Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks
From: Ken Goldman
Date: Mon Jan 27 2020 - 15:55:25 EST
On 1/27/2020 11:50 AM, Lakshmi Ramasubramanian wrote:
> Can the number of allocated banks (ima_tpm_chip->nr_allocated_banks) be
> zero? Should that be checked before accessing "allocated_banks"?
Summary:
It's unlikely that Linux on a PC will encounter a TPM without PCR 10.
It is likely that PCR 10 will be only SHA-256, that there will be no
SHA-1 PCR 10.
~~
In theory:
Yes, one could have a TPM with no allocated banks.
In practice:
A PC Client TPM must have at least one bank with PCR 0 and PCR 17.
Some other TPMs, like automotive or embedded, may be different.
Most platforms will be designed to meet Windows requirements, which will
have AFAIK at least one bank of 24 PCRs.
The TPM specification permits allocation of partial banks. In theory,
one could encounter a TPM with e.g., PCR 0-7 but not PCR 10.
In practice, AFAIK the hardware TPMs implement only full banks.
Platform firmware allocates full banks.
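The two failure modes discussed above, a chip that reports zero allocated banks and a bank that is only partially allocated (e.g. PCRs 0-7 present but no PCR 10), can be exercised in user space with a small model. The following is an added example, not code from the patch, the IMA subsystem or the kernel's struct tpm_chip: `struct model_bank` and `struct model_chip` are hypothetical stand-ins, each bank carries a TPMS_PCR_SELECTION-style bitmask of the PCRs it actually allocates, the TPM_ALG_* identifiers are the real TCG Algorithm Registry values, and the preference order for choosing the bank (requested algorithm, then SHA-256, then SHA-1, then any usable bank) is this example's own assumption, not the order the patch implements.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* TPM 2.0 algorithm identifiers from the TCG Algorithm Registry. */
#define TPM_ALG_SHA1    0x0004
#define TPM_ALG_SHA256  0x000B
#define TPM_ALG_SHA384  0x000C
#define TPM_ALG_SHA512  0x000D

#define PCR_COUNT 24
#define FULL_BANK_MASK ((1u << PCR_COUNT) - 1)

/* boot_aggregate is computed over PCRs 0-7; IMA extends its log into PCR 10.
 * A bank missing any of these is not usable for IMA, even if it exists. */
#define IMA_REQUIRED_PCRS (0xFFu | (1u << 10))

/* Hypothetical model of one allocated bank (not the kernel's struct):
 * the hash algorithm and a bitmask with bit i set when PCR i is allocated.
 * The TPM spec permits partial banks, so the mask need not be full. */
struct model_bank {
	uint16_t alg_id;
	uint32_t pcr_mask;
};

/* Hypothetical stand-in for the chip's bank list, mirroring the two fields
 * named in the thread: nr_allocated_banks and allocated_banks. */
struct model_chip {
	unsigned int nr_allocated_banks;
	const struct model_bank *allocated_banks;
};

/* A bank is usable only if every PCR IMA needs is actually allocated in it. */
static int bank_usable(const struct model_bank *b)
{
	return (b->pcr_mask & IMA_REQUIRED_PCRS) == IMA_REQUIRED_PCRS;
}

/* Index of the bank to compute boot_aggregate from, or -1 if none qualifies.
 * Preference (this example's assumption): want_alg, then SHA-256, then SHA-1,
 * then any usable bank. */
int pick_boot_aggregate_bank(const struct model_chip *chip, uint16_t want_alg)
{
	static const uint16_t fallback[] = { TPM_ALG_SHA256, TPM_ALG_SHA1 };
	unsigned int i, f;

	/* The guard asked about in the thread: zero banks means no PCRs at all,
	 * so allocated_banks must not be dereferenced. */
	if (chip == NULL || chip->nr_allocated_banks == 0 ||
	    chip->allocated_banks == NULL)
		return -1;

	for (i = 0; i < chip->nr_allocated_banks; i++)
		if (chip->allocated_banks[i].alg_id == want_alg &&
		    bank_usable(&chip->allocated_banks[i]))
			return (int)i;

	for (f = 0; f < sizeof(fallback) / sizeof(fallback[0]); f++)
		for (i = 0; i < chip->nr_allocated_banks; i++)
			if (chip->allocated_banks[i].alg_id == fallback[f] &&
			    bank_usable(&chip->allocated_banks[i]))
				return (int)i;

	for (i = 0; i < chip->nr_allocated_banks; i++)
		if (bank_usable(&chip->allocated_banks[i]))
			return (int)i;

	return -1;
}

/* Constructed sample chips (not captured from real hardware). */
static const struct model_bank pc_sha256_only[] = {
	{ TPM_ALG_SHA256, FULL_BANK_MASK } };
static const struct model_chip chip_sha256_only = { 1, pc_sha256_only };

static const struct model_bank pc_two_banks[] = {
	{ TPM_ALG_SHA1, FULL_BANK_MASK }, { TPM_ALG_SHA256, FULL_BANK_MASK } };
static const struct model_chip chip_two_banks = { 2, pc_two_banks };

/* SHA-1 bank allocates only PCRs 0-7: boot_aggregate could be read from it,
 * but PCR 10 is absent, so IMA must not pick it. */
static const struct model_bank pc_partial[] = {
	{ TPM_ALG_SHA1, 0xFFu }, { TPM_ALG_SHA256, FULL_BANK_MASK } };
static const struct model_chip chip_partial_sha1 = { 2, pc_partial };

static const struct model_bank pc_only_partial[] = { { TPM_ALG_SHA256, 0xFFu } };
static const struct model_chip chip_only_partial = { 1, pc_only_partial };

static const struct model_chip chip_no_banks = { 0, NULL };

int main(void)
{
	printf("no banks, want SHA1      -> %d\n", pick_boot_aggregate_bank(&chip_no_banks, TPM_ALG_SHA1));
	printf("SHA256 only, want SHA1   -> %d\n", pick_boot_aggregate_bank(&chip_sha256_only, TPM_ALG_SHA1));
	printf("SHA1+SHA256, want SHA256 -> %d\n", pick_boot_aggregate_bank(&chip_two_banks, TPM_ALG_SHA256));
	printf("partial SHA1, want SHA1  -> %d\n", pick_boot_aggregate_bank(&chip_partial_sha1, TPM_ALG_SHA1));
	printf("only partial SHA256      -> %d\n", pick_boot_aggregate_bank(&chip_only_partial, TPM_ALG_SHA256));
	return 0;
}
```

The "SHA256 only, want SHA1" case is the common modern PC from the summary above (a SHA-256 PCR 10 with no SHA-1 PCR 10): the requested SHA-1 bank is absent, and the code falls back to the SHA-256 bank rather than failing. The two "partial" cases model the theoretical spec-permitted layouts; a full-bank-only world never hits them, but the mask check costs nothing and turns a silent read of a nonexistent PCR into an explicit error.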