Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tpm2-util: force default TCTI to be "device" with parameter "/dev/tpm… #25393

Merged
merged 2 commits into from Nov 16, 2022
Merged

tpm2-util: force default TCTI to be "device" with parameter "/dev/tpm… #25393

merged 2 commits into from Nov 16, 2022

Conversation

poettering
Copy link
Member

…rm0"

Apparently some distros default to tss-abmrd. Let's bypass that and always go to the kernel resource manager.

abmrd cannot really work for us, since we want to access the TPM already in earliest boot i.e. in environments the abmrd service is not available in.

Fixes: #25352

@poettering poettering mentioned this pull request Nov 15, 2022
Closed
yuwata
yuwata approved these changes Nov 15, 2022
View reviewed changes
src/shared/tpm2-util.c Outdated Show resolved Hide resolved
src/shared/tpm2-util.c Show resolved Hide resolved
@poettering
tpm2-util: force default TCTI to be "device" with parameter "/dev/tpm…
3490668 
…rm0"

Apparently some distros default to tss-abmrd. Let's bypass that and
always go to the kernel resource manager.

abmrd cannot really work for us, since we want to access the TPM already
in earliest boot i.e. in environments the abmrd service is not available
in.

Fixes: systemd#25352
@poettering
tpm2: add some extra validation of device string before using it
50a0851 
Let's add some extra validation before constructing and using the .so
name to load. This isn't really security sensitive, given that we
used secure_getenv() to get the device string (and it thus should have
been come from a trusted source) but let's better be safe than sorry.
@poettering
Copy link
Member Author

I reworked the patch set a bit, adding a way for people to explicitly request the default device picking logic of tpm2-tss if they want by setting the device env var to an empty string.

@poettering
Copy link
Member Author

dropping green label since reworked quite a bit, and I added a second commit

@bluca bluca added the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label Nov 15, 2022
@poettering poettering merged commit 155519f into systemd:main Nov 16, 2022
@keszybz keszybz removed good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed needs-stable-backport labels Nov 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bluca bluca bluca approved these changes

@yuwata yuwata yuwata approved these changes

Assignees
No one assigned
Labels
tpm2
Milestone
No milestone
4 participants
@poettering @bluca @yuwata @keszybz