[PATCH v10 00/17] Remove nested TPM operations

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Thu Jan 31 16:11:55 UTC 2019


On Wed, Jan 30, 2019 at 04:28:42PM -0800, James Bottomley wrote:
> On Tue, 2019-01-29 at 14:31 +0200, Jarkko Sakkinen wrote:
> > On Wed, Jan 23, 2019 at 01:53:44PM -0500, Stefan Berger wrote:
> > > On 1/23/19 1:20 PM, Jarkko Sakkinen wrote:
> > > > On Wed, Jan 16, 2019 at 11:23:25PM +0200, Jarkko Sakkinen wrote:
> > > > > Make the changes necessary to detach TPM space code and TPM
> > > > > activation code out of the tpm_transmit() flow because both of
> > > > > these can cause nested tpm_transmit() calls. The nested calls
> > > > > make the whole flow hard to maintain, and thus, it is better to
> > > > > just fix things now before this turns into a bigger mess.
> > > > 
> > > > Any reasons not to merge this soon?
> > > 
> > > I suppose v10 hasn't changed anything significant. So, not from my
> > > perspective. Were you waiting for more Reviewed-by's?
> > 
> > Yeah, for example TPM space touching changes would be good to peer
> > check with James. I could have easily forgotten some implementation
> > detail, and it has been a very stable piece of code, so I don't want
> > to break it. Guess I won't yet try to put this in v5.1.
> 
> So the implementation detail I was looking for: internal kernel use of
> tpm_transmit_cmd() without tpm_find/try_get_ops() doesn't seem to
> exist, so I think this is all safe.  You can add my
> 
> Reviewed-by: James Bottomley <James.Bottomley at HansenPartnership.com>

Thank you. I'll send a new revision soonish.

> But I've got to say I can't test this yet because you've made a huge
> problem for me in the tpm security patches: they introduce a kernel
> space which now becomes somewhat problematic because the space handling
> moved into the device common code.  To get both these things to work
> together so I can test it, space handling is going to have to come
> slightly down from device common code so the kernel can use it.

Yeah, obviously. I'll apply these patches right after the next PR so
you will have a more stable platform to work on after that. Stefan
has tested these, and then there is one full cycle to fix details
if we find issues.

/Jarkko


