Re: [PATCH] tpm: Disable TPM2_TCG_HMAC by default

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jonathan McDowell <noodles@earth.li>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: linux-integrity@vger.kernel.org, stable@vger.kernel.or,
	Chris Fenner <cfenn@google.com>, Peter Huewe <peterhuewe@gmx.de>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	David Howells <dhowells@redhat.com>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	open list <linux-kernel@vger.kernel.org>,
	"open list:KEYS/KEYRINGS" <keyrings@vger.kernel.org>,
	"open list:SECURITY SUBSYSTEM"
	<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] tpm: Disable TPM2_TCG_HMAC by default
Date: Thu, 18 Sep 2025 19:56:53 +0100	[thread overview]
Message-ID: <aMxV9fB0E72QQY2G@earth.li> (raw)
In-Reply-To: <20250825203223.629515-1-jarkko@kernel.org>

On Mon, Aug 25, 2025 at 11:32:23PM +0300, Jarkko Sakkinen wrote:
>After reading all the feedback, right now disabling the TPM2_TCG_HMAC
>is the right call.
>
>Other views discussed:
>
>A. Having a kernel command-line parameter or refining the feature
>   otherwise. This goes to the area of improvements.  E.g., one
>   example is my own idea where the null key specific code would be
>   replaced with a persistent handle parameter (which can be
>   *unambigously* defined as part of attestation process when
>   done correctly).
>
>B. Removing the code. I don't buy this because that is same as saying
>   that HMAC encryption cannot work at all (if really nitpicking) in
>   any form. Also I disagree on the view that the feature could not
>   be refined to something more reasoable.
>
>Also, both A and B are worst options in terms of backporting.
>
>Thus, this is the best possible choice.

I think this is reasonable; it's adding runtime overhead and not adding 
enough benefit to be the default upstream.

Reviewed-By: Jonathan McDowell <noodles@earth.li>

>Cc: stable@vger.kernel.or # v6.10+
>Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
>Suggested-by: Chris Fenner <cfenn@google.com>
>Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
>---
>PS. I did not post this last week because that would have been most
>likely the most counter-productive action to taken. It's better
>sometimes to take a bit of time to think (which can be seen that
>I've given also more reasonable weight to my own eaerlier
>proposals).
>
>I also accept further changes, if there is e.g., inconsistency
>with TCG_TPM_HMAC setting or similar (obviously).
>---
> drivers/char/tpm/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
>index dddd702b2454..3e4684f6b4af 100644
>--- a/drivers/char/tpm/Kconfig
>+++ b/drivers/char/tpm/Kconfig
>@@ -29,7 +29,7 @@ if TCG_TPM
>
> config TCG_TPM2_HMAC
> 	bool "Use HMAC and encrypted transactions on the TPM bus"
>-	default X86_64
>+	default n
> 	select CRYPTO_ECDH
> 	select CRYPTO_LIB_AESCFB
> 	select CRYPTO_LIB_SHA256
>-- 
>2.39.5

J.

-- 
] https://www.earth.li/~noodles/ []  Is this real - that's the first   [
]  PGP/GPG Key @ the.earth.li    []    thing I think every morning.    [
] via keyserver, web or email.   []                                    [
] RSA: 4096/0x94FA372B2DA8B985   []                                    [

next prev parent reply	other threads:[~2025-09-18 18:57 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-25 20:32 [PATCH] tpm: Disable TPM2_TCG_HMAC by default Jarkko Sakkinen
2025-09-18 18:56 ` Jonathan McDowell [this message]
2025-09-18 19:12   ` Jarkko Sakkinen
2025-09-18 19:50     ` Chris Fenner
2025-09-18 20:52       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aMxV9fB0E72QQY2G@earth.li \
    --to=noodles@earth.li \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=cfenn@google.com \
    --cc=dhowells@redhat.com \
    --cc=jarkko@kernel.org \
    --cc=jgg@ziepe.ca \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=peterhuewe@gmx.de \
    --cc=serge@hallyn.com \
    --cc=stable@vger.kernel.or \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).