Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Add an interface for tpm #1502
Conversation
zyga
reviewed
Jul 7, 2016
| +capability dac_override, | ||
| + | ||
| +/dev/tpm0 rw, | ||
| +/etc/tcsd.conf r, |
zyga
reviewed
Jul 7, 2016
| + | ||
| +/dev/tpm0 rw, | ||
| +/etc/tcsd.conf r, | ||
| +/usr/sbin/tcsd mr, |
zyga
reviewed
Jul 7, 2016
| +/dev/tpm0 rw, | ||
| +/etc/tcsd.conf r, | ||
| +/usr/sbin/tcsd mr, | ||
| +/var/lib/tpm/system.data rw, |
zyga
Jul 7, 2016
Contributor
This shouldn't be used like that. Please make tpm tools respect $SNAP and $SNAP_DATA
zyga
reviewed
Jul 7, 2016
| +#include <abstractions/apache2-common> | ||
| +#include <abstractions/base> | ||
| + | ||
| +@{HOME}/.trousers/user.data rw, |
zyga
added
the
Reviewed
label
Jul 7, 2016
|
Hey I think this is not the way to go. Did you test this interface with trousers? Remember that at runtime $HOME won't be the real home and most of the filesystem will be the read-only core snap. You have to use $SNAP_DATA to store data related to the snap but not specific to any user. |
zyga
reviewed
Jul 7, 2016
| +# Description: for tcsd | ||
| +# Usage: common | ||
| + | ||
| +#include <abstractions/apache2-common> |
zyga
reviewed
Jul 7, 2016
| + | ||
| +#include <abstractions/apache2-common> | ||
| +#include <abstractions/base> | ||
| +#include <abstractions/postfix-common> |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Thanks for the comments. Removed rules that should be utilized via $SNAP and $SNAP_DATA in tpm snap. The <abstractions/apache2-common> and <abstractions/postfix-common> are generated by aa-genprof, and the permission actually required by tpm snap is bind (slot) and connect to (plug) interface lo. Both of these includes are removed. For the network permissions, I'm not sure if this should be the way to go, to include network permissions directly in tpm interface, or just let tpm snap uses network and network-bind instead and remove the <abstractions/nameservice>. |
morphis
reviewed
Jul 13, 2016
| @@ -34,6 +34,7 @@ var allInterfaces = []interfaces.Interface{ | ||
| &NetworkManagerInterface{}, | ||
| &PppInterface{}, | ||
| &SerialPortInterface{}, | ||
| + &Tpm12Interface{}, |
morphis
Jul 13, 2016
Contributor
Why do we name it Tpm12? Shouldn't this be just TPM so its not specific to any software or its version?
morphis
reviewed
Jul 13, 2016
| +func (iface *Tpm12Interface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) { | ||
| + switch securitySystem { | ||
| + case interfaces.SecurityAppArmor: | ||
| + old := []byte("###SLOT_SECURITY_TAGS###") |
morphis
reviewed
Jul 13, 2016
| +`) | ||
| + | ||
| +var tpm12PermanentSlotSecComp = []byte(` | ||
| +# Description: for tcsd |
morphis
Jul 13, 2016
Contributor
This shouldn't menation tcsd but describe that those are needed to talk to the system TPM chip over /dev/tpm0
morphis
reviewed
Jul 18, 2016
| +# Description: for those who need to talk to the system TPM chip over /dev/tpm0 | ||
| +# Usage: common | ||
| + | ||
| +/dev/tpm0 rw, |
morphis
Jul 18, 2016
Contributor
Can we ever only have /dev/tpm0 or can we also have multiple? Maybe not really common so lets start with tpm0.
morphis
reviewed
Jul 18, 2016
| + case interfaces.SecurityAppArmor: | ||
| + return tpmPermanentSlotAppArmor, nil | ||
| + case interfaces.SecuritySecComp, interfaces.SecurityDBus, interfaces.SecurityUDev: | ||
| + return nil, nil |
morphis
Jul 18, 2016
Contributor
Is there no further syscall required other than what the common part of the security profile already allows?
jessesung
Jul 19, 2016
•
Edited 1 time
-
jessesung
Jul 19, 2016
Contributor
-
Jul 19, 2016
No, syscalls required are in network and network-bind and tpm snap will use these interfaces.
jdstrand
Jul 25, 2016
Contributor
Based on your comment, I think you are saying that access to /dev/tpm0 would use standard syscalls and anything beyond that is simply because the software opening it has additional functionality that is correctly covered by network and network-bind.
What Simon and I want to make sure is that if the tpm snap legitimately needs network (ie, it reaches out over the network) and network-bind (it opens a network port), then, sure, don't worry about extra syscalls, but if you are using those interfaces when the tpm snap doesn't reach out over the network or bind to a port, then the needed syscalls should be here too.
morphis
reviewed
Jul 21, 2016
| +/dev/tpm0 rw, | ||
| +`) | ||
| + | ||
| +type TpmInterface struct { } |
morphis
Jul 21, 2016
Contributor
Also we can simply this class a lot of the allow the common interface class to specify slot snippets too. @zyga what do you think?
