From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "James Bottomley" <James.Bottomley@HansenPartnership.com>,
	"Christoph Anton Mitterer" <calestyo@scientia.org>,
	<linux-integrity@vger.kernel.org>
Subject: Re: regression: kernel log "flooded" with tpm tpm0: A TPM error (2306) occurred attempting to create NULL primary
Date: Thu, 14 Nov 2024 00:34:30 +0200
Message-ID: <D5LEQGJ9X3NF.3K3YVPNE6KQJK@kernel.org>
In-Reply-To: <89542959611252d64572ffad438f48b4f54131f0.camel@HansenPartnership.com>

On Wed Nov 13, 2024 at 8:12 PM EET, James Bottomley wrote:
> > I think we might have to expect the NULL name to change on actual
> > hibernation because unlike suspend to ram it does power off the TPM.
>
> I checked the code: we're coming in on the correct path to renew the
> null seed after hibernation, so it should all work.  The problem seems
> to be that your TPM itself is doing something invalid because the name
> we calculate for the primary key doesn't match what your TPM says it
> should be.  Absent some form of attack or bus integrity problem, that
> shouldn't ever happen, so I'm even more curious to know why it worked
> in 6.11.5 and before and whether current upstream works.
>
> I haven't found it yet, but I think the every 10s signature is because
> the hibernation path is trying to restart the TPM device and won't take
> no for an answer.

My fix returned the behavior to how it was before my earlier fix in this
corner case (i.e. disable TPM). The issue had gone unnoticed before
since it emitted only a single klog entry.

On suspend this has not happened to me, so the obvious deduction is that
hibernate resets the null seed.

Hibernate needs, in addition, a fix to disable bus encryption from the
kernel command-line completely, i.e. tpm.disable_integrity, following the
convention from my earlier fix [1].

Fast-forward, in order to *enable* bus encryption with hibernate, a
feature patch would be needed to specify an NV key on the kernel
command-line. It probably cannot be resolved with a null key, at least
not based on these empirical results... I would not mind being wrong on
this, though.

So to summarize:

1. Fix: tpm.disable_integrity
2. Feature: tpm.integrity_key=<persistent handle>

I've never got hibernate working, even after trying and without even
having a TPM in the configuration, so it is pretty hard to test this beforehand...

[1] https://lore.kernel.org/linux-integrity/20241113184449.477731-1-jarkko@kernel.org/T/#u

BR, Jarkko
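The thread above hinges on the kernel recomputing the NULL primary's name and comparing it with the name the TPM reports. The following is an added illustration, not code from the thread or from the kernel driver: it implements the TPM 2.0 object-name rule (name = nameAlg || H_nameAlg(marshaled TPMT_PUBLIC)) and a check in the style of the driver's null-key comparison. The public area bytes are constructed here for the demonstration; only the type and nameAlg fields in their header follow the real TPMT_PUBLIC layout.

```python
import hashlib
import struct

# TPM_ALG_ID values from TPM 2.0 Part 2 (the ones used here).
TPM_ALG_ECC = 0x0023
TPM_ALG_SHA256 = 0x000B
TPM_ALG_SHA384 = 0x000C

_NAME_HASHES = {TPM_ALG_SHA256: hashlib.sha256, TPM_ALG_SHA384: hashlib.sha384}


def tpm2_object_name(public_area: bytes) -> bytes:
    """Compute a TPM2 object's Name from its marshaled TPMT_PUBLIC.

    TPMT_PUBLIC starts with type (UINT16) and nameAlg (UINT16), both big-endian.
    Name = nameAlg || digest_nameAlg(TPMT_PUBLIC), so every field of the public
    area (including the seed-derived 'unique' point of a primary) feeds the hash.
    """
    if len(public_area) < 4:
        raise ValueError("public area too short to carry type and nameAlg")
    name_alg = struct.unpack(">H", public_area[2:4])[0]
    digest = _NAME_HASHES.get(name_alg)
    if digest is None:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    return struct.pack(">H", name_alg) + digest(public_area).digest()


def null_key_matches(recorded_name: bytes, returned_public: bytes) -> bool:
    """Mirror of the driver's integrity check described in the thread: recompute
    the name from the public area the TPM just returned for the NULL primary and
    compare it with the name recorded when the key was first created. A changed
    null seed (e.g. after a TPM power cycle) changes 'unique' and thus the name."""
    return tpm2_object_name(returned_public) == recorded_name


# Constructed sample: an ECC public area with nameAlg SHA-256 followed by
# placeholder attribute/parameter/unique bytes (not a faithful marshaling).
SAMPLE_PUBLIC = (struct.pack(">HH", TPM_ALG_ECC, TPM_ALG_SHA256)
                 + bytes.fromhex("00030072")          # objectAttributes (constructed)
                 + bytes(28)                          # remaining fields (constructed)
                 + b"\x00\x20" + bytes(range(32)))    # 'unique' coordinate (constructed)

# The same key after a seed change: only the 'unique' field differs.
RESEEDED_PUBLIC = SAMPLE_PUBLIC[:-32] + bytes(range(32, 64))


def demo() -> tuple:
    """Record the name once, then check it against both public areas."""
    recorded = tpm2_object_name(SAMPLE_PUBLIC)
    return recorded, null_key_matches(recorded, SAMPLE_PUBLIC), \
        null_key_matches(recorded, RESEEDED_PUBLIC)
```

Running demo() returns the recorded 34-byte name, True for the unchanged public area and False for the reseeded one, which is the situation the thread describes after hibernation.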
