arbitary OID + externally computed hash like TPM 1.2 could. > > What is the recommended way to create a key with a sign-only intent > that can be used with arbitar

Re: [tpmdd-devel] [Ibmtpm20tss-users] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms

2017-01-04 Thread James Bottomley
On Wed, 2017-01-04 at 11:54 -0700, Jason Gunthorpe wrote: > On Wed, Jan 04, 2017 at 01:48:44PM -0500, Kenneth Goldman wrote: > >Jason Gunthorpe wrote on > > 01/03/2017 > >07:42:17 PM: > >> > ... but my current TPM doesn't understand > >> > anything other than sha1 or sha256, so it

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jason Gunthorpe
On Wed, Jan 04, 2017 at 10:57:51AM -0800, James Bottomley wrote: > > You are doing all this work to get the user space side in shape, I'd > > like to see matching kernel support. To me that means out-of-the-box > > a user can just use your plugins, the plugins will access /dev/tmps > > and everyth

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread Stefan Berger
James Bottomley wrote on 01/04/2017 02:05:35 PM: > From: James Bottomley > To: Stefan Berger/Watson/IBM@IBMUS > Cc: Jarkko Sakkinen , tpmdd- > de...@lists.sourceforge.net, Jason Gunthorpe > Date: 01/04/2017 02:05 PM > Subject: Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands >

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread James Bottomley
On Wed, 2017-01-04 at 13:59 -0500, Stefan Berger wrote: > [ 67.699811] WARNING: CPU: 12 PID: 870 at mm/page_alloc.c:3511 What's the code context around this line in your source? Or what kernel version? If it's this if (order >= MAX_ORDER) { WARN_ON_ONCE(!(gfp_mask & _

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread Stefan Berger
James Bottomley wrote on 01/04/2017 01:19:36 PM: > From: James Bottomley > To: Stefan Berger/Watson/IBM@IBMUS, Jarkko Sakkinen > > Cc: linux-security-mod...@vger.kernel.org, tpmdd- > de...@lists.sourceforge.net, open list > Date: 01/04/2017 01:19 PM > Subject: Re: [tpmdd-devel] [PATCH RFC 2/4

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread James Bottomley
On Wed, 2017-01-04 at 11:31 -0700, Jason Gunthorpe wrote: > On Wed, Jan 04, 2017 at 06:53:03AM -0800, James Bottomley wrote: > > > > > But this is not trousers, this is an in-kernel 0666 char dev > > > > that will be active on basically every Linux system with a TPM. > > > > I think we have a du

Re: [tpmdd-devel] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms

2017-01-04 Thread Jason Gunthorpe
On Wed, Jan 04, 2017 at 01:48:44PM -0500, Kenneth Goldman wrote: >Jason Gunthorpe wrote on 01/03/2017 >07:42:17 PM: >> > ... but my current TPM doesn't understand >> > anything other than sha1 or sha256, so it wouldn't allow more state >of >> > the art algorithms like sha22

[tpmdd-devel] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms

2017-01-04 Thread Kenneth Goldman
Jason Gunthorpe wrote on 01/03/2017 07:42:17 PM: > > ... but my current TPM doesn't understand > > anything other than sha1 or sha256, so it wouldn't allow more state of > > the art algorithms like sha224, sha384 or sha512 either. > > Okay, yes, that is horrible :( If it is that bad it might no

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread Jason Gunthorpe
On Wed, Jan 04, 2017 at 01:04:59PM -0500, Stefan Berger wrote: >> @@ -943,7 +943,9 @@ EXPORT_SYMBOL_GPL(tpm2_probe); >> */ >> int tpm2_auto_startup(struct tpm_chip *chip) >> { >> + u32 nr_commands; >> int rc; >> + int i; >> >> rc = tpm_get_timeou

