'Re: [tpmdd-devel] [PATCH 0/3] tpm: retrieve digest size of unknown algorithms from TPM'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       tpmdd-devel
Subject:    Re: [tpmdd-devel] [PATCH 0/3] tpm: retrieve digest size of unknown algorithms from TPM
From:       Jarkko Sakkinen <jarkko.sakkinen () linux ! intel ! com>
Date:       2017-10-04 7:32:58
Message-ID: 20171004073258.be2j7mdeud2pjbyk () linux ! intel ! com
[Download RAW message or body]

Hi

And apologies for late review.

On Mon, Sep 25, 2017 at 01:19:47PM +0200, Roberto Sassu wrote:
> This patch set derives from a larger patch set which modifies the TPM
> driver API in order to extend a PCR with multiple digests. It can be
> retrieved at the URL:
> 
> https://sourceforge.net/p/tpmdd/mailman/message/35905412/

A patch set should be able to live on its own. Please remove this link.

I don't care about that patch set at this point and I'm not going to
give any distant promises.

> The TPM driver currently relies on the crypto subsystem to determine the
> digest size of supported TPM algorithms. In the future, TPM vendors might
> implement new algorithms in their chips, and those algorithms might not
> be supported by the crypto subsystem.
> 
> Usually, vendors provide patches for the new hardware, and likely
> the crypto subsystem will be updated before the new algorithm is
> introduced. However, old kernels might be updated later, after patches
> are included in the mainline kernel. This would leave the opportunity
> for attackers to misuse PCRs, as PCR banks with an unknown algorithm
> are not extended.
> 
> This patch set provides a long term solution for this issue. If a TPM
> algorithm is not known by the crypto subsystem, the TPM driver retrieves
> the digest size from the TPM with a PCR read. All the PCR banks are
> extended, even if the algorithm is not yet supported by the crypto
> subsystem.

This part makes sense to me.

/Jarkko

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic