Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
From: Dr. Greg
Date: Wed Nov 30 2022 - 16:05:48 EST
On Sun, Nov 27, 2022 at 11:41:26AM -0500, James Bottomley wrote:
Good afternoon, I hope the week is going well for everyone.
> On Sun, 2022-11-27 at 18:33 +0200, Jarkko Sakkinen wrote:
> > On Mon, Nov 14, 2022 at 12:11:20PM -0500, James Bottomley wrote:
> > > On Fri, 2022-11-11 at 15:16 -0800, Evan Green wrote:
> > > > Introduce a new Kconfig, TCG_TPM_RESTRICT_PCR, which if enabled
> > > > restricts usermode's ability to extend or reset PCR 23.
> > >
> > > Could I re ask the question here that I asked of Matthew's patch
> > > set:
> > >
> > > https://lore.kernel.org/all/b0c4980c8fad14115daa3040979c52f07f7fbe2c.camel@xxxxxxxxxxxxx/
> > >
> > > Which was could we use an NVRAM index in the TPM instead of a PCR???
> > > The reason for asking was that PCRs are rather precious and might
> > > get more so now that Lennart has some grand scheme for using more
> > > of them in his unified boot project.?? Matthew promised to play with
> > > the idea but never got back to the patch set to say whether he
> > > investigated this or not.
> >
> > Even for PCR case it would be better to have it configurable through
> > kernel command-line, including a disabled state, which would the
> > default.
> >
> > This would be backwards compatible, and if designed properly, could
> > more easily extended for NV index later on.
>
> Um how? The observation is in the above referenced email is that PCR23
> is reserved in the TCG literature for application usage. If any
> application is actually using PCR23 based on that spec then revoking
> access to user space will cause it to break. This is an ABI change
> which is not backwards compatible. You can call it a distro problem if
> it's command line configurable, but the default would be what most
> distros take, so it's rather throwing them under the bus if there is an
> application using it.
>
> Of course, if no application is actually using PCR23, then it's
> probably OK to use it in the kernel and make it invisible to user
> space, but no evidence about this has actually been presented.
If there isn't, there will be in in the next week or so, if we can
stay on schedule. Otherwise, I fear that Casey Schaufler, who I
believe is holding his breath, may turn irretrievably blue.... :-)
The Trust Orchestration System, Quixote, that we are releasing for
Linux uses PCR23 to generate an attestation of the functional state
value for an internally modeled security domain.
TSEM, the LSM based kernel component in all of this, supports the
ability to implement multiple 'domains', nee namespaces, each of which
can have a security modeling function attached to it. Each internally
modeled domain has to have the ability to independently attest the
functional value of the security model implemented for the
domain/namespace.
We have found, and I believe others will find that, particularly the
resettable registers, are too precious to be constrained from general
usage. We actually just finished lifting the PCR23 extension
functionality out of the TSEM driver and into userspace because having
it in the kernel was too constraining.
With respect to making the behavior a command-line option. We've
slogged through 2+ years of conversations with sizable players who
have indicated that if the 'distys' don't implement something, it
isn't a relevant Linux technology, so a command-line option poses a
barrier to innovation.
> James
Have a good day.
As always,
Dr. Greg
The Quixote Project - Flailing at the Travails of Cybersecurity