Message-ID: <1de8359d-f231-452c-bf5c-9fc01f0ec800@leemhuis.info>
Date: Tue, 10 Sep 2024 14:41:15 +0200
From: "Linux regression tracking (Thorsten Leemhuis)"
 <regressions@...mhuis.info>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
 Linux regressions mailing list <regressions@...ts.linux.dev>,
 Jarkko Sakkinen <jarkko@...nel.org>
Cc: keyrings@...r.kernel.org,
 "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
 LKML <linux-kernel@...r.kernel.org>, Pengyu Ma <mapengyu@...il.com>,
 Roberto Sassu <roberto.sassu@...weicloud.com>
Subject: Re: [regression] significant delays when secureboot is enabled since
 6.10

On 10.09.24 14:22, James Bottomley wrote:
> On Tue, 2024-09-10 at 11:01 +0200, Linux regression tracking (Thorsten
> Leemhuis) wrote:
>>
>> 6519fea6fd372b ("tpm: add hmac checks to tpm2_pcr_extend()") [v6.10-
>> rc1]
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=219229 :
>>
>>> When secureboot is enabled,
>>> the kernel boot time is ~20 seconds after 6.10 kernel.
>>> it's ~7 seconds on 6.8 kernel version.
>>>
>>> When secureboot is disabled,
>>> the boot time is ~7 seconds too.
>>>
>>> Reproduced on both AMD and Intel platform on ThinkPad X1 and T14.
> 
> We always suspected encryption and hmac would add overheads which is
> why it's gated by a config option.  The way to fix this is to set
> 
> CONFIG_TCG_TPM_HMAC to N

FWIW (mainly for others that later find this thread on lore), I'm pretty
sure James meant CONFIG_TCG_TPM2_HMAC.

> of course, TPM transactions are then insecure, but it's the same state
> as you were in before.

Hmmm. But it's on by default on X86_64.

Hmmm. If this would cause serious trouble, I'd say this is a regression
that must be fixed, as we can't expect people to know that they need to
turn this off. But delays during boot? Hmmm. Makes me wonder what Linus'
stance would be here. I suspect it might be "why was this enabled by
default for x86_64 anyway, new features almost always should be off by
default", but might be wrong there. And given that this was introduced
in 6.10 I assume a lot of users already have CONFIG_TCG_TPM2_HMAC=Y in
their .config files anyway. :-/

Hmmm. :-|

Ciao, Thorsten

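An added example, not code from this thread or from the kernel tree: two small checks a reader can run to see whether a machine has the same setup as the bug report above, i.e. a kernel built with the 6.10 option CONFIG_TCG_TPM2_HMAC and UEFI Secure Boot switched on. The function names, the sample files and the default paths (the kernel config location and the efivarfs file for the EFI global SecureBoot variable) are assumptions of this example; the config check also shows that the misspelled name from the quoted reply, CONFIG_TCG_TPM_HMAC, is simply reported as absent.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names, paths and sample data are
# assumptions made for illustration.

# Report how a kernel config sets an option (default: CONFIG_TCG_TPM2_HMAC).
# Prints one of:
#   enabled  - "OPTION=y" present
#   disabled - "# OPTION is not set" or "OPTION=n" present
#   absent   - option not in this config at all, e.g. a kernel older than 6.10
#              or a misspelled name such as CONFIG_TCG_TPM_HMAC
tpm2_hmac_state() {
    _cfg="$1"
    _opt="${2:-CONFIG_TCG_TPM2_HMAC}"
    if grep -q "^${_opt}=y\$" "$_cfg"; then
        echo enabled
    elif grep -q "^# ${_opt} is not set\$" "$_cfg" || grep -q "^${_opt}=n\$" "$_cfg"; then
        echo disabled
    else
        echo absent
    fi
}

# Read the UEFI Secure Boot state from an efivarfs file. Such a file holds
# 4 bytes of variable attributes followed by the data; for SecureBoot the
# data is a single byte, 1 = enabled, 0 = disabled.
# Prints: enabled | disabled | unknown (file unreadable: no EFI, efivarfs not
# mounted, or not root).
secureboot_state() {
    _var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$_var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$_var" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine both: "matches" when the option is built in and Secure Boot is on,
# which is the combination the report says shows the longer boot time.
report_matches() {
    if [ "$(tpm2_hmac_state "$1")" = enabled ] && [ "$(secureboot_state "$2")" = enabled ]; then
        echo matches
    else
        echo "does not match"
    fi
}

# Constructed sample inputs so the checks can be tried without a real machine.
# The 4 attribute bytes of the fake SecureBoot files are arbitrary ("ATTR").
SAMPLES=$(mktemp -d)
printf 'CONFIG_TCG_TPM=y\nCONFIG_TCG_TPM2_HMAC=y\n' > "$SAMPLES/config-6.10"
printf 'CONFIG_TCG_TPM=y\n# CONFIG_TCG_TPM2_HMAC is not set\n' > "$SAMPLES/config-6.10-off"
printf 'CONFIG_TCG_TPM=y\n' > "$SAMPLES/config-6.8"
printf 'ATTR\001' > "$SAMPLES/SecureBoot-on"
printf 'ATTR\000' > "$SAMPLES/SecureBoot-off"

echo "6.10 default config:   $(tpm2_hmac_state "$SAMPLES/config-6.10")"      # enabled
echo "6.10 with option off:  $(tpm2_hmac_state "$SAMPLES/config-6.10-off")"  # disabled
echo "6.8 config:            $(tpm2_hmac_state "$SAMPLES/config-6.8")"       # absent
echo "misspelled option:     $(tpm2_hmac_state "$SAMPLES/config-6.10" CONFIG_TCG_TPM_HMAC)"  # absent
echo "secure boot sample:    $(secureboot_state "$SAMPLES/SecureBoot-on")"   # enabled
echo "matches report:        $(report_matches "$SAMPLES/config-6.10" "$SAMPLES/SecureBoot-on")"  # matches
```

On a live system the intended calls are `tpm2_hmac_state /boot/config-$(uname -r)` (or `zcat /proc/config.gz > /tmp/cfg` first if the distribution ships the config only there) and `secureboot_state` with no argument; reading efivarfs usually requires root.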