Re: [PATCH v14 3/5] security: keys: trusted: fix TPM2 authorizations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2020-12-22 at 18:01 -0500, Ken Goldman wrote:
> On 11/29/2020 5:20 PM, James Bottomley wrote:
> > Note this is both and enhancement and a potential bug fix.  The TPM
> > 2.0 spec requires us to strip leading zeros, meaning empyty
> > authorization is a zero length HMAC whereas we're currently passing
> > in 20 bytes of zeros.  A lot of TPMs simply accept this as OK, but
> > the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this
> > patch makes the Microsoft TPM emulator work with trusted keys.
> 
> 1 - To be precise, it strips trailing zeros, but 20 bytes of zero
> results in an empty buffer either way.
> 
> "
> Part 1 19.6.4.3	Authorization Size Convention
> 
> Trailing octets of zero are to be removed from any string before it
> is used as an authValue.
> "
> 
> 
> 2 - If you have a test case for the MS simulator, post it and I'll
> give it a try.
> 
> I did a quick test, power cycle to set platform auth to empty, than
> create primary with a parent password 20 bytes of zero, and the
> SW TPM accepted it.
> 
> This was a password session, not an HMAC session.

I reported it to Microsoft as soon as I found the problem, so, since
this patch set has been languishing for years, I'd hope it would be
fixed by now.  It is still, however, possible there still exist TPM
implementations based on the unfixed Microsoft reference platform.

James





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux