Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1384999pxb; Sun, 21 Feb 2021 23:46:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJz0k/2Ti0kX8EJ/bI3LpmWTBATdpO2j75YpXKDbxsFA9CzLCtoggK/QS8DYVVMIuUhwEF+K X-Received: by 2002:a17:906:cd02:: with SMTP id oz2mr19877756ejb.116.1613979960608; Sun, 21 Feb 2021 23:46:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613979960; cv=none; d=google.com; s=arc-20160816; b=KiJKnS+aiXzav8KFp4cTUilrDoJ2FFlcSwMvQS7sCNXT38c5NBrz1pWuTD/qLnH+1K 6whUmKUoKaoIRO4cW1LjnpqQrcqQEILSEwgPNsDxwy7Sy97J0ZRdIcFEF3wOYyRYKZWn arPasrHq591j+ZMUedQjtjAlKeK9wZvgB9KVrSexNK619GFouP/ij2hUezUocIHyk8e/ e3TS5O2we395/0tluHRhEuQ+0rOHiSQq2SkuSzjGkp6crZvMVW435ROlYoXemajC5Mc0 q7Abt2/8d1mid6qf8A3BnDzDub2sCb4av9dftCsCdsAlrDAWfHsauYBCf/oh1dg4q8yS dXLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=JXxcplmrK6Sc+97Shh3qS4r1YkW+BdqZXN6g+1x+z6Y=; b=FnSYRZSOPxrU3qSfd9mzldZF51p45GM4+dnS6ZH9tyw7V/PSDeQp7RuuONEwzK0H4D UcfzzHHDKcswlp+Kf55LRKY3YUPNu8sYIDMJ/G8gOqMBbCREIIpGjmu0N1NcJBmTEm+m qbswo5YH1hohFN27fPSGUTIYOfjnZTyTTs9TzLxuk8/IK4TT+3hy1rOzBwGp7g1wyZiG DZ8zXzVTOtz/cVeFHaAXqj7+O41ea0Qq+SWKvPEG/JmeefsduYj1+hEjrRNC2RvynERL xe1Blx+rXJB9jObT4N8ZWoofonYuXhJARBP22tPoU1dN2HY557750HC/b1YHEdr71Ic3 8+2w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x9si11106433ejb.735.2021.02.21.23.45.38; Sun, 21 Feb 2021 23:46:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230199AbhBVHmV (ORCPT + 99 others); Mon, 22 Feb 2021 02:42:21 -0500 Received: from cavan.codon.org.uk ([176.126.240.207]:38746 "EHLO cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230184AbhBVHlz (ORCPT ); Mon, 22 Feb 2021 02:41:55 -0500 X-Greylist: delayed 378 seconds by postgrey-1.27 at vger.kernel.org; Mon, 22 Feb 2021 02:41:54 EST Received: by cavan.codon.org.uk (Postfix, from userid 1000) id 90F3C40A2F; Mon, 22 Feb 2021 07:41:10 +0000 (UTC) Date: Mon, 22 Feb 2021 07:41:10 +0000 From: Matthew Garrett To: Jarkko Sakkinen Cc: Matthew Garrett , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, zohar@linux.ibm.com, jejb@linux.ibm.com, corbet@lwn.net, rjw@rjwysocki.net, Matthew Garrett Subject: Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data Message-ID: <20210222074110.GC30403@codon.org.uk> References: <20210220013255.1083202-1-matthewgarrett@google.com> <20210220013255.1083202-6-matthewgarrett@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Feb 20, 2021 at 05:09:07AM +0200, Jarkko Sakkinen wrote: > Something popped into mind: could we make PCR 23 reservation dynamic > instead of a config option. > > E.g. if the user space uses it, then it's dirty and hibernate will > fail. I really dislike the static compilation time firewall on it. We can fail hibernation if userland hasn't flagged things, but the concern is that if you hibernate with PCR 23 blocking enabled and then reboot with the blocking disabled, userland can obtain the blob from the hibernation image, extend PCR 23, modify the image and use the key they've recovered to make it look legitimate, enable PCR 23 blocking again and then resume into their own code.