On Mon, 2020-11-30 at 09:18 +0100, Greg KH wrote: > On Sun, Nov 29, 2020 at 02:30:21PM -0800, James Bottomley wrote: > > Cc to linux-api to get an opinion on two issues. First the > > background: > > > > We've had a fairly extensive discussion over on linux-integrity and > > iterated to the conclusion that the kernel does need to export TPM > > 2.0 PCR values for use by a variety of userspace integrity > > programmes including early boot. The principle clinching argument > > seems to be that these values are required by non-root systems, but > > in a default Linux set up the packet marshalled communication > > device: /dev/tpmrm0, is by default only usable by > > root. Historically, TPM 1.2 exported these values via sysfs in a > > single file containing all 24 values: > > > > /sys/class/tpm/tpm0/pcrs > > > > with the format > > > > PCR-00: 7D 29 CB 08 0C 0F C4 16 7A 0E 9A F7 C6 D3 97 CD C1 21 A7 > > 69 > > PCR-01: 9C B6 79 4C E4 4B 62 97 4C AB 55 13 1A 2F 7E AE 09 B3 30 > > BE > > ... > > As you know, this breaks the "one value per file" for sysfs, so > please, do not add more files that do this. I haven't ... if you read the below you'll see it's now one value per file. > > TPM 2.0 adds more complexity: because of it's "agile" format, each > > TPM 2.0 is required to support a set of hashes (of which at least > > sha1 and sha256 are required but quite a few TPM 2.0s have at least > > two or three more) and maintain 24 PCR registers for each supported > > hash. The current patch exports each PCR bank under the directory > > > > /sys/class/tpm/tpm0/pcr-<hash>/<bank> > > > > So the sha256 bank value of PCR 7 can be obtained as > > > > cat /sys/class/tpm/tpm0/pcr-sha256/7 > > 2ED93F199692DC6788EFA6A1FE74514AB9760B2A6CEEAEF6C808C13E4ABB0D42 > > > > And the output is a single non-space separated ascii hex value of > > the hash. > > > > The issues we'd like input on are: > > > > 1. Should this be in sysfs or securityfs? > > If you want to use sysfs, use one value per file please. It is ... each PCR gives one hash value per PCR and bank. That's what the file above is showing. The hash values are 20 bytes for sha1, 32 bytes for sha256 and so on. > > 2. Should we export the values as one value per file (current > > patch) > > or as a binary blob of all 24? > > Binary sysfs files are for "pass-through" mode where the kernel is > not parsing/manipulating the data at all. Do these values come > straight from the hardware? If so, sure, use a binary blob. If not, > then no, do not use that in sysfs as sysfs is to be in text format. There was a question over whether the hash should be ascii as above (hex representation) so human readable, or the 20/32/whatever binary bytes of the hash. I think we've got that resolved that ascii works. James