* init_ima() adds 8 % to boot time
@ 2022-02-19 9:44 Paul Menzel
2022-02-20 15:19 ` Mimi Zohar
0 siblings, 1 reply; 6+ messages in thread
From: Paul Menzel @ 2022-02-19 9:44 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin; +Cc: linux-integrity, LKML
[-- Attachment #1: Type: text/plain, Size: 3430 bytes --]
Dear Linux folks,
Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
around 33 ms, adding 8 % to the boot time up to loading the initrd.
[ 0.000000] Linux version 5.17.0-rc4-amd64
(debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
(2022-02-18)
[…]
[ 0.238520] calling init_tis+0x0/0xde @ 1
[ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
[ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
[…]
[ 0.301327] calling init_ima+0x0/0xb5 @ 1
[ 0.301332] ima: Allocated hash algorithm: sha256
[ 0.335502] ima: No architecture policies found
[ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
[…]
[ 0.447312] Run /init as init process
Tracing `init_ima` with a depth of 5 shows
`ima_calc_boot_aggregate_tfm()` takes 24 ms, and
`ima_add_template_entry()` takes 10 ms.
1.282630 | 1) swapper-1 | |
ima_add_boot_aggregate() {
1.282631 | 1) swapper-1 | |
ima_calc_boot_aggregate() {
1.282631 | 1) swapper-1 | 0.153 us |
ima_alloc_tfm();
1.282631 | 1) swapper-1 | * 24404.59 us |
ima_calc_boot_aggregate_tfm();
1.307037 | 1) swapper-1 | 0.482 us |
ima_free_tfm.part.0();
1.307038 | 1) swapper-1 | * 24407.06 us | } /*
ima_calc_boot_aggregate */
1.307038 | 1) swapper-1 | |
ima_alloc_init_template() {
1.307038 | 1) swapper-1 | 0.173 us |
ima_template_desc_current();
1.307039 | 1) swapper-1 | 0.836 us |
__kmalloc();
1.307040 | 1) swapper-1 | 0.580 us |
__kmalloc();
1.307041 | 1) swapper-1 | 1.555 us |
ima_eventdigest_ng_init();
1.307043 | 1) swapper-1 | 1.275 us |
ima_eventname_ng_init();
1.307044 | 1) swapper-1 | 0.256 us |
ima_eventsig_init();
1.307045 | 1) swapper-1 | 6.618 us | } /*
ima_alloc_init_template */
1.307045 | 1) swapper-1 | |
ima_store_template() {
1.307045 | 1) swapper-1 | 5.049 us |
ima_calc_field_array_hash();
1.307051 | 1) swapper-1 | # 9316.953 us |
ima_add_template_entry();
1.316369 | 1) swapper-1 | # 9323.728 us | } /*
ima_store_template */
1.316369 | 1) swapper-1 | * 33738.54 us | } /*
ima_add_boot_aggregate */
Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
`tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
the TPM supposed to be that slow?
In the last years, Linux decreased it’s boot time a lot, so do you see a
way to move things out of the hot path and get `init_ima` well below 10
ms? (As systems get faster and faster, having systems with standard
distributions to be up below two seconds after pressing the power button
should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
Linux kernel + 1 s user space).
