Date: Mon, 27 May 2024 22:53:53 +0300
From: "Jarkko Sakkinen"
To: "James Bottomley", "Vitor Soares"
Cc: "Peter Huewe", "Jason Gunthorpe", "Mimi Zohar", "David Howells", "Paul Moore", "James Morris", "Serge E. Hallyn"
Subject: Re: [PATCH 1/3] tpm: Disable TCG_TPM2_HMAC by default
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240519235122.3380-1-jarkko@kernel.org> <20240519235122.3380-2-jarkko@kernel.org> <850862655008f84ef0b6ecd99750e8dc395304d1.camel@gmail.com> <17dc838120b56ce342c34611596c7b46dcd9ab5a.camel@HansenPartnership.com> <2dd8d49516ec9c7cb8c1182b5b8537b1e82d7067.camel@gmail.com> <17a5dcd7aceb356587ef7c8f45b0f6359b2d2a91.camel@HansenPartnership.com> <0c12c9ea10aa97e246230fc33e6b35c571102b48.camel@gmail.com> <3e4bbd0f0fe9f57fd7555a3775e8d71031c0d6c5.camel@gmail.com>

On Mon May 27, 2024 at 8:57 PM EEST, James Bottomley wrote:
> On Mon, 2024-05-27 at 18:34 +0300, Jarkko Sakkinen wrote:
> > On Mon May 27, 2024 at 6:12 PM EEST, Jarkko Sakkinen wrote:
> > > On Mon May 27, 2024 at 6:01 PM EEST, Jarkko Sakkinen wrote:
> > > > On Mon May 27, 2024 at 5:51 PM EEST, Jarkko Sakkinen wrote:
> > > > > On Thu May 23, 2024 at 10:59 AM EEST, Vitor Soares wrote:
> > > > > > On Wed, 2024-05-22 at 19:11 +0300, Jarkko Sakkinen wrote:
> > > > > > > On Wed May 22, 2024 at 5:58 PM EEST, Vitor Soares wrote:
> > > > > > > > I did run with ftrace, but need some more time to go
> > > > > > > > through it.
> > > > > > > >
> > > > > > > > Here are the steps I did:
> > > > > > > > kernel config:
> > > > > > > >   CONFIG_FUNCTION_TRACER
> > > > > > > >   CONFIG_FUNCTION_GRAPH_TRACER
> > > > > > > >
> > > > > > > > ftrace:
> > > > > > > >   # set filters
> > > > > > > >   echo tpm* > set_ftrace_filter
> > > > > > > >
> > > > > > > >   # set tracer
> > > > > > > >   echo function_graph > current_tracer
> > > > > > > >
> > > > > > > >   # take the sample
> > > > > > > >   echo 1 > tracing_on; time modprobe tpm_tis_spi; echo 0 > tracing_on
> > > > > > > >
> > > > > > > > regards,
> > > > > > > > Vitor Soares
> > > > > > >
> > > > > > > I'm now compiling a distro kernel (OpenSUSE) for NUC7 with
> > > > > > > v6.10 contents.
> > > > > > >
> > > > > > > After I have that setup, I'll develop a perf test either
> > > > > > > with perf or bpftrace. I'll come back with the possible
> > > > > > > CONFIG_* that should be in place in your kernel. Might take
> > > > > > > up until next week as I have some conference stuff to
> > > > > > > prepare, but I'll try to have stuff ready early next week.
> > > > > > >
> > > > > > > No need to rush with this as long as possible patches go to
> > > > > > > rc2 or rc3. Let's do a proper analysis instead.
> > > > > > >
> > > > > > > In the meantime you could check if you can get perf and/or
> > > > > > > bpftrace into the image that you use to boot up your device.
> > > > > > > Preferably both, but please inform about this.
> > > > > > >
> > > > > >
> > > > > > I already have perf running; for bpftrace I might not be
> > > > > > able to help.
> > > > >
> > > > > The interesting function to look at with/without hmac is
> > > > > probably tpm2_get_random().
> > > > >
> > > > > I attached a patch that removes the hmac shenanigans from
> > > > > tpm2_get_random() for the sake of proper comparative testing.
> > > >
> > > > Another thing that we need to measure is to split the cost into
> > > > two parts:
> > > >
> > > > 1. Handshake, i.e. setting up and shutting down a session.
> > > > 2. Transaction, the payload TPM command.
> > > >
> > > > This could be done by setting up a couple of kprobe_events:
> > > >
> > > >   payload_event: tpm2_get_random() etc.
> > > >   hmac_event: tpm2_start_auth_session(), tpm2_end_auth_session() etc.
> > > >
> > > > And just summing up the time for a boot to get a cost for hmac.
> > > >
> > > > I'd use bootconfig for this:
> > > >
> > > > https://www.kernel.org/doc/html/v6.9/trace/boottime-trace.html
> > > >
> > > > So I've made up plans for how to measure the incident, but I'm not
> > > > sure when I have time to pro-actively work on a benchmark (thus
> > > > sharing details).
> > > >
> > > > So I think with just a proper bootconfig and no other tools used,
> > > > this can be measured.
> > >
> > >
> > > I'll disable this for anything other than X86_64 by default, and put
> > > such a patch in my next pull request.
> > >
> > > Someone needs to do the perf analysis properly based on the above
> > > descriptions. I cannot commit my time to promise to get the
> > > perf regressions fixed in time. I can only commit on limiting the
> > > feature ;-)
> > >
> > > It is thus better to be conservative and reconsider opt-in post 6.10.
> > > X86_64 is a safe play because even on that 2018 NUC7 based on Celeron,
> > > hmac is just fine.
> >
> > While looking at the code I started to wonder what the reasoning was
> > for adding the *undocumented* "TPM2_OA_TMPL" in include/linux/tpm.h.
> > It should really be in tpm2-sessions.c and named something like
> > TPM2_NULL_KEY_OA or similar.
>
> Well, because you asked for it. I originally had all the flags spelled
> out and I'm not a fan of this obscurity, but you have to do stuff like
> this to get patches accepted:
>
> https://lore.kernel.org/linux-integrity/CZCKTWU6ZCC9.2UTEQPEVICYHL@suppilovahvero/

I still think the constant does make sense. The current constant does
not really imply that it is for the null key; it is defined in the wrong
file and has no actual legit documentation to go with it.

BR, Jarkko
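The cost split sketched in the thread (time spent in tpm2_start_auth_session()/tpm2_end_auth_session() versus the payload command tpm2_get_random(), summed over a trace), as an added example that is not part of this thread or of the kernel tree. It parses function_graph output of the kind Vitor's ftrace steps produce, using a constructed sample trace rather than a real capture; the bucket names, the `attribute_trace` helper and the sample durations are assumptions. The one thing worth noticing is that function_graph durations are inclusive, so if the session is started inside the command function (as the sample assumes), naively summing both buckets counts the handshake twice; the parser subtracts the hmac time it saw inside a frame from that frame's payload time.

```python
"""Attribute function_graph trace time to TPM HMAC session handshake vs.
payload command, the split proposed in the thread (added example; the
sample trace below is constructed, not a real capture)."""
import re
from collections import defaultdict

# The two cost buckets named in the thread.
HMAC_FUNCS = {"tpm2_start_auth_session", "tpm2_end_auth_session"}
PAYLOAD_FUNCS = {"tpm2_get_random"}

# function_graph line: " CPU)  [marker] DURATION us |  call"; marker is one of + ! # * @ $
LINE_RE = re.compile(r"^\s*(\d+)\)\s*(?:[+!#*@$]\s*)?(?:(\d+\.\d+) us)?\s*\|\s*(.*?)\s*$")
ENTRY_RE = re.compile(r"^([\w.]+)\(\)\s*\{$")   # non-leaf entry:  name() {
LEAF_RE = re.compile(r"^([\w.]+)\(\);$")        # leaf call:       name();
EXIT_RE = re.compile(r"^\}")                    # non-leaf exit:   }  or  } /* name */


def attribute_trace(lines):
    """Return inclusive time (us) and call counts per bucket.

    Durations in function_graph are inclusive of callees, so hmac time seen
    inside a payload frame is subtracted from that frame's payload time.
    """
    stack = []                        # open frames: [name, hmac_us_seen_inside]
    time_us = defaultdict(float)
    calls = defaultdict(int)

    def account(name, dur, hmac_inside):
        if name in HMAC_FUNCS:
            time_us["hmac"] += dur
            calls["hmac"] += 1
            hmac_inside += dur        # this frame's own hmac time counts for the parent too
        elif name in PAYLOAD_FUNCS:
            time_us["payload"] += dur - hmac_inside
            calls["payload"] += 1
        if stack:                     # propagate to the enclosing frame
            stack[-1][1] += hmac_inside

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # header / comment lines
        dur = float(m.group(2)) if m.group(2) else None
        call = m.group(3)
        if ENTRY_RE.match(call):
            stack.append([ENTRY_RE.match(call).group(1), 0.0])
        elif LEAF_RE.match(call) and dur is not None:
            account(LEAF_RE.match(call).group(1), dur, 0.0)
        elif EXIT_RE.match(call) and stack and dur is not None:
            name, hmac_inside = stack.pop()
            account(name, dur, hmac_inside)

    total = time_us["hmac"] + time_us["payload"]
    return {
        "hmac_us": round(time_us["hmac"], 3),
        "payload_us": round(time_us["payload"], 3),
        "hmac_calls": calls["hmac"],
        "payload_calls": calls["payload"],
        "hmac_share": round(time_us["hmac"] / total, 3) if total else 0.0,
    }


# Constructed sample: two tpm2_get_random() calls, each opening and closing
# an HMAC session around one TPM command (durations are made up).
SAMPLE_TRACE = """\
# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 0)               |  tpm2_get_random() {
 0)               |    tpm2_start_auth_session() {
 0)   ! 812.345 us |      tpm_transmit_cmd();
 0)   ! 830.120 us |    }
 0)   + 95.410 us  |    tpm_transmit_cmd();
 0)   + 40.250 us  |    tpm2_end_auth_session();
 0)   ! 970.880 us |  }
 0)               |  tpm2_get_random() {
 0)               |    tpm2_start_auth_session() {
 0)   ! 790.110 us |      tpm_transmit_cmd();
 0)   ! 805.000 us |    }
 0)   + 93.200 us  |    tpm_transmit_cmd();
 0)   + 38.500 us  |    tpm2_end_auth_session();
 0)   ! 940.250 us |  }
""".splitlines()

if __name__ == "__main__":
    for key, value in attribute_trace(SAMPLE_TRACE).items():
        print(f"{key:14s} {value}")
```

To run it on a real capture, feed it the `trace` file taken with Vitor's steps above (`echo tpm* > set_ftrace_filter`, `echo function_graph > current_tracer`, then the modprobe between `tracing_on` toggles); compare the hmac share against the same trace taken with the attached patch that strips the session out of tpm2_get_random() to see how much of the regression is handshake rather than the command itself.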