williamcroberts closed 2 years ago
Merging #805 (2647cc3) into master (71bfb94) will not change coverage. The diff coverage is n/a.
```
@@           Coverage Diff           @@
##           master     #805   +/-   ##
=======================================
  Coverage   79.63%   79.63%
=======================================
  Files          32       32
  Lines        3722     3722
=======================================
  Hits         2964     2964
  Misses        758      758
```
I just re-ran the one failing CI task with no luck. This appears to be a test against FreeBSD, which is a bit outside of my wheelhouse. Since this is a change that resolves a configuration where we've ended up on the wrong side of the principle of least surprise, I'm going to merge this as is. A fix to the failing action, which appears on the surface at least to be unrelated, can follow.
The in-kernel resource manager (RM) has permissions of: tss(user) tss(group) 0660(mode)
Currently the tpm2-abrmd systemd conf allows anyone to connect to the dbus service and use the TPM. While this in and of itself is allowed per the spec, and who can access the TPM should not be used in your threat modeling (assume access), it would be nice to match the in-kernel RM and prevent any surprises.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
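
An added example, not part of the PR or the project's own code: a simplified check of whether a D-Bus bus policy lets only the tss user and group send to a service, mirroring the in-kernel RM's tss/tss 0660 permissions. It assumes the access rule is expressed as a D-Bus policy XML file; the bus name `com.example.ResourceManager` and both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BUS = "com.example.ResourceManager"  # placeholder bus name, not the project's

# Constructed sample: any local user may send to the service.
OPEN_POLICY = f"""<busconfig>
  <policy user="tss">
    <allow own="{BUS}"/>
  </policy>
  <policy context="default">
    <allow send_destination="{BUS}"/>
  </policy>
</busconfig>"""

# Constructed sample: only the tss user and tss group may send.
RESTRICTED_POLICY = f"""<busconfig>
  <policy user="tss">
    <allow own="{BUS}"/>
    <allow send_destination="{BUS}"/>
  </policy>
  <policy group="tss">
    <allow send_destination="{BUS}"/>
  </policy>
</busconfig>"""


def senders_allowed(policy_xml, bus_name):
    """Return principals with an <allow send_destination=bus_name> rule.

    Entries are 'user:NAME', 'group:NAME', or 'anyone' for a policy block
    with context="default" or context="mandatory".
    Simplified: <deny> rules and rule ordering are not evaluated.
    """
    allowed = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if not any(a.get("send_destination") == bus_name
                   for a in policy.findall("allow")):
            continue
        if policy.get("context") in ("default", "mandatory"):
            allowed.add("anyone")
        for kind in ("user", "group"):
            if policy.get(kind):
                allowed.add(f"{kind}:{policy.get(kind)}")
    return allowed


def matches_kernel_rm(policy_xml, bus_name):
    """True when senders are limited to the tss user and/or tss group."""
    allowed = senders_allowed(policy_xml, bus_name)
    return bool(allowed) and allowed <= {"user:tss", "group:tss"}
```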