Kind regards,
Paul
[1]:
https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
[-- Attachment #2: linux-5.17-rc4-ima_calc_boot_aggregate_tfm.trace.txt --]
[-- Type: text/plain, Size: 21571 bytes --]
# tracer: function_graph
#
# TIME CPU TASK/PID DURATION FUNCTION CALLS
# | | | | | | | | | |
1.278970 | 0) swapper-1 | | ima_calc_boot_aggregate_tfm() {
1.278971 | 0) swapper-1 | | tpm_pcr_read() {
1.278971 | 0) swapper-1 | | tpm_find_get_ops() {
1.278971 | 0) swapper-1 | | tpm_try_get_ops() {
1.278971 | 0) swapper-1 | 0.201 us | get_device();
1.278972 | 0) swapper-1 | 0.265 us | down_read();
1.278972 | 0) swapper-1 | 0.252 us | mutex_lock();
1.278972 | 0) swapper-1 | 8.257 us | tpm_chip_start();
1.278981 | 0) swapper-1 | 9.794 us | } /* tpm_try_get_ops */
1.278981 | 0) swapper-1 | + 10.120 us | } /* tpm_find_get_ops */
1.278981 | 0) swapper-1 | | tpm1_pcr_read() {
1.278981 | 0) swapper-1 | | __get_free_pages() {
1.278981 | 0) swapper-1 | 0.825 us | alloc_pages();
1.278982 | 0) swapper-1 | 1.122 us | } /* __get_free_pages */
1.278983 | 0) swapper-1 | | tpm_transmit_cmd() {
1.278983 | 0) swapper-1 | | tpm_transmit() {
1.295183 | 3) swapper-1 | * 16199.26 us | } /* tpm_transmit */
1.295183 | 3) swapper-1 | * 16200.69 us | } /* tpm_transmit_cmd */
1.295184 | 3) swapper-1 | | free_pages() {
1.295184 | 3) swapper-1 | 1.827 us | __free_pages();
1.295186 | 3) swapper-1 | 2.395 us | } /* free_pages */
1.295186 | 3) swapper-1 | * 16205.24 us | } /* tpm1_pcr_read */
1.295187 | 3) swapper-1 | | tpm_put_ops() {
1.295187 | 3) swapper-1 | | tpm_chip_stop() {
1.295187 | 3) swapper-1 | 0.398 us | tpm_relinquish_locality();
1.295188 | 3) swapper-1 | 0.256 us | tpm_tis_clkrun_enable();
1.295188 | 3) swapper-1 | 1.426 us | } /* tpm_chip_stop */
1.295189 | 3) swapper-1 | 0.173 us | mutex_unlock();
1.295189 | 3) swapper-1 | 0.175 us | up_read();
1.295189 | 3) swapper-1 | 0.236 us | put_device();
1.295190 | 3) swapper-1 | 3.051 us | } /* tpm_put_ops */
1.295190 | 3) swapper-1 | * 16219.30 us | } /* tpm_pcr_read */
1.295190 | 3) swapper-1 | | crypto_shash_update() {
1.295191 | 3) swapper-1 | 0.200 us | crypto_sha1_update();
1.295191 | 3) swapper-1 | 0.693 us | } /* crypto_shash_update */
1.295191 | 3) swapper-1 | | tpm_pcr_read() {
1.295191 | 3) swapper-1 | | tpm_find_get_ops() {
1.295192 | 3) swapper-1 | | tpm_try_get_ops() {
1.295192 | 3) swapper-1 | 0.241 us | get_device();
1.295192 | 3) swapper-1 | 0.245 us | down_read();
1.295193 | 3) swapper-1 | 0.232 us | mutex_lock();
1.295193 | 3) swapper-1 | 8.181 us | tpm_chip_start();
1.295201 | 3) swapper-1 | 9.890 us | } /* tpm_try_get_ops */
1.295202 | 3) swapper-1 | + 10.217 us | } /* tpm_find_get_ops */
1.295202 | 3) swapper-1 | | tpm1_pcr_read() {
1.295202 | 3) swapper-1 | | __get_free_pages() {
1.295202 | 3) swapper-1 | 2.108 us | alloc_pages();
1.295205 | 3) swapper-1 | 2.512 us | } /* __get_free_pages */
1.295205 | 3) swapper-1 | | tpm_transmit_cmd() {
