Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data

[PATCH 0/9] Enable hibernation when Lockdown is enabled · Matthew Garrett <hidden> · 2021-02-20
[PATCH 1/9] tpm: Add support for in-kernel resetting of PCRs · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 1/9] tpm: Add support for in-kernel resetting of PCRs · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
[PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-24
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · James Bottomley <hidden> · 2021-02-24
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-28
[PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-24
[PATCH 4/9] security: keys: trusted: Store the handle of a loaded key · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 4/9] security: keys: trusted: Store the handle of a loaded key · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
[PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Ben Boeckel <hidden> · 2021-02-21
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
[PATCH 6/9] pm: hibernate: Optionally store and verify a hash of the image · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 6/9] pm: hibernate: Optionally store and verify a hash of the image · Evan Green <hidden> · 2021-05-05
[PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Randy Dunlap <hidden> · 2021-02-20
Re: [PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
[PATCH 8/9] pm: hibernate: Verify the digest encryption key · Matthew Garrett <hidden> · 2021-02-20
[PATCH 9/9] pm: hibernate: seal the encryption key with a PCR policy · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Evan Green <hidden> · 2021-05-04
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Jarkko Sakkinen <jarkko@kernel.org> · 2021-05-05
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Jarkko Sakkinen <jarkko@kernel.org> · 2021-05-05
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Evan Green <hidden> · 2021-05-05

From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2021-02-20 03:10:09
Also in: keyrings, linux-integrity, lkml

On Sat, Feb 20, 2021 at 01:32:51AM +0000, Matthew Garrett wrote:

When TPMs generate keys, they can also generate some information
describing the state of the PCRs at creation time. This data can then
later be certified by the TPM, allowing verification of the PCR values.
This allows us to determine the state of the system at the time a key
was generated. Add an additional argument to the trusted key creation
options, allowing the user to provide the set of PCRs that should have
their values incorporated into the creation data.

Signed-off-by: Matthew Garrett <redacted>

LGTM too.

Something popped into mind: could we make PCR 23 reservation dynamic
instead of a config option.

E.g. if the user space uses it, then it's dirty and hibernate will
fail. I really dislike the static compilation time firewall on it.

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help