Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSON files after creation #2881

Open
JordanLBogdanov opened this issue Aug 1, 2024 · 1 comment
Open

JSON files after creation #2881

JordanLBogdanov opened this issue Aug 1, 2024 · 1 comment

Comments

@JordanLBogdanov
Copy link

Hello team.

I need to create a read only system, and I was wondering: аre the JSON files read-only after creation, or do they change at some point after that?

I am talking about the ones in: /usr/local/var/lib/tpm2-tss/system/keystore/*

P.S.
The only thing we do with the TPM chip, for now, is to create some indexes in the NVRAM before making the OS read-only.
After that we only read and write information to the TPM's NVRAM.

Thanks.
@JuergenReppSIT
Copy link
Member

Currently the JSON file of a NV object in the keystore is updated after every write operation. This is actually unnecessary after the first write operation. The content of the file will only be changed after the first write because the NV_WRITTEN bit is set. I could create a PR where the keystore is updated only after the first write? So you could call a dummy write after the object creation before making the OS read-only.
If the auth value of the NV index is changed also a write to the keystore is currently executed.

JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue Aug 2, 2024
@JuergenReppSIT
FAPI: Fix unnecessary writes to keystore.
a9cef76 
* A duplicate write operation to the keystore was executed by
  Fapi_NvWrite.
* A write operation to the keystore was only needed after the
  first call of Fapi_NvWrite because the NV_WRITTEN bit was set.
* A write operation to the keystore by Fapi_ChangeAuth was only needed
  if the value of the attribute with_auth was changed.

Addresses: tpm2-software#2881

Signed-off-by: Juergen Repp <juergen_repp@web.de>
@JuergenReppSIT JuergenReppSIT mentioned this issue Aug 2, 2024
Merged
AndreasFuchsTPM pushed a commit that referenced this issue Aug 13, 2024
@JuergenReppSIT @AndreasFuchsTPM
FAPI: Fix unnecessary writes to keystore.
6c6812b 
* A duplicate write operation to the keystore was executed by
  Fapi_NvWrite.
* A write operation to the keystore was only needed after the
  first call of Fapi_NvWrite because the NV_WRITTEN bit was set.
* A write operation to the keystore by Fapi_ChangeAuth was only needed
  if the value of the attribute with_auth was changed.

Addresses: #2881

Signed-off-by: Juergen Repp <juergen_repp@web.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JuergenReppSIT @JordanLBogdanov