1.295205 | 3) swapper-1 | # 1186.160 us | tpm_transmit();
1.296392 | 3) swapper-1 | # 1187.552 us | } /* tpm_transmit_cmd */
1.296393 | 3) swapper-1 | | free_pages() {
1.296393 | 3) swapper-1 | 1.615 us | __free_pages();
1.296395 | 3) swapper-1 | 2.090 us | } /* free_pages */
1.296395 | 3) swapper-1 | # 1193.126 us | } /* tpm1_pcr_read */
1.296395 | 3) swapper-1 | | tpm_put_ops() {
1.296396 | 3) swapper-1 | | tpm_chip_stop() {
1.296396 | 3) swapper-1 | 0.394 us | tpm_relinquish_locality();
1.296396 | 3) swapper-1 | 0.249 us | tpm_tis_clkrun_enable();
1.296397 | 3) swapper-1 | 1.338 us | } /* tpm_chip_stop */
1.296397 | 3) swapper-1 | 0.168 us | mutex_unlock();
1.296397 | 3) swapper-1 | 0.163 us | up_read();
1.296398 | 3) swapper-1 | 0.241 us | put_device();
1.296398 | 3) swapper-1 | 2.996 us | } /* tpm_put_ops */
1.296398 | 3) swapper-1 | # 1207.262 us | } /* tpm_pcr_read */
1.296399 | 3) swapper-1 | | crypto_shash_update() {
1.296399 | 3) swapper-1 | 0.189 us | crypto_sha1_update();
1.296400 | 3) swapper-1 | 0.919 us | } /* crypto_shash_update */
1.296400 | 3) swapper-1 | | tpm_pcr_read() {
1.296400 | 3) swapper-1 | | tpm_find_get_ops() {
1.296400 | 3) swapper-1 | | tpm_try_get_ops() {
1.296401 | 3) swapper-1 | 0.239 us | get_device();
1.296401 | 3) swapper-1 | 0.243 us | down_read();
1.296402 | 3) swapper-1 | 0.228 us | mutex_lock();
1.296402 | 3) swapper-1 | 7.939 us | tpm_chip_start();
1.296410 | 3) swapper-1 | 9.650 us | } /* tpm_try_get_ops */
1.296410 | 3) swapper-1 | 9.975 us | } /* tpm_find_get_ops */
1.296411 | 3) swapper-1 | | tpm1_pcr_read() {
1.296411 | 3) swapper-1 | | __get_free_pages() {
1.296411 | 3) swapper-1 | 2.460 us | alloc_pages();
1.296414 | 3) swapper-1 | 2.867 us | } /* __get_free_pages */
1.296414 | 3) swapper-1 | | tpm_transmit_cmd() {
1.296414 | 3) swapper-1 | # 1187.963 us | tpm_transmit();
1.297603 | 3) swapper-1 | # 1189.319 us | } /* tpm_transmit_cmd */
1.297604 | 3) swapper-1 | | free_pages() {
1.297604 | 3) swapper-1 | 1.612 us | __free_pages();
1.297606 | 3) swapper-1 | 2.114 us | } /* free_pages */
1.297606 | 3) swapper-1 | # 1195.291 us | } /* tpm1_pcr_read */
1.297606 | 3) swapper-1 | | tpm_put_ops() {
1.297606 | 3) swapper-1 | | tpm_chip_stop() {
1.297607 | 3) swapper-1 | 0.407 us | tpm_relinquish_locality();
1.297607 | 3) swapper-1 | 0.254 us | tpm_tis_clkrun_enable();
1.297608 | 3) swapper-1 | 1.354 us | } /* tpm_chip_stop */
1.297608 | 3) swapper-1 | 0.178 us | mutex_unlock();
1.297608 | 3) swapper-1 | 0.157 us | up_read();
1.297609 | 3) swapper-1 | 0.235 us | put_device();
1.297609 | 3) swapper-1 | 2.973 us | } /* tpm_put_ops */
1.297609 | 3) swapper-1 | # 1209.350 us | } /* tpm_pcr_read */
1.297610 | 3) swapper-1 | | crypto_shash_update() {
1.297610 | 3) swapper-1 | 0.186 us | crypto_sha1_update();
1.297611 | 3) swapper-1 | 0.919 us | } /* crypto_shash_update */
1.297611 | 3) swapper-1 | | tpm_pcr_read() {
1.297611 | 3) swapper-1 | | tpm_find_get_ops() {
