On Wed, Feb 24, 2021 at 10:00:53AM -0800, James Bottomley wrote: > On Sat, 2021-02-20 at 01:32 +0000, Matthew Garrett wrote: > > Under certain circumstances it might be desirable to enable the > > creation of TPM-backed secrets that are only accessible to the > > kernel. In an ideal world this could be achieved by using TPM > > localities, but these don't appear to be available on consumer > > systems. > > I don't understand this ... the localities seem to work fine on all the > systems I have ... is this some embedded thing? I haven't made it work on an HP Z440 or a Lenovo P520. So now I'm wondering whether having chipsets with TXT support (even if it's turned off) confuse this point. Sigh. I'd really prefer to use localities than a PCR, so if it works on client platforms I'd be inclined to say we'll do a self-test and go for that, and workstation vendors can just recommend their customers use UPSes or something. > > An alternative is to simply block userland from modifying one of the > > resettable PCRs, leaving it available to the kernel. If the kernel > > ensures that no userland can access the TPM while it is carrying out > > work, it can reset PCR 23, extend it to an arbitrary value, create or > > load a secret, and then reset the PCR again. Even if userland somehow > > obtains the sealed material, it will be unable to unseal it since PCR > > 23 will never be in the appropriate state. > > This seems a bit arbitrary: You're removing this PCR from user space > accessibility, but PCR 23 is defined as "Application Support" how can > we be sure no application will actually want to use it (and then fail)? Absolutely no way of guaranteeing that, and enabling this option is certainly an ABI break. > Since PCRs are very scarce, why not use a NV index instead. They're > still a bounded resource, but most TPMs have far more of them than they > do PCRs, and the address space is much bigger so picking a nice > arbitrary 24 bit value reduces the chance of collisions. How many write cycles do we expect the NV to survive? But I'll find a client system with a TPM and play with locality support there - maybe we can just avoid this problem anyway.
