On Thu, 2024-11-07 at 11:51 +0200, Jarkko Sakkinen wrote: > The initial HMAC session feature added TPM bus encryption and/or integrity > protection to various in-kernel TPM operations. This can cause performance > bottlenecks with IMA, as it heavily utilizes PCR extend operations. > > In order to mitigate this performance issue, introduce a kernel > command-line parameter to the TPM driver for disabling the integrity > protection for PCR extension. > > Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> > Link: https://lore.kernel.org/linux-integrity/20241015193916.59964-1-zohar@xxxxxxxxxxxxx/ > Fixes: 6519fea6fd37 ("tpm: add hmac checks to tpm2_pcr_extend()") > Co-developed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Co-developed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > --- > v2: > - Move tpm_buf_append_handle() to the correct file, remove spurious > parameter (name), include error on TPM2B and add documentation. > Keep the declaration in linux/tpm.h despite not exported as it > is easiest to maintain tpm_buf_* in a single header. > - Rename kernel command-line option as "disable_pcr_integrity_protection", > as Mimi pointed out it does not carry SA_ENCRYPT flag. > v1: > - Derived from the earlier RFC patch with a different parameter scope, > cleaner commit message and some other tweaks. I decided to create > something because I did not noticed any progress. Note only compile > tested as I wanted to get something quickly out. > --- > .../admin-guide/kernel-parameters.txt | 10 ++++ > drivers/char/tpm/tpm-buf.c | 20 ++++++++ > drivers/char/tpm/tpm2-cmd.c | 30 ++++++++--- > drivers/char/tpm/tpm2-sessions.c | 51 ++++++++++--------- > include/linux/tpm.h | 3 ++ > 5 files changed, 83 insertions(+), 31 deletions(-) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 1518343bbe22..9fc406b20a74 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -6727,6 +6727,16 @@ > torture.verbose_sleep_duration= [KNL] > Duration of each verbose-printk() sleep in jiffies. > > + tpm.disable_pcr_integrity_protection= [HW,TPM] > + Do not protect PCR registers from unintended physical > + access, or interposers in the bus by the means of > + having an encrypted and integrity protected session "encrypted" isn't needed here. > + wrapped around TPM2_PCR_Extend command. Consider this > + in a situation where TPM is heavily utilized by > + IMA, thus protection causing a major performance hit, > + and the space where machines are deployed is by other > + means guarded. > + > tpm_suspend_pcr=[HW,TPM] > Format: integer pcr id > Specify that at suspend time, the tpm driver > diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c > index cad0048bcc3c..e49a19fea3bd 100644 > --- a/drivers/char/tpm/tpm-buf.c > +++ b/drivers/char/tpm/tpm-buf.c > @@ -146,6 +146,26 @@ void tpm_buf_append_u32(struct tpm_buf *buf, const u32 value) > } > EXPORT_SYMBOL_GPL(tpm_buf_append_u32); > > +/** > + * tpm_buf_append_handle() - Add a handle > + * @chip: &tpm_chip instance > + * @buf: &tpm_buf instance > + * @handle: a TPM object handle > + * > + * Add a handle to the buffer, and increase the count tracking the number of > + * handles in the command buffer. Works only for command buffers. > + */ > +void tpm_buf_append_handle(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle) > +{ > + if (buf->flags & TPM_BUF_TPM2B) { > + dev_err(&chip->dev, "Invalid buffer type (TPM2B)\n"); > + return; > + } > + > + tpm_buf_append_u32(buf, handle); > + buf->handles++; > +} > + > /** > * tpm_buf_read() - Read from a TPM buffer > * @buf: &tpm_buf instance > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index 1e856259219e..cc443bcf15e8 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c > @@ -14,6 +14,10 @@ > #include "tpm.h" > #include <crypto/hash_info.h> > > +static bool disable_pcr_integrity_protection; > +module_param(disable_pcr_integrity_protection, bool, 0444); > +MODULE_PARM_DESC(disable_pcr_integrity_protection, "Disable TPM2_PCR_Extend encryption"); I like the name 'disable_pcr_integrity_protection. However, the name and description doesn't match. Replace 'encryption' with 'integrity protection'. > + > static struct tpm2_hash tpm2_hash_map[] = { > {HASH_ALGO_SHA1, TPM_ALG_SHA1}, > {HASH_ALGO_SHA256, TPM_ALG_SHA256}, > @@ -232,18 +236,26 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, > int rc; > int i; > > - rc = tpm2_start_auth_session(chip); > - if (rc) > - return rc; > + if (!disable_pcr_integrity_protection) { > + rc = tpm2_start_auth_session(chip); > + if (rc) > + return rc; > + } > > rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND); > if (rc) { > - tpm2_end_auth_session(chip); > + if (!disable_pcr_integrity_protection) > + tpm2_end_auth_session(chip); > return rc; > } > > - tpm_buf_append_name(chip, &buf, pcr_idx, NULL); > - tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); > + if (!disable_pcr_integrity_protection) { > + tpm_buf_append_name(chip, &buf, pcr_idx); tpm_buf_append_name() parameters didn't change. Don't remove the 'name' field here. > + tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); > + } else { > + tpm_buf_append_handle(chip, &buf, pcr_idx); Or here. > + tpm_buf_append_auth(chip, &buf, 0, NULL, 0); > + } > > tpm_buf_append_u32(&buf, chip->nr_allocated_banks); > > Mimi