"Kevin O'Connor" <kevin@koconnor.net>
wrote on 01/05/2016 03:35:35 PM:

> 
> On Tue, Jan 05, 2016 at 02:05:55PM -0500, Stefan Berger wrote:
> > "Kevin O'Connor" <kevin@koconnor.net> wrote on
01/05/2016 12:16:18 PM:
> > > On Tue, Dec 29, 2015 at 07:17:40PM -0500, Kevin O'Connor
wrote:
> > > > The following series involves some code reorganization
in the TPM code
> > > > that I found useful in understanding the code.
> > > 
> > > FYI, I committed patches 1-9 (after some bug fixes).
> > 
> > The result of the 2nd patch set also looks good.
> 
> Thanks - I pushed most of that series as well.
> 
> I've been looking further at error recovery in the TPM code.  I'm
not
> sure I fully understand what needs to be done on an error.
> 
> If I understand it correctly, the SeaBIOS TPM code has three major
> requirements:
> 
> - Pass through commands from the 16bit bios interface to the TPM.
>   This is useful for bootloaders/oproms that don't have a TPM
driver.
> 
>   - I think the only requirement for error recovery here is that
we
>     return an appropriate error code to the caller of the
16bit BIOS
>     interface.
Once we leave the BIOS and enter trusted grub bootloader
for example, we have
given up physical presence. So certain functionality
is not available anymore
and calling tpm_set_failure() actually will not be
able to deactivate the TPM
anymore. That said, whatever happens in terms of TPM
failures that trusted grub
may encounter would have to be handled differently.
I do not remember
having read something about theses cases in the specs,
though the possibilty
would exist to extend and / or log a special value.

> 
> - Take "measurements" during the boot process so that later
on users
>   can verify if some low-level code has changed (and thus attempt
to
>   identify if malicious code may have been inserted into the
>   firmware).
> 
>   - The major requirement here seems to be that if we can't take
a
>     measurement that we either "cap" measurements
or shutdown the TPM.
>     If we don't do this, it opens the possibility of a malicious
>     program forging measurements.
That's correct. We don't cap the measurements but
try to temporarily deactivate
the TPM until the next reboot.

> 
>   - It's also useful to skip taking measurements if the TPM device
is
>     not present so that we don't waste CPU time taking measurements
>     that will never be used.
Correct.

> 
> - Implement physical presence capability so that critical settings
in
>   the TPM can only be changed by someone that can prove they
are
>   physically present at the hardware (and thus attempt to prevent
>   malicious code that temporarily obtains escalated privileges
from
>   altering these important settings).
> 
>   - The major requirement here seems to be that the "physical
>     presence" lock always be set prior to starting
the boot loader.
Yes, we have to give up physical presence and lock
that.

>     And, of course, we need to implement the ability to
change the
>     critical settings (via the tpm menu).
> 
> Does the above seem correct?
This sounds correct. 
Capping actually is mentioned in the spec for certain
error conditions where the value 01h
is supposed to be measured into PCR[0-7]. I don't
read about logging these, though.
   Stefan

> 
> -Kevin
>