1.297612 | 3) swapper-1 | | tpm_try_get_ops() {
1.297612 | 3) swapper-1 | 0.238 us | get_device();
1.297612 | 3) swapper-1 | 0.241 us | down_read();
1.297613 | 3) swapper-1 | 0.231 us | mutex_lock();
1.297613 | 3) swapper-1 | 7.872 us | tpm_chip_start();
1.297621 | 3) swapper-1 | 9.611 us | } /* tpm_try_get_ops */
1.297621 | 3) swapper-1 | 9.953 us | } /* tpm_find_get_ops */
1.297622 | 3) swapper-1 | | tpm1_pcr_read() {
1.297622 | 3) swapper-1 | | __get_free_pages() {
1.297622 | 3) swapper-1 | 2.088 us | alloc_pages();
1.297624 | 3) swapper-1 | 2.499 us | } /* __get_free_pages */
1.297625 | 3) swapper-1 | | tpm_transmit_cmd() {
1.297625 | 3) swapper-1 | # 1186.932 us | tpm_transmit();
1.298813 | 3) swapper-1 | # 1188.266 us | } /* tpm_transmit_cmd */
1.298813 | 3) swapper-1 | | free_pages() {
1.298814 | 3) swapper-1 | 1.605 us | __free_pages();
1.298815 | 3) swapper-1 | 2.086 us | } /* free_pages */
1.298815 | 3) swapper-1 | # 1193.817 us | } /* tpm1_pcr_read */
1.298816 | 3) swapper-1 | | tpm_put_ops() {
1.298816 | 3) swapper-1 | | tpm_chip_stop() {
1.298816 | 3) swapper-1 | 0.415 us | tpm_relinquish_locality();
1.298817 | 3) swapper-1 | 0.264 us | tpm_tis_clkrun_enable();
1.298817 | 3) swapper-1 | 1.364 us | } /* tpm_chip_stop */
1.298818 | 3) swapper-1 | 0.170 us | mutex_unlock();
1.298818 | 3) swapper-1 | 0.157 us | up_read();
1.298818 | 3) swapper-1 | 0.264 us | put_device();
1.298819 | 3) swapper-1 | 3.007 us | } /* tpm_put_ops */
1.298819 | 3) swapper-1 | # 1207.997 us | } /* tpm_pcr_read */
1.298820 | 3) swapper-1 | | crypto_shash_update() {
1.298820 | 3) swapper-1 | 0.776 us | crypto_sha1_update();
1.298821 | 3) swapper-1 | 1.564 us | } /* crypto_shash_update */
1.298821 | 3) swapper-1 | | tpm_pcr_read() {
1.298821 | 3) swapper-1 | | tpm_find_get_ops() {
1.298821 | 3) swapper-1 | | tpm_try_get_ops() {
1.298822 | 3) swapper-1 | 0.239 us | get_device();
1.298822 | 3) swapper-1 | 0.252 us | down_read();
1.298823 | 3) swapper-1 | 0.228 us | mutex_lock();
1.298823 | 3) swapper-1 | 7.872 us | tpm_chip_start();
1.298831 | 3) swapper-1 | 9.576 us | } /* tpm_try_get_ops */
1.298831 | 3) swapper-1 | 9.900 us | } /* tpm_find_get_ops */
1.298831 | 3) swapper-1 | | tpm1_pcr_read() {
1.298832 | 3) swapper-1 | | __get_free_pages() {
1.298832 | 3) swapper-1 | 2.257 us | alloc_pages();
1.298834 | 3) swapper-1 | 2.674 us | } /* __get_free_pages */
1.298835 | 3) swapper-1 | | tpm_transmit_cmd() {
1.298835 | 3) swapper-1 | # 1186.138 us | tpm_transmit();
1.300022 | 3) swapper-1 | # 1187.494 us | } /* tpm_transmit_cmd */
1.300022 | 3) swapper-1 | | free_pages() {
1.300023 | 3) swapper-1 | 1.619 us | __free_pages();
1.300025 | 3) swapper-1 | 2.099 us | } /* free_pages */
1.300025 | 3) swapper-1 | # 1193.254 us | } /* tpm1_pcr_read */
1.300025 | 3) swapper-1 | | tpm_put_ops() {
1.300025 | 3) swapper-1 | | tpm_chip_stop() {
1.300026 | 3) swapper-1 | 0.402 us | tpm_relinquish_locality();
