Subject: Re: [RFC PATCH v2 3/4] tsm: Map RTMRs to TCG TPM PCRs
From: James Bottomley
To: Kuppuswamy Sathyanarayanan, Samuel Ortiz, Dan Williams
Cc: Qinkun Bao, "Yao, Jiewen", "Xing, Cedric", Dionna Amalie Glaze, biao.lu@intel.com, linux-coco@lists.linux.dev, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 02 Feb 2024 07:18:40 +0100
In-Reply-To: <0c396883-6eb7-4ee9-955b-42e365a737cf@linux.intel.com>
References: <20240128212532.2754325-1-sameo@rivosinc.com> <20240128212532.2754325-4-sameo@rivosinc.com> <0c396883-6eb7-4ee9-955b-42e365a737cf@linux.intel.com>

On Sun, 2024-01-28 at 14:44 -0800, Kuppuswamy Sathyanarayanan wrote:
>
> On 1/28/24 1:25 PM, Samuel Ortiz wrote:
> > Many user space and internal kernel subsystems (e.g. the Linux IMA)
> > expect a Root of Trust for Storage (RTS) that allows for extending
> > and reading measurement registers that are compatible with the TCG
> > TPM PCRs layout, e.g. a TPM. In order to allow those components to
> > alternatively use a platform TSM as their RTS, a TVM could map the
> > available RTMRs to one or more TCG TPM PCRs. Once configured, those
> > PCR to RTMR mappings give the kernel TSM layer all the necessary
> > information to be an RTS for e.g. the Linux IMA or any other
> > components that expect a TCG compliant TPM PCRs layout.
>
> Why expose the mapping to user space? IMO, the goal should be
> to let user space applications work without any changes. So we should
> try to hide this conversion in the kernel and let userspace code use
> PCRs as usual.

There's also the question about use case: if we're going to measure into
RTMRs as though they were PCRs, they will need to collect the kernel
measurements as well, which means the mapping will have to be fixed in
early boot when the first TPM measurement is done.

James
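As an added illustration that is not part of this thread or of the patch series under discussion, the following Python model shows what a PCR-to-RTMR mapping implies for an RTMR-backed RTS: PCR indices are translated through a fixed many-to-one table to RTMR indices, each RTMR follows the TCG extend rule (new value = H(old value || digest)), and every extend is logged so a verifier can replay the log against attested register values. The grouping of 24 PCRs onto four RTMRs, the SHA-384 register width, the class and function names (`RtmrBackedRts`, `replay`, `verify`) and the sample digests are assumptions constructed for the example. It also makes concrete the point raised above about fixing the mapping early: once a measurement has landed, the model refuses to change the mapping, because a verifier holding a different table cannot reproduce the registers from the log.

```python
"""Model of an RTMR-backed Root of Trust for Storage (RTS).

Constructed illustration (not code from the tsm patch series): TCG PCR
indices are translated through a fixed many-to-one mapping to RTMR
indices, each RTMR follows the TCG extend rule register := H(register ||
digest), and every extend is appended to an event log so a verifier can
replay it against the attested register values.
"""
import hashlib

# RTMR-style 48-byte SHA-384 registers (assumption for this example).
DIGEST = hashlib.sha384
DIGEST_SIZE = DIGEST().digest_size

# Assumed grouping of the 24 TCG PCRs onto four RTMRs; a plausible shape
# for the illustration, not the mapping from the patch series.
DEFAULT_MAPPING = {}
DEFAULT_MAPPING.update({pcr: 0 for pcr in range(0, 8)})    # firmware-era PCRs
DEFAULT_MAPPING.update({pcr: 1 for pcr in range(8, 10)})   # boot loader / kernel
DEFAULT_MAPPING.update({pcr: 2 for pcr in range(10, 16)})  # IMA uses PCR 10 by default
DEFAULT_MAPPING.update({pcr: 3 for pcr in range(16, 24)})  # everything else


def extend(register: bytes, digest: bytes) -> bytes:
    """TCG extend: the new register value is H(old value || digest)."""
    return DIGEST(register + digest).digest()


class RtmrBackedRts:
    """Kernel-side view: exposes PCR extend/read on top of RTMRs."""

    def __init__(self, mapping=None):
        self.mapping = dict(mapping or DEFAULT_MAPPING)
        self.rtmrs = {i: bytes(DIGEST_SIZE) for i in sorted(set(self.mapping.values()))}
        self.event_log = []   # (pcr, rtmr, digest), in extend order
        self.frozen = False   # set once the first measurement lands

    def set_mapping(self, pcr: int, rtmr: int) -> None:
        """Reconfigure one PCR -> RTMR entry. Refused after the first
        measurement: earlier events would no longer replay to the registers."""
        if self.frozen:
            raise RuntimeError("mapping is fixed once measurements have been taken")
        if rtmr not in self.rtmrs:
            raise ValueError(f"no RTMR {rtmr}")
        self.mapping[pcr] = rtmr

    def pcr_extend(self, pcr: int, digest: bytes) -> bytes:
        if len(digest) != DIGEST_SIZE:
            raise ValueError("digest must match the register hash size")
        rtmr = self.mapping[pcr]          # KeyError for a PCR with no RTMR behind it
        self.frozen = True
        self.rtmrs[rtmr] = extend(self.rtmrs[rtmr], digest)
        self.event_log.append((pcr, rtmr, digest))
        return self.rtmrs[rtmr]

    def pcr_read(self, pcr: int) -> bytes:
        # Every PCR mapped onto the same RTMR reads back the same value.
        return self.rtmrs[self.mapping[pcr]]


def replay(event_log, mapping):
    """Verifier side: recompute the RTMRs from the log and the fixed mapping."""
    rtmrs = {i: bytes(DIGEST_SIZE) for i in set(mapping.values())}
    for pcr, _, digest in event_log:
        rtmr = mapping[pcr]
        rtmrs[rtmr] = extend(rtmrs[rtmr], digest)
    return rtmrs


def verify(attested_rtmrs, event_log, mapping) -> bool:
    """True only if the log replays to exactly the attested register values."""
    return replay(event_log, mapping) == attested_rtmrs


def demo():
    rts = RtmrBackedRts()
    kernel = DIGEST(b"constructed sample: kernel image").digest()
    ima = DIGEST(b"constructed sample: /usr/bin/example").digest()
    rts.pcr_extend(9, kernel)   # boot-time kernel measurement
    rts.pcr_extend(10, ima)     # IMA-style runtime measurement
    replay_ok = verify(rts.rtmrs, rts.event_log, rts.mapping)
    # A verifier holding a different mapping cannot reproduce the registers.
    other = dict(rts.mapping)
    other[10] = 3
    replay_with_other_mapping = verify(rts.rtmrs, rts.event_log, other)
    # Remapping after the fact is refused, so the log stays replayable.
    try:
        rts.set_mapping(10, 3)
        remap_rejected = False
    except RuntimeError:
        remap_rejected = True
    return replay_ok, replay_with_other_mapping, remap_rejected


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Two consequences of the many-to-one table are visible in the model: PCRs that share an RTMR are indistinguishable on read-back, so an IMA policy that relied on per-PCR isolation loses that property, and the replay only succeeds for the verifier that holds the exact mapping the TVM used from its first measurement onward.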