Date: Thu, 1 Dec 2022 19:10:29 -0600
From: "Dr. Greg"
To: Casey Schaufler
Cc: James Bottomley, Jarkko Sakkinen, Evan Green, linux-kernel@vger.kernel.org, corbet@lwn.net, linux-integrity@vger.kernel.org, Eric Biggers, gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek, Ben Boeckel, rjw@rjwysocki.net, Kees Cook, dlunev@google.com, zohar@linux.ibm.com, Matthew Garrett, linux-pm@vger.kernel.org, Jason Gunthorpe, Peter Huewe
Subject: Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
Message-ID: <20221202011028.GA25824@wind.enjellic.com>
References: <20221111231636.3748636-1-evgreen@chromium.org> <20221111151451.v5.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid> <8ae56656a461d7b957b93778d716c6161070383a.camel@linux.ibm.com> <53e3d7f9cc50e1fe9cf67e7889c6b5498580e5d9.camel@linux.ibm.com> <20221130202220.GA13122@wind.enjellic.com> <5d4b205a-9a6c-aa6a-0c83-17e9861fecf8@schaufler-ca.com>
In-Reply-To: <5d4b205a-9a6c-aa6a-0c83-17e9861fecf8@schaufler-ca.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Nov 30, 2022 at 01:34:28PM -0800, Casey Schaufler wrote:

Good evening to everyone.

> On 11/30/2022 12:22 PM, Dr. Greg wrote:
> > On Sun, Nov 27, 2022 at 11:41:26AM -0500, James Bottomley wrote:
> >> Of course, if no application is actually using PCR23, then it's
> >> probably OK to use it in the kernel and make it invisible to user
> >> space, but no evidence about this has actually been presented.
> >
> > If there isn't, there will be in the next week or so, if we can
> > stay on schedule. Otherwise, I fear that Casey Schaufler, who I
> > believe is holding his breath, may turn irretrievably blue.... :-)
>
> Sorry to disappoint, but my supply of apoplexy is firmly rooted
> elsewhere for the time being. :-( Also, you overestimate my interest
> in things TPM related.

I was being too clever by half; my comment had nothing to do with your
interest, or lack thereof, in TPMs.... :-)

I had replied to one of the threads where LSM stacking and IMA
integration issues were being discussed and I commented that TSEM may
contribute to those conversations.

You had replied back and said that sending teasers was unfair. I was
suggesting with my comment that you were holding your breath waiting
for the release of TSEM.... :-)

On a related note to this thread, a major component of Quixote/TSEM is
the notion of raising the question and opportunity for shaping what
TPMs should be when they grow up, given the limited resources they
bring to the table, let alone the notion that they are about
retrospective rather than prospective trust.

> I am very interested to see TSEM. I have heard nothing of it to
> date.

Hardly anyone has: a small team, very focused, working in a deep dive
for the last couple of years to bring this forward.

Hopefully it will prove of interest and utility; I don't believe there
is a reference in the literature to an equivalent approach.

Have a good evening.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity