From: Jason Gunthorpe Subject: Re: [PATCH v1.2 3/4] keys: add new trusted key-type Date: Mon, 8 Nov 2010 10:09:37 -0700 Message-ID: <20101108170937.GA31501@obsidianresearch.com> References: <1289230246-3856-1-git-send-email-zohar@linux.vnet.ibm.com> <1289230246-3856-4-git-send-email-zohar@linux.vnet.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@linux-nfs.org, linux-crypto@vger.kernel.org, David Howells , James Morris , David Safford , Rajiv Andrade , Mimi Zohar To: Mimi Zohar Return-path: Received: from quartz.orcorp.ca ([139.142.54.143]:40682 "EHLO quartz.orcorp.ca" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751904Ab0KHRJu (ORCPT ); Mon, 8 Nov 2010 12:09:50 -0500 Content-Disposition: inline In-Reply-To: <1289230246-3856-4-git-send-email-zohar@linux.vnet.ibm.com> Sender: linux-crypto-owner@vger.kernel.org List-ID: On Mon, Nov 08, 2010 at 10:30:45AM -0500, Mimi Zohar wrote: > pcrlock=n extends the designated PCR 'n' with a random value, > so that a key sealed to that PCR may not be unsealed > again until after a reboot. Nice, but this seems very strange to me, since it has nothing to do with the key and could be done easially in userspace? Jason