Thread: 12 messages, 6 authors, 2020-12-23

Re: [PATCH RESEND v4 0/1] add sysfs exports for TPM 2 PCR registers

From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: 2020-11-30 15:27:28
Also in: linux-integrity

On Mon, 2020-11-30 at 09:18 +0100, Greg KH wrote:
> On Sun, Nov 29, 2020 at 02:30:21PM -0800, James Bottomley wrote:
> > Cc to linux-api to get an opinion on two issues.  First the
> > background:
> >
> > We've had a fairly extensive discussion over on linux-integrity and
> > iterated to the conclusion that the kernel does need to export TPM
> > 2.0 PCR values for use by a variety of userspace integrity
> > programmes including early boot.  The principal clinching argument
> > seems to be that these values are required by non-root systems, but
> > in a default Linux set up the packet marshalled communication
> > device: /dev/tpmrm0, is by default only usable by
> > root.  Historically, TPM 1.2 exported these values via sysfs in a
> > single file containing all 24 values:
> >
> >   /sys/class/tpm/tpm0/pcrs
> >
> > with the format
> >
> >   PCR-00: 7D 29 CB 08 0C 0F C4 16 7A 0E 9A F7 C6 D3 97 CD C1 21 A7 69
> >   PCR-01: 9C B6 79 4C E4 4B 62 97 4C AB 55 13 1A 2F 7E AE 09 B3 30 BE
> >   ...
>
> As you know, this breaks the "one value per file" for sysfs, so
> please, do not add more files that do this.

I haven't ... if you read the below you'll see it's now one value per
file.

> > TPM 2.0 adds more complexity: because of its "agile" format, each
> > TPM 2.0 is required to support a set of hashes (of which at least
> > sha1 and sha256 are required but quite a few TPM 2.0s have at least
> > two or three more) and maintain 24 PCR registers for each supported
> > hash. The current patch exports each PCR bank under the directory
> >
> >   /sys/class/tpm/tpm0/pcr-<hash>/<bank>
> >
> > So the sha256 bank value of PCR 7 can be obtained as
> >
> >   cat /sys/class/tpm/tpm0/pcr-sha256/7
> >   2ED93F199692DC6788EFA6A1FE74514AB9760B2A6CEEAEF6C808C13E4ABB0D42
> >
> > And the output is a single non-space separated ascii hex value of
> > the hash.
> >
> > The issues we'd like input on are:
> >
> >  1. Should this be in sysfs or securityfs?
>
> If you want to use sysfs, use one value per file please.

It is ... each PCR gives one hash value per PCR and bank.  That's what
the file above is showing.  The hash values are 20 bytes for sha1, 32
bytes for sha256 and so on.

> >  2. Should we export the values as one value per file (current patch)
> >     or as a binary blob of all 24?
>
> Binary sysfs files are for "pass-through" mode where the kernel is
> not parsing/manipulating the data at all.  Do these values come
> straight from the hardware?  If so, sure, use a binary blob.  If not,
> then no, do not use that in sysfs as sysfs is to be in text format.

There was a question over whether the hash should be ascii as above
(hex representation) so human readable, or the 20/32/whatever binary
bytes of the hash.  I think we've got that resolved that ascii works.

James
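
The two export formats described in this message, as an unprivileged consumer might read and validate them. This is an added example, not code from the patch or from anyone in the thread; the function names and the `tpm_dir` parameter are assumptions, and the directory layout is the one proposed above (`pcr-<hash>/<n>`, one hex value per file).

```python
import re
from pathlib import Path

# Digest sizes in bytes. The thread gives 20 for sha1 and 32 for sha256;
# sha384 and sha512 are the standard sizes of those hashes.
DIGEST_SIZE = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}
NUM_PCRS = 24
LEGACY_LINE = re.compile(r"PCR-(\d{2}):((?: [0-9A-Fa-f]{2})+)")


def decode_digest(text, size, label):
    """Decode one unseparated hex digest, rejecting anything of the wrong shape."""
    text = text.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * size), text):
        raise ValueError(f"{label}: expected {size} bytes of hex")
    return bytes.fromhex(text)


def read_pcr_bank(tpm_dir, alg):
    """Read <tpm_dir>/pcr-<alg>/<n> (one value per file) into {n: digest}."""
    bank_dir = Path(tpm_dir) / f"pcr-{alg}"
    bank = {}
    for n in range(NUM_PCRS):
        path = bank_dir / str(n)
        if path.is_file():
            bank[n] = decode_digest(path.read_text(), DIGEST_SIZE[alg], str(path))
    return bank


def parse_legacy_pcrs(text):
    """Parse the TPM 1.2 single-file format ("PCR-00: 7D 29 ...") into {n: digest}."""
    bank = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LEGACY_LINE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        # TPM 1.2 PCRs are SHA-1 only, so every value must be 20 bytes.
        bank[int(m.group(1))] = decode_digest(
            m.group(2).replace(" ", ""), DIGEST_SIZE["sha1"], f"PCR-{m.group(1)}")
    return bank


def mismatched(bank, expected):
    """Return the PCR indices whose measured digest differs from the expected one."""
    return sorted(n for n, want in expected.items() if bank.get(n) != want)
```

On a real system `tpm_dir` would be `/sys/class/tpm/tpm0`; a length or character check failure is raised rather than skipped so that a truncated read cannot pass as a measurement.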
