On Mon, 2020-11-30 at 09:18 +0100, Greg KH wrote: > On Sun, Nov 29, 2020 at 02:30:21PM -0800, James Bottomley wrote: > > Cc to linux-api to get an opinion on two issues. First the background: > > > > We've had a fairly extensive discussion over on linux-integrity and > > iterated to the conclusion that the kernel does need to export TPM 2.0 > > PCR values for use by a variety of userspace integrity programmes > > including early boot. The principle clinching argument seems to be > > that these values are required by non-root systems, but in a default > > Linux set up the packet marshalled communication device: /dev/tpmrm0, > > is by default only usable by root. Historically, TPM 1.2 exported > > these values via sysfs in a single file containing all 24 values: > > > > /sys/class/tpm/tpm0/pcrs > > > > with the format > > > > PCR-00: 7D 29 CB 08 0C 0F C4 16 7A 0E 9A F7 C6 D3 97 CD C1 21 A7 69 > > PCR-01: 9C B6 79 4C E4 4B 62 97 4C AB 55 13 1A 2F 7E AE 09 B3 30 BE > > ... > > As you know, this breaks the "one value per file" for sysfs, so please, > do not add more files that do this. > > > TPM 2.0 adds more complexity: because of it's "agile" format, each TPM > > 2.0 is required to support a set of hashes (of which at least sha1 and > > sha256 are required but quite a few TPM 2.0s have at least two or > > three more) and maintain 24 PCR registers for each supported hash. > > The current patch exports each PCR bank under the directory > > > > /sys/class/tpm/tpm0/pcr-<hash>/<bank> > > > > So the sha256 bank value of PCR 7 can be obtained as > > > > cat /sys/class/tpm/tpm0/pcr-sha256/7 > > 2ED93F199692DC6788EFA6A1FE74514AB9760B2A6CEEAEF6C808C13E4ABB0D42 > > > > And the output is a single non-space separated ascii hex value of the > > hash. > > > > The issues we'd like input on are: > > > > 1. Should this be in sysfs or securityfs? > > If you want to use sysfs, use one value per file please. > > > 2. Should we export the values as one value per file (current patch) > > or as a binary blob of all 24? > > Binary sysfs files are for "pass-through" mode where the kernel is not > parsing/manipulating the data at all. Do these values come straight > from the hardware? If so, sure, use a binary blob. If not, then no, do > not use that in sysfs as sysfs is to be in text format. The data is coming from the hardware, but not the result of a single TPM command. Each TPM bank PCR has to be queried individually. The question is whether the result should be exported separately (via sysfs) or aggregated as a single binary blob (via securityfs). thanks, Mimi
