Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss
Ken,toggle quoted message. . .
In our case, the target is an embedded device and the only active user of TPM (post manufacture install) is the openssl engine, and even then, it is only used during boot and software upgrade.
I suppose someone could make a denial of service attack on that port. The option would be to add user/group tss and make openssl SGID tss.
I'll have to give that some thought.
Thank you for the feedback, this is all new stuff for me.
From: Ken Goldman <kgold@...>
Sent: Thursday, January 3, 2019 7:07 PM
To: Doug Fraser <doug.fraser@...>; James Bottomley <James.Bottomley@...>; firstname.lastname@example.org; Ibmtpm20tss-users@...
Subject: Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss
On 1/3/2019 3:59 PM, Doug Fraser wrote:
Hello All.Way back, the wisdom was to set some group protection (i.e., a group of trusted applications) on /dev/tpmxxx.
Using /dev/tpmrm0 protects against an application locking the TPM and/or using all the resources.
However, even when using /dev/tpmrm0, might one want to protect against an application extending PCR 10, for example?
Another - does /tpmrm0 protect against an application doing the write() but never the read(), and thus blocking the device?