Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use

From: William Roberts
Date: Sat Jan 14 2023 - 10:12:13 EST

Next message: Jacopo Mondi: "Re: [PATCH] media: ov5640: Update last busy timestamp to reset autosuspend timer"
Previous message: Gao Xiang: "[PATCH v2 2/2] erofs: simplify iloc()"
In reply to: James Bottomley: "Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use"
Next in thread: Matthew Garrett: "Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jan 14, 2023 at 8:55 AM James Bottomley <jejb@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2023-01-03 at 13:10 -0800, Matthew Garrett wrote:
> > On Tue, Jan 3, 2023 at 1:05 PM William Roberts
> > <bill.c.roberts@xxxxxxxxx> wrote:
> >
> > > What's the use case of using the creation data and ticket in this
> > > context? Who gets the creationData and the ticket?
> > > Could a user supplied outsideInfo work? IIRC I saw some patches
> > > flying around where the sessions will get encrypted and presumably
> > > correctly as well. This would allow the transfer of that
> > > outsideInfo, like the NV Index PCR value to be included and
> > > integrity protected by the session HMAC.
> >
> > The goal is to ensure that the key was generated by the kernel. In
> > the absence of the creation data, an attacker could generate a
> > hibernation image using their own key and trick the kernel into
> > resuming arbitrary code. We don't have any way to pass secret data
> > from the hibernate kernel to the resume kernel, so I don't think
> > there's any easy way to do it with outsideinfo.
>
> Can we go back again to why you can't use locality? It's exactly
> designed for this since locality is part of creation data. Currently
> everything only uses locality 0, so it's impossible for anyone on Linux
> to produce a key with anything other than 0 in the creation data for
> locality. However, the dynamic launch people are proposing that the
> Kernel should use Locality 2 for all its operations, which would allow
> you to distinguish a key created by the kernel from one created by a
> user by locality.
>
> I think the previous objection was that not all TPMs implement
> locality, but then not all laptops have TPMs either, so if you ever
> come across one which has a TPM but no locality, it's in a very similar
> security boat to one which has no TPM.
>

I also usually stick to features within the PTP spec[1], which includes
the locality support.

+2 for locality, I responded somewhere that I also support locality. I
was thinking more of TPM2_PolicyLocality I didn't realize that's
within the creationData. I was thinking more along the lines of, can I
wield the key over "did my locality create it". I'm not sure
what other protections are on the key,are there any protections
preventing them from
wielding it and using it to sign something nefarious?

1. https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Family_2.0_Revision_1.3v22.pdf

> James
>

Next message: Jacopo Mondi: "Re: [PATCH] media: ov5640: Update last busy timestamp to reset autosuspend timer"
Previous message: Gao Xiang: "[PATCH v2 2/2] erofs: simplify iloc()"
In reply to: James Bottomley: "Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use"
Next in thread: Matthew Garrett: "Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]