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Kenneth Goldman
"Dr. Greg Wettstein" wrote on 01/04/2017 11:12:41 AM: > The kernel needs a resource manager. Everyone needs to think VERY > hard and VERY, VERY carefully about what gets put into the kernel. In > making a decision, put the ABSOLUTE smallest amount of code into the > kernel ... If you're a TCG

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jason Gunthorpe
On Wed, Jan 04, 2017 at 06:53:03AM -0800, James Bottomley wrote: > > > But this is not trousers, this is an in-kernel 0666 char dev that > > > will be active on basically every Linux system with a TPM. I think > > > we have a duty to be very conservative here. > > Just to note on this that trou

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread James Bottomley
On Wed, 2017-01-04 at 13:04 -0500, Stefan Berger wrote: > Jarkko Sakkinen wrote on 01/02/2017 > 08:22:08 AM: > > > --- a/drivers/char/tpm/tpm2-cmd.c > > +++ b/drivers/char/tpm/tpm2-cmd.c > > @@ -943,7 +943,9 @@ EXPORT_SYMBOL_GPL(tpm2_probe); > > */ > > int tpm2_auto_startup(struct tpm_chip *ch

Re: [tpmdd-devel] [Ibmtpm20tss-users] [TrouSerS-tech] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-04 Thread Kenneth Goldman
Trimmed the CC list a bit. Where does this discussion really belong? Trousers is for TPM 1.2, and it's not a TSS or TPM device driver issue. If you're all TCG members, the TCG's TPM WG is the real place to go if you want to get something fixed. James Bottomley wrote on 01/03/2017 06:22:56 P

Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands

2017-01-04 Thread Stefan Berger
Jarkko Sakkinen wrote on 01/02/2017 08:22:08 AM: > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -943,7 +943,9 @@ EXPORT_SYMBOL_GPL(tpm2_probe); > */ > int tpm2_auto_startup(struct tpm_chip *chip) > { > + u32 nr_commands; > int rc; > + int i; > > rc

Re: [tpmdd-devel] [PATCH RFC 4/4] tpm: add the infrastructure for TPM space for TPM 2.0

2017-01-04 Thread Stefan Berger
Jarkko Sakkinen wrote on 01/02/2017 08:22:10 AM: > > Added a ioctl for creating a TPM space. The space is isolated from the > other users of the TPM. Only a process holding the file with the handle > can access the objects and only objects that are created through that > file handle can be acce

[tpmdd-devel] [RESEND][RFC] tpm_tis: broken on TPMs with a static burst count

2017-01-04 Thread Maciej S. Szmigiero
(Resending as no reply received, this time with CCs to TPM maintainers and author of the original commit). Hi all, Commit 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access) broke TPM support on ThinkPad X61S (and likely also on other machines which use TPMs with a static burst co

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jason Gunthorpe
On Wed, Jan 04, 2017 at 02:58:10PM +0200, Jarkko Sakkinen wrote: > On Tue, Jan 03, 2017 at 02:54:45PM -0700, Jason Gunthorpe wrote: > > On Mon, Jan 02, 2017 at 09:26:58PM -0800, James Bottomley wrote: > > > > > OK, so I put a patch together that does this (see below). It all works > > > nicely (wi

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread James Bottomley
On Wed, 2017-01-04 at 14:50 +0200, Jarkko Sakkinen wrote: > On Tue, Jan 03, 2017 at 05:17:32PM -0700, Jason Gunthorpe wrote: > > On Tue, Jan 03, 2017 at 02:39:58PM -0800, James Bottomley wrote: [...] > > > > Even if TPM 2 has a stronger password based model, I still > > > > think the kernel should

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 09:47:21PM -0800, Andy Lutomirski wrote: > On 01/02/2017 09:26 PM, James Bottomley wrote: > > On Mon, 2017-01-02 at 13:40 -0800, James Bottomley wrote: > > > On Mon, 2017-01-02 at 21:33 +0200, Jarkko Sakkinen wrote: > > > > On Mon, Jan 02, 2017 at 08:36:20AM -0800, James Bot

