From: Wyllys I. <wyl...@su...> - 2008-12-09 14:20:50
Changes: * Some TPMs (ATML) fail to release auth sessions when certain GetCapability functions fail and will quickly run out of sessions effectively DOS-ing the chip. This fix resets the TPM after such a failure so the auth sessions are cleared. *** src/tcs/tcsi_caps_tpm.c.old Fri Dec 5 07:52:01 2008 --- src/tcs/tcsi_caps_tpm.c Fri Dec 5 07:53:26 2008 *************** *** 61,66 **** --- 61,83 ---- return result; } + #ifdef __sun__ + static TSS_RESULT + reset_tpm() + { + char reset[] = { + 0, 193, /* TPM_TAG_RQU_COMMAND */ + 0, 0, 0, 10, /* length */ + 0, 0, 0, 90 /* TPM_ORD_Reset */ + }; + TSS_RESULT ret; + + ret = req_mgr_submit_req(reset); + + return (ret); + } + #endif /* __sun__ */ + TSS_RESULT TCSP_GetCapabilityOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */ TPM_AUTH * pOwnerAuth, /* in / out */ *************** *** 91,97 **** --- 108,122 ---- if (!result) { result = tpm_rsp_parse(TPM_ORD_GetCapabilityOwner, txBlob, paramSize, pVersion, pNonVolatileFlags, pVolatileFlags, pOwnerAuth); + #ifndef __sun__ } + #else + } else if (result == 0x0a) { + /* ATML TPMs do not release the auth sessions when this command fails */ + /* so we force a reset to avoid running out of sessions. */ + (void) reset_tpm(); + } + #endif /* __sun__ */ LogResult("GetCapowner", result); done: |
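Review bot: In reset_tpm(), the request is declared as "char reset[]" but holds the byte 193, which does not fit a signed char; declare it as an unsigned byte array so the tag is 0x00C1 on every compiler. The 10-byte stack buffer is passed to req_mgr_submit_req() without a length, so please confirm that call never writes a response longer than the request back into it. The definition should read reset_tpm(void), and the "#ifdef __sun__" guard does not match the commit message, which describes a TPM vendor problem rather than a platform one.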
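Review bot: The new else-if branch in TCSP_GetCapabilityOwner_Internal tests "result == 0x0a" as a bare literal and runs for any TPM on a __sun__ build, not only the ATML parts named in the comment; use the named error constant and gate on the vendor, otherwise the reset also fires on chips that do not leak sessions. The reset is global to the chip while the failure belongs to one hContext, and "(void) reset_tpm();" discards the outcome, so a failed reset leaves the sessions in place with nothing logged. Splitting the closing brace of "if (!result) {" across #ifndef/#else is fragile; keeping the brace outside the conditional and wrapping only the else-if body would keep both configurations balanced.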
From: Hal F. <hal...@gm...> - 2008-12-09 19:01:51
This is another example of what I was talking about with the patches. It is not Solaris related at all, is it? And isn't it possible that resetting the TPM like this would break other persistent state that the TCS daemon may be relying on, like loaded keys? Hal On Tue, Dec 9, 2008 at 6:20 AM, Wyllys Ingersoll <wyl...@su...> wrote: > Changes: > * Some TPMs (ATML) fail to release auth sessions when certain > GetCapability functions fail > and will quickly run out of sessions effectively DOS-ing the chip. > This fix > resets the TPM after such a failure so the auth sessions are cleared. > > *** src/tcs/tcsi_caps_tpm.c.old Fri Dec 5 07:52:01 2008 > --- src/tcs/tcsi_caps_tpm.c Fri Dec 5 07:53:26 2008 > *************** > *** 61,66 **** > --- 61,83 ---- > return result; > } > > + #ifdef __sun__ > + static TSS_RESULT > + reset_tpm() > + { > + char reset[] = { > + 0, 193, /* TPM_TAG_RQU_COMMAND */ > + 0, 0, 0, 10, /* length */ > + 0, 0, 0, 90 /* TPM_ORD_Reset */ > + }; > + TSS_RESULT ret; > + > + ret = req_mgr_submit_req(reset); > + > + return (ret); > + } > + #endif /* __sun__ */ > + > TSS_RESULT > TCSP_GetCapabilityOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */ > TPM_AUTH * pOwnerAuth, /* in / > out */ > *************** > *** 91,97 **** > --- 108,122 ---- > if (!result) { > result = tpm_rsp_parse(TPM_ORD_GetCapabilityOwner, > txBlob, paramSize, pVersion, > pNonVolatileFlags, > pVolatileFlags, pOwnerAuth); > + #ifndef __sun__ > } > + #else > + } else if (result == 0x0a) { > + /* ATML TPMs do not release the auth sessions when this > command fails */ > + /* so we force a reset to avoid running out of sessions. */ > + (void) reset_tpm(); > + } > + #endif /* __sun__ */ > > LogResult("GetCapowner", result); > done: |
From: Wyllys I. <wyl...@su...> - 2008-12-09 19:10:25
Hal Finney wrote:
> This is another example of what I was talking about with the patches.
> It is not Solaris related at all, is it?
>
> And isn't it possible that resetting the TPM like this would break
> other persistent state that the TCS daemon may be relying on, like
> loaded keys?
>
> Hal
>

Correct, it is not Solaris-specific, if it is not useful to anyone else, then feel free to reject it. I submitted it for consideration, if it is useful to others, remove the "ifdefs".

I have not found it to be a problem in my testing, but I haven't tested every scenario. I have found that having a buggy TPM run out of auth session space to be very annoying and this seemed to be a reasonable workaround.

-Wyllys

> On Tue, Dec 9, 2008 at 6:20 AM, Wyllys Ingersoll
> <wyl...@su...> wrote:
>
>> Changes:
>> * Some TPMs (ATML) fail to release auth sessions when certain
>> GetCapability functions fail
>> and will quickly run out of sessions effectively DOS-ing the chip.
>> This fix
>> resets the TPM after such a failure so the auth sessions are cleared.
>> >> *** src/tcs/tcsi_caps_tpm.c.old Fri Dec 5 07:52:01 2008 >> --- src/tcs/tcsi_caps_tpm.c Fri Dec 5 07:53:26 2008 >> *************** >> *** 61,66 **** >> --- 61,83 ---- >> return result; >> } >> >> + #ifdef __sun__ >> + static TSS_RESULT >> + reset_tpm() >> + { >> + char reset[] = { >> + 0, 193, /* TPM_TAG_RQU_COMMAND */ >> + 0, 0, 0, 10, /* length */ >> + 0, 0, 0, 90 /* TPM_ORD_Reset */ >> + }; >> + TSS_RESULT ret; >> + >> + ret = req_mgr_submit_req(reset); >> + >> + return (ret); >> + } >> + #endif /* __sun__ */ >> + >> TSS_RESULT >> TCSP_GetCapabilityOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */ >> TPM_AUTH * pOwnerAuth, /* in / >> out */ >> *************** >> *** 91,97 **** >> --- 108,122 ---- >> if (!result) { >> result = tpm_rsp_parse(TPM_ORD_GetCapabilityOwner, >> txBlob, paramSize, pVersion, >> pNonVolatileFlags, >> pVolatileFlags, pOwnerAuth); >> + #ifndef __sun__ >> } >> + #else >> + } else if (result == 0x0a) { >> + /* ATML TPMs do not release the auth sessions when this >> command fails */ >> + /* so we force a reset to avoid running out of sessions. */ >> + (void) reset_tpm(); >> + } >> + #endif /* __sun__ */ >> >> LogResult("GetCapowner", result); >> done: >> |
From: Marcel S. <m.s...@si...> - 2008-12-09 19:36:25
Hi Wyllys,

the TPM_Reset command is deprecated in the 1.2 specification and on some TPMs it is not even implemented any more. So I would highly dissuade from including this patch into TrouSerS.

As a workaround for the Atmel TPM (are you referring to Atmel 1.1b or Atmel 1.2?), instead of resetting the TPM, you can still terminate handles via TPM_Terminate_Handle, but this command is also deprecated in the 1.2 spec and has been replaced by TPM_FlushSpecific (which of course will not work on a 1.1b TPM).

Is it possible, that you have built your TrouSerS against spec 1.2 but are using a 1.1b TPM? This would explain, why sessions are not terminated and therefore bring your TPM out of resources.

Best regards,
Marcel

Hal Finney wrote:
> This is another example of what I was talking about with the patches.
> It is not Solaris related at all, is it?
>
> And isn't it possible that resetting the TPM like this would break
> other persistent state that the TCS daemon may be relying on, like
> loaded keys?
>
> Hal
>
> On Tue, Dec 9, 2008 at 6:20 AM, Wyllys Ingersoll
> <wyl...@su...> wrote:
>> Changes:
>> * Some TPMs (ATML) fail to release auth sessions when certain
>> GetCapability functions fail
>> and will quickly run out of sessions effectively DOS-ing the chip.
>> This fix
>> resets the TPM after such a failure so the auth sessions are cleared.
>> >> *** src/tcs/tcsi_caps_tpm.c.old Fri Dec 5 07:52:01 2008 >> --- src/tcs/tcsi_caps_tpm.c Fri Dec 5 07:53:26 2008 >> *************** >> *** 61,66 **** >> --- 61,83 ---- >> return result; >> } >> >> + #ifdef __sun__ >> + static TSS_RESULT >> + reset_tpm() >> + { >> + char reset[] = { >> + 0, 193, /* TPM_TAG_RQU_COMMAND */ >> + 0, 0, 0, 10, /* length */ >> + 0, 0, 0, 90 /* TPM_ORD_Reset */ >> + }; >> + TSS_RESULT ret; >> + >> + ret = req_mgr_submit_req(reset); >> + >> + return (ret); >> + } >> + #endif /* __sun__ */ >> + >> TSS_RESULT >> TCSP_GetCapabilityOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */ >> TPM_AUTH * pOwnerAuth, /* in / >> out */ >> *************** >> *** 91,97 **** >> --- 108,122 ---- >> if (!result) { >> result = tpm_rsp_parse(TPM_ORD_GetCapabilityOwner, >> txBlob, paramSize, pVersion, >> pNonVolatileFlags, >> pVolatileFlags, pOwnerAuth); >> + #ifndef __sun__ >> } >> + #else >> + } else if (result == 0x0a) { >> + /* ATML TPMs do not release the auth sessions when this >> command fails */ >> + /* so we force a reset to avoid running out of sessions. */ >> + (void) reset_tpm(); >> + } >> + #endif /* __sun__ */ >> >> LogResult("GetCapowner", result); >> done: -- Sirrix AG security technologies - http://www.sirrix.com Marcel Selhorst eMail: m.s...@si... Tel +49(234) 61 0071-199 Fax +49(234) 61 0071-599 get my public key from keyserver, key id: 0x7C9821CC Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC Vorstand: Ammar Alkassar (Vors.), Ahmad-Reza Sadeghi, Christian Stüble Vorsitzender des Aufsichtsrates: Prof. Dr. Kai Rannenberg Sitz der Gesellschaft: Homburg/Saar, HRB 3857 Amtsgericht Saarbrücken This message may contain confidential and/or privileged information. If you are not the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. |
From: Wyllys I. <wyl...@su...> - 2008-12-09 19:42:43
Marcel Selhorst wrote:
> Hi Wyllys,
>
> the TPM_Reset command is deprecated in the 1.2 specification and on some TPMs it
> is not even implemented any more. So I would highly dissuade from including this
> patch into TrouSerS.
>

It's fine with me if that patch is rejected, I knew it was a hack anyway. I can try to rework it using TPM_FlushSpecific.

> As a workaround for the Atmel TPM (are you referring to Atmel 1.1b or Atmel
> 1.2?), instead of resetting the TPM, you can still terminate handles via
> TPM_Terminate_Handle, but this command is also deprecated in the 1.2 spec and
> has been replaced by TPM_FlushSpecific (which of course will not work on a 1.1b
> TPM).
>
> Is it possible, that you have built your TrouSerS against spec 1.2 but are using
> a 1.1b TPM? This would explain, why sessions are not terminated and therefore
> bring your TPM out of resources.
>

I don't think so.

TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, errataRev: 1)

-Wyllys
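The TPM_FlushSpecific request discussed above, marshalled at the wire level with unsigned bytes and explicit length checks, as an added example that is not code from the thread or from TrouSerS. The function names and the handle value are hypothetical; the constants are the TPM 1.2 request and response tags, the FlushSpecific ordinal and the auth-session resource type.

```c
#include <stdint.h>
#include <stddef.h>

/* TPM 1.2 constants (TCG main specification, structures and commands). */
#define TPM_TAG_RQU_COMMAND   0x00C1u
#define TPM_TAG_RSP_COMMAND   0x00C4u
#define TPM_ORD_FlushSpecific 0x000000BAu
#define TPM_RT_AUTH           0x00000002u
#define FLUSH_REQ_LEN         18u  /* 2 tag + 4 size + 4 ordinal + 4 handle + 4 type */

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Marshal TPM_FlushSpecific for one auth session handle (hypothetical helper).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_flush_auth(uint8_t *buf, size_t cap, uint32_t auth_handle)
{
    if (buf == NULL || cap < FLUSH_REQ_LEN) return 0;
    put_be16(buf, TPM_TAG_RQU_COMMAND);
    put_be32(buf + 2, FLUSH_REQ_LEN);
    put_be32(buf + 6, TPM_ORD_FlushSpecific);
    put_be32(buf + 10, auth_handle);      /* only this session is released */
    put_be32(buf + 14, TPM_RT_AUTH);
    return FLUSH_REQ_LEN;
}

/* Validate a response header (tag, paramSize, returnCode); hypothetical helper.
 * Returns 0 and stores the TPM return code in *rc, or -1 if malformed. */
int parse_rsp_header(const uint8_t *rsp, size_t len, uint32_t *rc)
{
    if (rsp == NULL || rc == NULL || len < 10) return -1;
    if ((((uint16_t)rsp[0] << 8) | rsp[1]) != TPM_TAG_RSP_COMMAND) return -1;
    if (get_be32(rsp + 2) != len) return -1;  /* paramSize must match bytes received */
    *rc = get_be32(rsp + 6);
    return 0;
}

int main(void)
{
    uint8_t req[FLUSH_REQ_LEN];
    /* 0x01020304 is a constructed handle value, not one from the thread. */
    return build_flush_auth(req, sizeof req, 0x01020304u) == FLUSH_REQ_LEN ? 0 : 1;
}
```

Unlike the 10-byte reset request in the first patch, this request names a single handle, so other sessions and loaded keys are left alone.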
From: Wyllys I. <wyl...@su...> - 2008-12-09 21:54:55
Here is a the tcsi_caps_tpm.c patch, this time using FlushSpecific. *** src/tcs/tcsi_caps_tpm.c.old Mon Jul 30 12:56:33 2007 --- src/tcs/tcsi_caps_tpm.c Tue Dec 9 13:46:04 2008 *************** *** 91,98 **** --- 91,108 ---- if (!result) { result = tpm_rsp_parse(TPM_ORD_GetCapabilityOwner, txBlob, paramSize, pVersion, pNonVolatileFlags, pVolatileFlags, pOwnerAuth); + #ifndef __sun__ } + #else + } else if (result == 0x0a) { + /* ATML TPMs do not release the auth sessions when this command fails */ + /* so we force a reset to avoid running out of sessions. */ + (void) TCSP_FlushSpecific_Internal(hContext, pOwnerAuth->AuthHandle, + TPM_RT_AUTH); + } + #endif /* __sun__ */ + LogResult("GetCapowner", result); done: auth_mgr_release_auth(pOwnerAuth, NULL, hContext); |
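Review bot: After the new TCSP_FlushSpecific_Internal(hContext, pOwnerAuth->AuthHandle, TPM_RT_AUTH) call, control still reaches auth_mgr_release_auth(pOwnerAuth, NULL, hContext) at done:, so the same auth handle is handed to the auth manager after the TPM has already flushed it; please confirm that path tolerates a stale handle, or mark the handle as released after the flush. The comment above the call still says "we force a reset", which no longer matches the code. The bare 0x0a and the __sun__ guard carry over from the first version, and the (void) cast hides a failed flush; logging the return value would make a continuing session leak visible.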