On Thu, Mar 06, 2025 at 03:15:39PM +0000, Jonathan McDowell wrote:
> We're seeing a lot of:
>
> tpm tpm0: auth session is active
>
> messages in our logs. This is emitted (once per boot) by
> tpm2_start_auth_session() if the auth session is already active when it
> is called.

It's by design actually:

https://web.git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=df745e25098dc

> Investigating I think this is because tpm2_pcr_extend() calls
> tpm_buf_append_hmac_session() which sets TPM2_SA_CONTINUE_SESSION so
> tpm_buf_check_hmac_response() does not clean up the auth session, but
> then doesn't call tpm2_end_auth_session().
>
> Looking at tpm2_get_random() it uses TPM2_SA_CONTINUE_SESSION but *also*
> cleans up with tpm2_end_auth_session().
>
> I'd be sending a patch proposing the addition of tpm2_end_auth_session()
> to the end of tpm2_pcr_extend() but I recall a bunch of discussion
> about trying to cache the HMAC session to improve IMA performance, so I
> don't know if perhaps we should be dropping the warning instead?
>
> (As an aside, I'm not clear dropping the warning is enough, as I can't
> see where the session otherwise gets cleaned up other than by accident
> when the RNG tries to get more randomness.)

It would be an appropriate action, or relaxing it into pr_debug().

> J.
>
> --
> I've got a trigger inside.

BR, Jarkko