[PATCH 1/3] tpm: Disable TCG_TPM2_HMAC by default

James Bottomley James.Bottomley at HansenPartnership.com
Wed May 22 13:35:27 UTC 2024


On Wed, 2024-05-22 at 09:18 +0100, Vitor Soares wrote:
> On Tue, 2024-05-21 at 08:33 -0400, James Bottomley wrote:
> > On Tue, 2024-05-21 at 10:10 +0300, Jarkko Sakkinen wrote:
> > > This benchmark could be done in user space using /dev/tpm0.
> > 
> > Let's actually try that.  If you have the ibmtss installed, the
> > command to time primary key generation from userspace on your tpm
> > is
> > 
> > time tsscreateprimary -hi n -ecc nistp256
> > 
> > 
> > And just for chuckles and grins, try it in the owner hierarchy as
> > well (sometimes slow TPMs cache this)
> > 
> > time tsscreateprimary -hi o -ecc nistp256
> > 
> > And if you have tpm2 tools, the above commands should be:
> > 
> > time tpm2_createprimary -C n -G ecc256
> > time tpm2_createprimary -C o -G ecc256
> > 
> > James
> > 
> > 
> 
> Testing on an arm64 platform I get the following results.
> 
> hmac disabled:
>   time modprobe tpm_tis_spi
>   real    0m2.776s
>   user    0m0.006s
>   sys     0m0.015s
> 
>   time tpm2_createprimary -C n -G ecc256
>   real    0m0.686s
>   user    0m0.044s
>   sys     0m0.025s
> 
>   time tpm2_createprimary -C o -G ecc256
>   real    0m0.638s
>   user    0m0.048s
>   sys     0m0.009s
> 
> 
> hmac enabled:
>   time modprobe tpm_tis_spi
>   real    8m5.840s
>   user    0m0.005s
>   sys     0m0.018s
> 
> 
>   time tpm2_createprimary -C n -G ecc256
>   real    5m27.678s
>   user    0m0.059s
>   sys     0m0.009s
> 
>   (after first command)
>   real    0m0.395s
>   user    0m0.040s
>   sys     0m0.015s
> 
>   time tpm2_createprimary -C o -G ecc256
>   real    0m0.418s
>   user    0m0.049s
>   sys     0m0.009s

That's interesting: it suggests the create primary is fast (as
expected) but that the TPM is blocked for some reason.  Is there
anything else in dmesg if you do

dmesg|grep -i tpm

?

Unfortunately we don't really do timeouts on our end (we have the TPM
do it instead), but we could instrument your kernel with command and
time sent and returned.  That may tell us where the problem lies.

Regards,

James
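Jarkko's point in the quoted exchange, that the benchmark can be done from user space against /dev/tpm0, does not even need tpm2-tools or ibmtss. The program below is an added example, not code from this thread or from the kernel tree: it hand-builds the TPM2_CreatePrimary command that `tpm2_createprimary -C n -G ecc256` and `-C o` issue (ECC P-256 restricted decrypt key, empty password session), writes it straight to /dev/tpm0, times the write/read round trip with CLOCK_MONOTONIC, and then flushes the transient handle. It runs each hierarchy twice so a slow first command, as in the measurements above, shows up next to the repeat. The device path, the key template (tpm2-tools' default attribute set and AES-128-CFB symmetric parameters) and the two-round repeat are assumptions.

```c
/* Added example (not from the thread or the kernel tree): time TPM2_CreatePrimary
 * round trips through /dev/tpm0 (device path and key template are assumptions).
 * Build: cc -O2 -o tpmbench tpmbench.c ; run as root with no other /dev/tpm0 user. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

enum {
    TPM_ST_NO_SESSIONS = 0x8001, TPM_ST_SESSIONS = 0x8002,
    TPM_CC_CREATEPRIMARY = 0x131, TPM_CC_FLUSHCONTEXT = 0x165,
    TPM_RH_OWNER = 0x40000001, TPM_RH_NULL = 0x40000007, TPM_RS_PW = 0x40000009,
    TPM_ALG_AES = 0x0006, TPM_ALG_SHA256 = 0x000B, TPM_ALG_NULL = 0x0010,
    TPM_ALG_ECC = 0x0023, TPM_ALG_CFB = 0x0043, TPM_ECC_NIST_P256 = 0x0003,
    /* fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|decrypt:
     * the default attribute set of tpm2_createprimary (assumed template) */
    STORAGE_KEY_ATTRS = 0x00030072,
};
#define ROUNDS 2   /* repeat per hierarchy: the thread saw a slow first command only */

static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); return 4; }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* TPM2_CreatePrimary(hierarchy): ECC P-256 restricted decrypt (storage) key under
 * the empty password session, as tpm2_createprimary -C n|o -G ecc256 sends it. */
size_t build_create_primary(uint8_t *buf, uint32_t hierarchy)
{
    uint8_t *p = buf;
    p += put16(p, TPM_ST_SESSIONS); p += put32(p, 0); p += put32(p, TPM_CC_CREATEPRIMARY); /* header; size patched below */
    p += put32(p, hierarchy);                                        /* primaryHandle */
    p += put32(p, 9);                                                /* authorizationSize */
    p += put32(p, TPM_RS_PW); p += put16(p, 0); *p++ = 0; p += put16(p, 0); /* TPMS_AUTH_COMMAND: password, no nonce/auth */
    p += put16(p, 4); p += put16(p, 0); p += put16(p, 0);            /* TPM2B_SENSITIVE_CREATE: empty userAuth, data */
    p += put16(p, 26);                                               /* TPM2B_PUBLIC.size */
    p += put16(p, TPM_ALG_ECC); p += put16(p, TPM_ALG_SHA256);       /*   type, nameAlg */
    p += put32(p, STORAGE_KEY_ATTRS);                                /*   objectAttributes */
    p += put16(p, 0);                                                /*   authPolicy (empty) */
    p += put16(p, TPM_ALG_AES); p += put16(p, 128); p += put16(p, TPM_ALG_CFB);            /*   symmetric: AES-128-CFB */
    p += put16(p, TPM_ALG_NULL); p += put16(p, TPM_ECC_NIST_P256); p += put16(p, TPM_ALG_NULL); /* scheme, curve, kdf */
    p += put16(p, 0); p += put16(p, 0);                              /*   unique.x, unique.y (empty) */
    p += put16(p, 0);                                                /* outsideInfo (empty) */
    p += put32(p, 0);                                                /* creationPCR: count 0 */
    put32(buf + 2, (uint32_t)(p - buf));
    return (size_t)(p - buf);
}

/* TPM2_FlushContext(handle): release the transient primary so repeated runs do not fill the TPM's object slots. */
size_t build_flush_context(uint8_t *buf, uint32_t handle)
{
    uint8_t *p = buf;
    p += put16(p, TPM_ST_NO_SESSIONS); p += put32(p, 14); p += put32(p, TPM_CC_FLUSHCONTEXT);
    p += put32(p, handle);
    return (size_t)(p - buf);
}

/* Check the 10-byte response header; on TPM_RC_SUCCESS also return the objectHandle. -1 on a short/inconsistent reply. */
int parse_response(const uint8_t *rsp, size_t len, uint32_t *rc, uint32_t *handle)
{
    if (len < 10 || get32(rsp + 2) > len) return -1;
    *rc = get32(rsp + 6);
    if (*rc != 0) return 0;
    if (len < 14) return -1;
    *handle = get32(rsp + 10);
    return 0;
}

/* One write/read exchange on the device; wall-clock round trip in ms, negative on I/O failure. */
double timed_xfer(int fd, const uint8_t *cmd, size_t n, uint8_t *rsp, size_t cap, ssize_t *rlen)
{
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    if (write(fd, cmd, n) != (ssize_t)n) return -1.0;
    *rlen = read(fd, rsp, cap);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (*rlen < 0) return -1.0;
    return (double)(t1.tv_sec - t0.tv_sec) * 1e3 + (double)(t1.tv_nsec - t0.tv_nsec) / 1e6;
}

int main(void)
{
    static const struct { const char *name; uint32_t h; } hier[] = { { "null", TPM_RH_NULL }, { "owner", TPM_RH_OWNER } };
    uint8_t cmd[128], rsp[4096];
    ssize_t rlen;
    int fd = open("/dev/tpm0", O_RDWR);   /* the device is exclusive-open: stop tpm2-abrmd or other users first */
    if (fd < 0) { perror("open /dev/tpm0"); return 1; }
    for (int i = 0; i < 2; i++) for (int r = 0; r < ROUNDS; r++) {
        uint32_t rc = 0, handle = 0;
        size_t n = build_create_primary(cmd, hier[i].h);
        double ms = timed_xfer(fd, cmd, n, rsp, sizeof rsp, &rlen);
        if (ms < 0 || parse_response(rsp, (size_t)rlen, &rc, &handle) < 0) {
            fprintf(stderr, "CreatePrimary(%s): transfer failed\n", hier[i].name); close(fd); return 1;
        }
        printf("CreatePrimary(%s) run %d: rc=0x%08x %.1f ms\n", hier[i].name, r + 1, rc, ms);
        if (rc == 0) { n = build_flush_context(cmd, handle); timed_xfer(fd, cmd, n, rsp, sizeof rsp, &rlen); }
    }
    close(fd); return 0;
}
```

Because the clock brackets only the write and the read on the character device, the figure is the driver plus TPM time for that one command, without the process start-up and TCTI setup that `time tpm2_createprimary` also counts; a multi-minute result here would therefore point at the driver or the TPM rather than at the tool. A non-zero rc is printed rather than treated as fatal, since a hierarchy with an auth value set will simply refuse the empty password.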