lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7586c7e6e6028a734a8cac3d4b1a8504e6cd4b21.camel@HansenPartnership.com>
Date: Sun, 15 Sep 2024 11:00:48 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Jarkko Sakkinen <jarkko@...nel.org>, Roberto Sassu
	 <roberto.sassu@...weicloud.com>, Linux regressions mailing list
	 <regressions@...ts.linux.dev>
Cc: keyrings@...r.kernel.org, "linux-integrity@...r.kernel.org"
	 <linux-integrity@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	Pengyu Ma <mapengyu@...il.com>
Subject: Re: [regression] significant delays when secureboot is enabled
 since 6.10

On Sun, 2024-09-15 at 17:50 +0300, Jarkko Sakkinen wrote:
> On Sun Sep 15, 2024 at 4:59 PM EEST, James Bottomley wrote:
> > On Sun, 2024-09-15 at 13:07 +0300, Jarkko Sakkinen wrote:
> > > On Sun Sep 15, 2024 at 12:43 PM EEST, Jarkko Sakkinen wrote:
> > > > When it comes to boot we should aim for one single
> > > > start_auth_session during boot, i.e. different phases would
> > > > leave that session open so that we don't have to load the
> > > > context every single time.  I think it should be doable.
> > > 
> > > The best possible idea how to improve performance here would be
> > > to transfer the cost from time to space. This can be achieved by
> > > keeping null key permanently in the TPM memory during power
> > > cycle.
> > 
> > No it's not at all.  If you look at it, the NULL key is only used
> > to encrypt the salt for the start session and that's the operating
> > taking a lot of time.  That's why the cleanest mitigation would be
> > to save and restore the session.  Unfortunately the timings you
> > already complain about still show this would be about 10x longer
> > than a no-hmac extend so I'm still waiting to see if IMA people
> > consider that an acceptable tradeoff.
> 
> The bug report does not say anything about IMA issues. Please read
> the bug reports before commenting ;-) I will ignore your comment
> because it is plain misleading information.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=219229

Well, given that the kernel does no measured boot extends after the EFI
boot stub (which isn't session protected) finishes, what's your theory
for the root cause?

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