[U-Boot] [PATCH 3/3] lib: tpm: Add command to list resources

[Mario Six]

On Wed, Mar 22, 2017 at 2:05 PM, Simon Glass <sjg at chromium.org> wrote:
> On 20 March 2017 at 03:28, Mario Six <mario.six at gdsys.cc> wrote:
>> It is sometimes convenient to know how many and/or which resources are
>> currently loaded into a TPG, e.g. to test is a flush operation succeeded.
>>
>> Hence, we add a command that lists the resources of a given type currently
>> loaded into the TPM.
>>
>> Signed-off-by: Mario Six <mario.six at gdsys.cc>
>> ---
>>  cmd/tpm.c           | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>  drivers/tpm/Kconfig |  7 +++++
>>  2 files changed, 82 insertions(+), 1 deletion(-)
>
> Reviewed-by: Simon Glass <sjg at chromium.org>
>
> Again I wonder if we need the CONFIG.
>

Thanks for the review!

As for the CONFIG option, well, there is the trivial symmetry reason that the
flush command is deactivatable, so this should be too (since they are,
essentially, complementary functions, one view, one deletion).

Also, the list function is really more of a debug tool than a function that
should be in a production environment.

And, the most important reason why I think the CONFIG is justified is this:
should a embedded device with a TPM that's using U-Boot as a boot loader be
subjected to a security evaluation (e.g. Common Criteria), an evaluator might
ask why a function like this, which, essentially has no real purpose aside from
providing debug information, is part of the TOE (especially if the TPM is used
as a fundamental security mechanism in the design). It enables an attacker that
gains access to the U-Boot console to, for example, read the handles of the
keys stored in the TPM, which is already one part of the data needed to access
them. Granted, it's not a huge advantage, but the best answer you can give an
evaluator is always "That's not possible" :-).

So, from a user perspective, I think it's desirable to have to option to
deactivate this function.

Best regards,

Mario