[tpmdd-devel] [PATCH RESEND 3/3] tpm-chip: Export TPM device to user space even when startup failed
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Wed Aug 30 11:07:48 UTC 2017
On Wed, Aug 30, 2017 at 12:34:16PM +0200, Michal Suchánek wrote:
> On Wed, 30 Aug 2017 13:20:02 +0300
> Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com> wrote:
>
> > On Wed, Aug 30, 2017 at 01:15:10PM +0300, Jarkko Sakkinen wrote:
> > > On Tue, Aug 29, 2017 at 03:17:39PM +0200, Michal Suchánek wrote:
> > > > Hello,
> > > >
> > > > On Tue, 29 Aug 2017 15:55:09 +0300
> > > > Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com> wrote:
> > > >
> > > > > On Mon, Aug 28, 2017 at 05:15:58PM +0000,
> > > > > Alexander.Steffen at infineon.com wrote:
> > > > > > But is that just because nobody bothered to implement the
> > > > > > necessary logic or for some other reason?
> > > > >
> > > > > We do not want user space to access broken hardware. It's a
> > > > > huge risk for system stability and potentially could be used
> > > > > for evil purposes.
> > > > >
> > > > > This is not going to mainline as it is not suitable for general
> > > > > consumption. You must use a patched kernel if you want this.
> > > > >
> > > > > /Jarkko
> > > > >
> > > >
> > > > It has been pointed out that userspace applications that use
> > > > direct IO access exist for the purpose. So using a kernel driver
> > > > is an improvement over that if the interface is otherwise sane.
> > > >
> > > > What do you expect is the potential for instability or evil use?
> > >
> > > By definition the use of broken hardware can have unpredictable
> > > effects. Use a patched kernel if you want to do it.
> > >
> > > /Jarkko
> >
> > I.e. too many unknown unknowns for mainline.
> >
> > I could consider a solution for the TPM error case on self-test that
> > allows only restricted subset of commands.
> >
> > The patch description did not go to *any* detail on how it is used so
> > practically it's unreviewable at this point. There's a big burder of
> > proof and now there's only hand waving.
> >
> Hello,
>
> there was a bug patched recently in which Linux was not sending the
> shutdown command on system shutdown. Presumably with this bug some TPMs
> consider being under attack and stop performing most functions.
> However, you should be able to read the log if this is implemented
> sanely. For that the TPM needs to be accessible.
>
> There are probably other cases when the TPM might be useless for system
> use but it might be useful to access it. For example, does Linux handle
> uninitialized TPMs?
>
> Thanks
>
> Michal
Agreed. I still think it would make sense to start with a limited subset
of TPM commands, not with all-command-allowed.
I guess Alexander should be able to propose such subset.
/Jarkko
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list