Re: [tpmdd-devel] [PATCH v7 2/2] tpm: add securityfs support for TPM 2.0 firmware event log

2017-01-04 Thread Jarkko Sakkinen
On Wed, Jan 04, 2017 at 02:08:06PM +0530, Nayna wrote: > > > On 01/03/2017 07:03 PM, Jarkko Sakkinen wrote: > > On Tue, Jan 03, 2017 at 01:09:18PM +0530, Nayna wrote: > > > > > > > > > On 01/03/2017 03:42 AM, Jarkko Sakkinen wrote: > > > > On Sun, Dec 11, 2016 at 12:35:33AM -0500, Nayna Jain wr

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 02:54:45PM -0700, Jason Gunthorpe wrote: > On Mon, Jan 02, 2017 at 09:26:58PM -0800, James Bottomley wrote: > > > OK, so I put a patch together that does this (see below). It all works > > nicely (with a udev script that sets the resource manager device to > > 0666): > > >

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 05:17:32PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 02:39:58PM -0800, James Bottomley wrote: > > > > I think we should also consider TPM 1.2 support in all of this, it is > > > still a very popular peice of hardware and it is equally able to > > > support a R

Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 02:47:02PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 08:36:10AM -0800, James Bottomley wrote: > > > > I'm not sure about this. Why you couldn't have a very thin daemon > > > that prepares the file descriptor and sends it through UDS socket to > > > a client.

Re: [tpmdd-devel] [PATCH RFC 4/4] tpm: add the infrastructure for TPM space for TPM 2.0

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 12:16:34PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 02:37:30AM +0200, Jarkko Sakkinen wrote: > > On Mon, Jan 02, 2017 at 02:09:53PM -0700, Jason Gunthorpe wrote: > > > On Mon, Jan 02, 2017 at 03:22:10PM +0200, Jarkko Sakkinen wrote: > > > > Added a ioctl for c

Re: [tpmdd-devel] [PATCH RFC 4/4] tpm: add the infrastructure for TPM space for TPM 2.0

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 11:46:27AM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 02:37:30AM +0200, Jarkko Sakkinen wrote: > > On Mon, Jan 02, 2017 at 02:09:53PM -0700, Jason Gunthorpe wrote: > > > On Mon, Jan 02, 2017 at 03:22:10PM +0200, Jarkko Sakkinen wrote: > > > > Added a ioctl for c

Re: [tpmdd-devel] [PATCH RFC 1/4] tpm: migrate struct tpm_buf to struct tpm_chip

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 12:13:28PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 02:57:37AM +0200, Jarkko Sakkinen wrote: > > On Mon, Jan 02, 2017 at 02:01:01PM -0700, Jason Gunthorpe wrote: > > > On Mon, Jan 02, 2017 at 03:22:07PM +0200, Jarkko Sakkinen wrote: > > > > Since there is only

Re: [tpmdd-devel] [TrouSerS-tech] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-04 Thread Jarkko Sakkinen
On Tue, Jan 03, 2017 at 04:40:53PM -0700, Jason Gunthorpe wrote: > On Tue, Jan 03, 2017 at 03:22:56PM -0800, James Bottomley wrote: > > > I think it is very important to natively support the sign-only key > > > usage restriction. TPM1.2 goes so far as to declare keys that can be > > > used for arbi

Re: [tpmdd-devel] [PATCH v7 2/2] tpm: add securityfs support for TPM 2.0 firmware event log

2017-01-04 Thread Nayna
On 01/03/2017 07:03 PM, Jarkko Sakkinen wrote: > On Tue, Jan 03, 2017 at 01:09:18PM +0530, Nayna wrote: >> >> >> On 01/03/2017 03:42 AM, Jarkko Sakkinen wrote: >>> On Sun, Dec 11, 2016 at 12:35:33AM -0500, Nayna Jain wrote: Unlike the device driver support for TPM 1.2, the TPM 2.0 does