On Fri Apr 5, 2024 at 3:24 AM EEST, William Brown wrote:
>
> > On 5 Apr 2024, at 01:49, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > The reality is that unless you context save a session, you don't need
> > degapping and pretty much every TSS based use of sessions doesn't need
> > to save them, so people who construct TPM based systems rarely run into
> > this.
>
> This is the odd part - I'm *not* context saving sessions here.
>
> Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
> Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
> Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoaded, value: 0 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrLoadedAvail, value: 3 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActive, value: 1 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: HrActiveAvail, value: 63 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ActiveSessionsMax, value: 64 }] })
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [TaggedProperty { property: ContextGapMax, value: 255 }] })
>
> I could be completely wrong, but my reading of the specification is that
> HrActive/HrLoaded are the values of interest here, and we can see they
> remain at 0/1 for each test as the sessions and loaded objects are removed
> at the end of each test.
>
> And yet, I'm running into the error 0x0901. So something else is going on
> that I'm not 100% sure about.

We should catch all TPM2_StartAuthSession commands written to /dev/tpm0.
In practice this means checking the 32-bit value in buf[6] of the second
parameter of tpm_transmit(). This could be e.g. checked with bpftrace by
hooking kprobe into the function and comparing that to 0x00000176. It is
in big-endian order. I can try to bake a script for this if you need
help... That way we can catch all session creations.

> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia

BR, Jarkko
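The bpftrace script Jarkko describes above, written out here as an added example (it is not from the thread and not Jarkko's script). It assumes a kernel where tpm_transmit() has the signature ssize_t tpm_transmit(struct tpm_chip *chip, u8 *buf, size_t bufsiz), so that arg1 is the command buffer, and a bpftrace recent enough to have bswap(). The TPM2 command and response headers are both tag (2 bytes), size (4 bytes), then commandCode or responseCode (4 bytes), all big-endian, which is why the value of interest sits at buf[6..10]. Besides TPM2_CC_StartAuthSession (0x176) the script also logs FlushContext (0x165), ContextSave (0x162) and ContextLoad (0x161), and flags any non-zero response code, so 0x901 (TPM_RC_CONTEXT_GAP) can be matched to the command that triggered it and the session creates can be compared against the flushes.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of the thread. Assumes:
//   ssize_t tpm_transmit(struct tpm_chip *chip, u8 *buf, size_t bufsiz)
// so arg1 is the command buffer ("second parameter" in the mail above).
// Header layout (command and response): tag[2] size[4] code[4], big-endian,
// hence the code is the 32-bit value at buf[6].

BEGIN
{
    printf("tracing tpm_transmit(); Ctrl-C for a per-command summary\n");
}

kprobe:tpm_transmit
{
    // Command code, byte-swapped from the big-endian wire order.
    $cc = bswap(*(uint32 *)(arg1 + 6));

    // Keep the buffer and code per thread so the return probe can read the
    // response code, which tpm_transmit() writes over the same buffer.
    @buf[tid] = arg1;
    @cc[tid] = $cc;
    @count[$cc] = count();

    if ($cc == 0x176) {          // TPM2_CC_StartAuthSession
        printf("%-16s pid=%-6d StartAuthSession\n", comm, pid);
    } else if ($cc == 0x165) {   // TPM2_CC_FlushContext
        printf("%-16s pid=%-6d FlushContext\n", comm, pid);
    } else if ($cc == 0x162) {   // TPM2_CC_ContextSave
        printf("%-16s pid=%-6d ContextSave\n", comm, pid);
    } else if ($cc == 0x161) {   // TPM2_CC_ContextLoad
        printf("%-16s pid=%-6d ContextLoad\n", comm, pid);
    }
}

kretprobe:tpm_transmit
/@buf[tid] != 0/
{
    // A positive return is the response length; a negative one is a kernel
    // errno and the buffer then holds no TPM response to decode.
    if (retval > 0) {
        $rc = bswap(*(uint32 *)(@buf[tid] + 6));
        if ($rc != 0) {
            printf("%-16s pid=%-6d cc=0x%x -> rc=0x%x\n", comm, pid, @cc[tid], $rc);
            if ($rc == 0x901) {
                printf("    (0x901 = TPM_RC_CONTEXT_GAP)\n");
            }
        }
    }
    delete(@buf[tid]);
    delete(@cc[tid]);
}

END
{
    printf("\ncommands seen, keyed by command code (decimal; 374 = 0x176):\n");
    print(@count);
    clear(@buf);
    clear(@cc);
}
```

Run it as root while the Rust example is executed in another terminal; every StartAuthSession reaching /dev/tpm0 is printed as it happens, whichever process sends it, and the END summary shows whether the number of session creates is matched by the number of flushes. If the kernel in use still has the older five-argument tpm_transmit() (with a struct tpm_space argument before the buffer), the buffer is arg2 rather than arg1 and the two references need adjusting.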