From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
"Roberto Sassu" <roberto.sassu@huaweicloud.com>,
"Linux regressions mailing list" <regressions@lists.linux.dev>
Cc: <keyrings@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"LKML" <linux-kernel@vger.kernel.org>,
"Pengyu Ma" <mapengyu@gmail.com>
Subject: Re: [regression] significant delays when secureboot is enabled since 6.10
Date: Sun, 15 Sep 2024 17:50:40 +0300 [thread overview]
Message-ID: <D46XX6HNU686.50X57ZWI2GUX@kernel.org> (raw)
In-Reply-To: <0b22c2c4b4a998fb44bb08be60a359acb9ecb8da.camel@HansenPartnership.com>
On Sun Sep 15, 2024 at 4:59 PM EEST, James Bottomley wrote:
> On Sun, 2024-09-15 at 13:07 +0300, Jarkko Sakkinen wrote:
> > On Sun Sep 15, 2024 at 12:43 PM EEST, Jarkko Sakkinen wrote:
> > > When it comes to boot we should aim for one single
> > > start_auth_session during boot, i.e. different phases would leave
> > > that session open so that we don't have to load the context every
> > > single time. I think it should be doable.
> >
> > The best possible idea how to improve performance here would be to
> > transfer the cost from time to space. This can be achieved by keeping
> > null key permanently in the TPM memory during power cycle.
>
> No it's not at all. If you look at it, the NULL key is only used to
> encrypt the salt for the start session and that's the operating taking
> a lot of time. That's why the cleanest mitigation would be to save and
> restore the session. Unfortunately the timings you already complain
> about still show this would be about 10x longer than a no-hmac extend
> so I'm still waiting to see if IMA people consider that an acceptable
> tradeoff.
The bug report does not say anything about IMA issues. Please read the
bug reports before commenting ;-) I will ignore your comment because
it is plain misleading information.
https://bugzilla.kernel.org/show_bug.cgi?id=219229
>
> > It would give about 80% increase given Roberto's benchmark to all
> > in-kernel callers. There's no really other possible solution for this
> > to make any major improvements. So after opt-in kernel command line
> > option I might look into this.
> >
> > This is already done locally in tpm2_get_random(), which uses
> > continueSession to keep session open for all calls.
>
> The other problem if the session is context saved, as I already said,
> is that it becomes long lived and requires degapping the session
> manager.
I don't really care what you claim, I care what you code only at most.
Especially when topic shifted like it was now to IMA, which feels to
me like misguided communication tbh.
I don't think a round trip in kernel would qualify in that but there
is more low-hanging fruit too.
One low-hanging fruit improvement in the startup code is the handling
of null key. If it was flushed only on need, which means in practice
access to /dev/tpm0 or /dev/tpmrm0
I'm already working on patch set which adds chip->null_key that will
be flushed on-need basis only. I can measure with qemu how it affects
boot time.
BR, Jarkko
next prev parent reply other threads:[~2024-09-15 14:50 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 9:01 [regression] significant delays when secureboot is enabled since 6.10 Linux regression tracking (Thorsten Leemhuis)
2024-09-10 9:05 ` Roberto Sassu
2024-09-10 12:39 ` Jarkko Sakkinen
2024-09-10 12:48 ` Jarkko Sakkinen
2024-09-10 12:57 ` James Bottomley
2024-09-10 13:28 ` Jarkko Sakkinen
2024-09-11 8:53 ` Roberto Sassu
2024-09-11 12:21 ` James Bottomley
2024-09-12 13:16 ` Jarkko Sakkinen
2024-09-12 13:26 ` James Bottomley
2024-09-12 13:36 ` Roberto Sassu
2024-09-12 14:13 ` James Bottomley
2024-09-12 14:52 ` Roberto Sassu
2024-09-12 14:26 ` Jarkko Sakkinen
2024-09-14 10:42 ` Jarkko Sakkinen
2024-09-14 10:51 ` Jarkko Sakkinen
2024-09-14 10:58 ` Jarkko Sakkinen
2024-09-11 15:14 ` Jarkko Sakkinen
2024-09-12 8:13 ` Roberto Sassu
2024-09-12 14:23 ` Jarkko Sakkinen
2024-09-13 20:50 ` Jarkko Sakkinen
2024-09-13 22:06 ` Jarkko Sakkinen
2024-09-15 9:43 ` Jarkko Sakkinen
2024-09-15 10:07 ` Jarkko Sakkinen
2024-09-15 13:59 ` James Bottomley
2024-09-15 14:50 ` Jarkko Sakkinen [this message]
2024-09-15 14:55 ` Jarkko Sakkinen
2024-09-15 15:00 ` James Bottomley
2024-09-15 16:22 ` Jarkko Sakkinen
2024-09-21 15:40 ` Jarkko Sakkinen
2024-09-22 14:11 ` Jarkko Sakkinen
2024-09-10 12:22 ` James Bottomley
2024-09-10 12:41 ` Linux regression tracking (Thorsten Leemhuis)
2024-09-10 22:40 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D46XX6HNU686.50X57ZWI2GUX@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mapengyu@gmail.com \
--cc=regressions@lists.linux.dev \
--cc=roberto.sassu@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.