Re: [RFC PATCH] IMA: Remove evm_overlay.sh

2025-03-07 Thread Petr Vorel
Hi Mimi, Ignaz, > Proof of concept, it was never fixed in the kernel. > Instead we should have some basic EVM tests. gently ping. Is evm_overlay.sh test useful for you? Otherwise I'll delete it. Kind regards, Petr > Signed-off-by: Petr Vorel > --- > runtest/ima

Re: [RFC PATCH v2 3/6] tpm: add send_recv() ops in tpm_class_ops

2025-03-07 Thread Jarkko Sakkinen
On Fri, Mar 07, 2025 at 04:37:12PM +0100, Stefano Garzarella wrote: > On Thu, Mar 06, 2025 at 11:52:46PM +0200, Jarkko Sakkinen wrote: > > On Wed, Mar 05, 2025 at 03:02:29PM -0400, Jason Gunthorpe wrote: > > > On Wed, Mar 05, 2025 at 10:04:25AM +0100, Stefano Garzarella wrote: > > > > Jason suggest

Re: [PATCH] tpm: Drop warning when an auth session is active

2025-03-07 Thread Jarkko Sakkinen
On Fri, Mar 07, 2025 at 05:25:36PM +, Jonathan McDowell wrote: > On Fri, Mar 07, 2025 at 06:36:02PM +0200, Jarkko Sakkinen wrote: > > On Fri, Mar 07, 2025 at 10:56:44AM +, Jonathan McDowell wrote: > > > Auth sessions are lazily flushed since commit df745e25098dc ("tpm: > > > Lazily flush th

Re: [PATCH v6 1/5] tpm_crb: implement driver compliant to CRB over FF-A

2025-03-07 Thread Jarkko Sakkinen
On Wed, Mar 05, 2025 at 11:36:07AM -0600, Stuart Yoder wrote: > The Arm specification TPM Service CRB over FF-A specification > defines the FF-A messages to interact with a CRB-based TPM > implemented as an FF-A secure partition. > > Spec URL: > https://developer.arm.com/documentation/den0138/late

[PATCH] tpm: Lazily flush auth session when getting random data

2025-03-07 Thread Jonathan McDowell
From: Jonathan McDowell Lazy flushing of TPM auth sessions was introduced to speed up IMA measurements into the TPM. Make use of it in tpm2_get_random as well, which has the added benefit of not needlessly cleaning up the session that IMA is using when there are no userspace accesses taking place.

Re: [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests

2025-03-07 Thread Petr Vorel
Hi Mimi, > Depending on the IMA policy and the number of violations, the kernel > patches for minimizing the number of open-writers and ToMToU (Time of > Measure Time of Use) violations may be a major performance improvement. I would prefer this to be squashed into "ima_violations.sh: additional

[PATCH] tpm: Drop warning when an auth session is active

2025-03-07 Thread Jonathan McDowell
Auth sessions are lazily flushed since commit df745e25098dc ("tpm: Lazily flush the auth session"), so it's expected that we might try to start a new session when one is still active. Signed-off-by: Jonathan McDowell --- drivers/char/tpm/tpm2-sessions.c | 1 - 1 file changed, 1 deletion(-) diff

Re: [PATCH] tpm: Lazily flush auth session when getting random data

2025-03-07 Thread Jarkko Sakkinen
On Fri, Mar 07, 2025 at 10:58:13AM +, Jonathan McDowell wrote: > From: Jonathan McDowell > > Lazy flushing of TPM auth sessions was introduced to speed up IMA > measurements into the TPM. Make use of it in tpm2_get_random as well, > which has the added benefit of not needlessly cleaning up the

Re: [PATCH] tpm: Drop warning when an auth session is active

2025-03-07 Thread Jarkko Sakkinen
On Fri, Mar 07, 2025 at 10:56:44AM +, Jonathan McDowell wrote: > Auth sessions are lazily flushed since commit df745e25098dc ("tpm: > Lazily flush the auth session"), so it's expected that we might try to > start a new session when one is still active. > > Signed-off-by: Jonathan McDowell > -

