On Thu, 2018-03-15 at 10:29 -0700, James Bottomley wrote:

On Thu, 2018-03-15 at 13:14 -0400, Mimi Zohar wrote:

quoted

On Thu, 2018-03-15 at 10:08 -0700, James Bottomley wrote:

quoted

On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote:

quoted

quoted

If EFI is extending the TPM, will the events be added to the TPM
event log or to the IMA measurement list?

I'm not proposing any changes to the tpm_pcr_extend API. ?At the
moment it does an extend without logging, so that's what it will do
in the EFI driver case as well. ?That means logging is still the
responsibility of the caller.

Does EFI support extending multiple TPM banks?

The specs are here:

https://trustedcomputinggroup.org/tcg-efi-protocol-specification/

As I said, I'm not planning to change the tpm_pcr_.. API. ?At the
moment for a TPM2 we extend all banks in the tpm_pcr_extend() API, so
that's what we'll continue to do ... including extending the sha256
banks with the sha1 hash, which seems to be our current practice.

Thanks, what you're planning on doing is a lot clearer now.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html