tpm_manager: can't use auth session for nvram access after suspend |
||||||||
Issue descriptiontpm_manager starts a global trunks_session_ when it starts and later uses it to access nvram spaces when owner password is required (e.g. to delete a space). TPM Resume flushes sessions, so after suspend that session handle becomes invalid. Example: [set_firmware_management_parameters deletes FWMP space then creates it again. At first it succeeds.] # cryptohome --action=set_firmware_management_parameters --flags=8 SetFirmwareManagementParameters success. [After suspend it fails.] # powerd_dbus_suspend --wakeup_timeout=10 # cryptohome --action=set_firmware_management_parameters --flags=8 error: CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE SetFirmwareManagementParameters error: 27 # cryptohome --action=remove_firmware_management_parameters error: CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE RemoveFirmwareManagementParameters error: 28 [And starts working again after restarting tpm_managerd.] # restart tpm_managerd # cryptohome --action=set_firmware_management_parameters --flags=8 SetFirmwareManagementParameters success.
,
Feb 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/tpm/+/3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b commit 3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b Author: Andrey Pronin <apronin@chromium.org> Date: Fri Feb 10 04:48:46 2017 trunks: implement scoped global sessions While trunksd doesn't support virtualized session handles, there is always a chance that a global session created during a daemon initialization is flushed later after suspend-resume. Implement a ScopedGlobalHmacSession helper to simplify supporting per-operation sessions when a global session is defined. BUG= chromium:689582 BUG=chromium:473843 TEST=Unit tests Change-Id: Ibc96eef9e4e0edcab0e75b2405138417610637ea Reviewed-on: https://chromium-review.googlesource.com/438781 Commit-Ready: Andrey Pronin <apronin@chromium.org> Tested-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Ben Chan <benchan@chromium.org> [modify] https://crrev.com/3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b/trunks/trunks.gyp [add] https://crrev.com/3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b/trunks/scoped_global_session_test.cc [add] https://crrev.com/3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b/trunks/scoped_global_session.h
,
Feb 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/tpm/+/46d549455b7268e53abc2b35c0c5c23499a4758d commit 46d549455b7268e53abc2b35c0c5c23499a4758d Author: Andrey Pronin <apronin@chromium.org> Date: Fri Feb 10 04:48:46 2017 tpm_manager: use per-operation sessions Use per-operation sessions in tpm_manager for nvram access authorizxation. Before this change, tpm_manager started a global trunks_session_ when it launched, and later used that session to access nvram spaces when owner password was required (e.g. to delete a space). TPM Resume flushes sessions, so after suspend that global session handle became invalid. BUG= chromium:689582 BUG=chrome-os-partner:58786 TEST=On first login, initiate suspend: powerd_dbus_suspend --wakeup_timeout=10 Then attempt setting FWMP flags: cryptohome --action=set_firmware_management_parameters --flags=8 That operation should succeed. Change-Id: I8903841e5f8e211ab59b43c1dc21d89e55b12ca1 Reviewed-on: https://chromium-review.googlesource.com/438782 Commit-Ready: Andrey Pronin <apronin@chromium.org> Tested-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Ben Chan <benchan@chromium.org> [modify] https://crrev.com/46d549455b7268e53abc2b35c0c5c23499a4758d/tpm_manager/server/tpm2_nvram_impl.cc
,
Feb 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/tpm/+/11166683fa09e9226ab492a0ed4e11f573a88587 commit 11166683fa09e9226ab492a0ed4e11f573a88587 Author: Andrey Pronin <apronin@chromium.org> Date: Sat Feb 11 01:54:02 2017 trunks: implement scoped global sessions While trunksd doesn't support virtualized session handles, there is always a chance that a global session created during a daemon initialization is flushed later after suspend-resume. Implement a ScopedGlobalHmacSession helper to simplify supporting per-operation sessions when a global session is defined. BUG= chromium:689582 BUG=chromium:473843 TEST=Unit tests Change-Id: Ibc96eef9e4e0edcab0e75b2405138417610637ea Reviewed-on: https://chromium-review.googlesource.com/438781 Commit-Ready: Andrey Pronin <apronin@chromium.org> Tested-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Ben Chan <benchan@chromium.org> (cherry picked from commit 3b2f151e823ea7dbf2e1ddb78c27b91a9b1ab58b) [modify] https://crrev.com/11166683fa09e9226ab492a0ed4e11f573a88587/trunks/trunks.gyp [add] https://crrev.com/11166683fa09e9226ab492a0ed4e11f573a88587/trunks/scoped_global_session_test.cc [add] https://crrev.com/11166683fa09e9226ab492a0ed4e11f573a88587/trunks/scoped_global_session.h
,
Feb 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/tpm/+/8500850ce1b2cd27627f158637d88db7982f6313 commit 8500850ce1b2cd27627f158637d88db7982f6313 Author: Andrey Pronin <apronin@chromium.org> Date: Sat Feb 11 01:54:05 2017 tpm_manager: use per-operation sessions Use per-operation sessions in tpm_manager for nvram access authorizxation. Before this change, tpm_manager started a global trunks_session_ when it launched, and later used that session to access nvram spaces when owner password was required (e.g. to delete a space). TPM Resume flushes sessions, so after suspend that global session handle became invalid. BUG= chromium:689582 BUG=chrome-os-partner:58786 TEST=On first login, initiate suspend: powerd_dbus_suspend --wakeup_timeout=10 Then attempt setting FWMP flags: cryptohome --action=set_firmware_management_parameters --flags=8 That operation should succeed. Change-Id: I8903841e5f8e211ab59b43c1dc21d89e55b12ca1 Reviewed-on: https://chromium-review.googlesource.com/438782 Commit-Ready: Andrey Pronin <apronin@chromium.org> Tested-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Ben Chan <benchan@chromium.org> (cherry picked from commit 46d549455b7268e53abc2b35c0c5c23499a4758d) [modify] https://crrev.com/8500850ce1b2cd27627f158637d88db7982f6313/tpm_manager/server/tpm2_nvram_impl.cc
,
Feb 13 2017
,
Apr 17 2017
,
May 30 2017
,
Aug 1 2017
,
Oct 14 2017
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by apronin@chromium.org
, Feb 7 2017