20c59ce010f8 ("ima: extend boot_aggregate with kernel measurements") added registers 8-9 for TPM 2.0. Documented it in the code, but it should be mentioned in the docs above the function. Signed-off-by: Petr Vorel <pvorel@xxxxxxx> --- Hi, feel free to further change docs (if I wasn't correct). I omit the fact that reg. 8-9 are only for ! sha1 Kind regards, Petr security/integrity/ima/ima_crypto.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 21989fa0c107..56b587fd4f9d 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -796,10 +796,10 @@ static void ima_pcrread(u32 idx, struct tpm_digest *d) } /* - * The boot_aggregate is a cumulative hash over TPM registers 0 - 7. With - * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with - * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks, - * allowing firmware to configure and enable different banks. + * The boot_aggregate is a cumulative hash over TPM registers 0-7 (TPM 1.2) + * or 0-9 (TPM 2.0). With TPM 1.2 the boot_aggregate was based on reading the + * SHA1 PCRs, but with TPM 2.0 hash agility, TPM chips could support multiple + * TPM PCR banks, allowing firmware to configure and enable different banks. * * Knowing which TPM bank is read to calculate the boot_aggregate digest * needs to be conveyed to a verifier. For this reason, use the same -- 2.29.1
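Review bot: the rewritten first sentence of the comment, "registers 0-7 (TPM 1.2) or 0-9 (TPM 2.0)", ties the 0-9 range to the TPM version alone, while the note under the `---` says registers 8-9 are only used for non-SHA1 digests. Someone writing a verifier from this comment could recompute a SHA1 boot_aggregate on a TPM 2.0 system over PCRs 0-9 and get a value that does not match the measurement list. Suggest putting the condition in the comment itself, for example "0-7 (TPM 1.2, or TPM 2.0 with a SHA1 digest) or 0-9 (TPM 2.0 with a non-SHA1 digest)", so the text above the function agrees with the in-code documentation that the commit message refers to.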