On Sat, Feb 20, 2021 at 01:32:51AM +0000, Matthew Garrett wrote:
> When TPMs generate keys, they can also generate some information
> describing the state of the PCRs at creation time. This data can then
> later be certified by the TPM, allowing verification of the PCR values.
> This allows us to determine the state of the system at the time a key
> was generated. Add an additional argument to the trusted key creation
> options, allowing the user to provide the set of PCRs that should have
> their values incorporated into the creation data.
>
> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>

LGTM too.

Something popped into mind: could we make the PCR 23 reservation dynamic instead of a config option? E.g., if user space uses it, then it's dirty and hibernate will fail. I really dislike the static compile-time firewall on it.

/Jarkko