On Mon, Nov 14, 2022 at 12:11:20PM -0500, James Bottomley wrote: > On Fri, 2022-11-11 at 15:16 -0800, Evan Green wrote: > > Introduce a new Kconfig, TCG_TPM_RESTRICT_PCR, which if enabled > > restricts usermode's ability to extend or reset PCR 23. > > Could I re ask the question here that I asked of Matthew's patch set: > > https://lore.kernel.org/all/b0c4980c8fad14115daa3040979c52f07f7fbe2c.camel@xxxxxxxxxxxxx/ > > Which was could we use an NVRAM index in the TPM instead of a PCR? The > reason for asking was that PCRs are rather precious and might get more > so now that Lennart has some grand scheme for using more of them in his > unified boot project. Matthew promised to play with the idea but never > got back to the patch set to say whether he investigated this or not. Even for PCR case it would be better to have it configurable through kernel command-line, including a disabled state, which would the default. This would be backwards compatible, and if designed properly, could more easily extended for NV index later on. BR, Jarkko
