On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
> PCR reads aren't currently authenticated even with
> CONFIG_TCG_TPM2_HMAC=y yet.

The reason being TPM2_PCR_Read can only support an audit session, so it
has even more overhead than the usual HMAC session for something you
don't care about

On Sun, Mar 23, 2025 at 03:09:08PM +0100, Nicolai Stange wrote:
> PCR reads aren't currently authenticated even with CONFIG_TCG_TPM2_HMAC=y
> yet.
>
> It is probably desirable though, as e.g. IMA does some PCR reads to form
> the cumulative boot digest subsequently extended into PCR 10 (an operati

James Bottomley writes:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> PCR reads aren't currently authenticated even with
>> CONFIG_TCG_TPM2_HMAC=y yet.
>
> The reason being TPM2_PCR_Read can only support an audit session, so it
> has even more overhead than the usual HMAC session

PCR reads aren't currently authenticated even with CONFIG_TCG_TPM2_HMAC=y
yet.

It is probably desirable though, as e.g. IMA does some PCR reads to form
the cumulative boot digest subsequently extended into PCR 10 (an operation
which *is* authenticated).
Furthermore, a subsequent patch will make I