On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote: > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index dfdcbd009720..23ded8ea47dc 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -226,16 +226,34 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx, > * @chip: TPM chip to use. > * @pcr_idx: index of the PCR. > * @digests: list of pcr banks and corresponding digest values to extend. > + * @banks_skip_mask: pcr banks to skip > * > * Return: Same as with tpm_transmit_cmd. > */ > int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, > - struct tpm_digest *digests) > + struct tpm_digest *digests, > + unsigned long banks_skip_mask) > { > struct tpm_buf buf; > + unsigned long skip_mask; > + u32 banks_count; > int rc; > int i; > > + banks_count = 0; > + skip_mask = banks_skip_mask; > + for (i = 0; i < chip->nr_allocated_banks; i++) { > + const bool skip_bank = skip_mask & 1; > + > + skip_mask >>= 1; > + if (skip_bank) > + continue; > + banks_count++; > + }
Setting ima_unsupported_pcr_banks_mask used BIT(i). Testing the bit should be as straightforward here and below. The first TPM extend after boot is the boot_aggregate. Afterwards the number of banks being extended should always be the same. Do we really need to recalculate the number of banks needing to be extended each time? > + > + if (banks_count == 0) > + return 0; > + > if (!disable_pcr_integrity) { > rc = tpm2_start_auth_session(chip); > if (rc) > @@ -257,9 +275,16 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, > tpm_buf_append_auth(chip, &buf, 0, NULL, 0); > } > > - tpm_buf_append_u32(&buf, chip->nr_allocated_banks); > + tpm_buf_append_u32(&buf, banks_count); > > + skip_mask = banks_skip_mask; > for (i = 0; i < chip->nr_allocated_banks; i++) { > + const bool skip_bank = skip_mask & 1; > + > + skip_mask >>= 1; > + if (skip_bank) > + continue; > + > tpm_buf_append_u16(&buf, digests[i].alg_id); > tpm_buf_append(&buf, (const unsigned char *)&digests[i].digest, > chip->allocated_banks[i].digest_size);
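Review bot: In the first hunk (@@ -226,16 +226,34 @@), the new early exit `if (banks_count == 0) return 0;` reports success although nothing was sent to the TPM, while the kernel-doc still reads "Return: Same as with tpm_transmit_cmd". A caller cannot tell a PCR that was extended from one where every bank was skipped, so document the all-banks-skipped case in the Return: line or return a distinct value. The added `@banks_skip_mask: pcr banks to skip` line should also say that bit i refers to chip->allocated_banks[i] and digests[i], which is what the counting loop assumes. The loop itself needs neither the mutable `skip_mask` copy nor the shift if it tests `banks_skip_mask & BIT(i)` directly.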
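Review bot: In the second hunk (@@ -257,9 +275,16 @@), the skip decision is a second copy of the shift-and-test loop from the first hunk, and the value passed to `tpm_buf_append_u32(&buf, banks_count)` is only correct while both copies select exactly the same banks. If the two ever diverge, the count field in the command no longer matches the number of digests appended after it. Put the test in one place, for example a small helper or a `banks_skip_mask & BIT(i)` check used by both loops, so the count and the appended alg_id/digest pairs cannot drift apart.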