[PATCH v5 05/11] security: keys: trusted: Allow storage of PCR values in creation data
Eric Biggers
ebiggers at kernel.org
Sun Nov 13 22:01:07 UTC 2022
On Fri, Nov 11, 2022 at 03:16:30PM -0800, Evan Green wrote:
> + creationpcrs= hex integer representing the set of PCRs to be
> + included in the creation data. For each bit set, the
> + corresponding PCR will be included in the key creation
> + data. Bit 0 corresponds to PCR0. Currently only the first
> + PC standard 24 PCRs are supported on the currently active
> + bank. Leading zeroes are optional. TPM2 only.
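Review bot: "currently active bank" in the creationpcrs= description is never defined in this text; a TPM 2.0 can have several PCR banks (one per supported hash algorithm) allocated at the same time, so the documentation should state which bank the selection is taken from, or how that bank is chosen, rather than leave the reader to guess. It would also help to state explicitly that the value is a bitmask in which bits 24 and above are not valid, since the sentence "only the first PC standard 24 PCRs are supported" does not say what happens when a higher bit is set.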
What does "currently active bank" mean?
> + /* PCR bitmask */
> + for (i = 0; i < 3; i++) {
> + char tmp = 0;
> +
> + for (j = 0; j < 8; j++) {
> + char bit = (i * 8) + j;
> +
> + if (options->creation_pcrs & (1 << bit))
> + tmp |= (1 << j);
> + }
> + tpm_buf_append_u8(&buf, tmp);
> + }
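Review bot: the nested loop silently discards any bit at or above 24 in options->creation_pcrs, because only bits 0..23 are ever examined, so a caller passing creationpcrs=1000000 (bit 24) gets an empty PCR selection with no error. Reject such values when the option is parsed, or check `options->creation_pcrs >> 24` here and return -EINVAL before appending. The loop itself only copies bits i*8..i*8+7 of creation_pcrs into byte i unchanged, so it reduces to three tpm_buf_append_u8() calls on options->creation_pcrs, options->creation_pcrs >> 8 and options->creation_pcrs >> 16. Minor: `char tmp` and `char bit` should be u8 or unsigned int; char signedness is platform-dependent and `tmp |= (1 << 7)` stores 128 in a type that may be signed.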
Why not just:
tpm_buf_append_u8(&buf, options->creation_pcrs);
tpm_buf_append_u8(&buf, options->creation_pcrs >> 8);
tpm_buf_append_u8(&buf, options->creation_pcrs >> 16);
Also what if bit 24 or above is set? Should an error be returned?
- Eric
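As an added illustration of the two points raised above (not code from the patch or from either participant), the following C model packs a creation_pcrs mask into the 3-byte PCR selection bitmap both ways, the patch's nested loop and the three shift-and-append form, and shows that they produce identical bytes while both silently drop bits 24 and above. The validate-then-pack wrapper is an assumed design, added to show what an explicit error for an out-of-range bit looks like; the function names, the 3-byte constant and the -EINVAL return are this example's own choices, not the kernel's API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>

/* PC-client TPM2 PCR selection bitmap: 3 octets, PCR n at bit n (assumed layout). */
#define PCR_SELECT_BYTES 3
#define MAX_PCRS (PCR_SELECT_BYTES * 8)

/* Same shape as the patch's nested loop: picks out bits 0..23 one at a time. */
static void pack_pcrs_loop(uint32_t creation_pcrs, uint8_t out[PCR_SELECT_BYTES])
{
	for (int i = 0; i < PCR_SELECT_BYTES; i++) {
		uint8_t tmp = 0;

		for (int j = 0; j < 8; j++) {
			unsigned int bit = (unsigned int)i * 8 + (unsigned int)j;

			if (creation_pcrs & (1u << bit))
				tmp |= (uint8_t)(1u << j);
		}
		out[i] = tmp;
	}
}

/* The three shift-and-truncate form suggested in the review. */
static void pack_pcrs_shift(uint32_t creation_pcrs, uint8_t out[PCR_SELECT_BYTES])
{
	out[0] = (uint8_t)creation_pcrs;
	out[1] = (uint8_t)(creation_pcrs >> 8);
	out[2] = (uint8_t)(creation_pcrs >> 16);
}

/*
 * Validate-then-pack (assumed design): returns 0 on success, -EINVAL if any bit
 * at or above MAX_PCRS is set, so an unsupported PCR is rejected rather than
 * silently dropped by the byte truncation.
 */
int pack_creation_pcrs(uint32_t creation_pcrs, uint8_t out[PCR_SELECT_BYTES])
{
	if (creation_pcrs >> MAX_PCRS)
		return -EINVAL;
	pack_pcrs_shift(creation_pcrs, out);
	return 0;
}

/* True when the loop form and the shift form yield the same 3 bytes for a mask. */
bool packings_agree(uint32_t creation_pcrs)
{
	uint8_t a[PCR_SELECT_BYTES], b[PCR_SELECT_BYTES];

	pack_pcrs_loop(creation_pcrs, a);
	pack_pcrs_shift(creation_pcrs, b);
	return memcmp(a, b, PCR_SELECT_BYTES) == 0;
}

/* Byte i of the validated selection, or -1 if the mask is rejected or i is out of range. */
int packed_byte(uint32_t creation_pcrs, size_t i)
{
	uint8_t out[PCR_SELECT_BYTES];

	if (i >= PCR_SELECT_BYTES || pack_creation_pcrs(creation_pcrs, out) < 0)
		return -1;
	return out[i];
}

/* Stand-alone demonstration: PCR0, PCR7, PCR16 and PCR23 selected, then an invalid bit 24. */
int main(void)
{
	uint8_t sel[PCR_SELECT_BYTES];
	uint32_t mask = (1u << 0) | (1u << 7) | (1u << 16) | (1u << 23);

	if (pack_creation_pcrs(mask, sel) != 0 || !packings_agree(mask))
		return 1;
	/* Bit 24 packs to an empty selection either way, but the wrapper refuses it. */
	if (!packings_agree(1u << 24) || pack_creation_pcrs(1u << 24, sel) != -EINVAL)
		return 1;
	return 0;
}
```

The two packings agree on every input, including masks with bits above 23 set, which is exactly why the truncation goes unnoticed: the selection comes out empty rather than failing. The check in pack_creation_pcrs is the piece the patch lacks.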
More information about the Linux-security-module-archive mailing list