Re: [PATCH] char: tpm: ftpm_tee: use kernel login identifier

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dearl all,

Typo in my previous post!

On Thu, 11 May 2023 at 06:47, Etienne Carriere
<etienne.carriere@xxxxxxxxxx> wrote:
>
> Hello Jarkko,
>
> On Thu, 11 May 2023 at 00:12, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
> >
> > On Fri May 5, 2023 at 9:43 PM EEST, Etienne Carriere wrote:
> > > Changes fTPM TEE driver to open the TEE session with REE kernel login
> > > identifier rather than public login. This is needed in case fTPM service
> > > it denied to user land application and restricted to kernel operating
> > > system services only.
> > >
> > > Signed-off-by: Etienne Carriere <etienne.carriere@xxxxxxxxxx>
> >
> >
> > Can you bring up a little context here?
> >
> > What is REE login?
> > Does it break backwards compatibility to switch?
> > What kind of scenario we are talking about? What does it mean in plain
> > English when fTPM service is denied.
> > What is fTPM service?
>
> By fTPM service I meant the services exposed by fTPM through its
> OP-TEE interface, that are the commands a client can invoke in fTPM,
> see [1].
>
> Regarding backward compatibility, this change is backward compatible
> as far as the OP-TEE entity this driver communicates with is of
> revision 3.9.0 or above.
> I understand this case should be addressed in some way.
>
> In current implementation, fTPM can be invoked by Linux kernel drivers
> (through Linux kernel tee API as tpm_ftpm_tee currently does) as well
> as by userland application (through TEE client library API [2]).
> This change makes tpm_ftpm_tee to invoke fTPM interface using a client
> identifier stating it is the Linux kernel that invokes it, not a
> userland application. fTPM implementation does not check the client
> identity when a client opens a session toward it. Therefore using a
> public identifier (TEE_IOCTL_LOGIN_PUBLIC) or the OS privilege
> identifier (TEE_IOCTL_LOGIN_REE_KERNEL) does not matter, as far as
> OP-TEE supports these IDs. The former is native to OP-TEE initial UAPI
> [3], the latter was introduced in OP-TEE 3.9.0 [4] and Linux kernel
> v5.8 [5].
>
> That said, this change does fix an existing issue in fTPM integration.

Typo, sorry, I meant
"That said, this change does **NOT** fix an existing issue in fTPM integration."

BR,
Etienne

> The fTPM entity currently only accepts a single session opened towards
> it. This is enforced as fTPM sets property TA_FLAG_SINGLE_INSTANCE and
> does not set property TA_FLAG_MULTI_SESSION [6].
> Linux kernel tpm_ftpm_tee driver currently opens a session to fTPM at
> probe time and releases it at remove time so once the driver is
> successfully probed, no userland application can use TEE userland
> client API to open another session and communicate with fTPM.
>
> [1] https://github.com/microsoft/ms-tpm-20-ref/blob/main/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c#L456
> [2] https://github.com/OP-TEE/optee_client
> [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c9cca2cc50569efc65945325c173cecba83bd
> [4] https://github.com/OP-TEE/optee_os/commit/78f462f646e7c037bea13aa6282c81f255922a4f
> [5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=104edb94cc4b3101bab33161cd861de13e85610b
> [6] https://github.com/microsoft/ms-tpm-20-ref/blob/main/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h#L47
>
> Regards,
> Etienne
>
> >
> > > ---
> > >  drivers/char/tpm/tpm_ftpm_tee.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/char/tpm/tpm_ftpm_tee.c b/drivers/char/tpm/tpm_ftpm_tee.c
> > > index 528f35b14fb6..6d32e260af43 100644
> > > --- a/drivers/char/tpm/tpm_ftpm_tee.c
> > > +++ b/drivers/char/tpm/tpm_ftpm_tee.c
> > > @@ -241,7 +241,7 @@ static int ftpm_tee_probe(struct device *dev)
> > >       /* Open a session with fTPM TA */
> > >       memset(&sess_arg, 0, sizeof(sess_arg));
> > >       export_uuid(sess_arg.uuid, &ftpm_ta_uuid);
> > > -     sess_arg.clnt_login = TEE_IOCTL_LOGIN_PUBLIC;
> > > +     sess_arg.clnt_login = TEE_IOCTL_LOGIN_REE_KERNEL;
> > >       sess_arg.num_params = 0;
> > >
> > >       rc = tee_client_open_session(pvt_data->ctx, &sess_arg, NULL);
> > > --
> > > 2.25.1
> >
> > BR, Jarkko



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux