On Mon, 2023-12-04 at 08:59 -0500, Mimi Zohar wrote:
> On Mon, 2023-12-04 at 08:53 -0500, James Bottomley wrote:
> > On Mon, 2023-12-04 at 08:43 -0500, Mimi Zohar wrote:
[...]
> > > Is there a way of not degrading IMA performance without disabling
> > > HMAC encryption/decryption?
> >
> > Well, perhaps we should measure it. My operating assumption, since
> > extend is a simple hash, is that most of the latency of extend is
> > actually in the LPC (or i2c or whatever) bus round trip. To do
> > HMAC, you have to have a session, which adds an extra command and
> > thus doubles the round trip.
>
> Agreed getting some statistics would be beneficial. Instead of
> creating a session for each IMA extend, would it be possible to
> establish a session once and re-use it?

Not really. Sessions are fairly cheap to establish, so there's not much
work the TPM has to do, so context save/restore would still have the
same doubling of the bus round trip. Keeping a session permanently in
the TPM would avoid the second round trip but be visible to all the
users and highly undesirable (would impact the number of sessions they
could create).

James
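The command sequences the thread is comparing, as an added example that is not part of the thread and not the kernel's TPM code: it marshals the actual TPM 2.0 byte streams for a TPM2_PCR_Extend authorized by the password session (one command) and for one authorized by an HMAC session (TPM2_StartAuthSession first, then the extend), and computes the session HMAC. Because the HMAC covers the nonceTPM returned by StartAuthSession, the extend cannot even be built until that first response is back, which is why a fresh session per extend costs a second bus round trip. Assumptions (none from the thread): an unsalted, unbound HMAC session so the session key is empty, a PCR with an empty authValue, SHA-256 throughout, and constructed nonces and a constructed session handle standing in for what a real TPM would return.

```python
"""TPM 2.0 command marshalling: password-session PCR_Extend versus
HMAC-session PCR_Extend, to count bus round trips per measurement.

Added example; not code from the kernel or from the thread's authors.
Assumes an unsalted, unbound HMAC session (empty session key), a PCR
with an empty authValue, and SHA-256 for the session and the digest.
"""
import hashlib
import hmac
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_STARTAUTHSESSION = 0x00000176
TPM_CC_PCR_EXTEND = 0x00000182
TPM_RS_PW = 0x40000009          # the built-in password session handle
TPM_RH_NULL = 0x40000007
TPM_SE_HMAC = 0x00
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
ATTR_CONTINUE_SESSION = 0x01


def tpm2b(data: bytes) -> bytes:
    """TPM2B_*: 2-byte big-endian size prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def command(tag: int, code: int, body: bytes) -> bytes:
    """Prepend the 10-byte header; commandSize covers the whole command."""
    return struct.pack(">HII", tag, 10 + len(body), code) + body


def pcr_extend_params(digest: bytes) -> bytes:
    """TPML_DIGEST_VALUES holding one TPMT_HA: count, hashAlg, digest."""
    return struct.pack(">IH", 1, TPM_ALG_SHA256) + digest


def pcr_extend_pw(pcr: int, digest: bytes) -> bytes:
    """Extend via the password session: one command, empty authValue."""
    auth = struct.pack(">I", TPM_RS_PW) + tpm2b(b"") + bytes([0]) + tpm2b(b"")
    body = struct.pack(">II", pcr, len(auth)) + auth + pcr_extend_params(digest)
    return command(TPM_ST_SESSIONS, TPM_CC_PCR_EXTEND, body)


def start_auth_session(nonce_caller: bytes) -> bytes:
    """TPM2_StartAuthSession: tpmKey=NULL (unsalted), bind=NULL (unbound)."""
    body = (struct.pack(">II", TPM_RH_NULL, TPM_RH_NULL)
            + tpm2b(nonce_caller)
            + tpm2b(b"")                        # encryptedSalt: none
            + bytes([TPM_SE_HMAC])
            + struct.pack(">H", TPM_ALG_NULL)   # symmetric: no parameter encryption
            + struct.pack(">H", TPM_ALG_SHA256))
    return command(TPM_ST_NO_SESSIONS, TPM_CC_STARTAUTHSESSION, body)


def pcr_extend_hmac(pcr: int, digest: bytes, session_handle: int,
                    nonce_caller: bytes, nonce_tpm: bytes,
                    keep_session: bool = False) -> bytes:
    """Extend authorized by an HMAC session.

    cpHash = H(commandCode || Name(pcr) || parameters); a PCR's Name is
    its handle.  HMAC key = sessionKey || authValue, both empty under the
    assumptions above.  The newer nonce is ours, the older one is the
    nonceTPM from the previous response (StartAuthSession the first time).
    """
    params = pcr_extend_params(digest)
    cp_hash = hashlib.sha256(struct.pack(">II", TPM_CC_PCR_EXTEND, pcr) + params).digest()
    attrs = ATTR_CONTINUE_SESSION if keep_session else 0
    mac = hmac.new(b"", cp_hash + nonce_caller + nonce_tpm + bytes([attrs]),
                   hashlib.sha256).digest()
    auth = struct.pack(">I", session_handle) + tpm2b(nonce_caller) + bytes([attrs]) + tpm2b(mac)
    body = struct.pack(">II", pcr, len(auth)) + auth + params
    return command(TPM_ST_SESSIONS, TPM_CC_PCR_EXTEND, body)


def extend_commands(mode: str, pcr: int, digest: bytes,
                    session_handle: int = 0x02000000,       # constructed, not from a TPM
                    nonce_caller: bytes = bytes(range(16)),  # constructed
                    nonce_tpm: bytes = bytes(range(16, 32))) -> list:
    """The commands (one bus round trip each) one measurement costs in each mode."""
    if mode == "password":
        return [pcr_extend_pw(pcr, digest)]
    if mode == "hmac-per-extend":
        # Fresh session every time: StartAuthSession, then the extend with
        # continueSession clear so the TPM flushes the session afterwards.
        return [start_auth_session(nonce_caller),
                pcr_extend_hmac(pcr, digest, session_handle, nonce_caller, nonce_tpm)]
    if mode == "hmac-persistent":
        # Session left loaded in the TPM: one round trip again, but the
        # session slot stays occupied and is visible to every other user.
        return [pcr_extend_hmac(pcr, digest, session_handle, nonce_caller,
                                nonce_tpm, keep_session=True)]
    raise ValueError(mode)


if __name__ == "__main__":
    measurement = hashlib.sha256(b"constructed IMA file digest").digest()
    for mode in ("password", "hmac-per-extend", "hmac-persistent"):
        cmds = extend_commands(mode, 10, measurement)
        print(f"{mode:17s} round trips={len(cmds)} bytes={[len(c) for c in cmds]}")
```

Only the command direction is marshalled; the response path (and the nonceTPM it carries) is modelled by the constructed nonce_tpm argument. A context save/restore scheme, which the thread also rules out, would add TPM2_ContextLoad and TPM2_ContextSave round trips around the extend instead of StartAuthSession.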