From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
"James Bottomley" <James.Bottomley@HansenPartnership.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
<linux-integrity@vger.kernel.org>
Cc: <roberto.sassu@huawei.com>, <mapengyu@gmail.com>,
"Paul Moore" <paul@paul-moore.com>,
<linux-kernel@vger.kernel.org>, <christian@heusel.eu>
Subject: Re: [RFC PATCH] tpm: Allow the TPM2 pcr_extend HMAC capability to be disabled on boot
Date: Thu, 07 Nov 2024 01:42:28 +0200
Message-ID: <D5FHSOW7V440.36E1YDA8Q2698@kernel.org>
In-Reply-To: <D5FHR6UVEH4G.1OE6D5PDU26X5@kernel.org>

On Thu Nov 7, 2024 at 1:40 AM EET, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 1:22 AM EET, Jarkko Sakkinen wrote:
> > > I'm a bit confused here. It's TPM2_PCR_Extend we have the trouble with
> > > (as Mimi says in her email that you quoted), not TPM2_GetRandom.
> > >
> > > The random number generator reseed occurs in a kernel thread that fires
> > > about once a minute, so it doesn't really show up in any of the boot
> > > timings. Plus, even with sessions added, what's there now isn't a
> > > significant overhead even to the running kernel, given it's asynchronous
> > > and called infrequently.
> >
> > Ah, right, then we need the boot flag, and my earlier comments on the
> > parameter apply. I've never used IMA, so I don't actually even know in
> > detail how it is using the TPM.
> >
> > Now that I've done some searching, I see that I mixed this up with the report:
> >
> > https://chaos.social/@gromit/113345582873908273
> >
> > Anyway, concerning this issue and patch, my earlier comments still apply.
>
> Makes me wonder, though, why we then export tpm_get_random() in the first
> place. HWRNG does not need that export, and the code does not have any
> of the mentioned features.

I mean specifically the code for tpm_get_random() and tpm2_get_random().

BR, Jarkko

Thread overview: 15+ messages
2024-10-15 19:39 [RFC PATCH] tpm: Allow the TPM2 pcr_extend HMAC capability to be disabled on boot Mimi Zohar
2024-10-15 21:29 ` Jarkko Sakkinen
2024-10-15 21:46 ` Jarkko Sakkinen
2024-10-19 8:42 ` kernel test robot
2024-11-06 22:26 ` Jarkko Sakkinen
2024-11-06 22:52 ` James Bottomley
2024-11-06 23:22 ` Jarkko Sakkinen
2024-11-06 23:40 ` Jarkko Sakkinen
2024-11-06 23:42 ` Jarkko Sakkinen [this message]
2024-11-06 23:52 ` Mimi Zohar
2024-11-07 0:03 ` Jarkko Sakkinen
2024-11-07 1:07 ` Mimi Zohar
2024-11-07 1:55 ` Jarkko Sakkinen
2024-11-07 3:14 ` Mimi Zohar
2024-11-07 6:32 ` Jarkko Sakkinen