Subject: Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
From: James Bottomley
Reply-To: jejb@linux.ibm.com
To: Evan Green, linux-kernel@vger.kernel.org
Cc: corbet@lwn.net, linux-integrity@vger.kernel.org, Eric Biggers, gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek, Ben Boeckel, rjw@rjwysocki.net, Kees Cook, dlunev@google.com, zohar@linux.ibm.com, Matthew Garrett, jarkko@kernel.org, linux-pm@vger.kernel.org, Jason Gunthorpe, Peter Huewe
Date: Mon, 14 Nov 2022 12:11:20 -0500
Message-ID: <8ae56656a461d7b957b93778d716c6161070383a.camel@linux.ibm.com>
In-Reply-To: <20221111151451.v5.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid>
References: <20221111231636.3748636-1-evgreen@chromium.org> <20221111151451.v5.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2022-11-11 at 15:16 -0800, Evan Green wrote:
> Introduce a new Kconfig, TCG_TPM_RESTRICT_PCR, which if enabled
> restricts usermode's ability to extend or reset PCR 23.

Could I re-ask the question here that I asked of Matthew's patch set:

https://lore.kernel.org/all/b0c4980c8fad14115daa3040979c52f07f7fbe2c.camel@linux.ibm.com/

Which was: could we use an NVRAM index in the TPM instead of a PCR? The
reason for asking was that PCRs are rather precious and might get more
so now that Lennart has some grand scheme for using more of them in his
unified boot project. Matthew promised to play with the idea but never
got back to the patch set to say whether he investigated this or not.

James
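The two designs under discussion, as an added example that is not part of the thread, the kernel patch set, or any TPM library: a plain-SHA-256 model of PCR 23 behind /dev/tpm0, where user space can extend and reset the register unless the TCG_TPM_RESTRICT_PCR gate refuses it, beside a model of the NV-index alternative James raises, an extend-only index whose writes need an auth value only the kernel holds. The model shows why a user-resettable PCR cannot be "kernel-only": reset followed by replaying the kernel's extends reproduces the kernel's value exactly. Names (`Tpm`, `NvExtendIndex`, the `caller` tag, the auth-value write gate) and the sample measurement digests are constructed for this example; a real NV index would be defined with TPM 2.0 NV attributes and an auth or policy session rather than the bare compare used here.

```python
import hashlib
import hmac
import secrets

ZERO = bytes(32)  # initial value of a SHA-256 PCR / NV extend index


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(old + digest).digest()


class Tpm:
    """Model of PCR 23 as reached through /dev/tpm0 (constructed for this example).
    PCR 23 is modelled as extendable and resettable by user space; 'restrict'
    models a Kconfig gate that refuses user-space extend/reset of that PCR."""
    PCR23 = 23

    def __init__(self, restrict: bool):
        self.pcr = {self.PCR23: ZERO}
        self.restrict = restrict

    def _check(self, caller: str) -> None:
        if self.restrict and caller != "kernel":
            raise PermissionError("PCR 23 is reserved for the kernel")

    def extend(self, idx: int, digest: bytes, caller: str) -> bytes:
        self._check(caller)
        self.pcr[idx] = pcr_extend(self.pcr[idx], digest)
        return self.pcr[idx]

    def reset(self, idx: int, caller: str) -> bytes:
        self._check(caller)
        self.pcr[idx] = ZERO
        return self.pcr[idx]


class NvExtendIndex:
    """Model of the NV-index alternative: extend-only storage whose writes
    require an auth value the kernel keeps to itself. There is deliberately
    no reset method; the only way to change the value is a further extend."""

    def __init__(self, auth: bytes):
        self._auth = auth
        self.value = ZERO

    def extend(self, digest: bytes, auth: bytes) -> bytes:
        if not hmac.compare_digest(auth, self._auth):
            raise PermissionError("bad NV auth")
        self.value = pcr_extend(self.value, digest)
        return self.value


def kernel_measurements() -> list:
    """Constructed sample digests standing in for what the kernel extends."""
    return [hashlib.sha256(b"constructed kernel measurement %d" % i).digest()
            for i in range(3)]


def user_can_forge_pcr23(restrict: bool) -> bool:
    """Can user space bring PCR 23 back to the value the kernel produced?
    Unrestricted: disturb the PCR, reset it, replay the kernel's extends."""
    tpm = Tpm(restrict)
    for d in kernel_measurements():
        tpm.extend(Tpm.PCR23, d, caller="kernel")
    kernel_value = tpm.pcr[Tpm.PCR23]
    try:
        tpm.extend(Tpm.PCR23, hashlib.sha256(b"user junk").digest(), caller="user")
        tpm.reset(Tpm.PCR23, caller="user")
        for d in kernel_measurements():
            tpm.extend(Tpm.PCR23, d, caller="user")
    except PermissionError:
        return False
    return tpm.pcr[Tpm.PCR23] == kernel_value


def user_can_modify_nv_index() -> bool:
    """Same attempt against the NV-index design: user space lacks the auth."""
    auth = secrets.token_bytes(32)
    nv = NvExtendIndex(auth)
    for d in kernel_measurements():
        nv.extend(d, auth)
    try:
        nv.extend(hashlib.sha256(b"user junk").digest(), bytes(32))
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("unrestricted PCR 23 forgeable:", user_can_forge_pcr23(restrict=False))
    print("restricted PCR 23 forgeable:  ", user_can_forge_pcr23(restrict=True))
    print("NV index writable by user:    ", user_can_modify_nv_index())
```

The replay in `user_can_forge_pcr23` only needs the digests the kernel extended, which are not secret in a measurement scheme; that is why the patch has to take both extend and reset away from user space rather than just reset. The NV model gets the same protection from the auth value alone, with no reset to defend, but it consumes NV storage and an auth or policy the kernel must guard instead of a PCR.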