Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp1325404rwb; Tue, 27 Sep 2022 11:21:29 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4QNcB+A9NCe3uHzVeOa2lcfjVkn8W9ht2RktrUv5nLXBiaXl9/ljznFbWpLNRqP94UieXT X-Received: by 2002:a17:903:1110:b0:178:9f67:b543 with SMTP id n16-20020a170903111000b001789f67b543mr28013029plh.131.1664302889325; Tue, 27 Sep 2022 11:21:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664302889; cv=none; d=google.com; s=arc-20160816; b=vCP0LWLgECYxp+FWUFZ6EdZkS2sj/b4+qjGNgdhNHKgNG2DRVKlmoKUyv6jNWzpyau +VNUm5rn/MJLDEU/nY8VEFUPuu5BKC9hrmg1649VZ9RNaq+gTg+wt3hEmPgJHLI6UhZw 2J5mVQAd7rc3Fy8xHommNLIF1l5hylF/mOaF0mBLyhSYjknNJqW9Mv1hdefW6pghN66o wdf1l/YrXgDfy7kc//XLpGn/+jS0AaBX79/uOQ5yB6OAH0SG6lHyaRRC+DhD3TXq14nK lu/E/DOrVqu2+ie0dVDsaKS+DLsnscgfY1D6AwwVLY7t3tWH7bCajjLaBtCmJPCEZ5ij lvnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :feedback-id:dkim-signature:dkim-signature; bh=gkfETQGOUkN/p+KkeVW4lZaExlmLKRZn8wJCWXZOXRI=; b=KfKW4BZXrZ7i/ipFvLf/WLW0HRuAi+Pemt8el7J/i0IgK4bmT3PviKMiOBjc00lFKu r78DgKrHp1T52VXJTlYnTDeqGmGph82fwrnrLWkzzE7iot9Z2wsH5+XVHtvjShhyjZSV ErBupCmOqqgu3caPkruXwJ0TOy07BDznp2rxZMU6vnAAngJClHxvCAJtcRvudU3CWtGe 55IqVeUOKcxoPypBHLfHgcXRoV2nqEEsySY62bRm/sLiolvBrriF6WIrL9iYxX07k4qg ha26cd7LHrGfcioV7BhwQtL81M930fpsTgMxFcnaE2CEOouMnLOkTcp/U2VFbWoI9Wxy /VRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@benboeckel.net header.s=fm1 header.b="sl/KntKi"; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=q6PBxVsB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u7-20020a17090341c700b001755d722578si2870898ple.524.2022.09.27.11.21.17; Tue, 27 Sep 2022 11:21:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@benboeckel.net header.s=fm1 header.b="sl/KntKi"; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=q6PBxVsB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231985AbiI0Q6U (ORCPT + 99 others); Tue, 27 Sep 2022 12:58:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231436AbiI0Q6C (ORCPT ); Tue, 27 Sep 2022 12:58:02 -0400 Received: from new2-smtp.messagingengine.com (new2-smtp.messagingengine.com [66.111.4.224]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 559ECADCEA; Tue, 27 Sep 2022 09:57:53 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailnew.nyi.internal (Postfix) with ESMTP id 967875809C1; Tue, 27 Sep 2022 12:57:50 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Tue, 27 Sep 2022 12:57:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=benboeckel.net; h=cc:cc:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm1; t=1664297870; x=1664305070; bh=gk fETQGOUkN/p+KkeVW4lZaExlmLKRZn8wJCWXZOXRI=; b=sl/KntKinPRXzDDFxY luTWeO/SAjzn6ocbPDU+4KC12/bVB6ccIpBzxeskfUvDq2NgfLfP3ltMZX4+xa6X BhM0uzytzQN2YmEsxfOPgepG40v0MKaXtnPL3fujQWOK7fsXRv+lLYXEfTf8Ex6y LW+YRy64iVE2l+jp4KNKtXCxHGQRYUkmhkb6+tZrgjVrLfa5UlTvyQ8GWbNDMBSe iTpYp2NbuxpA4SC0WuhpORxMR7exRrXmD1CI+rCPyDCT5v0Bd4UykGSrpEdbDlTN pW6LoTYLKUq9Y057QwyPJdKta6TKAwUs+8WTuIuIPki55EHVRFtUq3rZF1mUWqF2 sSMA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1664297870; x=1664305070; bh=gkfETQGOUkN/p+KkeVW4lZaExlmL KRZn8wJCWXZOXRI=; b=q6PBxVsB6TAiVJKjj7grNbonKK2ajkzvu/Dzd2TH3CFA hnLfkasV7cvf9QZxfOLarnnYK4fGDO+k/0vjt3ORJi3AYKxeDF2cHfdTtzgkZOA/ bVWzsJkB/rtVBcG17iWEeLE/B16IzohQIu4UGywnXvxCXy0G3oVEs2Tu8U6fYPGt 2F1d6esauHi1hMziOUxsKaOKag/bzfMP3IqBrCogwrG73VGlF+jc9EB9QKkBZVCo E6s8ewS0UBSQvkPpmfsqmmIFjuX2ddnMMMQXsV0J2jiUexlrYdBAiq0dfWhQ4D7V 5X1QklITrS/WgLhZpKhKtd8fejhParaszKfQhyWxvA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeegiedgkeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujggfsehttdertddtreejnecuhfhrohhmpeeuvghn uceuohgvtghkvghluceomhgvsegsvghnsghovggtkhgvlhdrnhgvtheqnecuggftrfgrth htvghrnheptefgvefgfffhveeltefhfeettdefgfelteefheetgfejfefgfeeigfeutedv ffefnecuffhomhgrihhnpehkvghrnhgvlhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmvgessggvnhgsohgvtghkvghlrdhnvght X-ME-Proxy: Feedback-ID: iffc1478b:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 27 Sep 2022 12:57:48 -0400 (EDT) Date: Tue, 27 Sep 2022 12:58:43 -0400 From: Ben Boeckel To: Evan Green Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, apronin@chromium.org, dlunev@google.com, jarkko@kernel.org, Pavel Machek , rjw@rjwysocki.net, corbet@lwn.net, linux-pm@vger.kernel.org, zohar@linux.ibm.com, Kees Cook , Eric Biggers , jejb@linux.ibm.com, gwendal@chromium.org, Matthew Garrett , Matthew Garrett , Matthew Garrett , David Howells , James Morris , Paul Moore , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v3 05/11] security: keys: trusted: Allow storage of PCR values in creation data Message-ID: References: <20220927164922.3383711-1-evgreen@chromium.org> <20220927094559.v3.5.I32591db064b6cdc91850d777f363c9d05c985b39@changeid> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20220927094559.v3.5.I32591db064b6cdc91850d777f363c9d05c985b39@changeid> User-Agent: Mutt/2.2.7 (2022-08-07) X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 27, 2022 at 09:49:16 -0700, Evan Green wrote: > From: Matthew Garrett > > When TPMs generate keys, they can also generate some information > describing the state of the PCRs at creation time. This data can then > later be certified by the TPM, allowing verification of the PCR values. > This allows us to determine the state of the system at the time a key > was generated. Add an additional argument to the trusted key creation > options, allowing the user to provide the set of PCRs that should have > their values incorporated into the creation data. > > Link: https://lore.kernel.org/lkml/20210220013255.1083202-6-matthewgarrett@google.com/ > Signed-off-by: Matthew Garrett > Signed-off-by: Evan Green > --- Reviewed-by: Ben Boeckel Thanks! --Ben