[PATCH] ima: optimize ima_pcr_extend function by asynchronous

Tianjia Zhang tianjia.zhang at linux.alibaba.com
Wed Apr 15 02:53:06 UTC 2020

On 2020/4/15 2:07, Ken Goldman wrote:
> I wonder if there's a different issue?  I just ran selftest with 
> fullTest = yes in two different TPM vendors.
> One took 230 msec, the other 320 msec.
> I've never seen anything near 10 seconds.
> Note that this is worse than the worst case because it's forcing a full 
> retest.  The TPM typically starts its self test immediately at power up 
> and could be complete by the time the OS starts to boot.
> When I run selftest with fullTest = no, I get 30 msec, probably
> because it's not doing anything.
> On 4/14/2020 7:50 AM, Tianjia Zhang wrote:
>> Because ima_pcr_extend() operates the TPM chip, this process is
>> very time-consuming. For IMA, this is a blocking action; especially
>> when the TPM is in self test state, this process will block for up
>> to ten seconds.

Ten seconds is an extreme scenario, and I haven't seen this worst case, 
but the TPM driver will fail to return in this scenario.

Thanks and best,
