On 2020-08-05 14:51, Jerry Snitselaar wrote:
> > Mitigation and Bugfixes
> > =======================
> >
> > It seems best to me to run the tcsd as the tss:tss user and group right away
> > and to not rely on the privilege drop logic implemented in the daemon itself.
> > All of a), b) and c) should no longer be problematic in this case. I found
> > that on Debian and Gentoo Linux this is already the case. To make this work a
> > udev rule needs to be packaged that passes ownership of /dev/tpm0 device to
> > the tss user. To prevent regressions when switching from the privilege drop
> > approach to this new approach, a possibly already existing
> > /var/lib/tpm/system.auth file needs to be safely chown()'ed to the tss user
> > during package updates.
> >
> 
> On Fedora and RHEL there currently is a udev rule (from upstream) that
> ships with the tpm2-tss package that is setting ownership of /dev/tpm0
> to tss:root. I don't recall what the reasoning was for the group being
> root. For /dev/tpmrm0 it sets it to tss:tss, so not sure what the reason
> was for /dev/tpm0. I believe that package is part of a default install,
> so that will need to be worked out. I don't know if you run into that
> with SUSE as well.

The idea behind not giving the tss group access to /dev/tpm0 as well is to 
prevent users from gaining direct access to the TPM and being able to DoS it. 
Users privileged to access the TPM should be added to the tss group so that 
they can access the TPM through an access broker/resource manager (like 
tpm2-abrmd, the in-kernel resource manager /dev/tpmrm0, or tcsd in case of TPM 
1.2), but not have "bare metal" access, which is limited to the tss user and 
root. See [1] for reference.

Cheers,
Jonas

[1] https://github.com/tpm2-software/tpm2-tss/pull/963#issuecomment-381142241
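The two packaging pieces discussed in this thread, the udev ownership split (tss:root for the bare-metal /dev/tpm0, tss:tss for /dev/tpmrm0) and a chown of an already existing system.auth that cannot be redirected through a symlink, written out as an added example that is not code from the thread or from the trousers/tpm2-tss projects; the rule file path and the exact rule text are assumptions for illustration, and owner and paths are parameters so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added illustration, not packaging code from trousers or tpm2-tss.

# Write a udev rule that mirrors the ownership split described in the thread.
# The rule file name and the rule lines are assumptions for illustration.
write_tpm_udev_rule() {
    rule_file="$1"
    cat > "$rule_file" <<'EOF'
# Bare-metal device: only the tss user (and root). Group stays root so that
# members of the tss group cannot talk to the chip directly and DoS it.
KERNEL=="tpm[0-9]*",   MODE="0660", OWNER="tss", GROUP="root"
# Resource-managed device: tss group members go through the kernel manager.
KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"
EOF
}

# Migrate a pre-existing auth file to the service account during an update.
# Returns 0 if the file was chowned or does not exist, 1 if the path is a
# symlink or otherwise not a regular file (a planted symlink must not let the
# package hook hand some other file to the tss user).
chown_system_auth() {
    auth_file="$1"
    owner="$2"
    if [ ! -e "$auth_file" ] && [ ! -L "$auth_file" ]; then
        return 0                      # nothing to migrate on a fresh install
    fi
    if [ -L "$auth_file" ] || [ ! -f "$auth_file" ]; then
        echo "refusing to chown $auth_file: not a regular file" >&2
        return 1
    fi
    # -h never follows symlinks; the checks above already excluded them, but it
    # keeps the call safe if the path is swapped between the test and the chown.
    chown -h "$owner" "$auth_file" && chmod 0600 "$auth_file"
}

# Usage as a package update hook would call it (paths are assumptions):
#   write_tpm_udev_rule /usr/lib/udev/rules.d/60-tpm-udev.rules
#   chown_system_auth /var/lib/tpm/system.auth tss
```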
