Mimi Zohar <zo...@linux.ibm.com> writes:

> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> Right now, PCR banks with unsupported hash algorithms are getting
>> invalidated over and over again for each new measurement list entry
>> recorded.
>>
>> A subsequent patch will make IMA invalidate PCR banks associated with
>> unsupported hash algorithms only once at a PCR's first use. To prepare for
>> that, make it track the set of PCRs ever extended.
>>
>> Maintain the set of touched PCRs in an unsigned long bitmask,
>> 'ima_extended_pcrs_mask'.
>>
>> Amend the IMA_INVALID_PCR() #define to check that a given PCR can get
>> represented in that bitmask. Note that this is only for improving code
>> maintainability, it does not actually constrain the set of allowed PCR
>> indices any further.
>>
>> Make ima_pcr_extend() maintain the ima_extended_pcrs_mask, i.e. set
>> the currently extended PCR's corresponding bit.
>>
>> Note that at this point there's no provision to restore the
>> ima_extended_pcrs_mask value after kexecs yet, that will be the subject of
>> later patches.
>>
>> Signed-off-by: Nicolai Stange <nsta...@suse.de>
>
> Hi Nicolai,
>
> IMA extends measurements in the default TPM PCR based on the Kconfig
> CONFIG_IMA_MEASURE_PCR_IDX option. Normally that is set to PCR 10. The IMA
> policy rules may override the default PCR with a per policy rule
> specific PCR.

Yes, that matches my understanding.

> INVALID_PCR() checks the IMA policy rule specified is a valid PCR register.
>
> Is the purpose of this patch to have a single per TPM bank violation or
> multiple violations, one for each PCR used within the TPM bank?

One for each PCR individually, issued when a given PCR is being referenced
for the first time from some IMA event.

Thanks!

Nicolai

--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
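As an added illustration of the bitmask scheme described in the quoted patch description, the following is example code written for this note, not the patch's own: it models IMA_INVALID_PCR(), ima_extended_pcrs_mask and a simulated ima_pcr_extend() that invalidates an unsupported bank only on a PCR's first use. The two-bank table, the invalidation counters and the helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the TPM's bank list: which digest algorithms
 * the kernel can compute. Bank 1 is modelled as "unsupported". */
#define NR_BANKS 2
static const bool bank_supported[NR_BANKS] = { true, false };

/* Model of the proposed bitmask: one bit per PCR index ever extended. */
static unsigned long ima_extended_pcrs_mask;

/* Mirrors the amended IMA_INVALID_PCR(): a PCR index is usable only if it
 * is non-negative and representable as a bit in the unsigned long mask. */
#define IMA_INVALID_PCR(pcr) \
	((pcr) < 0 || (pcr) >= (int)(sizeof(unsigned long) * CHAR_BIT))

/* Per-bank count of invalidations issued (assumed bookkeeping, used to
 * show "once per PCR" rather than "once per measurement entry"). */
static unsigned invalidations[NR_BANKS];

/* Simulated ima_pcr_extend(): records the PCR in the mask and, on that
 * PCR's first use only, invalidates the unsupported banks for it.
 * Returns true if this call was the PCR's first use. */
static bool ima_pcr_extend(int pcr)
{
	bool first_use;
	int i;

	if (IMA_INVALID_PCR(pcr))
		return false;

	first_use = !(ima_extended_pcrs_mask & (1UL << pcr));
	ima_extended_pcrs_mask |= 1UL << pcr;

	if (first_use)
		for (i = 0; i < NR_BANKS; i++)
			if (!bank_supported[i])
				invalidations[i]++;
	return first_use;
}

static unsigned invalidations_for_bank(int bank) { return invalidations[bank]; }
static unsigned long extended_pcrs(void) { return ima_extended_pcrs_mask; }

int main(void)
{
	ima_pcr_extend(10); ima_pcr_extend(10); ima_pcr_extend(11);
	printf("mask=%#lx bank1 invalidated %u time(s)\n",
	       extended_pcrs(), invalidations_for_bank(1));
	return 0;
}
```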