On Thu, Nov 03, 2022 at 11:01:16AM -0700, Evan Green wrote:
> When using encrypted hibernate images, have the TPM create a key for us
> and seal it. By handing back a sealed blob instead of the raw key, we
> prevent usermode from being able to decrypt and tamper with the
> hibernate image on a different machine.
>
> We'll also go through the motions of having PCR23 set to a known value at
> the time of key creation and unsealing. Currently there's nothing that
> enforces the contents of PCR23 as a condition to unseal the key blob,
> that will come in a later change.
>
> Sourced-from: Matthew Garrett <mjg59@xxxxxxxxxx>

I'd say Suggested-by. "Sourced-from:" is not a tag that has ever been used
before. :)

Otherwise, looks good.

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

-- 
Kees Cook