From: Matthew Garrett
Date: Tue, 3 Jan 2023 12:42:19 -0800
Subject: Re: [PATCH v5 03/11] tpm: Allow PCR 23 to be restricted to kernel-only use
To: jejb@linux.ibm.com
Cc: Evan Green, linux-kernel@vger.kernel.org, corbet@lwn.net, linux-integrity@vger.kernel.org, Eric Biggers, gwendal@chromium.org, dianders@chromium.org, apronin@chromium.org, Pavel Machek, Ben Boeckel, rjw@rjwysocki.net, Kees Cook, dlunev@google.com, zohar@linux.ibm.com, jarkko@kernel.org, linux-pm@vger.kernel.org, Matthew Garrett, Jason Gunthorpe, Peter Huewe
In-Reply-To: <8ae56656a461d7b957b93778d716c6161070383a.camel@linux.ibm.com>
References: <20221111231636.3748636-1-evgreen@chromium.org> <20221111151451.v5.3.I9ded8c8caad27403e9284dfc78ad6cbd845bc98d@changeid> <8ae56656a461d7b957b93778d716c6161070383a.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 14, 2022 at 9:11 AM James Bottomley wrote:
>
> On Fri, 2022-11-11 at 15:16 -0800, Evan Green wrote:
> > Introduce a new Kconfig, TCG_TPM_RESTRICT_PCR, which if enabled
> > restricts usermode's ability to extend or reset PCR 23.
>
> Could I re-ask the question here that I asked of Matthew's patch set:
>
> https://lore.kernel.org/all/b0c4980c8fad14115daa3040979c52f07f7fbe2c.camel@linux.ibm.com/
>
> Which was: could we use an NVRAM index in the TPM instead of a PCR? The
> reason for asking was that PCRs are rather precious and might get more
> so now that Lennart has some grand scheme for using more of them in his
> unified boot project. Matthew promised to play with the idea but never
> got back to the patch set to say whether he investigated this or not.

Is there any way to get key creation data to include NV indexes? If not,
no, we can't use NVRAM.
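Added illustration of why the exchange above turns on key creation data (example code written for this page; it is not from the patch series, the kernel, or either author). In TPM 2.0 the creation data recorded when a key is created carries a PCR selection and a digest of the selected PCR values, and has no field for NV index contents, so a verifier can only prove "this key was created while PCR 23 held a kernel-chosen value". That proof holds only if user space can neither extend nor reset the PCR into the same state, which is what TCG_TPM_RESTRICT_PCR enforces. The simulation below models one SHA-256 PCR bank; the kernel marker value, the "cap" extend after key creation, and all function names are assumptions made for the demo.

```python
import hashlib

# Constructed model of a single SHA-256 PCR bank. Values and names are
# assumptions for this demo, not kernel or tpm2-tools code.
NUM_PCRS = 24
RESTRICTED_PCR = 23
ZERO = bytes(32)
KERNEL_MARKER = b"hypothetical kernel-only marker"  # assumed, constructed value


def fresh_bank() -> list:
    """All PCRs start at zero, as after a TPM reset."""
    return [ZERO] * NUM_PCRS


def pcr_extend(bank: list, index: int, data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR[i] = H(PCR[i] || H(data)).
    The operation is one-way: further extends never return an earlier value."""
    digest = hashlib.sha256(data).digest()
    bank[index] = hashlib.sha256(bank[index] + digest).digest()
    return bank[index]


def pcr_reset(bank: list, index: int) -> None:
    """TPM2_PCR_Reset semantics for a resettable PCR such as PCR 23."""
    bank[index] = ZERO


def creation_pcr_digest(bank: list, selection: list) -> bytes:
    """The pcrDigest carried in TPM 2.0 creation data: a hash over the selected
    PCR values in index order. Only PCRs are covered; NV index contents are not
    part of creation data at all, which is the point of Matthew's question."""
    h = hashlib.sha256()
    for i in sorted(selection):
        h.update(bank[i])
    return h.digest()


def kernel_create_key(bank: list) -> bytes:
    """Modelled kernel flow: extend PCR 23 with the marker, create a key whose
    creation data binds that PCR value, then extend again ("cap") so the
    creation-time state no longer exists. Returns the bound creation digest."""
    pcr_extend(bank, RESTRICTED_PCR, KERNEL_MARKER)
    digest = creation_pcr_digest(bank, [RESTRICTED_PCR])
    pcr_extend(bank, RESTRICTED_PCR, b"kernel done")  # assumed cap value
    return digest


def expected_kernel_digest() -> bytes:
    """What a verifier expects: PCR 23 after exactly one extend of the marker
    from the reset value, and nothing else."""
    bank = fresh_bank()
    pcr_extend(bank, RESTRICTED_PCR, KERNEL_MARKER)
    return creation_pcr_digest(bank, [RESTRICTED_PCR])


def reproduce_by_extend_only(bank: list, target: bytes, tries: int = 64) -> bool:
    """A caller who can only extend (no reset) after the kernel has capped the
    PCR: even knowing the marker, no sequence of extends recreates the target."""
    for _ in range(tries):
        pcr_extend(bank, RESTRICTED_PCR, KERNEL_MARKER)
        if creation_pcr_digest(bank, [RESTRICTED_PCR]) == target:
            return True
    return False


def reproduce_by_reset(bank: list, target: bytes) -> bool:
    """A caller who can reset and extend trivially recreates the kernel's
    creation-time state, so reset must be restricted as well as extend."""
    pcr_reset(bank, RESTRICTED_PCR)
    pcr_extend(bank, RESTRICTED_PCR, KERNEL_MARKER)
    return creation_pcr_digest(bank, [RESTRICTED_PCR]) == target


if __name__ == "__main__":
    bank = fresh_bank()
    bound = kernel_create_key(bank)
    print("creation digest matches verifier:", bound == expected_kernel_digest())
    print("reproducible with extend only   :", reproduce_by_extend_only(bank, bound))
    print("reproducible with reset+extend  :", reproduce_by_reset(bank, bound))
```

The two `reproduce_*` functions are the reason the Kconfig covers both operations: extend alone cannot walk PCR 23 back to the creation-time value, but a reset followed by a replay of the kernel's marker can, and the creation data would then be indistinguishable from a kernel-created key.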