Re: [PATCH RFC] tpm: define a command filter

From: Jarkko Sakkinen
Date: Thu Jan 26 2017 - 06:14:25 EST

On Wed, Jan 25, 2017 at 03:11:36PM -0700, Jason Gunthorpe wrote:
> On Wed, Jan 25, 2017 at 10:21:37PM +0200, Jarkko Sakkinen wrote:
> > There should be anyway someway to limit what commands can be sent but
> > I understand your point.
> What is the filter for?
> James and I talked about a filter to create a safer cdev for use by
> users. However tpms0 cannot be that 'safer' cdev - it is now the 'all
> access' path.

What do you mean by "safer cdev"?

> I also suggested a filter in the kernel to ensure that the RM is only
> passing commands it actually knows it handles properly. eg you would
> filter out list handles. That is hardwired into the kernel, and does
> not ge to be configured by user space.

In many cases you would want to limit the set of operations that client
can use. For example, not every client needs NV operations. In general
you might want to have mechanism for limiting privileges. I haven't
really considered this from the perspective that you've been discussing
but more from the "principle of least privilege" perspective.

Are you suggesting that in such cases you could just create daemon for
proxying the traffic (when you want to limit privileges)? You could just
make that daemon a whole lot simpler if it just needs to pass the file
desriptor to the client after defining the set of operations that the
client can use.

This is a high priority decision to make because it's hard to apply
principle of least privilege (with everything disallowed defaultts)
if it is not done in the first place.