Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data

From: Jarkko Sakkinen
Date: Fri Feb 19 2021 - 22:10:08 EST


On Sat, Feb 20, 2021 at 01:32:51AM +0000, Matthew Garrett wrote:
> When TPMs generate keys, they can also generate some information
> describing the state of the PCRs at creation time. This data can then
> later be certified by the TPM, allowing verification of the PCR values.
> This allows us to determine the state of the system at the time a key
> was generated. Add an additional argument to the trusted key creation
> options, allowing the user to provide the set of PCRs that should have
> their values incorporated into the creation data.
>
> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>

LGTM too.

Something popped into mind: could we make PCR 23 reservation dynamic
instead of a config option.

E.g. if the user space uses it, then it's dirty and hibernate will
fail. I really dislike the static compilation time firewall on it.

/Jarkko