Comments (10)
On embedded platforms you may not have the C standard library fully implemented, or you may prefer to avoid `setjmp` or `longjmp` for other reasons like safety, nuances of the environment, etc.
from ms-tpm-20-ref.
It also seems the definition of `TPM_FAIL_RETURN` should be moved to TpmBuildSwitches.h so it is shared with Platform.h and, as a result, consistent.
Agree - NO_LONGJMP builds are currently broken in this version of the code. I suspect it is actually worse. An earlier (1.38) version of the code was not consistent about inspecting return values and correctly percolating failures up the stack, e.g. by pAssert. Presumably any failures turn up on the next ExecuteCommand that should detect the earlier call to TpmFail, but I know that (at least some variants of) 1.38 wasn't consistent about it. I don't know that 1.59+ is any better because I don't think the NO_LONGJMP configuration has been verified in a long time.
That's not to say it shouldn't work - I believe NO_LONGJMP should be supported.
Why use NO_LONGJMP? `setjmp` and `longjmp` are C standard library functions that require no OS support.
`NO_LONGJMP` is less safe. It means that execution will continue after the TPM is in an invalid state. The results of this are unpredictable and possibly insecure. Much better to `longjmp()` back to the command loop.
I think the TPM will benefit from avoiding functions returning `void` that can call `TpmFail()`, or that call `TpmFail()` instead of returning `TPM_RC_FAILURE`, and from doing error escalation properly, so there is no need to `longjmp()`. `longjmp()` causes hidden control flow, as you need to know what nested functions are doing while reviewing the higher level.
Change can start with:

```c
#ifndef NO_LONGJMP              /* failure longjmp()s back to the command loop */
# define FAIL_RETURN(returnCode)
# define TPM_FAIL_RETURN NORETURN void
# if !FAIL_TRACE
#  define FAIL(errorCode) (TpmFail(errorCode))
#  define LOG_FAILURE(errorCode) (TpmLogFailure(errorCode))
# else
#  define FAIL(errorCode) TpmFail(FUNCTION_NAME, __LINE__, errorCode)
#  define LOG_FAILURE(errorCode) TpmLogFailure(FUNCTION_NAME, __LINE__, errorCode)
# endif
#else /* NO_LONGJMP set: failure is returned as a TPM_RC to the caller */
# define FAIL_RETURN(returnCode) return (returnCode)
# define TPM_FAIL_RETURN TPM_RC
# if !FAIL_TRACE
#  define FAIL(errorCode) return TpmFail(errorCode)
#  define LOG_FAILURE(errorCode) return TpmLogFailure(errorCode)
# else
#  define FAIL(errorCode) return TpmFail(FUNCTION_NAME, __LINE__, errorCode)
#  define LOG_FAILURE(errorCode) return TpmLogFailure(FUNCTION_NAME, __LINE__, errorCode)
# endif
#endif
```
And adjusting prototypes and use of macros accordingly.
To be clear, in the use case I have, TPM2 is called from Rust code (the whole platform and crypto adaptation is written in Rust), so I can't just use `setjmp` and `longjmp` without extra wrappers.
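The two failure-propagation styles the thread contrasts, side by side, as an added example (not code from ms-tpm-20-ref): a `longjmp` build where `TpmFail()` never returns, and a `NO_LONGJMP` build where every level must check and propagate the return code. All names (`tpm_rc_t`, `execute_command_*`, `g_in_failure_mode`) are hypothetical, and the call chain is constructed.

```c
/* Constructed example: hypothetical names, not the reference implementation's. */
#include <setjmp.h>
#include <stdbool.h>

typedef unsigned int tpm_rc_t;
#define TPM_RC_SUCCESS 0x000u
#define TPM_RC_FAILURE 0x101u        /* RC_VER1 + 0x001, as in TPM 2.0 Part 2 */

static jmp_buf g_fail_jump;          /* set by the command loop (longjmp build) */
static bool g_in_failure_mode;       /* sticky: TPM stays in Failure Mode */

/* longjmp build: the failing callee never returns, so void helpers are safe. */
static void tpm_fail_longjmp(void) {
    g_in_failure_mode = true;
    longjmp(g_fail_jump, 1);
}
static void leaf_longjmp(int input) {
    if (input < 0) tpm_fail_longjmp();   /* no return code to propagate */
}
static void middle_longjmp(int input) { leaf_longjmp(input); /* nothing to check */ }

tpm_rc_t execute_command_longjmp(int input) {
    if (g_in_failure_mode) return TPM_RC_FAILURE;   /* refuse work after a failure */
    if (setjmp(g_fail_jump) != 0) return TPM_RC_FAILURE; /* landed from tpm_fail_longjmp */
    middle_longjmp(input);
    return TPM_RC_SUCCESS;
}

/* NO_LONGJMP build: TpmFail() returns, so every caller must check the code.
 * Dropping the check in middle_return() is exactly how a failure gets lost. */
static tpm_rc_t tpm_fail_return(void) {
    g_in_failure_mode = true;
    return TPM_RC_FAILURE;
}
static tpm_rc_t leaf_return(int input) {
    return input < 0 ? tpm_fail_return() : TPM_RC_SUCCESS;
}
static tpm_rc_t middle_return(int input) {
    tpm_rc_t rc = leaf_return(input);
    if (rc != TPM_RC_SUCCESS) return rc;   /* the propagation step that must not be skipped */
    return TPM_RC_SUCCESS;
}
tpm_rc_t execute_command_return(int input) {
    if (g_in_failure_mode) return TPM_RC_FAILURE;
    return middle_return(input);
}
void reset_failure_mode(void) { g_in_failure_mode = false; }   /* stands in for TPM reset */
```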
> To be clear, in the use case I have, TPM2 is called from Rust code (the whole platform and crypto adaptation is written in Rust), so I can't just use `setjmp` and `longjmp` without extra wrappers.
Have you considered writing the whole thing in Rust? The TPM2 codebase has had at least one vulnerability due to memory unsafety.
> Have you considered writing the whole thing in Rust? The TPM2 codebase has had at least one vulnerability due to memory unsafety.
Yes, considered, but it is heavy lifting for the whole functionality, which was hard to justify for a specific project - I'd rather prefer this to be done under the umbrella of TCG. It also requires a comprehensive set of tests covering a large set of corner cases, crypto, etc. The TPM2 specification is not a formal specification (it is not written in a formal language), and the reference code is a kind of formal specification to test against. Another aspect - not many Rust developers, and toolchain issues for embedded platforms.
Personally, I would prefer to see an implementation proven correct in Coq, Isabelle, or another formal verification tool.
Probably ChatGPT can be trained to serve as a translator from English to some formal verification tool to prove consistency, completeness and correctness 😇 But still, it is a request to TCG. So far this reference code, as part of the TPM spec, is the most formal specification of how a TPM shall work, even though there are known and unknown issues.