On Thu, 2025-03-06 at 15:15 +0000, Jonathan McDowell wrote:
> We're seeing a lot of:
>
> tpm tpm0: auth session is active
>
> messages in our logs. This is emitted (once per boot) by
> tpm2_start_auth_session() if the auth sessions is already active when it
> is called.
>
> Investigating I think this is because tpm2_pcr_extend() calls
> tpm_buf_append_hmac_session() which sets TPM2_SA_CONTINUE_SESSION so
> tpm_buf_check_hmac_response() does not cleanup the auth session, but
> then doesn't call tpm2_end_auth_session().
>
> Looking at tpm2_get_random() it uses TPM2_SA_CONTINUE_SESSION but *also*
> cleans up with tpm2_end_auth_session().
>
> I'd be sending a patch proposing the addition of tpm2_end_auth_session()
> to the end of tpm2_pcr_extend() but I recall a bunch of discussion
> about trying to cache the HMAC session to improve IMA performance, so I
> don't know if perhaps we should be dropping the warning instead?
Hi Jonathan,
That suggestion was nixed. Instead the boot command line option
"tpm.disable_pcr_integrity" was upstreamed to disable the HMAC for TPM extends.
Refer to commit 27184f8905ba ("tpm: Opt-in in disable PCR integrity
protection').
Mimi
>
> (As an aside, I'm not clear dropping the warning is enough, as I can't
> see where the session otherwise gets cleaned up other than by accident
> when the RNG tries to get more randomness.)
>
