On Mon, 2024-09-30 at 23:13 -0400, Mimi Zohar wrote:
> >
> > > just disabling it for IMA or disabling it entirely based on whether
> > > IMA is configured?
> >
> > Since tpm2_pcr_extend() is unused if IMA is disabled, we don't really
> > need to condition on it, we could just remove the HMAC from extends.
>
> Ok, so defining a new Kconfig is unnecessary.

IMA is enabled at boot/runtime, based on loading a policy. Similarly the
TPM HMAC performance impact decision, at least for IMA, needs to be left
with the system owner, not with the person building the kernel.

My suggestion would be to define an IMA boot command line option that
enables TPM HMAC. Without the boot command line option, a warning should
be emitted.

Mimi