On 24 March 2017 at 03:54, Mario Six <mario....@gdsys.cc> wrote: > On Wed, Mar 22, 2017 at 2:05 PM, Simon Glass <s...@chromium.org> wrote: >> On 20 March 2017 at 03:28, Mario Six <mario....@gdsys.cc> wrote: >>> It is sometimes convenient to know how many and/or which resources are >>> currently loaded into a TPG, e.g. to test is a flush operation succeeded. >>> >>> Hence, we add a command that lists the resources of a given type currently >>> loaded into the TPM. >>> >>> Signed-off-by: Mario Six <mario....@gdsys.cc> >>> --- >>> cmd/tpm.c | 76 >>> ++++++++++++++++++++++++++++++++++++++++++++++++++++- >>> drivers/tpm/Kconfig | 7 +++++ >>> 2 files changed, 82 insertions(+), 1 deletion(-) >> >> Reviewed-by: Simon Glass <s...@chromium.org> >> >> Again I wonder if we need the CONFIG. >> > > Thanks for the review! > > As for the CONFIG option, well, there is the trivial symmetry reason that the > flush command is deactivatable, so this should be too (since they are, > essentially, complementary functions, one view, one deletion). > > Also, the list function is really more of a debug tool than a function that > should be in a production environment. > > And, the most important reason why I think the CONFIG is justified is this: > should a embedded device with a TPM that's using U-Boot as a boot loader be > subjected to a security evaluation (e.g. Common Criteria), an evaluator might > ask why a function like this, which, essentially has no real purpose aside > from > providing debug information, is part of the TOE (especially if the TPM is used > as a fundamental security mechanism in the design). It enables an attacker > that > gains access to the U-Boot console to, for example, read the handles of the > keys stored in the TPM, which is already one part of the data needed to access > them. Granted, it's not a huge advantage, but the best answer you can give an > evaluator is always "That's not possible" :-). > > So, from a user perspective, I think it's desirable to have to option to > deactivate this function.
OK well I'm OK with it. > > Best regards, > > Mario Applied to u-boot-dm, thanks! _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
