References: <20220504232102.469959-1-evgreen@chromium.org> <20220504161439.4.I32591db064b6cdc91850d777f363c9d05c985b39@changeid>
From: Evan Green Date: Wed, 3 Aug 2022 13:48:37 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 04/10] security: keys: trusted: Allow storage of PCR values in creation data To: Eric Biggers Cc: LKML , Matthew Garrett , Daniil Lunev , zohar@linux.ibm.com, "James E.J. Bottomley" , linux-integrity@vger.kernel.org, Jonathan Corbet , "Rafael J. Wysocki" , Gwendal Grignou , Jarkko Sakkinen , Linux PM , Matthew Garrett , Matthew Garrett , David Howells , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, "open list:DOCUMENTATION" , linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 2, 2022 at 4:00 PM Eric Biggers wrote: > > On Wed, May 04, 2022 at 04:20:56PM -0700, Evan Green wrote: > > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > > index aa108bea6739b3..2975827c01bec0 100644 > > --- a/security/keys/trusted-keys/trusted_tpm1.c > > +++ b/security/keys/trusted-keys/trusted_tpm1.c > > @@ -713,6 +713,7 @@ enum { > > Opt_hash, > > Opt_policydigest, > > Opt_policyhandle, > > + Opt_creationpcrs, > > }; > > > > static const match_table_t key_tokens = { > > @@ -725,6 +726,7 @@ static const match_table_t key_tokens = { > > {Opt_hash, "hash=%s"}, > > {Opt_policydigest, "policydigest=%s"}, > > {Opt_policyhandle, "policyhandle=%s"}, > > + {Opt_creationpcrs, "creationpcrs=%s"}, > > {Opt_err, NULL} > > }; 
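Review bot: the new "creationpcrs=%s" entry in key_tokens gives no hint of the value's format, and the getoptions() change later in this patch parses it with base 16, so the trusted-key option documentation (and the commit message) should state that creationpcrs takes a hexadecimal value and what that value encodes, and that it is only accepted on TPM 2.0 hardware; otherwise a user who passes a decimal PCR number such as "creationpcrs=16" gets it silently read as 0x16.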
> > > > @@ -858,6 +860,13 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > > return -EINVAL; > > opt->policyhandle = handle; > > break; > > + case Opt_creationpcrs: > > + if (!tpm2) > > + return -EINVAL; > > + res = kstrtoint(args[0].from, 16, &opt->creation_pcrs); > > + if (res < 0) > > + return -EINVAL; > > + break; > > I thought that TPM1 is deprecated. Are you sure you need more TPM1 features? It seems that trusted_tpm1.c is not just TPM1 functions, but also common functions that call TPM2 primitives. A few of these functions (like this getoptions()) seem to even error out if !tpm_is_tpm2(chip). -Evan
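Review bot: in the Opt_creationpcrs case of getoptions(), kstrtoint() parses a signed value, so an input of "creationpcrs=-1" is accepted and stored as -1 while a value with bit 31 set fails with -ERANGE; since the field holds a PCR selection, parse it with kstrtouint() into an unsigned field and reject any bits beyond the PCRs the chip provides (TPM 2.0 PC platforms expose 24), returning -EINVAL as the neighbouring cases do. The `if (!tpm2) return -EINVAL;` guard is the right behaviour for the shared parser, but a short comment noting that the option is TPM2-only would help here, given that this code lives in trusted_tpm1.c.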