Re: [PATCH] tpm: Opt-in in disable PCR encryption on TPM2 chips

On Thu Nov 7, 2024 at 8:24 AM EET, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 4:48 AM EET, Mimi Zohar wrote:
> > On Thu, 2024-11-07 at 02:51 +0200, Jarkko Sakkinen wrote:
> > > On Thu Nov 7, 2024 at 2:47 AM EET, Jarkko Sakkinen wrote:
> > > > From: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > > > 
> > > > The initial encrypted HMAC session feature added TPM bus encryption to
> > > > various in-kernel TPM operations. This can cause performance bottlenecks
> > > > with IMA, as it heavily utilizes PCR extend operations.
> >
> > The patch Subject line and problem description aren't quite right.  In the case
> > of TPM pcr_extend, the session isn't being encrypted, only HMAC'ed.  According
> > to James, it's the HMAC itself that is causing the performance degradation. I
> > would remove the word "encrypted" throughout.
>
> I have to say I disagree with that. Encryption is the feature we get
> with HMAC and is more understandable for most. HMAC is implementation
> detail.

Sorry my bad. In the case of PCR extend SA_ENCRYPT is not passed.

Well, that underlines my point tbh :-) I cannot know from HMAC
whether it is encrypted or not, can I?

I.e. open for any other word than encrypted or HMAC because other
is wrong and other provides zero information content.

BR, Jarkko




