Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use

From: James Bottomley
Date: Tue Jan 17 2023 - 18:27:33 EST


On Sat, 2023-01-14 at 19:05 -0800, Matthew Garrett wrote:
> On Sat, Jan 14, 2023 at 6:55 AM James Bottomley <jejb@xxxxxxxxxxxxx>
> wrote:
> > Can we go back again to why you can't use locality?  It's exactly
> > designed for this since locality is part of creation data. 
> > Currently everything only uses locality 0, so it's impossible for
> > anyone on Linux to produce a key with anything other than 0 in the
> > creation data for locality.  However, the dynamic launch people are
> > proposing that the Kernel should use Locality 2 for all its
> > operations, which would allow you to distinguish a key created by
> > the kernel from one created by a user by locality.
> >
> > I think the previous objection was that not all TPMs implement
> > locality, but then not all laptops have TPMs either, so if you ever
> > come across one which has a TPM but no locality, it's in a very
> > similar security boat to one which has no TPM.
>
> It's not a question of TPM support, it's a question of platform
> support. Intel chipsets that don't support TXT simply don't forward
> requests with non-0 locality. Every Windows-sticker laptop since 2014
> has shipped with a TPM, but the number that ship with TXT support is
> a very small percentage of that. I agree that locality is the obvious
> solution for a whole bunch of problems, but it's just not usable in
> the generic case.

How sure are you of this statement? Of all the laptops I have with
TPM2 (a sample size of 2), my old Dell XPS-13 (a 9350 bought in 2016
with a TPM 1.2 that was firmware upgraded to 2.0) has a Nuvoton TIS TPM
that doesn't respond on any locality other than 0. However, my more
modern Inspiron 13 2-in-1 (a 7391 from 2019 recently bought
refurbished) has an Intel PTT TPM using the CRB interface and responds
fine on locality 1 and also indicates that locality in the creation
data. Neither of these laptops has TXT nor the SMX extensions, so that
would seem to indicate your statement above isn't universal.

James
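Added example (Python; not code from this thread or from the kernel patch) showing how the locality argument above would be checked in practice: it unmarshals a TPMS_CREATION_DATA blob using the TPM 2.0 Library Part 2 field layout, expands the TPMA_LOCALITY byte, and accepts an object only if the TPM recorded exactly the proposed kernel locality 2. The sample blobs are constructed here rather than captured from a TPM, and "locality 2 means kernel" is the convention under discussion, not something the TPM enforces on its own.

```python
# Added example (not from this thread or the kernel patch): decode a TPM 2.0
# TPMS_CREATION_DATA blob and report which locality the object was created at.
# Field layout follows TPM 2.0 Library Part 2; sample blobs are constructed here,
# not captured from a real TPM.
import struct

def _tpm2b(buf, off):
    """Read a TPM2B_* field (UINT16 size followed by bytes); return (bytes, new offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + size], off + size

def parse_creation_data(buf):
    """Unmarshal TPMS_CREATION_DATA (big-endian, as the TPM emits it)."""
    off = 0
    (count,) = struct.unpack_from(">I", buf, off); off += 4         # TPML_PCR_SELECTION.count
    pcr_select = []
    for _ in range(count):                                           # TPMS_PCR_SELECTION entries
        hash_alg, size_of_select = struct.unpack_from(">HB", buf, off); off += 3
        pcr_select.append((hash_alg, buf[off:off + size_of_select])); off += size_of_select
    pcr_digest, off = _tpm2b(buf, off)
    (locality,) = struct.unpack_from(">B", buf, off); off += 1       # TPMA_LOCALITY
    (parent_name_alg,) = struct.unpack_from(">H", buf, off); off += 2
    parent_name, off = _tpm2b(buf, off)
    parent_qualified_name, off = _tpm2b(buf, off)
    outside_info, off = _tpm2b(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_CREATION_DATA")
    return {"pcr_select": pcr_select, "pcr_digest": pcr_digest, "locality": locality,
            "parent_name_alg": parent_name_alg, "parent_name": parent_name,
            "parent_qualified_name": parent_qualified_name, "outside_info": outside_info}

def localities(attr):
    """Expand TPMA_LOCALITY: bits 0-4 are localities 0-4; a value >= 32 is an extended locality."""
    return {attr} if attr >= 32 else {i for i in range(5) if attr & (1 << i)}

def created_at_kernel_locality(creation_data, kernel_locality=2):
    """True only if the TPM recorded exactly the kernel's locality (the proposal is locality 2)."""
    return localities(parse_creation_data(creation_data)["locality"]) == {kernel_locality}

def build_creation_data(locality_attr):
    """Constructed sample: one SHA-256 PCR selection covering PCR 23, empty names and outsideInfo."""
    pcr_selection = struct.pack(">IHB", 1, 0x000B, 3) + bytes([0x00, 0x00, 0x80])  # PCR 23 = byte 2, bit 7
    return (pcr_selection + struct.pack(">H", 32) + b"\x00" * 32   # pcrDigest (all-zero placeholder)
            + struct.pack(">BH", locality_attr, 0x000B)            # locality, parentNameAlg = SHA-256
            + struct.pack(">HHH", 0, 0, 0))                        # parentName, parentQualifiedName, outsideInfo

if __name__ == "__main__":
    for attr in (0x01, 0x04):   # TPM_LOC_ZERO (what user space gets today) vs TPM_LOC_TWO (proposed kernel use)
        print(hex(attr), created_at_kernel_locality(build_creation_data(attr)))
```

A verifier would apply this to the creation data returned alongside TPM2_Create, after checking that the accompanying creation ticket binds that data to the object, which this snippet does not cover.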