Message-Id: <D5FQETQOFXXC.36JDXUU5521P@kernel.org>
Date: Thu, 07 Nov 2024 08:27:32 +0200
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Jarkko Sakkinen" <jarkko@...nel.org>, "Mimi Zohar"
 <zohar@...ux.ibm.com>, <linux-integrity@...r.kernel.org>, "Jonathan Corbet"
 <corbet@....net>, "Peter Huewe" <peterhuewe@....de>, "Jason Gunthorpe"
 <jgg@...pe.ca>, "James Bottomley" <James.Bottomley@...senPartnership.com>
Cc: "Roberto Sassu" <roberto.sassu@...wei.com>, <linux-doc@...r.kernel.org>,
 <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] tpm: Opt-in in disable PCR encryption on TPM2 chips

On Thu Nov 7, 2024 at 8:24 AM EET, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 4:48 AM EET, Mimi Zohar wrote:
> > On Thu, 2024-11-07 at 02:51 +0200, Jarkko Sakkinen wrote:
> > > On Thu Nov 7, 2024 at 2:47 AM EET, Jarkko Sakkinen wrote:
> > > > From: Mimi Zohar <zohar@...ux.ibm.com>
> > > > 
> > > > The initial encrypted HMAC session feature added TPM bus encryption to
> > > > various in-kernel TPM operations. This can cause performance bottlenecks
> > > > with IMA, as it heavily utilizes PCR extend operations.
> >
> > The patch Subject line and problem description aren't quite right.  In the case
> > of TPM pcr_extend, the session isn't being encrypted, only HMAC'ed.  According
> > to James, it's the HMAC itself that is causing the performance degradation. I
> > would remove the word "encrypted" throughout.
>
> I have to say I disagree with that. Encryption is the feature we get
> with HMAC and is more understandable for most. HMAC is implementation
> detail.

Sorry my bad. In the case of PCR extend SA_ENCRYPT is not passed.

Well, that underlines my point tbh :-) I cannot know from HMAC
whether it is encrypted or not, can I?

I.e. open for any other word than encrypted or HMAC because other
is wrong and other provides zero information content.

BR, Jarkko