Re: [PATCH] tpm, tpm_tis: Workaround failed command reception on Infineon devices

2025-03-07 Thread Jonathan McDowell
On Fri, Mar 07, 2025 at 12:23:11AM +0200, Jarkko Sakkinen wrote: > On Thu, Mar 06, 2025 at 09:00:56AM +, Jonathan McDowell wrote: > > From: Jonathan McDowell > > > > Some Infineon devices have an issue where the status register will get > > stuck with a quick REQUEST_USE / COMMAND_READY sequen

Re: [PATCH] tpm, tpm_tis: Workaround failed command reception on Infineon devices

2025-03-07 Thread Jarkko Sakkinen
On Fri, Mar 07, 2025 at 04:36:12PM +, Jonathan McDowell wrote: > On Fri, Mar 07, 2025 at 12:23:11AM +0200, Jarkko Sakkinen wrote: > > On Thu, Mar 06, 2025 at 09:00:56AM +, Jonathan McDowell wrote: > > > From: Jonathan McDowell > > > > > > Some Infineon devices have an issue where the statu

Re: [RFC PATCH v2 3/6] tpm: add send_recv() ops in tpm_class_ops

2025-03-07 Thread Stefano Garzarella
On Thu, Mar 06, 2025 at 11:52:46PM +0200, Jarkko Sakkinen wrote: On Wed, Mar 05, 2025 at 03:02:29PM -0400, Jason Gunthorpe wrote: On Wed, Mar 05, 2025 at 10:04:25AM +0100, Stefano Garzarella wrote: > Jason suggested the send_recv() ops [2], which I liked, but if you prefer to > avoid that, I can

Re: [RFC PATCH v2 3/6] tpm: add send_recv() ops in tpm_class_ops

2025-03-07 Thread Stefano Garzarella
On Fri, Mar 07, 2025 at 12:15:34AM +0200, Jarkko Sakkinen wrote: On Wed, Mar 05, 2025 at 10:04:25AM +0100, Stefano Garzarella wrote: On Tue, Mar 04, 2025 at 10:21:55PM +0200, Jarkko Sakkinen wrote: > On Tue, Mar 04, 2025 at 06:56:02PM +0200, Jarkko Sakkinen wrote: > > On Mon, 2025-03-03 at 17:21

Re: [PATCH] tpm, tpm_tis: Fix timeout handling when waiting for TPM status

2025-03-07 Thread Lino Sanfilippo
Hi Jonathan, On 05.03.25 10:45, Jonathan McDowell wrote: > From: Jonathan McDowell > > The change to only use interrupts to handle supported status changes, > then switch to polling for the rest, inverted the status test and sleep > such that we can end up sleeping beyond our timeout and not

[PATCH] tpm: End any active auth session before shutdown

2025-03-07 Thread Jonathan McDowell
From: Jonathan McDowell Lazy flushing of TPM auth sessions can interact badly with IMA + kexec, resulting in loaded session handles being leaked across the kexec and not cleaned up. Fix by ensuring any active auth session is ended before the TPM is told about the shutdown, matching what is done w

Re: Unbalanced TPM2 HMAC session calls

2025-03-07 Thread James Bottomley
On Thu, 2025-03-06 at 13:59 -0500, Mimi Zohar wrote: > On Thu, 2025-03-06 at 15:15 +, Jonathan McDowell wrote: > > We're seeing a lot of: > > > > tpm tpm0: auth session is active > > > > messages in our logs. This is emitted (once per boot) by > > tpm2_start_auth_session() if the auth sessio

Re: [PATCH] tpm: Drop warning when an auth session is active

2025-03-07 Thread Jonathan McDowell
On Fri, Mar 07, 2025 at 06:36:02PM +0200, Jarkko Sakkinen wrote: > On Fri, Mar 07, 2025 at 10:56:44AM +, Jonathan McDowell wrote: > > Auth sessions are lazily flushed since commit df745e25098dc ("tpm: > > Lazily flush the auth session"), so it's expected that we might try to > > start a new ses