Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test

From: Tadeusz Struk
Date: Thu Dec 12 2019 - 16:07:25 EST

Next message: Andrew Murray: "Re: [PATCH] pcie: Add quirk for the Arm Neoverse N1SDP platform"
Previous message: Waiman Long: "Re: [PATCH v2] mm/hugetlb: defer free_huge_page() to a workqueue"
In reply to: James Bottomley: "Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test"
Next in thread: James Bottomley: "Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/12/19 12:54 PM, James Bottomley wrote:
> Not in the modern kernel resource manager world: anyone who is in the
> tpm group can access the tpmrm device and we haven't added a dangerous
> command filter like we promised we would, so unless they have actually
> set lockout or platform authorization, they'll find they can execute it

The default for the tpm2_* tools with '-T device' switch is to talk to
/dev/tpm0.

If one would try to run it, by mistake, it would fail with:

$ tpm2_clear -T device
ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init()
Failed to open device file /dev/tpm0: Permission denied

To point it to /dev/tpmrm0 it would need to be:
$ tpm2_clear -T device:/dev/tpmrm0

--
Tadeusz

Next message: Andrew Murray: "Re: [PATCH] pcie: Add quirk for the Arm Neoverse N1SDP platform"
Previous message: Waiman Long: "Re: [PATCH v2] mm/hugetlb: defer free_huge_page() to a workqueue"
In reply to: James Bottomley: "Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test"
Next in thread: James Bottomley: "Re: [PATCH =v2 3/3] tpm: selftest: cleanup after unseal with wrong auth/policy test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]