On Mon, Jun 25, 2018 at 11:05:55AM -0400, Stefan Berger wrote:
Hi!
I am sending this email to solicit input on the choice of the PCR banks to
enable for swtpm's TPM 2. I have currently enabled 4 PCR banks for
SHA{1,256,384,512}. The downside of this is that running the TPM 2 with so
many PCR banks has a performance impact when the Linux integrity measurement
architecture is used and has to extend measurements into all PCR banks,
which Linux does already.
TPM 2 has the PCR_Allocate() command for a user to select the PCR banks to
use. This command allows to make some PCR banks invisible. The change has to
be done through the firmware and has the downside that the TPM2 does not
support TPM2_Shutdown(SU_STATE) after this command was used. This prevents
suspend/resume from working properly. So, it seems that one shouldn't have
to use this command, which in turn means the number of PCR banks should be
small.
Another complication with the swtpm is the upgrade path. Suspended VMs will
expect that the PCR banks that were available before the suspend will be
available after the resume and a possible swtpm upgrade. This in turn means
that the PCR banks should be chosen now and we'll have to stick with them.
Anything that has a risk of needing to change between versions would need
to be tied into the machine type in some way.