On Fri May 24, 2024 at 4:04 PM EEST, James Bottomley wrote: > This is actually a generic policy allowing a range of comparisons > against any value set in the TPM Clock, which includes things like the > reset count, a monotonic millisecond count and the restart count. The > most useful comparison is against the millisecond count for expiring > keys. However, you have to remember that currently Linux doesn't try > to sync the epoch timer with the TPM, so the expiration is actually > measured in how long the TPM itself has been powered on ... the TPM > timer doesn't count while the system is powered down. The millisecond > counter is a u64 quantity found at offset 8 in the timer structure, > and the <= comparision operand is 9, so a policy set to expire after the > TPM has been up for 100 seconds would look like > > 0000016d00000000000f424000080009 These random magic hex numbers confuse and do not bring any clarity. Also, please learn to use multiple paragraph when you write text. > > Where 0x16d is the counter timer policy code and 0xf4240 is 100 000 in > hex. > > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> Skip because enough stuff to address in the head. BR, Jarkko
