On Thu, 2025-03-06 at 13:59 -0500, Mimi Zohar wrote:
> On Thu, 2025-03-06 at 15:15 +0000, Jonathan McDowell wrote:
> > We're seeing a lot of:
> >
> > tpm tpm0: auth session is active
> >
> > messages in our logs. This is emitted (once per boot) by
> > tpm2_start_auth_session() if the auth session is already active
> > when it is called.
> >
> > Investigating, I think this is because tpm2_pcr_extend() calls
> > tpm_buf_append_hmac_session() which sets TPM2_SA_CONTINUE_SESSION
> > so tpm_buf_check_hmac_response() does not clean up the auth session,
> > but then doesn't call tpm2_end_auth_session().
> >
> > Looking at tpm2_get_random() it uses TPM2_SA_CONTINUE_SESSION but
> > *also* cleans up with tpm2_end_auth_session().
> >
> > I'd be sending a patch proposing the addition of
> > tpm2_end_auth_session() to the end of tpm2_pcr_extend() but I
> > recall a bunch of discussion about trying to cache the HMAC session
> > to improve IMA performance, so I don't know if perhaps we should be
> > dropping the warning instead?
>
> Hi Jonathan,
>
> That suggestion was nixed.

Well it's also upstream as

https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df745e25098dcb2f706399c0d06dd8d1bab6b6ec

even though it didn't work out for large numbers of extends.

However, that commit introduced this message on a warn once behaviour,
so it seems to be expected that this gets printed once for some reason.
From a code flow point of view, the lazy session handling seems to be
working correctly, so I think just dropping the warn is correct.

Regards,

James
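
The flow discussed in this thread, as an added userspace C model that is not part of the messages and is not kernel code. The struct, the function names and the `end_after` switch are assumptions made for the model; `end_after` stands in for the tpm2_end_auth_session() call the proposed patch would add.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; names and struct are assumptions, not kernel code. */
#define SA_CONTINUE_SESSION 0x01 /* stand-in for TPM2_SA_CONTINUE_SESSION */
struct chip_model {
    bool auth_active; /* an auth session is currently held */
    int warnings;     /* times the "auth session is active" line was logged */
    int reused;       /* session starts that found one already active */
};

static void start_auth_session(struct chip_model *c) {
    if (c->auth_active) {
        if (c->reused++ == 0) { /* warn once, as the thread describes */
            c->warnings++;
            fprintf(stderr, "tpm tpm0: auth session is active\n");
        }
        return;
    }
    c->auth_active = true;
}

/* The response check tears the session down unless continue-session was set. */
static void check_hmac_response(struct chip_model *c, unsigned attrs) {
    if (!(attrs & SA_CONTINUE_SESSION))
        c->auth_active = false;
}

/* One extend; end_after models the explicit end call the patch would add. */
static void pcr_extend(struct chip_model *c, bool end_after) {
    start_auth_session(c);
    check_hmac_response(c, SA_CONTINUE_SESSION);
    if (end_after)
        c->auth_active = false;
}

static struct chip_model run_extends(int n, bool end_after) {
    struct chip_model c = {0};
    for (int i = 0; i < n; i++)
        pcr_extend(&c, end_after);
    return c;
}

int main(void) {
    struct chip_model lazy = run_extends(5, false), eager = run_extends(5, true);
    printf("no end call:   warnings=%d reused=%d\n", lazy.warnings, lazy.reused);
    printf("with end call: warnings=%d reused=%d\n", eager.warnings, eager.reused);
    return 0;
}
```

Without the end call the message is logged once and every later extend finds the session still held; with it, each extend starts from no session and nothing is logged.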