morphis
reviewed
Jul 21, 2016
| + | ||
| +var tpmPermanentSlotAppArmor = []byte(` | ||
| +# Description: for those who need to talk to the system TPM chip over /dev/tpm0 | ||
| +# Usage: common |
|
@jessesung You need to make the CI still happy. Also please add a description to doc/interfaces.md and atleast a manual integration test to https://github.com/snapcore/snapd/blob/master/integration-tests/manual-tests.md |
jessesung
added some commits
Jul 22, 2016
jdstrand
reviewed
Jul 25, 2016
| +# Description: for those who need to talk to the system TPM chip over /dev/tpm0 | ||
| +# Usage: reserved | ||
| + | ||
| +/dev/tpm0 rw, |
jdstrand
Jul 25, 2016
Contributor
I suspect you'll also need:
/sys/class/tpm/tpm0/** r,
but also to resolve /sys/class/tpm/tpm0/device and /sys/class/tpm/tpm0/subsystem to add the resolved paths.
jessesung
Jul 27, 2016
Contributor
Trousers works after having the permission to read/write /dev/tpm0 in my tests. I think we can start from this simple rule and add more rules later if we find something doesn't work.
jdstrand
reviewed
Jul 25, 2016
| + | ||
| +func (iface *TpmInterface) PermanentPlugSnippet(plug *interfaces.Plug, securitySystem interfaces.SecuritySystem) ([]byte, error) { | ||
| + switch securitySystem { | ||
| + case interfaces.SecurityDBus, interfaces.SecurityAppArmor, interfaces.SecuritySecComp, interfaces.SecurityUDev: |
|
In addition to my other comments, this also needs tests. Furthermore, a cursory check shows that a tpm 2 device shows up as /dev/tpm0 so I think calling this 'tpm' is the right choice (even if the description in this PR says otherwise (the code is right though)). |
jessesung
changed the title from
Add an interface for tpm 1.2
to
Add an interface for tpm
Jul 27, 2016
jessesung
added some commits
Aug 10, 2016
morphis
reviewed
Aug 11, 2016
| + | ||
| +### tpm | ||
| + | ||
| +Can access the first tpm device. |
jessesung
Aug 11, 2016
Contributor
tpm0 in /dev since that's the only device apparmor profile allows now.
morphis
reviewed
Aug 11, 2016
| +# Test tpm interface with tpm-tools | ||
| + | ||
| +1. Install tpm snap from store. | ||
| +2. Use tpm.version to read some basic information from tpm device. |
|
Some small things in line, otherwise LGTM. |
|
LGTM |
morphis
reviewed
Aug 11, 2016
| +/dev/tpm0 rw, | ||
| +` | ||
| + | ||
| +const tpmConnectedPlugSecComp = ` |
jdstrand
reviewed
Aug 11, 2016
| +Can access the tpm device /dev/tpm0. | ||
| + | ||
| +Usage: reserved | ||
| +Auto-Connect: no |
jdstrand
Aug 11, 2016
Contributor
Can you adjust this for the new format? FYI I notice that system-trace isn't following the proper format (feel free to fix it in passing if you want).
jdstrand
reviewed
Aug 11, 2016
| + c.Assert(snippet, IsNil) | ||
| + snippet, err = s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityUDev) | ||
| + c.Assert(err, IsNil) | ||
| + c.Assert(snippet, IsNil) |
jdstrand
Aug 11, 2016
•
Edited 1 time
-
jdstrand
Aug 11, 2016
Contributor
-
Aug 11, 2016
interfaces.SecuritySecComp and interfaces.SecurityMount are also unused. with s.iface.ConnectedPlugSnippet
jdstrand
reviewed
Aug 11, 2016
| + // connected plugs have a nil security snippet for seccomp | ||
| + snippet, err = s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecuritySecComp) | ||
| + c.Assert(err, IsNil) | ||
| + c.Assert(snippet, IsNil) |
jdstrand
Aug 11, 2016
Contributor
You can drop the seccomp one here based on my comment to add it to TestUnusedSecuritySystems
|
Once you make the testsuite and documentation fixes, LGTM. |
|
Thanks for making these changes (and the system-trace doc change). LGTM so long as the tests pass and/or a member of the snappy core team says the test failure is ok. +1 |
|
LGTM. |
mvo5
reviewed
Aug 12, 2016
| @@ -357,11 +357,16 @@ Can use kernel tracing facilities. This is restricted because it gives | ||
| privileged access to all processes on the system and should only be used with | ||
| trusted apps. | ||
| -Usage: reserved |
mvo5
Aug 12, 2016
Collaborator
Oh, nevermind. I see that Usage: reserved is removed everywhere. So +1 for this change.
jessesung
Aug 12, 2016
Contributor
System-trace happens to be in old format too. Fix it in the same commit with tpm.
mvo5
reviewed
Aug 12, 2016
| +# Description: for those who need to talk to the system TPM chip over /dev/tpm0 | ||
| +# Usage: reserved | ||
| + | ||
| +/dev/tpm0 rw, |
mvo5
Aug 12, 2016
Collaborator
Silly(?) question - can there ever be more than a single tpm? i.e. /dev/tpm{0,1,2} or something?
jessesung
Aug 12, 2016
Contributor
I'm not sure... But since devices we have right now have only tpm0, I'd suggest we start from here.
|
|
mvo5
merged commit d09b97f
into
snapcore:master
Aug 12, 2016
1 check passed
|
Can one of the admins verify this patch? |
jessesung commentedJul 7, 2016
Add an interface for tpm 1.2
Not sure if tpm 2.0 would share the same interface, so right now just name it as tpm12.
Signed-off-by: Wen-chien Jesse Sung jesse.sung@canonical.com