Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss

Doug Fraser
 

Ken,

In our case, the target is an embedded device and the only active user of TPM (post manufacture install) is the openssl engine, and even then, it is only used during boot and software upgrade.
I suppose someone could make a denial of service attack on that port. The option would be to add user/group tss and make openssl SGID tss.

I'll have to give that some thought.

Thank you for the feedback, this is all new stuff for me.

Douglas Fraser

-----Original Message-----
From: Ken Goldman <kgold@...>
Sent: Thursday, January 3, 2019 7:07 PM
To: Doug Fraser <doug.fraser@...>; James Bottomley <James.Bottomley@...>; openssl-tpm2-engine@groups.io; Ibmtpm20tss-users@...
Subject: Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss

On 1/3/2019 3:59 PM, Doug Fraser wrote:
> Hello All.
>
> On UDEV rules....
>
> (depending on where I search, different answers)
>
> I am currently setting both /dev/tpm0 and /dev/tpmrm0 to mode 0666
>
> I don't care who the owner or group is, since I am not running SUID tss
>
> Is this inherently wrong-headed to be working this way?

Way back, the wisdom was to set some group protection (i.e., a group of trusted applications) on /dev/tpmxxx.

Using /dev/tpmrm0 protects against an application locking the TPM and/or using all the resources.

However, even when using /dev/tpmrm0, might one want to protect against an application extending PCR 10, for example?

Another - does /tpmrm0 protect against an application doing the write() but never the read(), and thus blocking the device?
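
A check for the device-node permissions discussed in this thread, as an added example that is not part of either message: it flags a TPM device node that is accessible to all users or that belongs to a group other than the trusted one. The group name `tss` and the device paths come from the thread; the function names and the udev rule lines in the comment are assumptions of this example.

```python
import grp
import os
import stat

# Device nodes named in the thread.
TPM_NODES = ("/dev/tpm0", "/dev/tpmrm0")

# Group-restricted udev rules in place of mode 0666 (assumption: the trusted
# group is called "tss", as suggested in the thread):
#   KERNEL=="tpm[0-9]*",   MODE="0660", GROUP="tss"
#   KERNEL=="tpmrm[0-9]*", MODE="0660", GROUP="tss"


def lookup_gid(name):
    """Resolve a group name to a gid, or None if the group does not exist."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def audit_node(path, trusted_gid=None):
    """Return a list of findings for one device node (empty list means OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not present"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Any permission bit for "other" lets processes outside the trusted
    # group reach the TPM (mode 0666 sets both read and write).
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible to all users (mode {mode:04o})")
    if trusted_gid is not None and st.st_gid != trusted_gid:
        findings.append(f"{path}: group id {st.st_gid}, expected {trusted_gid}")
    return findings


if __name__ == "__main__":
    gid = lookup_gid("tss")
    if gid is None:
        print("group 'tss' does not exist on this system")
    for node in TPM_NODES:
        for finding in audit_node(node, gid):
            print(finding)
```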
