List: linux-keyrings
Subject: Re: [PATCH v2 09/11] KEYS: trusted: Add session encryption protection to the seal/unseal path
From: Ben Boeckel <me () benboeckel ! net>
Date: 2023-01-29 13:06:19
Message-ID: Y9ZvS9PozyX5AxpZ () farprobe
On Tue, Jan 24, 2023 at 12:55:14 -0500, James Bottomley wrote:
> If some entity is snooping the TPM bus, the can see the data going in
                                          ^^^ they
> to be sealed and the data coming out as it is unsealed. Add parameter
> and response encryption to these cases to ensure that no secrets are
> leaked even if the bus is snooped.
>
> As part of doing this conversion it was discovered that policy
> sessions can't work with HMAC protected authority because of missing
> pieces (the tpm Nonce). I've added code to work the same way as
> before, which will result in potential authority exposure (while still
> adding security for the command and the returned blob), and a fixme to
> redo the API to get rid of this security hole.
--Ben