Re: [tpmdd-devel] [RFC] tpm2-space: add handling for global session exhaustion

From: James Bottomley
Date: Fri Jan 27 2017 - 17:06:08 EST

On Fri, 2017-01-27 at 16:42 -0500, Ken Goldman wrote:
> On 1/18/2017 3:48 PM, James Bottomley wrote:
> > In a TPM2, sessions can be globally exhausted once there are
> > TPM_PT_ACTIVE_SESSION_MAX of them (even if they're all context
> > saved).
> > The Strategy for handling this is to keep a global count of all the
> > sessions along with their creation time. Then if we see the TPM
> > run
> > out of sessions (via the TPM_RC_SESSION_HANDLES) we first wait for
> > one
> > to become free, but if it doesn't, we forcibly evict an existing
> > one.
> > The eviction strategy waits until the current command is repeated
> > to
> > evict the session which should guarantee there is an available
> > slot.
> Beware the nasty corner case:
> - Application asks for a session and gets 02000000
> - Time elapses and 02000000 gets forcibly flushed
> - Later, app comes back, asks for a second session and again gets
> 02000000.
> - App gets very confused.
> May it be better to close the connection completely, which the
> application can detect, than flush a session and give this corner
> case?

if I look at the code I've written, I don't know what the session
number is, I just save sessionHandle in a variable for later use (lets
say to v1). If I got the same session number returned at a later time
and placed it in v2, all I'd notice is that an authorization using v1
would fail. I'm not averse to killing the entire connection but,
assuming you have fallback, it might be kinder simply to ensure that
the operations with the reclaimed session fail (which is what the code
currently does).

> ~~~~
> Part of me says to defer this. That is:
> 64 sessions / 3 = 21 simultaneous applications. If we have 21
> simultaneous TCG applications, we'll all celebrate. For the DoS,
> chmod and chgrp /dev/tpm and let only well behaved applications in
> the group.
> Agreed, it's not a long term solution.

My use case is secret protection in the cloud. I can certainly see >
21 applications wanting to do this at roughly the same time. However,
the periods over which they actually all need sessions should be very
short, hence the leasing proposal which would stagger them.