Use password based sessions if no other session types specified#3587
Use password based sessions if no other session types specified#3587matthewruffell wants to merge 1 commit into
Conversation
For authentication with ESYS_TR_PASSWORD used by the --pwd-session (-z) parameter, ensure we turn this off when used in conjuntion with other authentication types, like session:, file: or pcr: as using them all together creates conflicts. This lets combinations like the following work: Before: $ sudo tpm2_nvread --pwd-session --auth=session:session.ctx 0x1500016 WARN: Reading full size of the NV index ERROR: Cannot specify password type "session:" After: $ sudo tpm2_nvread --pwd-session --auth=session:session.ctx 0x1500016 WARN: Reading full size of the NV index ERROR: Could not open path "session.ctx", due to error: "No such file or directory" This is especially useful when --pwd-session is enabled by default in FIPS based environments. Addresses: tpm2-software#3521 Signed-off-by: Satya Jhaveri <satya.jhaveri@canonical.com> Signed-off-by: Matthew Ruffell <matthew.ruffell@canonical.com>
| #define NULL_OBJECT_LEN (sizeof(NULL_OBJECT) - 1) | ||
|
|
||
| #define SESSION_PREFIX "session:" | ||
| #define SESSION_PREFIX_LEN sizeof(SESSION_PREFIX) - 1 |
There was a problem hiding this comment.
wrap it in braces! Otherwise something like SESSION_PREFIX_LEN * 2 would result in sizeof(SESSION_PREFIX) - 2.
The others too.
There was a problem hiding this comment.
I think this is the better idea, I just wanted to copy
tpm2-tools/lib/tpm2_auth_util.c
Lines 27 to 28 in 844a611
|
Currently, there is no way to enable --pwd-session globally for tpm2_tools (e.g., via an environment variable). Why not just omit the --pwd-session parameter? |
When FIPS 140-3 is enabled, tpm2-tools really isn't all that useful, since every single command looks a lot like this: Its why I was very thankful for your So I went and wrote a vendor patch for Ubuntu FIPS packages that when the system is in FIPS mode, turn on Since most users interact with tpm2-tools through scripts, like clevis etc, they don't want to go and update every single call to tpm2-tools to include --pwd-session. But at the same time, when we want to use You don't have to merge the patch, but I just wanted to open this MR incase any other distro is interested in these patches if they ever implement FIPS SP800-131A. Thanks for your time. |
|
Hey @matthewruffell However, the next release (for Q4 of 2026) is targeted to be a major version bump with breaking changes anyways, so we could merge it there. Sounds good ? |
This PR fixes the problem where you currently can't specify authentication with ESYS_TR_PASSWORD by the --pwd-session (-z) parameter, and session / file / pcr based auth at the same time.
This is especially useful when --pwd-session is enabled by default in FIPS based environments for all tpm2-tools commands, but we want to disable it when users specify --auth=session: etc.
This lets combinations like the following work:
Before:
$ sudo tpm2_nvread --pwd-session --auth=session:session.ctx 0x1500016
WARN: Reading full size of the NV index
ERROR: Cannot specify password type "session:"
After:
$ sudo tpm2_nvread --pwd-session --auth=session:session.ctx 0x1500016
WARN: Reading full size of the NV index
ERROR: Could not open path "session.ctx", due to error: "No such file or directory"
This fixes issue #3521.
I know the code duplicates SESSION_PREFIX, FILE_PREFIX, PCR_PREFIX from lib/tpm2_auth_util.c, but I wanted to get your feedback on the idea before we start moving these definitions into common header files.