From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
"James Bottomley" <James.Bottomley@HansenPartnership.com>,
<linux-integrity@vger.kernel.org>
Cc: <roberto.sassu@huawei.com>, <mapengyu@gmail.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"David Howells" <dhowells@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Peter Huewe" <peterhuewe@gmx.de>,
"Jason Gunthorpe" <jgg@ziepe.ca>, <keyrings@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v5 0/5] Lazy flush for the auth session
Date: Tue, 24 Sep 2024 20:26:47 +0300 [thread overview]
Message-ID: <D4EOVMA9YR3W.1X1ARMW6APFPP@kernel.org> (raw)
In-Reply-To: <D4ENT15WZFRI.HA0FFVBWVISI@kernel.org>
On Tue Sep 24, 2024 at 7:36 PM EEST, Jarkko Sakkinen wrote:
> On Tue Sep 24, 2024 at 7:33 PM EEST, James Bottomley wrote:
> > On Tue, 2024-09-24 at 19:29 +0300, Jarkko Sakkinen wrote:
> > > On Tue Sep 24, 2024 at 4:48 PM EEST, James Bottomley wrote:
> > [...]
> > > > Patch 3 is completely unnecessary: the null key is only used to
> > > > salt the session and is not required to be resident while the
> > > > session is used (so can be flushed after session creation)
> > > > therefore keeping it around serves no purpose once the session is
> > > > created and simply clutters up the TPM volatile handle slots. (I
> > > > don't know of a case where we use all the slots in a kernel
> > > > operation, but since we don't need it lets not find out when we get
> > > > one). So I advise dropping patch 3.
> > >
> > > Let's go this through just to check I'm understanding.
> > >
> > > Holding null key had radical effect on boot time: it cut it down by
> > > 5 secons down to 15 seconds:
> > >
> > > https://lore.kernel.org/linux-integrity/CALSz7m1WG7fZ9UuO0URgCZEDG7r_wB4Ev_4mOHJThH_d1Ed1nw@mail.gmail.com/
> > >
> > > Then in subsequent version I implemented lazy auth session and boot
> > > time went down to 9.7 seconds.
> > >
> > > So is the point you're trying to make that since auth session is
> > > already held as long as we can and they flushed in synchronous
> > > point too, I can just as well drop patch 3?
> >
> > Yes, because the null key is only used in session generation which is
> > now lazy, it adds or subtracts nothing from the timings. When you're
> > forced to flush the session, the null key goes too, so you again have
> > to restore it from the context. When you can keep the session you
> > don't need the null key because you're not regenerating it.
>
> Yeah, OK, then we're in sync with this. It's evolutionary cruft.
>
> Just had to check that the logic matches how I projected your earlier
> comment because these are sensitive changes.
I'm definitely going keeep 1/5 and 2/5 as they are still bug fixes.
So they will appear in v6 unchanged and perf fixes (which are not
functional fixes) should not be built on top of broken code.
BR, Jarkko
next prev parent reply other threads:[~2024-09-24 17:26 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-21 12:08 [PATCH v5 0/5] Lazy flush for the auth session Jarkko Sakkinen
2024-09-21 12:08 ` [PATCH v5 1/5] tpm: Return on tpm2_create_null_primary() failure Jarkko Sakkinen
2024-10-03 14:57 ` Stefan Berger
2024-10-07 23:47 ` Jarkko Sakkinen
2024-09-21 12:08 ` [PATCH v5 2/5] tpm: Implement tpm2_load_null() rollback Jarkko Sakkinen
2024-10-03 15:27 ` Stefan Berger
2024-09-21 12:08 ` [PATCH v5 3/5] tpm: flush the null key only when /dev/tpm0 is accessed Jarkko Sakkinen
2024-09-21 12:08 ` [PATCH v5 4/5] tpm: Allocate chip->auth in tpm2_start_auth_session() Jarkko Sakkinen
2024-09-24 13:33 ` James Bottomley
2024-09-24 16:13 ` Jarkko Sakkinen
2024-09-24 18:13 ` Jarkko Sakkinen
2024-09-21 12:08 ` [PATCH v5 5/5] tpm: flush the auth session only when /dev/tpm0 is open Jarkko Sakkinen
2024-09-24 13:43 ` James Bottomley
2024-09-24 16:13 ` Jarkko Sakkinen
2024-09-24 18:07 ` Jarkko Sakkinen
2024-09-24 18:40 ` James Bottomley
2024-09-24 21:35 ` Jarkko Sakkinen
2024-09-24 21:51 ` James Bottomley
2024-09-25 7:42 ` Jarkko Sakkinen
2024-09-25 7:46 ` Jarkko Sakkinen
2024-09-25 7:53 ` Jarkko Sakkinen
2024-09-21 12:36 ` [PATCH v5 0/5] Lazy flush for the auth session Paul Menzel
2024-09-21 13:13 ` Jarkko Sakkinen
2024-09-21 14:38 ` Jarkko Sakkinen
2024-09-22 17:51 ` Jarkko Sakkinen
2024-09-24 13:48 ` James Bottomley
2024-09-24 16:29 ` Jarkko Sakkinen
2024-09-24 16:33 ` James Bottomley
2024-09-24 16:36 ` Jarkko Sakkinen
2024-09-24 17:26 ` Jarkko Sakkinen [this message]
2024-09-24 17:28 ` Jarkko Sakkinen
2024-09-24 18:01 ` Jarkko Sakkinen
2024-10-01 18:10 ` Mimi Zohar
2024-10-07 23:45 ` Jarkko Sakkinen
2024-10-03 15:14 ` Stefan Berger
2024-10-07 23:49 ` Jarkko Sakkinen
2024-10-11 14:06 ` Jarkko Sakkinen
2024-10-11 16:10 ` Roberto Sassu
2024-10-11 16:25 ` Jarkko Sakkinen
2024-10-12 10:56 ` Jarkko Sakkinen
2024-10-14 11:45 ` Mimi Zohar
2024-10-14 12:34 ` Jarkko Sakkinen
2024-10-15 20:08 ` Mimi Zohar
2024-10-15 22:14 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D4EOVMA9YR3W.1X1ARMW6APFPP@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mapengyu@gmail.com \
--cc=paul@paul-moore.com \
--cc=peterhuewe@gmx.de \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).