Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200806110623.yubvwntnnuhff46p@archlinux.org>
Date: Thu, 6 Aug 2020 13:06:23 +0200
From: Jonas Witschel <diabonas@...hlinux.org>
To: oss-security@...ts.openwall.com
Cc: trousers-tech@...ts.sourceforge.net, security@...e.de,
	Matthias Gerstner <mgerstner@...e.de>,
	Jerry Snitselaar <jsnitsel@...hat.com>
Subject: Re: Multiple Security Issues in the TrouSerS tpm1.2
 tscd Daemon

On 2020-08-05 14:51, Jerry Snitselaar wrote:
> > Mitigation and Bugfixes
> > =======================
> >
> > It seems best to me to run the tcsd as the tss:tss user and group right away
> > and to not rely on the privilege drop logic implemented in the daemon itself.
> > All of a), b) and c) should no longer be problematic in this case. I found
> > that on Debian and Gentoo Linux this is already the case. To make this work a
> > udev rule needs to be packaged that passes ownership of /dev/tpm0 device to
> > the tss user. To prevent regressions when switching from the privilege drop
> > approach to this new approach, a possibly already existing
> > /var/lib/tpm/system.auth file needs to be safely chown()'ed to the tss user
> > during package updates.
> >
> 
> On Fedora and RHEL there currently is a udev rule (from upstream) that
> ships with the tpm2-tss package that is setting ownership of /dev/tpm0
> to tss:root. I don't recall what the reasoning was for the group being
> root. For /dev/tpmrm0 it sets it to tss:tss, so not sure what the reason
> was for /dev/tpm0. I believe that package is part of a default install,
> so that will need to be worked out. I don't know if you run into that
> with SUSE as well.

The idea behind not giving the tss group access to /dev/tpm0 as well is to prevent users from gaining direct access to the TPM and being able to DoS it. Users privileged to access the TPM should be added to the tss group so that they can access the TPM trough an access broker/resource manager (like tpm2-abrmd, the in-kernel resource manager /dev/tpmrm0, or tcsd in case of TPM 1.2), but not have "bare metal" access, which is limited to the tss user and root. See [1] for reference.

Cheers,
Jonas

[1] https://github.com/tpm2-software/tpm2-tss/pull/963#issuecomment-381142241

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.