On Wed, Aug 19, 2020 at 11:09:43AM -0300, Jason Gunthorpe wrote:
> On Wed, Aug 19, 2020 at 09:27:33AM -0400, Mimi Zohar wrote:
> > On Wed, 2020-08-19 at 09:02 -0300, Jason Gunthorpe wrote:
> > > On Tue, Aug 18, 2020 at 02:55:50PM -0400, Mimi Zohar wrote:
> > >
> > > > The problem is that there isn't just one single userspace library or
> > > > application for reading PCRs. So now not only is there the kernel
> > > > "boot_aggregate" regression testing, but regression testing of the tool
> > > > itself to support multiple methods of reading the PCRs.
> > >
> > > I was thinking just open code
> > > open("/dev/tpm")
> > > write(read_pcrs_cmd)
> > > read(read_pcrs_cmd)
> > >
> > > It isn't particularly hard to retrive the PCRs, don't really need to
> > > depend on a library.
> >
> > Ok, do you want to contribute it to ima-evm-utils? While you're at it,
> > do you also have code to parse the TPM 2.0 event log that you could
> > contribute?
> >
> > Seriously, we shouldn't be (re-)writing code to do this.
>
> The kernel should not be used a dumping ground to work around a
> dysfunctional userspace either. :(
>
> You've basicaly said you can't rely on a sane userspace library
> because *reasons* so we need to dump stuff in the kernel instead.
>
> It is not a good justification to add new uAPI.
>
> James seems to have the same basic conclusion too, unfortunately.
It seems to me the point is that we often want to do these things in
very early and/or stripped-down userspaces.
I'm definately also in favor of having sysfs provide these.
