@@ -796,10 +796,10 @@ static void ima_pcrread(u32 idx, struct tpm_digest *d)
}
/*
- * The boot_aggregate is a cumulative hash over TPM registers 0 - 7. With
- * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
- * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
- * allowing firmware to configure and enable different banks.
+ * The boot_aggregate is a cumulative hash over TPM registers 0-7 (TPM 1.2)
+ * or 0-9 (TPM 2.0). With TPM 1.2 the boot_aggregate was based on reading the
+ * SHA1 PCRs, but with TPM 2.0 hash agility, TPM chips could support multiple
+ * TPM PCR banks, allowing firmware to configure and enable different banks.
*
* Knowing which TPM bank is read to calculate the boot_aggregate digest
* needs to be conveyed to a verifier. For this reason, use the same
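Review bot: the rewritten opening sentence gives the range as "0-9 (TPM 2.0)" with no qualifier, while the submitter's own note says registers 8-9 are only included when the bank is not SHA1. Going by this comment alone, a verifier recomputing the boot_aggregate from the SHA1 bank of a TPM 2.0 chip would hash over the wrong set of registers and fail to match. Suggest stating the condition in the comment itself, for example "0-7 (TPM 1.2, or TPM 2.0 with the SHA1 bank) or 0-9 (TPM 2.0 with any other bank)".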
20c59ce010f8 ("ima: extend boot_aggregate with kernel measurements") added
registers 8-9 for TPM 2.0. Documented it in the code, but it should be
mentioned in the docs above the function.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi,

feel free to further change docs (if I wasn't correct).
I omit the fact that reg. 8-9 are only for ! sha1

Kind regards,
Petr

 security/integrity/ima/ima_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)