Message-Id: <D5FQETQOFXXC.36JDXUU5521P@kernel.org>
Date: Thu, 07 Nov 2024 08:27:32 +0200
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Jarkko Sakkinen" <jarkko@...nel.org>, "Mimi Zohar"
<zohar@...ux.ibm.com>, <linux-integrity@...r.kernel.org>, "Jonathan Corbet"
<corbet@....net>, "Peter Huewe" <peterhuewe@....de>, "Jason Gunthorpe"
<jgg@...pe.ca>, "James Bottomley" <James.Bottomley@...senPartnership.com>
Cc: "Roberto Sassu" <roberto.sassu@...wei.com>, <linux-doc@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] tpm: Opt-in in disable PCR encryption on TPM2 chips
On Thu Nov 7, 2024 at 8:24 AM EET, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 4:48 AM EET, Mimi Zohar wrote:
> > On Thu, 2024-11-07 at 02:51 +0200, Jarkko Sakkinen wrote:
> > > On Thu Nov 7, 2024 at 2:47 AM EET, Jarkko Sakkinen wrote:
> > > > From: Mimi Zohar <zohar@...ux.ibm.com>
> > > >
> > > > The initial encrypted HMAC session feature added TPM bus encryption to
> > > > various in-kernel TPM operations. This can cause performance bottlenecks
> > > > with IMA, as it heavily utilizes PCR extend operations.
> >
> > The patch Subject line and problem description aren't quite right. In the case
> > of TPM pcr_extend, the session isn't being encrypted, only HMAC'ed. According
> > to James, it's the HMAC itself that is causing the performance degradation. I
> > would remove the word "encrypted" throughout.
>
> I have to say I disagree with that. Encryption is the feature we get
> with HMAC and is more understandable for most. HMAC is implementation
> detail.
Sorry my bad. In the case of PCR extend SA_ENCRYPT is not passed.
Well, that underlines my point tbh :-) I cannot know from HMAC
whether it is encrypted or not, can I?
I.e. open for any other word than encrypted or HMAC because other
is wrong and other provides zero information content.
BR, Jarkko