On Mon, Sep 07, 2020 at 07:37:42PM +0200, Greg KH wrote: > On Mon, Sep 07, 2020 at 04:21:21PM +0300, Jarkko Sakkinen wrote: > > On Sun, Sep 06, 2020 at 01:32:45PM -0700, James Bottomley wrote: > > > Create sysfs per hash groups with 24 PCR files in them one group, > > > named pcr-<hash>, for each agile hash of the TPM. The files are > > > plugged in to a PCR read function which is TPM version agnostic, so > > > this works also for TPM 1.2 but the hash is only sha1 in that case. > > > > > > Note: the macros used to create the hashes emit spurious checkpatch > > > warnings. Do not try to "fix" them as checkpatch recommends, otherwise > > > they'll break. > > > > > > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> > > > Reviewed-by: Jerry Snitselaar <jsnitsel@xxxxxxxxxx> > > > Tested-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx> > > > > I'm not sure why this should be in sysfs when event log is in > > securityfs. > > > > Also, securityfs does not have to follow sysfs requirements, > > which gives ability to dump all PCRs in a single binary file. > > You can dump all registers in a single binary file in sysfs as well :) Thanks for confirming this. I think sysfs makes more sense. In a production system you have a single TPM, and that's why there is a single global event log coming from the BIOS. That's why securityfs makes sense for the event log. However, PCRs themselves are device local, Linux supports multiple TPM devices, and sometimes for development and testing purposes you might want to do this. /Jarkko
