Re: Unbalanced TPM2 HMAC session calls

On Thu, Mar 06, 2025 at 11:30:01AM -0800, James Bottomley wrote:
> On Thu, 2025-03-06 at 13:59 -0500, Mimi Zohar wrote:
> > On Thu, 2025-03-06 at 15:15 +0000, Jonathan McDowell wrote:
> > > We're seeing a lot of:
> > > 
> > > tpm tpm0: auth session is active
> > > 
> > > messages in our logs. This is emitted (once per boot) by 
> > > tpm2_start_auth_session() if the auth session is already active
> > > when it is called.
> > > 
> > > Investigating, I think this is because tpm2_pcr_extend() calls 
> > > tpm_buf_append_hmac_session() which sets TPM2_SA_CONTINUE_SESSION
> > > so tpm_buf_check_hmac_response() does not clean up the auth session,
> > > but then doesn't call tpm2_end_auth_session().
> > > 
> > > Looking at tpm2_get_random() it uses TPM2_SA_CONTINUE_SESSION but
> > > *also* cleans up with tpm2_end_auth_session().
> > > 
> > > I'd be sending a patch proposing the addition of
> > > tpm2_end_auth_session() to the end of tpm2_pcr_extend() but I
> > > recall a bunch of discussion about trying to cache the HMAC session
> > > to improve IMA performance, so I don't know if perhaps we should be
> > > dropping the warning instead?
> > 
> > Hi Jonathan,
> > 
> > That suggestion was nixed. 
> 
> Well it's also upstream as
> 
> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df745e25098dcb2f706399c0d06dd8d1bab6b6ec
> 
> even though it didn't work out for large numbers of extends.  However,
> that commit introduced this message on a warn once behaviour, so it
> seems to be expected that this gets printed once for some reason.  From
> a code flow point of view, the lazy session handling seems to be
> working correctly, so I think just dropping the warn is correct.

+1

> 
> Regards,
> 
> James

BR, Jarkko
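
The call flow discussed in this thread, as an added user-space model that is not kernel code and not from any participant: it shows why an extend path that sets the continue-session flag without an explicit end trips a warn-once check on the next start, while a path that ends its session does not. All `model_*` names and the flag value are hypothetical stand-ins for the functions named above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy user-space model of the flow in the thread; names are hypothetical. */
#define MODEL_SA_CONTINUE_SESSION 0x01

struct model_chip {
    bool active;    /* an HMAC session is open */
    bool warned;    /* warn-once latch (per boot) */
    int warnings;   /* times the message was emitted */
};

static void model_start_session(struct model_chip *c)
{
    if (c->active && !c->warned) {
        c->warned = true;
        c->warnings++;
        puts("model: auth session is active");
    }
    c->active = true;   /* open a session or keep the lazy one */
}

/* Response check: closes the session only when CONTINUE_SESSION is clear. */
static void model_check_response(struct model_chip *c, unsigned attrs)
{
    if (!(attrs & MODEL_SA_CONTINUE_SESSION))
        c->active = false;
}

/* Extend path as described: flag set, no explicit end afterwards. */
static void model_pcr_extend(struct model_chip *c)
{
    model_start_session(c);
    model_check_response(c, MODEL_SA_CONTINUE_SESSION);
}

/* Random path as described: flag set, then an explicit end. */
static void model_get_random(struct model_chip *c)
{
    model_start_session(c);
    model_check_response(c, MODEL_SA_CONTINUE_SESSION);
    c->active = false;  /* stands in for the explicit end call */
}

int main(void)
{
    struct model_chip c = {0};
    for (int i = 0; i < 3; i++) model_pcr_extend(&c);
    return c.warnings == 1 ? 0 : 1;
}
```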



