[PATCH] tpm, tpm_tis: Workaround failed command reception on Infineon devices

2025-03-06 Thread Jonathan McDowell
From: Jonathan McDowell Some Infineon devices have an issue where the status register will get stuck with a quick REQUEST_USE / COMMAND_READY sequence. This is not simply a matter of requiring a longer timeout; the workaround is to retry the command submission. Add appropriate logic to do this in

Re: [RFC][PATCH] ima: add measurement for first unverified write on ima policy file

2025-03-06 Thread Enrico Bravi
On Wed, 2025-03-05 at 09:59 +0100, Roberto Sassu wrote: > On Mon, 2025-03-03 at 10:26 +0000, Enrico Bravi wrote: > > On Thu, 2025-02-27 at 15:49 +0100, Roberto Sassu wrote: > > > On Thu, 2025-02-27 at 11:36 +0000, Enrico Bravi wrote: > > > > On Wed, 2025-02-26 at 22:05 -0500, Mimi Zohar wrote: >

Re: [RFC][PATCH] ima: add measurement for first unverified write on ima policy file

2025-03-06 Thread Enrico Bravi
On Thu, 2025-03-06 at 09:47 +0100, Roberto Sassu wrote: > On Thu, 2025-03-06 at 08:20 +0000, Enrico Bravi wrote: > > On Wed, 2025-03-05 at 09:59 +0100, Roberto Sassu wrote: > > > On Mon, 2025-03-03 at 10:26 +0000, Enrico Bravi wrote: > > > > On Thu, 2025-02-27 at 15:49 +0100, Roberto Sassu wrote:

Unbalanced TPM2 HMAC session calls

2025-03-06 Thread Jonathan McDowell
We're seeing a lot of: tpm tpm0: auth session is active messages in our logs. This is emitted (once per boot) by tpm2_start_auth_session() if the auth session is already active when it is called. Investigating I think this is because tpm2_pcr_extend() calls tpm_buf_append_hmac_session() whic

Re: [RFC][PATCH] ima: add measurement for first unverified write on ima policy file

2025-03-06 Thread Roberto Sassu
On Thu, 2025-03-06 at 08:20 +0000, Enrico Bravi wrote: > On Wed, 2025-03-05 at 09:59 +0100, Roberto Sassu wrote: > > On Mon, 2025-03-03 at 10:26 +0000, Enrico Bravi wrote: > > > On Thu, 2025-02-27 at 15:49 +0100, Roberto Sassu wrote: > > > > On Thu, 2025-02-27 at 11:36 +0000, Enrico Bravi wrote:

Re: [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests

2025-03-06 Thread Mimi Zohar
On Thu, 2025-03-06 at 18:26 +0100, Petr Vorel wrote: > Hi Mimi, > > > Depending on the IMA policy and the number of violations, the kernel > > patches for minimizing the number of open-writers and ToMToU (Time of > > Measure Time of Use) violations may be a major performance improvement. > > I wo

Re: Unbalanced TPM2 HMAC session calls

2025-03-06 Thread Jarkko Sakkinen
On Thu, Mar 06, 2025 at 03:15:39PM +0000, Jonathan McDowell wrote: > We're seeing a lot of: > > tpm tpm0: auth session is active > > messages in our logs. This is emitted (once per boot) by > tpm2_start_auth_session() if the auth session is already active when it > is called. It's by design a

Re: [RFC PATCH v2 3/6] tpm: add send_recv() ops in tpm_class_ops

2025-03-06 Thread Jarkko Sakkinen
On Wed, Mar 05, 2025 at 03:02:29PM -0400, Jason Gunthorpe wrote: > On Wed, Mar 05, 2025 at 10:04:25AM +0100, Stefano Garzarella wrote: > > Jason suggested the send_recv() ops [2], which I liked, but if you prefer to > > avoid that, I can restore what we did in v1 and replace the > > TPM_CHIP_FLAG_I

Re: [RFC PATCH v2 3/6] tpm: add send_recv() ops in tpm_class_ops

2025-03-06 Thread Jarkko Sakkinen
On Wed, Mar 05, 2025 at 10:04:25AM +0100, Stefano Garzarella wrote: > On Tue, Mar 04, 2025 at 10:21:55PM +0200, Jarkko Sakkinen wrote: > > On Tue, Mar 04, 2025 at 06:56:02PM +0200, Jarkko Sakkinen wrote: > > > On Mon, 2025-03-03 at 17:21 +0100, Stefano Garzarella wrote: > > > > On Sat, Mar 01, 2025

Re: TPM operation times out (very rarely)

2025-03-06 Thread Jarkko Sakkinen
On Wed, Mar 05, 2025 at 01:20:45PM +0100, Michal Suchánek wrote: > On Sat, Mar 01, 2025 at 04:13:23AM +0200, Jarkko Sakkinen wrote: > > On Mon, Feb 24, 2025 at 02:04:13PM +0100, Michal Suchánek wrote: > > > On Mon, Feb 10, 2025 at 07:32:53PM +0200, Jarkko Sakkinen wrote: > > > > On Mon Feb 10, 2025

Re: [PATCH] tpm, tpm_tis: Workaround failed command reception on Infineon devices

2025-03-06 Thread Jarkko Sakkinen
On Thu, Mar 06, 2025 at 09:00:56AM +0000, Jonathan McDowell wrote: > From: Jonathan McDowell > > Some Infineon devices have an issue where the status register will get > stuck with a quick REQUEST_USE / COMMAND_READY sequence. This is not > simply a matter of requiring a longer timeout; the work a

Re: [PATCH v6 0/5] Add support for the TPM FF-A start method

2025-03-06 Thread Jarkko Sakkinen
On Wed, Mar 05, 2025 at 11:36:06AM -0600, Stuart Yoder wrote: > Firmware Framework for Arm A-profile (FF-A) is a messaging framework > for Arm-based systems, and in the context of the TPM CRB driver is used > to signal 'start' to a CRB-based TPM service which is hosted in an > FF-A secure partition

Re: Unbalanced TPM2 HMAC session calls

2025-03-06 Thread Mimi Zohar
On Thu, 2025-03-06 at 15:15 +0000, Jonathan McDowell wrote: > We're seeing a lot of: > > tpm tpm0: auth session is active > > messages in our logs. This is emitted (once per boot) by > tpm2_start_auth_session() if the auth session is already active when it > is called. > > Investigating I thi

Re: [PATCH v3 1/5] ima_violations.sh: force $LOG ToMToU violation earlier

2025-03-06 Thread Petr Vorel
Hi Mimi, > Violation tests are dependent on searching the $LOG file, which may > itself result in a ToMToU violation. Preempt getting an additional > violation during the tests by forcing the $LOG ToMToU violation > earlier. FYI I already merged this from v2 (modified, just swap TINFO message wi

Re: [PATCH 2/2] ima_setup.sh: Check 'cat' exit code when loading policy

2025-03-06 Thread Petr Vorel
Hi Mimi, all, > Parsing stderr should be enough, but check also 'cat' exit code > in case of error message change or other problem. FYI patchset merged. Kind regards, Petr

Re: Unbalanced TPM2 HMAC session calls

2025-03-06 Thread Mimi Zohar
On Thu, 2025-03-06 at 11:30 -0800, James Bottomley wrote: > On Thu, 2025-03-06 at 13:59 -0500, Mimi Zohar wrote: > > On Thu, 2025-03-06 at 15:15 +0000, Jonathan McDowell wrote: > > > We're seeing a lot of: > > > > > > tpm tpm0: auth session is active > > > > > > messages in our logs. This is emit