Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1107566pxb; Sun, 21 Feb 2021 11:49:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJybXLQWSx4KcwcJ34Xp7gAm9+RsmOm3eL86eOWQYlbpHDnzED+kX2AiY6mML0XCoxRpQntN X-Received: by 2002:a17:906:ca15:: with SMTP id jt21mr18483379ejb.58.1613936993669; Sun, 21 Feb 2021 11:49:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613936993; cv=none; d=google.com; s=arc-20160816; b=DJV48JgNdd9NsIBwMiC9Tt58a26vSyt2N5Lb40mpAzmrKfbOlRrs2QWt/s1Usf/7kI 4fMmEztqkRo3q9jIhINMxCsxrxiQTGSYlOK9NYQvVvtuP/7RBxciH7EaB7ZjgxetCmAc GLUPTLNn9i7qPjGRFLxUkpLaH8uYGfBfLBaEGkqvKcQpoKDUq25lzbdiyNFcIhGQzidS /3W1GLnOzG8yGuoE6zB3dpHubgeDmkJyHVcrhIn6l+EKPtONNcnqJvQgCa+r9R+Q1rkf USlkh6bDEDWtIAHpMqz/HwI5xH88jWzUzGM9P8ibrT0RQMhNb6+K8yy4QyDF5geen74Q fXxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature:dkim-signature; bh=KK7U3PtBaDBEZQddjEEuQxaWjx0rOhXM1pRTOxjzCQ4=; b=s9V7o5CFHjBdY9xRFdUTjjQI5fgn3rVfWZ506+C/mV1GZW86QfqYDgmNBDHmHvxmjm Q4ocuqaYhCOemAxOCVQdPcbSYNlrdvOEiXHcJNz3k+clcl6g1HANwNQybIl2xzLn9W0J SzCwSSj52o1F3E+hBtUdZTu9htCxKxqJ7vUzcNBT+jGAfZZeP3DEI/lckXauBorN49uw 92uELrwOI+3sEjui8z+ASCc/bR1LrHb8M+Mk/6q/BHWJhJJc8kLfiUX/fp7UUrX2IkTk azLmSAVl1FsEoTOj5IesceoK93/fkErfHctD8TDP6ycE7hB0Iy5ccXxJC+lrWYqcC23f ZFFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@benboeckel.net header.s=fm1 header.b=QhEAa3a0; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=DizqxHw0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m9si10512552edj.103.2021.02.21.11.49.31; Sun, 21 Feb 2021 11:49:53 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@benboeckel.net header.s=fm1 header.b=QhEAa3a0; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=DizqxHw0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230469AbhBUTqX (ORCPT + 99 others); Sun, 21 Feb 2021 14:46:23 -0500 Received: from new2-smtp.messagingengine.com ([66.111.4.224]:54133 "EHLO new2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230401AbhBUTpi (ORCPT ); Sun, 21 Feb 2021 14:45:38 -0500 Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailnew.nyi.internal (Postfix) with ESMTP id 17C6E58024F; Sun, 21 Feb 2021 14:44:32 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Sun, 21 Feb 2021 14:44:32 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=benboeckel.net; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm1; bh=KK7U3PtBaDBEZQddjEEuQxaWjx0 rOhXM1pRTOxjzCQ4=; b=QhEAa3a0K46bSjQTH6GKygCzlEvzxjwWPdriVPwLeDj CKwWlpU/pChFf26OIIu/C6C3VS89XiijU8lJaProgZi5XdSrsBvpQcyWQ+BERJeF JUGjZZIiIMb0oxeltg/xPZtgOCHdsOiv52h72eAdV0YmXA7qWSgsa5zE17WPun5Z gr8B/HPtHI+fuRYRiB3fIxzlM0xzVt1ztadCgF5r4s2L+tZxMK18MGqeNsodFI5T msiGzegsmXh/dxvDUKyF/ypH7BxUGNV7Biu8GiWkuR+TzGuMuaWHnE7oTQ7P78Ah xAUgTvD5dCaPIcGaYDSYsPYZi3uYzNFxULzhfADQfZw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=KK7U3P tBaDBEZQddjEEuQxaWjx0rOhXM1pRTOxjzCQ4=; b=DizqxHw0MABc+iOWp01mCF /OgT2nN9Cg6gAVUoS0L9YTEXweK1TBAMJEDJLJLXW44TywJrVcZE8ZK/JzlzWy0x 7G175BK9mIk4FCA6sNIwOzIvTfoPB5heq/2yPMoKeGfzRyswMgeY/yOtUAdEyBJs UOQzvRuXw3nTtmJmX83lsdd/CBxSC5jn3TkNWJr7RLm9drjhvMJfghJ34tQcfUUH MbwIkcrHZkSqJCln4bAulOv/AtvkeL7/++GMWZmOkHd8L9fi7d+0Np5LYbx9FQvY AAUHaeldqDJVAMzazTEba3vEYCrwbLg2kCg0IzsbRrUxC7GttxKDkwiMk/RsLHTw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkedugdduvdejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjfgesthdtredttderjeenucfhrhhomhepuegvnhcu uehovggtkhgvlhcuoehmvgessggvnhgsohgvtghkvghlrdhnvghtqeenucggtffrrghtth gvrhhnpeevffdtteetgfdttdekueefgedttddtueeugeekgeetffeuteffjeduieehhfek tdenucfkphepvdegrdduieelrddvtddrvdehheenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehmvgessggvnhgsohgvtghkvghlrdhnvght X-ME-Proxy: Received: from localhost (unknown [24.169.20.255]) by mail.messagingengine.com (Postfix) with ESMTPA id 62DBA1080063; Sun, 21 Feb 2021 14:44:31 -0500 (EST) Date: Sun, 21 Feb 2021 14:44:29 -0500 From: Ben Boeckel To: Jarkko Sakkinen Cc: Matthew Garrett , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, zohar@linux.ibm.com, jejb@linux.ibm.com, corbet@lwn.net, rjw@rjwysocki.net, Matthew Garrett Subject: Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data Message-ID: References: <20210220013255.1083202-1-matthewgarrett@google.com> <20210220013255.1083202-6-matthewgarrett@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.0.5 (2021-01-21) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Feb 20, 2021 at 05:09:07 +0200, Jarkko Sakkinen wrote: > Something popped into mind: could we make PCR 23 reservation dynamic > instead of a config option. > > E.g. if the user space uses it, then it's dirty and hibernate will > fail. I really dislike the static compilation time firewall on it. I don't know the threat model here, but couldn't hibernation then be blocked by userspace using PCR 23 in some way (thus becoming a Denial of Service)? Are elevated permissions required to use PCR values? --Ben