At Linux Plumbers Conference (https://lpc.events) there were several discussions about some of the problems with TPMs in modern laptops, like localities are very useful for key sealing policies (so they could only be unwrapped by the kernel), but most laptops/servers can't use them and also that 24 is too small a number of PCRs. For the former, instead of making the kernel operate in a different locality from the user and using a TPM2_PolicyLocality, we could get the kernel to create a well known NV PIN index with a random authorization only it knew and seal policies to it with TPM2_PolicySecret, so that only the kernel could construct the authorization to satisfy the policy. The PCR problem can be partly solved by using NV Extend indexes, which behave very much like PCRs. The flaw in both the above is that absent the ability to create platform NV indexes (which is impossible in modern firmware because the platform hierarchy gets locked out), anyone possessing the owner password (which is defined to be empty) can delete and recreate the index, causing the authorization to change for NV PIN and resetting the PCR for NV Extend. To mitigate this, we could block out a range of NV indexes to be only accessible with the kernel (say 256 with handles of the form 010f0ffXX - I chose this so as not to be too close to either the beginning or end, but obviously the exact prefix is up for discussion). The kernel would then snoop TPM2_NV_DefineSpace and TPM2_NV_UndefineSpace commands and trap and report an error for any attempt to add or delete an index in this range. We could then get the kernel to create its PIN NV and say 127 NV Extend indexes, which userspace would be able to extend, query and make policies on but not delete. I'm bringing this up for discussion now, in case anyone has a better idea or wants to add nuances (like measuring the creation to a real PCR and adding an event log to measured boot) before I (or someone else) look into coding it up. Regards, James
