Re: [PATCH v2] tpm: Opt-in in disable PCR integrity protection

Mon, 11 Nov 2024 11:54:37 -0800 

On Thu, 2024-11-07 at 08:52 -0500, James Bottomley wrote:
> On Thu, 2024-11-07 at 15:49 +0200, Jarkko Sakkinen wrote:
> > On Thu Nov 7, 2024 at 3:20 PM EET, James Bottomley wrote:
> > > On Thu, 2024-11-07 at 11:51 +0200, Jarkko Sakkinen wrote:
> > > [...]
> > > > +void tpm_buf_append_auth(struct tpm_chip *chip, struct tpm_buf
> > > > *buf,
> > > > +                        u8 attributes, u8 *passphrase, int
> > > > passphrase_len)
> > > > +{
> > > > +       /* offset tells us where the sessions area begins */
> > > > +       int offset = buf->handles * 4 + TPM_HEADER_SIZE;
> > > > +       u32 len = 9 + passphrase_len;
> > > > +
> > > > +       if (tpm_buf_length(buf) != offset) {
> > > > +               /* not the first session so update the existing
> > > > length */
> > > > +               len += get_unaligned_be32(&buf->data[offset]);
> > > > +               put_unaligned_be32(len, &buf->data[offset]);
> > > > +       } else {
> > > > +               tpm_buf_append_u32(buf, len);
> > > > +       }
> > > > +       /* auth handle */
> > > > +       tpm_buf_append_u32(buf, TPM2_RS_PW);
> > > > +       /* nonce */
> > > > +       tpm_buf_append_u16(buf, 0);
> > > > +       /* attributes */
> > > > +       tpm_buf_append_u8(buf, 0);
> > > > +       /* passphrase */
> > > > +       tpm_buf_append_u16(buf, passphrase_len);
> > > > +       tpm_buf_append(buf, passphrase, passphrase_len);
> > > > +}
> > > > +
> > > 
> > > The rest of the code looks fine, but if you're going to extract
> > > this as a separate function instead of doing the open coded struct
> > > tpm2_null_auth that was there originally, you should probably
> > > extract and use the tpm2_buf_append_auth() function in
> > > trusted_tpm2.c
> > 
> > So this was straight up from Mimi's original patch :-)
> 
> Yes, I had the same comment prepped for that too.

But it wasn't sent ...
> 
> > Hmm... was there duplicate use for this in the patch? I'll check
> > this.
> 
> The original open coded the empty auth append with struct
> tpm2_null_auth since it's the only user.  However, since we do have
> another user in trusted keys, it might make sense to consolidate.

Instead of delaying the current patch from being upstreamed, perhaps this change
can be deferred?

thanks,

Mimi

Reply via email to