On Sat, Feb 20, 2021 at 05:09:07AM +0200, Jarkko Sakkinen wrote:

> Something popped into mind: could we make PCR 23 reservation dynamic
> instead of a config option.
>
> E.g. if the user space uses it, then it's dirty and hibernate will
> fail. I really dislike the static compilation time firewall on it.

We can fail hibernation if userland hasn't flagged things, but the concern is that if you hibernate with PCR 23 blocking enabled and then reboot with the blocking disabled, userland can obtain the blob from the hibernation image, extend PCR 23, modify the image and use the key they've recovered to make it look legitimate, enable PCR 23 blocking again and then resume into their own code.