Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data

[PATCH 0/9] Enable hibernation when Lockdown is enabled · Matthew Garrett <hidden> · 2021-02-20
[PATCH 1/9] tpm: Add support for in-kernel resetting of PCRs · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 1/9] tpm: Add support for in-kernel resetting of PCRs · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
[PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-24
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · James Bottomley <hidden> · 2021-02-24
Re: [PATCH 2/9] tpm: Allow PCR 23 to be restricted to kernel-only use · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-28
[PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
Re: [PATCH 3/9] security: keys: trusted: Parse out individual components of the key blob · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-24
[PATCH 4/9] security: keys: trusted: Store the handle of a loaded key · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 4/9] security: keys: trusted: Store the handle of a loaded key · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
[PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-20
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Ben Boeckel <hidden> · 2021-02-21
Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
[PATCH 6/9] pm: hibernate: Optionally store and verify a hash of the image · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 6/9] pm: hibernate: Optionally store and verify a hash of the image · Evan Green <hidden> · 2021-05-05
[PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Randy Dunlap <hidden> · 2021-02-20
Re: [PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to protect image integrity · Matthew Garrett <mjg59@srcf.ucam.org> · 2021-02-22
[PATCH 8/9] pm: hibernate: Verify the digest encryption key · Matthew Garrett <hidden> · 2021-02-20
[PATCH 9/9] pm: hibernate: seal the encryption key with a PCR policy · Matthew Garrett <hidden> · 2021-02-20
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Evan Green <hidden> · 2021-05-04
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Jarkko Sakkinen <jarkko@kernel.org> · 2021-05-05
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Jarkko Sakkinen <jarkko@kernel.org> · 2021-05-05
Re: [PATCH 0/9] Enable hibernation when Lockdown is enabled · Evan Green <hidden> · 2021-05-05

From: Ben Boeckel <hidden>
Date: 2021-02-21 19:46:44
Also in: keyrings, linux-integrity, lkml

On Sat, Feb 20, 2021 at 05:09:07 +0200, Jarkko Sakkinen wrote:

Something popped into mind: could we make PCR 23 reservation dynamic
instead of a config option.

E.g. if the user space uses it, then it's dirty and hibernate will
fail. I really dislike the static compilation time firewall on it.

I don't know the threat model here, but couldn't hibernation then be
blocked by userspace using PCR 23 in some way (thus becoming a Denial of
Service)? Are elevated permissions required to use PCR values?

--Ben

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help