On Tue, 2018-02-20 at 08:57 -0500, James Bottomley wrote:
> On Tue, 2018-02-20 at 15:30 +0200, Jarkko Sakkinen wrote:
> > The calls for tpm2_get_pcr_allocation() and tpm2_get_cc_attrs_tbl()
> > could be also moved before the self test.
>
> That's not a good idea for a couple of reasons
>
> 1. You really should do as little as possible with the TPM before the
>    self test

As Alexander correctly pointed out earlier, the section 12.3 Self-Test
Modes of the architecture specification states that "If a command
requires use of an untested algorithm or functional module, the TPM
performs the test and then completes the command actions."

It would mean only running the self test for GetCapability as the first
test if I understand what I'm reading correctly.

> 2. The TPM might not be started before the self test, so it would error
>    all commands with TPM_RC_INITIALIZE anyway (this was the problem
>    with the initial version of the patch set).

Do not see an issue to run Startup beforehand.

> So self test should be the first command we send to the TPM. The only
> reason I was suspicious of tpm_validate_command() is because it can
> manufacture a TPM_RC_COMMAND_CODE return. However, that turned out not
> to be the case (and tpm_validate_command() has a bypass for sending
> everything to the TPM before the attribute table is initialized, so
> it's all working correctly).
>
> James

/Jarkko