Let's add an environment variable TPM2TSS_TCTI to tctildr.
Why?
This is something which has bugged me for a long time. When working on an application (or the tss tests), it would be great to be able to change the tcti via environment variable. E.g. when I have device, I could change it to libtpms, pcap:device, ... on the fly (without changing C code or shuffling around symlinks to libraries).
That is often already possible on application-level (TPM2TOOLS_TCTI and TPM2OPENSSL_TCTI), but not on tss-level. Basically asking for the same thing: #2626
TSS Tests
The tss tests do have some handling based on various env-variables, but it is out-of-date and does not use the tctildr. (FYI: I'm currently working on this and might submit a draft PR in the coming weeks as a conversation starter).
Suggestion
Let's add an environment variable TPM2TSS_TCTI to tctildr. It will then attempt to load the given tcti (or fail with a descriptive error message if it can't).
I'm not concerned that users will override their TCTI accidentally, but we might want to emit a warning log, just in case.
Security
Security is not impacted, here. Implementing this feature only increases usability. If an attacker has access to env variables, we have other problems, anyway (such as library hijacking via LD_PRELOAD).
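A sketch of the override logic the suggestion describes, added here as an example and not code from tpm2-tss or from the issue author. It reads the variable the way the dynamic loader treats LD_PRELOAD (dropped for set-uid/AT_SECURE processes via glibc's secure_getenv(), or a uid/euid comparison where that is unavailable), splits the value into name[:conf], fails with a descriptive message when the spec is unusable, and prints a warning whenever the override replaces what the application configured. The struct layout, function names, buffer sizes and the "device" default used when nothing is configured are assumptions for this example; the real tctildr search order is not modelled.

```c
#define _GNU_SOURCE          /* for secure_getenv() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variable name proposed in the issue. */
#define TCTI_ENV_VAR "TPM2TSS_TCTI"

#if defined(__GLIBC__)
/* Declared by <stdlib.h> under _GNU_SOURCE; repeated here so it compiles regardless. */
extern char *secure_getenv(const char *name);
#endif

/* Outcome of deciding which TCTI to load (assumed layout for this example). */
struct tcti_choice {
    char name[64];    /* e.g. "device", "libtpms", "pcap" */
    char conf[192];   /* everything after the first ':', "" if absent */
    int  from_env;    /* 1 when the environment override was applied */
};

/*
 * Read the override the way the dynamic loader treats LD_PRELOAD: ignore it
 * when the process runs with elevated privileges. glibc's secure_getenv()
 * returns NULL under AT_SECURE; elsewhere fall back to a uid/gid comparison.
 */
static const char *read_tcti_override(void)
{
#if defined(__GLIBC__)
    return secure_getenv(TCTI_ENV_VAR);
#else
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(TCTI_ENV_VAR);
#endif
}

/* Split "name[:conf]" into parts. Returns 0 on success, -1 if malformed or too long. */
static int split_tcti_spec(const char *spec, struct tcti_choice *out)
{
    if (spec == NULL || *spec == '\0')
        return -1;
    const char *colon = strchr(spec, ':');
    size_t name_len = colon ? (size_t)(colon - spec) : strlen(spec);
    if (name_len == 0 || name_len >= sizeof out->name)
        return -1;
    const char *conf = colon ? colon + 1 : "";
    if (strlen(conf) >= sizeof out->conf)
        return -1;
    memcpy(out->name, spec, name_len);
    out->name[name_len] = '\0';
    strcpy(out->conf, conf);
    return 0;
}

/*
 * Decide which TCTI to load. 'configured' is what the application asked for
 * (NULL or "" means "use the default"); 'env_override' is the value of
 * TPM2TSS_TCTI, passed in explicitly so the logic is testable without
 * touching the process environment. Returns 0 on success, -1 with a
 * descriptive message on stderr when the spec cannot be used.
 */
int resolve_tcti(const char *configured, const char *env_override,
                 struct tcti_choice *out)
{
    memset(out, 0, sizeof *out);

    if (env_override != NULL && *env_override != '\0') {
        if (split_tcti_spec(env_override, out) != 0) {
            fprintf(stderr, "tctildr: " TCTI_ENV_VAR "=\"%s\" is not a usable "
                    "\"name[:conf]\" spec\n", env_override);
            return -1;
        }
        out->from_env = 1;
        /* Not an error, but worth a warning so an override is never silent. */
        if (configured != NULL && *configured != '\0' &&
            strcmp(configured, env_override) != 0)
            fprintf(stderr, "tctildr: WARNING: " TCTI_ENV_VAR " replaces the "
                    "configured TCTI \"%s\" with \"%s\"\n", configured, env_override);
        return 0;
    }

    if (configured == NULL || *configured == '\0') {
        strcpy(out->name, "device");   /* assumed default for this example only */
        return 0;
    }
    return split_tcti_spec(configured, out);
}

/* Convenience wrapper that consults the real process environment. */
int resolve_tcti_from_env(const char *configured, struct tcti_choice *out)
{
    return resolve_tcti(configured, read_tcti_override(), out);
}

int main(void)
{
    struct tcti_choice c;
    if (resolve_tcti_from_env("device:/dev/tpmrm0", &c) != 0)
        return 1;
    printf("would load tcti \"%s\" conf \"%s\" (%s)\n", c.name, c.conf,
           c.from_env ? "from " TCTI_ENV_VAR : "from application config");
    return 0;
}
```

Running the binary as `TPM2TSS_TCTI=pcap:device ./a.out` prints the warning and reports name "pcap" with conf "device"; running it with no variable set, or as a set-uid binary with the variable set, reports the application's own "device:/dev/tpmrm0". The split on the first colon is what lets nested specs such as pcap:device:/dev/tpmrm0 pass their tail through to the outer TCTI unchanged.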
This is curious but also poses a security risk. I would like to follow the development of this feature. It will be very useful if implemented securely.