On 2/22/2017 12:39 PM, James Bottomley wrote:

> Right at the moment the kernel use of tpm2 looks like
>
> acquire chip->tpm_mutex
> load key
> process key
> unload key
> release chip->tpm_mutex

The advantage to context save/context load over load/flush is that load requires the parent(s). The parent chain may be long, a parent may require authorization, or authorization may be impossible because PCRs are no longer in the correct state.

In TPM 1.2, there was a performance difference because load was an asymmetric key operation, but it's symmetric in TPM 2.0.

When the kernel needs to use resources that persisted beyond it
dropping the chip->tpm_mutex (say using policy or audit sessions),
then it would need to become a customer of the RM.

BTW, use of an EK private key requires a policy session.
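An added illustration of the point made above (this is not code from the thread, the kernel, or any TPM stack): a constructed Python model in which TPM2_Load must walk and authorize the parent chain while TPM2_ContextLoad only needs the saved blob. The `ModelTpm` and `KeyObject` names and the PCR-policy-on-the-parent setup are assumptions of the model, chosen to show the "PCRs no longer in the correct state" failure.

```python
from collections import namedtuple
# Constructed model of a TPM 2.0 object hierarchy (not real TPM or kernel code).
# pcr_policy: PCR index -> value the object's authorization policy requires; None = no auth.
KeyObject = namedtuple("KeyObject", "name parent pcr_policy", defaults=(None,))

class ModelTpm:
    def __init__(self, pcrs):
        # current PCR values, transient objects now in the TPM, saved-context blobs (opaque to host)
        self.pcrs, self.loaded, self.contexts = dict(pcrs), set(), {}

    def policy_ok(self, key):
        return key.pcr_policy is None or all(self.pcrs.get(i) == v for i, v in key.pcr_policy.items())

    def load(self, key):  # TPM2_Load: parent must be loaded and authorized, all the way up the chain
        if key.parent is not None:
            if key.parent.name not in self.loaded:
                self.load(key.parent)
            if not self.policy_ok(key.parent):
                raise PermissionError(f"{key.parent.name}: PCR policy not satisfied")
        self.loaded.add(key.name)

    def flush(self, key):  # TPM2_FlushContext: drop the transient object
        self.loaded.discard(key.name)

    def context_save(self, key):  # TPM2_ContextSave: an opaque blob stands in for the object
        if key.name not in self.loaded:
            raise LookupError(f"{key.name} is not loaded")
        blob = f"ctx-{len(self.contexts)}"
        self.contexts[blob] = key
        return blob

    def context_load(self, blob):  # TPM2_ContextLoad: no parent chain, no parent authorization
        key = self.contexts[blob]
        self.loaded.add(key.name)
        return key.name

def demo():
    tpm = ModelTpm({7: "boot-ok"})
    primary = KeyObject("primary", None)
    parent = KeyObject("parent", primary, pcr_policy={7: "boot-ok"})  # parent gated on PCR 7
    leaf = KeyObject("leaf", parent)
    tpm.load(leaf)                      # first use, under the mutex, while PCR 7 is still right
    blob = tpm.context_save(leaf)
    for k in (leaf, parent, primary): tpm.flush(k)  # unload everything before releasing the mutex
    tpm.pcrs[7] = "extended-later"      # PCR 7 has moved on; the parent's policy can't be met now
    try:
        tpm.load(leaf); reload_ok = True
    except PermissionError:
        reload_ok = False
    return reload_ok, tpm.context_load(blob) == "leaf"   # (False, True)
```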


