"Fuchs, Andreas" <[email protected]> wrote on 11/18/2014 
10:22:11 AM:

> From: "Fuchs, Andreas" <[email protected]>
> To: Stefan Berger/Watson/IBM@IBMUS
> Cc: Stefan Berger <[email protected]>, "trousers-
> [email protected]" <[email protected]>
> Date: 11/18/2014 10:22 AM
> Subject: RE: [TrouSerS-tech] [PATCH] Allow to run tcsd as normal user
> 
> Hi Stefan,
> 
> thanks for clearing up that use case. TPM-emulator and vTPM have a 
> different taste for me...
> So the "emulator" was what got me stuck on assuming development.
> 
> vTPM-Setup for VMs and containers could of course be a valid use 
> case I assume.
> I had always expected vTPMs to be more elaborate though to not 
> require access of the Host-VM via the default channels but rather 
> other interfaces, to also leverage Deep-Attestation potential.
> 
> Would you mind giving me some pointers on what kinds of vTPMs you're 
> looking into?

I cannot give you pointers. But I can tell you that I would like to use the
TCSD to help set up a vTPM before it is used by a VM. This is to 'simulate
manufacturing' of a TPM, such as the steps of EK creation and NVRAM setup
with certificates for the vTPM. Trousers provides the tools for many of
the involved steps. To avoid having to start this process with root rights,
the intention would be to have TCSD run with lesser privileges than what
it requires now.

   Stefan


> 
> Cheers,
> Andreas
> 

> 
> From: Stefan Berger [[email protected]]
> Sent: Tuesday, November 18, 2014 15:29
> To: Fuchs, Andreas
> Cc: Stefan Berger; [email protected]
> Subject: RE: [TrouSerS-tech] [PATCH] Allow to run tcsd as normal user

> "Fuchs, Andreas" <[email protected]> wrote on 11/18/
> 2014 09:13:53 AM:
> 
> > 
> > Hi Stefan,
> > 
> > I think we are somewhat talking different directions here... ;-)
> > 
> > Yes, tcsd should only be started as root and change to tss:tss to 
> > access /dev/tpm0 /etc/tcsd.conf and /var/lib/tpm/system.data (or 
> > what it's called).
> > 
> > This should be packaged and not changed.
> > 
> > Even with your (fixed) patch, starting tcsd will not succeed 
> > starting, because /var/lib/tpm/system.data shall not be readable 
> > only be user/group tss:tss. Otherwise your package is broken... 
> 
> There is a configuration option in the config file that lets one 
> set the path to the system_ps_file. It will be created with 0600 
> access rights and /var/lib/tpm will only be accessible by tss, so 
> cannot be used by anyone else. 
> 
> > 
> > So if you want to create a development environment for tpm-emulator-
> > use, I recommend: 
> 
> It's not meant only for development purposes, but for purposes 
> related to a virtualized TPM as well where the TCSD would be used to
> set up the vTPM before it is used by QEMU for example. Therefore, the
> package should have the feature to allow starting the tcsd with non-
> root rights. 
> 
> Regards, 
>    Stefan 
> 
> > 
> > - compile trousers with --disable-usercheck and --prefix=/path/to/your/env
> > 
> > - compile tpmd with a prefix to /path/to/your/env (so it also does 
> > not access /var/lib/tpm for persistent data and socket anymore) 
> > (p.s. don't know if patches for this are upstream or not)
> > 
> > - select tpmd's tddl in your tcsd.conf in order to avoid having to 
> > load tpmd_dev kernel-module...
> > 
> > Then start your devel-tcsd, which will now not try to setuid anymore
> > and use a different tcsd.conf and system.data from your env-prefix. 
> > So you are completely contained inside your development-environment... :-)
> > 
> > Feel free to contact me if things don't work as expected. I have 
> > some setups of this kind for development here. Maybe I can help...
> > 
> > Cheers,
> > Andreas
> > 
> 
> > 
> > From: Stefan Berger [[email protected]]
> > Sent: Tuesday, November 18, 2014 14:59
> > To: Fuchs, Andreas
> > Cc: Stefan Berger; [email protected]
> > Subject: Re: [TrouSerS-tech] [PATCH] Allow to run tcsd as normal user
> 
> > "Fuchs, Andreas" <[email protected]> wrote on 11/18/
> > 2014 07:48:21 AM:
> > 
> > 
> > > 
> > > Hi Stefan,
> > > 
> > > how does your use case differ in functionality from the --disable-
> > > usercheck configure switch ? 
> > 
> > The tcsd daemon using /dev/tpm0 has to be started as root. It should
> > also change to a non-privileged user, here tss. No changes in this case. 
> > So in the (intended) use case a non-privileged user can then also 
> > start tcsd using sockets to talk to an emulator. 
> > 
> > > (see the #ifdef NOUSERCHECK right before your code additions)
> > > I think the use case is better covered by the configure-switch, 
> > > since in a standard-environment you want to be warned / failed when 
> > > there are uid-problems. And for your (and my) dev-envs we can have a 
> > > second tssd-executable... 
> > 
> > Packages only get compiled in one way. On Fedora at least the part 
> > checking the access rights to the config file and the setuid() part 
> > are always compiled in and that's good this way. 
> > 
> > > 
> > > Regarding the code: It seems as if you skip whenever getuid() == 0
> > > Isn't that reverse to what you described in the commit message ? 
> > 
> > My bad. Will repost. 
> > 
> >    Stefan 
> > 
> > > 
> > > Just my 2 cents on things,
> > > 
> > > Cheers,
> > > Andreas
> > > 
> > > ________________________________________
> > > From: Stefan Berger [[email protected]]
> > > Sent: Tuesday, November 18, 2014 13:28
> > > To: [email protected]
> > > Subject: [TrouSerS-tech] [PATCH] Allow to run tcsd as normal user
> > > 
> > > Currently TCSD requires that it is run by root or the tss user since only then
> > > it will be able to setuid to tss or read the TCSD configuration file, which must
> > > also be owned by tss:tss. However, there are use cases when TCSD does not need
> > > to be started as root, particularly when it communicates with a TPM emulator
> > > over sockets. In this case we should be able to start the TCSD from a
> > > non-privileged user account.
> > > 
> > > Signed-off-by: Stefan Berger <[email protected]>
> > > ---
> > >  src/tcsd/svrside.c   | 4 ++++
> > >  src/tcsd/tcsd_conf.c | 5 +++++
> > >  2 files changed, 9 insertions(+)
> > > 
> > > diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
> > > index 1ae1636..f00ff38 100644
> > > --- a/src/tcsd/svrside.c
> > > +++ b/src/tcsd/svrside.c
> > > @@ -463,6 +463,9 @@ main(int argc, char **argv)
> > >              "(Compiled with --disable-usercheck)");
> > >  #else
> > >  #ifndef SOLARIS
> > > +       if (getuid() == 0)
> > > +               goto skip_setuid;
> > > +
> > >         pwd = getpwnam(TSS_USER_NAME);
> > >         if (pwd == NULL) {
> > >                 if (errno == 0) {
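Review bot: the added `if (getuid() == 0) goto skip_setuid;` ahead of `getpwnam(TSS_USER_NAME)` has the test inverted relative to the commit message. As written, a tcsd started by root jumps over the `setuid()` to tss and keeps running as root, while a non-privileged caller still falls into the lookup and the `setuid()` call. The comparison should be `getuid() != 0`, so that only the unprivileged start skips the drop.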
> > > @@ -474,6 +477,7 @@ main(int argc, char **argv)
> > >                 return TCSERR(TSS_E_INTERNAL_ERROR);
> > >         }
> > >         setuid(pwd->pw_uid);
> > > + skip_setuid:
> > >  #endif
> > >  #endif
> > > 
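Review bot: the `setuid(pwd->pw_uid);` context line directly above the new `skip_setuid:` label ignores its return value, so a failed switch to tss leaves the daemon running as root without any error. While this block is being touched, check the result and return `TCSERR(TSS_E_INTERNAL_ERROR)` on failure, as the `getpwnam()` error path above it already does.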
> > > diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
> > > index a31503d..549c2bb 100644
> > > --- a/src/tcsd/tcsd_conf.c
> > > +++ b/src/tcsd/tcsd_conf.c
> > > @@ -772,6 +772,9 @@ conf_file_init(struct tcsd_config *conf)
> > > 
> > >  #ifndef NOUSERCHECK
> > >  #ifndef SOLARIS
> > > +        if (getuid() == 0)
> > > +                goto skip_tss_check;
> > > +
> > >         /* find the gid that owns the conf file */
> > >         errno = 0;
> > >         grp = getgrnam(TSS_GROUP_NAME);
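Review bot: `if (getuid() == 0) goto skip_tss_check;` before the `getgrnam(TSS_GROUP_NAME)` lookup carries the same inversion as the svrside.c change. Root, the caller that goes on to run as tss, bypasses the validation of the config file, and the unprivileged caller the commit message is about still gets it. Use `getuid() != 0` here as well.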
> > > @@ -809,6 +812,8 @@ conf_file_init(struct tcsd_config *conf)
> > >                 LogError("TCSD config file (%s) must be mode 0600", 
> > > tcsd_config_file);
> > >                 return TCSERR(TSS_E_INTERNAL_ERROR);
> > >         }
> > > +
> > > + skip_tss_check:
> > >  #endif /* SOLARIS */
> > >  #endif /* NOUSERCHECK */
> > > 
> > > --
> > > 1.9.3
> > > 
> > > 
> > > 
> > 
> 
_______________________________________________
TrouSerS-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-tech
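
The behaviour discussed in this thread (a root start drops to tss, an unprivileged start skips the drop, and the config file stays mode 0600) written out as an added example; it is not TrouSerS code and not taken from the patch. The helper names `settle_identity` and `conf_perms_ok` are hypothetical, and requiring the config file to be owned by whichever uid the daemon ends up running as is an assumption of this example.

```c
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helpers for illustration; not TrouSerS functions.
 * Returns the uid the process runs as afterwards, or (uid_t)-1 on failure. */
uid_t settle_identity(const char *svc_user)
{
	struct passwd *pwd;

	if (getuid() != 0)
		return getuid();        /* started unprivileged: nothing to drop */
	pwd = getpwnam(svc_user);
	if (pwd == NULL)
		return (uid_t)-1;
	/* Group first, then user, each call checked. Clearing supplementary
	 * groups (setgroups) is left out to keep the example POSIX-only. */
	if (setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0)
		return (uid_t)-1;
	if (setuid(0) == 0)             /* root must not be recoverable */
		return (uid_t)-1;
	return pwd->pw_uid;
}

/* 0 if path is a regular file owned by owner with mode exactly 0600, else -1.
 * fstat() on the open descriptor avoids checking one file and reading another. */
int conf_perms_ok(const char *path, uid_t owner)
{
	struct stat st;
	int fd = open(path, O_RDONLY);
	int ok;

	if (fd < 0)
		return -1;
	ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
	     st.st_uid == owner && (st.st_mode & 07777) == 0600;
	close(fd);                      /* a real daemon would keep fd and parse from it */
	return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
	const char *conf = argc > 1 ? argv[1] : "/etc/tcsd.conf";
	uid_t uid = settle_identity("tss");
	int bad = uid == (uid_t)-1 || conf_perms_ok(conf, uid) != 0;

	printf("%s: %s\n", conf, bad ? "refusing to start" : "identity and permissions ok");
	return bad;
}
```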
