oss-sec mailing list archives

Re: Multiple Security Issues in the TrouSerS tpm1.2 tscd Daemon


From: Jonas Witschel <diabonas () archlinux org>
Date: Thu, 6 Aug 2020 13:06:23 +0200

On 2020-08-05 14:51, Jerry Snitselaar wrote:
Mitigation and Bugfixes
=======================

It seems best to me to run the tcsd as the tss:tss user and group right away
and to not rely on the privilege drop logic implemented in the daemon itself.
All of a), b) and c) should no longer be problematic in this case. I found
that on Debian and Gentoo Linux this is already the case. To make this work a
udev rule needs to be packaged that passes ownership of /dev/tpm0 device to
the tss user. To prevent regressions when switching from the privilege drop
approach to this new approach, a possibly already existing
/var/lib/tpm/system.auth file needs to be safely chown()'ed to the tss user
during package updates.


On Fedora and RHEL there currently is a udev rule (from upstream) that
ships with the tpm2-tss package that is setting ownership of /dev/tpm0
to tss:root. I don't recall what the reasoning was for the group being
root. For /dev/tpmrm0 it sets it to tss:tss, so not sure what the reason
was for /dev/tpm0. I believe that package is part of a default install,
so that will need to be worked out. I don't know if you run into that
with SUSE as well.

The idea behind not giving the tss group access to /dev/tpm0 as well is to
prevent users from gaining direct access to the TPM and being able to DoS it.
Users privileged to access the TPM should be added to the tss group so that
they can access the TPM through an access broker/resource manager (like
tpm2-abrmd, the in-kernel resource manager /dev/tpmrm0, or tcsd in case of
TPM 1.2), but not have "bare metal" access, which is limited to the tss user
and root. See [1] for reference.

Cheers,
Jonas

[1] https://github.com/tpm2-software/tpm2-tss/pull/963#issuecomment-381142241
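
The ownership split discussed in this thread (bare /dev/tpm0 owned by tss but not group-accessible to tss, /dev/tpmrm0 as tss:tss), as an added example that is not part of the original messages or of any distribution's packaging: a udev rule expressing that policy and a POSIX sh audit of device-node ownership. The rule file name, the --demo/--rules switches and the sample stat lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any distro package): udev rule for the
# tss ownership split discussed above plus a POSIX sh audit of TPM device nodes.

# Rule file content matching that policy (path/file name are assumptions).
TPM_UDEV_RULES='# /etc/udev/rules.d/60-tpm-access.rules (hypothetical name)
KERNEL=="tpm[0-9]*",   MODE="0660", OWNER="tss", GROUP="root"
KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"'

# check_tpm_dev NAME OWNER GROUP MODE (MODE as stat -c %a prints it, e.g. 660)
# Prints "ok" or "bad: <reason>"; returns 0 on ok, 1 otherwise.
check_tpm_dev() {
    name=$1 owner=$2 group=$3 mode=$4
    other=${mode#??}             # last octal digit: world bits
    grp=${mode%?}; grp=${grp#?}  # middle octal digit: group bits
    [ "$owner" = tss ] || { echo "bad: $name owned by $owner, expected tss"; return 1; }
    [ "$other" = 0 ]   || { echo "bad: $name is world-accessible ($mode)"; return 1; }
    case $name in
        tpmrm*)  # resource manager: the tss group must be able to use it
            [ "$group" = tss ] && [ "$grp" = 6 ] ||
                { echo "bad: $name must be tss:tss 0660, got $owner:$group $mode"; return 1; } ;;
        tpm*)    # bare device: only the tss user (and root) may open it
            if [ "$group" = tss ] && [ "$grp" != 0 ]; then
                echo "bad: $name gives the whole tss group bare-metal access ($owner:$group $mode)"
                return 1
            fi ;;
        *) echo "bad: $name is not a TPM node"; return 1 ;;
    esac
    echo ok
}

# audit_lines: read "NAME OWNER GROUP MODE" lines on stdin, report each node and
# return 1 if any violates the policy. On a live host (GNU stat) feed it with:
#   stat -c '%n %U %G %a' /dev/tpm* | sed 's|^/dev/||' | audit_lines
audit_lines() {
    rc=0
    while read -r n o g m; do
        [ -n "$n" ] || continue
        res=$(check_tpm_dev "$n" "$o" "$g" "$m") || rc=1
        printf '%-8s %s\n' "$n" "$res"
    done
    return $rc
}
# Constructed sample: a compliant pair plus a regression where tpm1 was handed
# to the tss group, the outcome the udev rule is meant to prevent for tpm0.
SAMPLE='tpm0 tss root 660
tpmrm0 tss tss 660
tpm1 tss tss 660'
case ${1-} in
    --demo)  printf '%s\n' "$SAMPLE" | audit_lines ;;   # exits 1: tpm1 flagged
    --rules) printf '%s\n' "$TPM_UDEV_RULES" ;;
esac
```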
