Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Mon, Mar 20, 2017 at 09:56:17AM +, alexander.stef...@infineon.com wrote: > > I think the most straight-forward way to sort this out would be to limit > > validation to the resource manager. > > Sounds good to me. > > > If I send a fix, would you care to test it? > > Sure, will do. > >

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Mon, Mar 20, 2017 at 09:56:17AM +, alexander.stef...@infineon.com wrote: > > I think the most straight-forward way to sort this out would be to limit > > validation to the resource manager. > > Sounds good to me. > > > If I send a fix, would you care to test it? > > Sure, will do. > >

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> > There are a few special cases that need some thought though. For > > example, it is possible to use an upgrade to switch the TPM family > > from 1.2 to 2.0 (or vice versa). In this case it seems useful to let > > the kernel reinitialize the TPM driver, so it uses the correct > > timeouts for

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> > There are a few special cases that need some thought though. For > > example, it is possible to use an upgrade to switch the TPM family > > from 1.2 to 2.0 (or vice versa). In this case it seems useful to let > > the kernel reinitialize the TPM driver, so it uses the correct > > timeouts for

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On 3/20/2017 5:54 AM, alexander.stef...@infineon.com wrote: There are a few special cases that need some thought though. For example, it is possible to use an upgrade to switch the TPM family from 1.2 to 2.0 (or vice versa). In this case it seems useful to let the kernel reinitialize the TPM

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On 3/20/2017 5:54 AM, alexander.stef...@infineon.com wrote: There are a few special cases that need some thought though. For example, it is possible to use an upgrade to switch the TPM family from 1.2 to 2.0 (or vice versa). In this case it seems useful to let the kernel reinitialize the TPM

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Mon, Mar 20, 2017 at 09:54:41AM +, alexander.stef...@infineon.com wrote: > >>> 2. When upgrading the firmware on my TPM, it switches to a > >>> non-standard communication mode for the upgrade process and does not > >>> communicate using TPM2.0 commands during this time. Rejecting > >>>

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Mon, Mar 20, 2017 at 09:54:41AM +, alexander.stef...@infineon.com wrote: > >>> 2. When upgrading the firmware on my TPM, it switches to a > >>> non-standard communication mode for the upgrade process and does not > >>> communicate using TPM2.0 commands during this time. Rejecting > >>>

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> I think the most straight-forward way to sort this out would be to limit > validation to the resource manager. Sounds good to me. > If I send a fix, would you care to test it? Sure, will do. Alexander

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> I think the most straight-forward way to sort this out would be to limit > validation to the resource manager. Sounds good to me. > If I send a fix, would you care to test it? Sure, will do. Alexander

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

>>> 2. When upgrading the firmware on my TPM, it switches to a >>> non-standard communication mode for the upgrade process and does not >>> communicate using TPM2.0 commands during this time. Rejecting >>> non-TPM2.0 commands means upgrading won't be possible anymore. >> >> How non standard? Is

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

>>> 2. When upgrading the firmware on my TPM, it switches to a >>> non-standard communication mode for the upgrade process and does not >>> communicate using TPM2.0 commands during this time. Rejecting >>> non-TPM2.0 commands means upgrading won't be possible anymore. >> >> How non standard? Is

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Fri, Mar 17, 2017 at 03:40:15PM +, alexander.stef...@infineon.com wrote: > > Check for every TPM 2.0 command that the command code is supported and > > the command buffer has at least the length that can contain the header > > and the handle area. > > This breaks several use cases for me:

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Fri, Mar 17, 2017 at 03:40:15PM +, alexander.stef...@infineon.com wrote: > > Check for every TPM 2.0 command that the command code is supported and > > the command buffer has at least the length that can contain the header > > and the handle area. > > This breaks several use cases for me:

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> 1. I've got a TPM that implements vendor-specific command codes. Those > cannot be send to the TPM anymore, but are rejected with EINVAL. > >> 2. When upgrading the firmware on my TPM, it switches to a >> non-standard communication mode for the upgrade process and does not >> communicate using

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> 1. I've got a TPM that implements vendor-specific command codes. Those > cannot be send to the TPM anymore, but are rejected with EINVAL. > >> 2. When upgrading the firmware on my TPM, it switches to a >> non-standard communication mode for the upgrade process and does not >> communicate using

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Fri, Mar 17, 2017 at 03:40:15PM +, alexander.stef...@infineon.com wrote: > 1. I've got a TPM that implements vendor-specific command > codes. Those cannot be send to the TPM anymore, but are rejected > with EINVAL. > > 2. When upgrading the firmware on my TPM, it switches to a >

Re: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

On Fri, Mar 17, 2017 at 03:40:15PM +, alexander.stef...@infineon.com wrote: > 1. I've got a TPM that implements vendor-specific command > codes. Those cannot be send to the TPM anymore, but are rejected > with EINVAL. > > 2. When upgrading the firmware on my TPM, it switches to a >

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> Check for every TPM 2.0 command that the command code is supported and > the command buffer has at least the length that can contain the header > and the handle area. This breaks several use cases for me: 1. I've got a TPM that implements vendor-specific command codes. Those cannot be send to

RE: [tpmdd-devel] [PATCH v3 2/7] tpm: validate TPM 2.0 commands

> Check for every TPM 2.0 command that the command code is supported and > the command buffer has at least the length that can contain the header > and the handle area. This breaks several use cases for me: 1. I've got a TPM that implements vendor-specific command codes. Those cannot be send to

[PATCH v3 2/7] tpm: validate TPM 2.0 commands

Check for every TPM 2.0 command that the command code is supported and the command buffer has at least the length that can contain the header and the handle area. For ContextSave and FlushContext we mark the body to be part of the handle area. This gives validation for these commands at zero

[PATCH v3 2/7] tpm: validate TPM 2.0 commands

Check for every TPM 2.0 command that the command code is supported and the command buffer has at least the length that can contain the header and the handle area. For ContextSave and FlushContext we mark the body to be part of the handle area. This gives validation for these commands at zero