Re: [tpmdd-devel] [PATCH v2 4/7] tpm: infrastructure for TPM spaces

From: Ken Goldman
Date: Wed Feb 22 2017 - 15:56:28 EST


On 2/22/2017 12:39 PM, James Bottomley wrote:

Right at the moment the kernel use of tpm2 looks like

acquire chip->tpm_mutex
load key
process key
unload key
release chip->tpm_mutex

The advantage to context save/ context load over load / flush
is that load requires the parent(s). The parent chain may be long,
a parent may require authorization, or authorization may be impossible because PCRs are no longer in the correct state.

In TPM 1.2, there was a performance difference because load was an asymmetric key operation, but it's symmetric in TPM 2.0.

When the kernel needs to use resources that persisted beyond it
dropping the chip->tpm_mutex (say using policy or audit sessions),
then it would need to become a customer of the RM.

BTW, use of an EK private key requires a policy session.