From: Mimi Z. <zo...@li...> - 2017-04-05 12:25:15
Hi Jarkko,

On Wed, 2017-04-05 at 15:16 +0300, Jarkko Sakkinen wrote:
> On Wed, Mar 29, 2017 at 12:24:48PM +0200, Roberto Sassu wrote:
> > tpm_pcr_extend() was originally designed to extend a TPM 1.2 PCR with
> > a SHA1 digest. With TPM 2.0, multiple hash algorithms can be supported,
> > but, at the moment, only one digest can be passed to the function.
> >
> > Since TCG mandates that all PCR banks must be extended, commit c1f92b4
> > (tpm: enhance TPM 2.0 PCR extend to support multiple banks) filled
> > the gap by padding the SHA1 digest passed to tpm_pcr_extend(), to extend
> > remaining PCR banks.
> >
> > This patch set adds support for providing a digest for each PCR bank.
> >
> > The first patch adds an additional check to tpm2_pcr_extend() to ensure
> > that all digests have been provided (to meet TCG specs).
> >
> > The second patch provides a mechanism for TPM users to convert a TPM
> > algorithm ID to a crypto ID and vice-versa, so that they can calculate
> > the digest of an event data by using the crypto subsystem.
> >
> > The third patch allows TPM users to know which hash algorithms the TPM
> > supports. Since the limit of active banks is fixed (the size of the
> > active_banks array in the tpm_chip structure), the new function
> > tpm_pcr_algorithms() accepts as input a sized array.
> >
> > The fourth patch introduces tpm_pcr_extend_digests(), which accepts
> > as input a sized array of tpm2_digest structures. Each array element
> > contains the algorithm and the digest for a PCR bank.
>
> I don't understand why you are making these changes and why put the
> commit messages in the cover letter and not in the commits where you
> merely have the short summary.

These patches are prereqs for IMA to extend multiple TPM banks directly and include multiple hashes in the IMA measurement list.

Mimi

> With the given information I'm not taking any of this. If we with
> more information these somehow make sense please remove the commit
> messages from the cover letter and write proper one to the commits.
> Just explain in plain English what the heck you are doing...
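
The difference between padding one SHA1 digest across all PCR banks and supplying a digest per bank, as described in the quoted cover letter, can be modelled in a few lines of Python. This is an added example, not code from the patch set or the kernel; the function names, the two-bank layout, the zero-byte padding and the event data are assumptions made for illustration.

```python
import hashlib

# Digest sizes of the PCR banks modelled here (keys are hashlib names).
BANKS = {"sha1": 20, "sha256": 32}

def new_pcrs():
    """All PCR banks start at zero after reset."""
    return {alg: bytes(size) for alg, size in BANKS.items()}

def extend(pcr, alg, digest):
    """TPM extend: PCR_new = H_alg(PCR_old || digest)."""
    if len(digest) != BANKS[alg]:
        raise ValueError(f"{alg} bank needs {BANKS[alg]} bytes, got {len(digest)}")
    return hashlib.new(alg, pcr + digest).digest()

def extend_padded_sha1(pcrs, sha1_digest):
    """Single-digest interface: the SHA1 digest is padded (zeros assumed) per bank."""
    return {alg: extend(pcrs[alg], alg, sha1_digest.ljust(size, b"\0"))
            for alg, size in BANKS.items()}

def extend_digests(pcrs, digests):
    """Per-bank interface: refuse the extend unless every bank gets a digest."""
    missing = set(BANKS) - set(digests)
    if missing:
        raise ValueError(f"no digest for bank(s): {sorted(missing)}")
    return {alg: extend(pcrs[alg], alg, digests[alg]) for alg in BANKS}

def replay(events, alg):
    """Verifier side: recompute one bank from the event data alone."""
    pcr = bytes(BANKS[alg])
    for data in events:
        pcr = extend(pcr, alg, hashlib.new(alg, data).digest())
    return pcr

EVENTS = [b"constructed event 1", b"constructed event 2"]  # constructed sample data

def run(per_bank):
    """Extend every bank for each event, using one of the two interfaces."""
    pcrs = new_pcrs()
    for data in EVENTS:
        if per_bank:
            pcrs = extend_digests(pcrs, {a: hashlib.new(a, data).digest() for a in BANKS})
        else:
            pcrs = extend_padded_sha1(pcrs, hashlib.sha1(data).digest())
    return pcrs

if __name__ == "__main__":
    for mode in (False, True):
        pcrs = run(mode)
        print("per-bank" if mode else "padded", {a: pcrs[a] == replay(EVENTS, a) for a in BANKS})
```

With padding, the SHA256 bank is extended but its value still depends only on SHA1 digests, so a verifier replaying SHA256 digests of the event data cannot reproduce it; with per-bank digests both banks replay correctly.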