Date: Tue, 21 May 2024 16:00:00 +0300
Subject: Re: [PATCH 1/3] tpm: Disable TCG_TPM2_HMAC by default
From: "Jarkko Sakkinen"
To: "James Bottomley", "Vitor Soares"
Cc: "Peter Huewe", "Jason Gunthorpe", "Mimi Zohar", "David Howells", "Paul Moore", "James Morris", "Serge E. Hallyn"
References: <20240519235122.3380-1-jarkko@kernel.org> <20240519235122.3380-2-jarkko@kernel.org> <850862655008f84ef0b6ecd99750e8dc395304d1.camel@gmail.com> <17dc838120b56ce342c34611596c7b46dcd9ab5a.camel@HansenPartnership.com>
In-Reply-To: <17dc838120b56ce342c34611596c7b46dcd9ab5a.camel@HansenPartnership.com>

On Tue May 21, 2024 at 3:33 PM EEST, James Bottomley wrote:
> On Tue, 2024-05-21 at 10:10 +0300, Jarkko Sakkinen wrote:
> > This benchmark could be done in user space using /dev/tpm0.
>
> Let's actually try that. If you have the ibmtss installed, the command
> to time primary key generation from userspace on your tpm is
>
> time tsscreateprimary -hi n -ecc nistp256
>
>
> And just for chuckles and grins, try it in the owner hierarchy as well
> (sometimes slow TPMs cache this)
>
> time tsscreateprimary -hi o -ecc nistp256
>
> And if you have tpm2 tools, the above commands should be:
>
> time tpm2_createprimary -C n -G ecc256
> time tpm2_createprimary -C o -G ecc256

Thanks, I definitely want to try these in my NUC7. I can try both stacks
and it is a pretty good test machine because it is old'ish and slow ;-)

I'm also thinking differently than when I put out this pull request. I
honestly think that it must be a weird use case to use TPM with a machine
that dies with a HMAC pipe. It makes no sense to me and I think we
should focus on common sense here.

I could imagine one use case: pre-production hardware that is not yet
in ASIC. But in that case you would probably build your kernel picking
exactly the right options. I mean it is only a default after all.

I think we could add this:

	default X86 || ARM64

This pretty much covers the spectrum where HMAC does make sense by default.
We can always relax it but this does not really take away the legit user
base from the feature.

It would be a huge bottleneck to make HMAC also opt-in because the stuff
it adds makes a lot of sense when built on top. E.g. the asymmetric key
patch set that I sent within early week was made possible by all this
great work that you've done.

So yeah, I'd like to send the above Kconfig changes, but that is all I
want to do at this point.

> James

BR, Jarkko