On Tue, Nov 20, 2018 at 02:33:45PM -0700, Jason Gunthorpe wrote: > So it really is essential that all steps, including the BIOS use > secure PCR updates, or you may as well not bother in Linux, at least > for security reasons. > > And I think you were on the right track, the TPM should have a > per-boot authorization that flows through all layers of the TPM stack > and guarantees the TPM hasn't been rebooted and with crypto prevents > lost PCR updates. > > But that does require standardization, as we do need the BIOS to > participate. These talks were already started before LSS 2018 on chat session. The idea would be to promote the same approach for BIOS. I see what James is doing a piece, not a full solution but you have to start from somewhere. As an opt-in feature it should be ok. /Jarkko
