Re: TPM 2.0 Linux sysfs interface

On 8/28/19 5:03 PM, Mimi Zohar wrote:
> [Cc'ing Petr Vorel]
> 
> Hi Piotr,

Hi Mimi,

> 
> On Tue, 2019-08-27 at 01:24 +0200, Piotr Król wrote:
>> Hi all,
>> I'm moving here discussion that I started with Jarkko and Peter on LinkedIn.
>>
>> I'm preparing for 2 talks during LPC 2019 System Boot MC and one of them
>> will discuss TPM 2.0 sysfs support [1]. This was discussed a couple of times
>> [2] and Jarkko explained why it is not done yet [3].
>>
>> Why is this important?
>> - there seems to be no default method to distinguish whether we are dealing with
>> TPM 1.2 or 2.0 in the system.
> 
> Agreed, this affects both the LTP IMA tests and ima-evm-utils package,
> which need to support both TPM 1.2 and 2.0 for the foreseeable future.
> The LTP IMA tests check different sysfs files to determine if it is
> TPM 1.2 or TPM 2.0 (eg. /sys/class/tpm/tpm0/device/description,
> /sys/class/tpm/tpm0/device/pcrs and /sys/class/misc/tpm0/device/pcrs),
> but the "description" file is not defined by all TPM 2.0's.  It
> shouldn't be that difficult to define a single common sysfs file.

Thank you for those use cases; I will point to them during the LPC discussion.

Jarkko said that what he potentially can cope with is:
/sys/class/tpm/tpm0/protocol_major

But maybe a version file is also good to go; it depends on what it should return
and how that information should be obtained for various TPM versions.

> 
>> - distros use various tools to detect TPM based on sysfs (e.g. Qubes OS
>> scripts)
>> - tpm2-software has a ton of dependencies, is not easy to build,
>> development is way faster than distros can manage and packages are often
>> out of date or even broken, so using it can be troublesome
>> - for deeply embedded systems adding fully-featured tpm2-software
>> doesn't make sense e.g. if we just need PCRs values
>>
>> Jarkko's comment on detecting 1.2 vs 2.0:
>> "Detecting TPM 2.0 is dead easy: send any idempotent TPM 2.0 command and
>> check if the tag field matches 0x8002 (TPM_NO_SESSIONS). The sysfs
>> features for TPM 1.2 are for the large part useless as you can get the
>> same data by using TPM commands."
>>
>> Ok, but doesn't this mean I need TPM2 software stack?
>> Peter mentioned that it can be tricky to invoke such tools early in boot
>> process.
> 
> ima-evm-utils now uses the TPM 2.0 TSS[1] to read the PCRs.  I haven't
> tried using it during boot, but I don't foresee a problem. I guess it
> depends on how early you need to read the PCRs.

I'm still looking into use cases to provide correct examples. I'm
thinking about edge computing devices e.g. Azure IoT Edge, AWS IoT and
Greengrass and its ability to perform trusted boot, but do not have
something well exercised yet.

Definitely there is automatic validation of hardware modules which is
time sensitive and faster access to basic functions verification, then
more savings to manufacturer.

For research purposes I tried a couple of queries on GitHub to check who uses
PCRs through sysfs [1][2]. Among others you can find CoreOS, Android,
already mentioned LTP, some Google projects. Quite a lot of user space
code to be fixed. Maybe if I have enough time I will prepare
statistics about usage of given endpoints to quantify how those affect
the system.

[1]
https://github.com/search?q=%22%2Fsys%2Fclass%2Ftpm%2Ftpm0%2Fdevice%2Fpcrs%22&type=Code
[2]
https://github.com/search?q=%22%2Fsys%2Fclass%2Fmisc%2Ftpm0%2Fdevice%2Fpcrs%22&type=Code

Best Regards,
-- 
Piotr Król
Embedded Systems Consultant
GPG: B2EE71E967AA9E4C
https://3mdeb.com | @3mdeb_com
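
The tag-based detection discussed in this thread can be done without a TSS by writing one raw command to the TPM character device and inspecting the 10-byte response header. The following is an added example, not code from the thread, the kernel or tpm2-software. It uses the tag values from the TCG specifications (0x8001 for TPM_ST_NO_SESSIONS in TPM 2.0, 0x00C4 for TPM_TAG_RSP_COMMAND in TPM 1.2); the names `tpm_classify`, `tpm2_probe_cmd` and the sample responses are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tpm_family { TPM_FAMILY_UNKNOWN, TPM_FAMILY_1_2, TPM_FAMILY_2_0 };

#define TPM_ST_NO_SESSIONS  0x8001u /* TPM 2.0 tag for a response without sessions */
#define TPM_TAG_RSP_COMMAND 0x00C4u /* TPM 1.2 response tag */
#define TPM_HEADER_SIZE     10u     /* tag(2) + size(4) + return code(4) */

/* TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_FAMILY_INDICATOR, count=1):
 * a read-only command, so sending it changes no TPM state. */
const uint8_t tpm2_probe_cmd[22] = {
    0x80, 0x01,  0x00, 0x00, 0x00, 0x16,  0x00, 0x00, 0x01, 0x7A,
    0x00, 0x00, 0x00, 0x06,  0x00, 0x00, 0x01, 0x00,  0x00, 0x00, 0x00, 0x01,
};

/* Constructed sample responses (not captured from real hardware). */
const uint8_t sample_rsp_tpm20[27] = {  /* success, property value "2.0\0" */
    0x80, 0x01,  0x00, 0x00, 0x00, 0x1B,  0x00, 0x00, 0x00, 0x00,  0x00,
    0x00, 0x00, 0x00, 0x06,  0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x01, 0x00,  0x32, 0x2E, 0x30, 0x00,
};
const uint8_t sample_rsp_tpm12[10] = {  /* TPM 1.2 rejecting the tag: TPM_BADTAG */
    0x00, 0xC4,  0x00, 0x00, 0x00, 0x0A,  0x00, 0x00, 0x00, 0x1E,
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify a chip from the raw response to tpm2_probe_cmd. */
enum tpm_family tpm_classify(const uint8_t *rsp, size_t len) {
    if (rsp == NULL || len < TPM_HEADER_SIZE)
        return TPM_FAMILY_UNKNOWN;      /* short read: no complete header */
    uint32_t size = be32(rsp + 2);
    if (size < TPM_HEADER_SIZE || size > len)
        return TPM_FAMILY_UNKNOWN;      /* size field disagrees with the read */
    uint16_t tag = (uint16_t)((rsp[0] << 8) | rsp[1]);
    if (tag == TPM_ST_NO_SESSIONS)
        return TPM_FAMILY_2_0;
    return tag == TPM_TAG_RSP_COMMAND ? TPM_FAMILY_1_2 : TPM_FAMILY_UNKNOWN;
}

int main(void) {
    printf("2.0 sample -> %d\n", (int)tpm_classify(sample_rsp_tpm20, sizeof sample_rsp_tpm20));
    printf("1.2 sample -> %d\n", (int)tpm_classify(sample_rsp_tpm12, sizeof sample_rsp_tpm12));
    return 0;
}
```

On a real system the command bytes would be written to the TPM device node and the reply read back in a single `read()`; anything classified as unknown should be treated as "no usable TPM" rather than guessed at.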


