[PATCH v9 6/6] tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Fri Feb 1 13:41:51 UTC 2019


On Fri, Feb 01, 2019 at 03:39:49PM +0200, Jarkko Sakkinen wrote:
> On Fri, Feb 01, 2019 at 11:06:41AM +0100, Roberto Sassu wrote:
> > Currently, tpm_pcr_extend() accepts as an input only a SHA1 digest.
> > 
> > This patch replaces the hash parameter of tpm_pcr_extend() with an array of
> > tpm_digest structures, so that the caller can provide a digest for each PCR
> > bank currently allocated in the TPM.
> > 
> > tpm_pcr_extend() will not extend banks for which no digest was provided,
> > as it happened before this patch, but instead it requires that callers
> > provide the full set of digests. Since the number of digests will always be
> > chip->nr_allocated_banks, the count parameter has been removed.
> > 
> > Due to the API change, ima_pcr_extend() and pcrlock() have been modified.
> > Since the number of allocated banks is not known in advance, the memory for
> > the digests must be dynamically allocated. To avoid performance degradation
> > and to avoid that a PCR extend is not done due to lack of memory, the array
> > of tpm_digest structures is allocated by the users of the TPM driver at
> > initialization time.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com>
> Tested-by: Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com>

I tested that this does not break TPM. I'd need someone to check that
this does not break IMA. After that, I'm ready to apply this series.

/Jarkko



More information about the Linux-security-module-archive mailing list