From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: tpm2@lists.01.org, Kenneth Goldman <kgoldman@us.ibm.com>
Cc: "Chris Friesen" <chris.friesen@windriver.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>,
"Qi, Yadong" <yadong.qi@intel.com>,
"Xu, Quan" <quan.xu@intel.com>
Subject: [Qemu-devel] Choosing PCR banks for swtpm's TPM 2
Date: Mon, 25 Jun 2018 11:05:55 -0400 [thread overview]
Message-ID: <aa9ce054-f58c-097d-aee3-8fae769d0840@linux.vnet.ibm.com> (raw)
Hi!
I am sending this email to solicit input on the choice of the PCR
banks to enable for swtpm's TPM 2. I have currently enabled 4 PCR banks
for SHA{1,256,384,512}. The downside of this is that running the TPM 2
with so many PCR banks has a performance impact when the Linux integrity
measurement architecture is used and has to extend measurements into all
PCR banks, which Linux does already.
TPM 2 has the PCR_Allocate() command for a user to select the PCR banks
to use. This command allows to make some PCR banks invisible. The change
has to be done through the firmware and has the downside that the TPM2
does not support TPM2_Shutdown(SU_STATE) after this command was used.
This prevents suspend/resume from working properly. So, it seems that
one shouldn't have to use this command, which in turn means the number
of PCR banks should be small.
Another complication with the swtpm is the upgrade path. Suspended VMs
will expect that the PCR banks that were available before the suspend
will be available after the resume and a possible swtpm upgrade. This in
turn means that the PCR banks should be chosen now and we'll have to
stick with them.
That said, my suggestion would be to enable only PCR banks for SHA256
for 'now' and SHA512 for the future. Having two PCR banks should enable
decent performance. If someone wants to have better performance he will
have to go through the firmware to select the PCR banks at the expense
of loosing suspend/resume support.
The change of PCR banks for the current 4 PCR banks will break the state
of all swtpms.
If you have suggestions, please let me know.
Regards,
Stefan
next reply other threads:[~2018-06-25 15:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-25 15:05 Stefan Berger [this message]
2018-06-25 15:18 ` [Qemu-devel] Choosing PCR banks for swtpm's TPM 2 Dr. David Alan Gilbert
2018-06-25 15:22 ` Stefan Berger
2018-06-25 15:29 ` Dr. David Alan Gilbert
2018-06-25 15:54 ` Stefan Berger
2018-06-25 16:11 ` Dr. David Alan Gilbert
2018-06-25 16:23 ` Stefan Berger
2018-06-25 15:25 ` Daniel P. Berrangé
2018-06-25 15:56 ` Stefan Berger
2018-06-25 15:59 ` Daniel P. Berrangé
2018-06-25 16:08 ` Stefan Berger
2018-06-25 16:10 ` Daniel P. Berrangé
2018-06-25 16:15 ` Stefan Berger
2018-06-25 19:44 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa9ce054-f58c-097d-aee3-8fae769d0840@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=chris.friesen@windriver.com \
--cc=kgoldman@us.ibm.com \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quan.xu@intel.com \
--cc=tpm2@lists.01.org \
--cc=yadong.qi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).