1.300026 | 3) swapper-1 | 0.245 us | tpm_tis_clkrun_enable();
1.300027 | 3) swapper-1 | 1.339 us | } /* tpm_chip_stop */
1.300027 | 3) swapper-1 | 0.170 us | mutex_unlock();
1.300027 | 3) swapper-1 | 0.156 us | up_read();
1.300028 | 3) swapper-1 | 0.236 us | put_device();
1.300028 | 3) swapper-1 | 2.927 us | } /* tpm_put_ops */
1.300028 | 3) swapper-1 | # 1206.993 us | } /* tpm_pcr_read */
1.300028 | 3) swapper-1 | | crypto_shash_update() {
1.300029 | 3) swapper-1 | 0.191 us | crypto_sha1_update();
1.300029 | 3) swapper-1 | 0.688 us | } /* crypto_shash_update */
1.300029 | 3) swapper-1 | | tpm_pcr_read() {
1.300030 | 3) swapper-1 | | tpm_find_get_ops() {
1.300030 | 3) swapper-1 | | tpm_try_get_ops() {
1.300030 | 3) swapper-1 | 0.239 us | get_device();
1.300031 | 3) swapper-1 | 0.248 us | down_read();
1.300031 | 3) swapper-1 | 0.233 us | mutex_lock();
1.300031 | 3) swapper-1 | 8.122 us | tpm_chip_start();
1.300040 | 3) swapper-1 | 9.962 us | } /* tpm_try_get_ops */
1.300040 | 3) swapper-1 | + 10.292 us | } /* tpm_find_get_ops */
1.300040 | 3) swapper-1 | | tpm1_pcr_read() {
1.300041 | 3) swapper-1 | | __get_free_pages() {
1.300041 | 3) swapper-1 | 2.407 us | alloc_pages();
1.300043 | 3) swapper-1 | 2.813 us | } /* __get_free_pages */
1.300044 | 3) swapper-1 | | tpm_transmit_cmd() {
1.300044 | 3) swapper-1 | # 1186.643 us | tpm_transmit();
1.301232 | 3) swapper-1 | # 1188.031 us | } /* tpm_transmit_cmd */
1.301232 | 3) swapper-1 | | free_pages() {
1.301232 | 3) swapper-1 | 1.604 us | __free_pages();
1.301234 | 3) swapper-1 | 2.095 us | } /* free_pages */
1.301234 | 3) swapper-1 | # 1193.909 us | } /* tpm1_pcr_read */
1.301234 | 3) swapper-1 | | tpm_put_ops() {
1.301235 | 3) swapper-1 | | tpm_chip_stop() {
1.301235 | 3) swapper-1 | 0.402 us | tpm_relinquish_locality();
1.301236 | 3) swapper-1 | 0.247 us | tpm_tis_clkrun_enable();
1.301236 | 3) swapper-1 | 1.622 us | } /* tpm_chip_stop */
1.301237 | 3) swapper-1 | 0.166 us | mutex_unlock();
1.301237 | 3) swapper-1 | 0.167 us | up_read();
1.301237 | 3) swapper-1 | 0.235 us | put_device();
1.301238 | 3) swapper-1 | 3.237 us | } /* tpm_put_ops */
1.301238 | 3) swapper-1 | # 1208.564 us | } /* tpm_pcr_read */
1.301239 | 3) swapper-1 | | crypto_shash_update() {
1.301239 | 3) swapper-1 | 0.185 us | crypto_sha1_update();
1.301239 | 3) swapper-1 | 0.933 us | } /* crypto_shash_update */
1.301239 | 3) swapper-1 | | tpm_pcr_read() {
1.301240 | 3) swapper-1 | | tpm_find_get_ops() {
1.301240 | 3) swapper-1 | | tpm_try_get_ops() {
1.301240 | 3) swapper-1 | 0.240 us | get_device();
1.301241 | 3) swapper-1 | 0.247 us | down_read();
1.301241 | 3) swapper-1 | 0.233 us | mutex_lock();
1.301242 | 3) swapper-1 | 7.824 us | tpm_chip_start();
1.301250 | 3) swapper-1 | 9.726 us | } /* tpm_try_get_ops */
1.301250 | 3) swapper-1 | + 10.054 us | } /* tpm_find_get_ops */
1.301250 | 3) swapper-1 | | tpm1_pcr_read() {
1.301250 | 3) swapper-1 | | __get_free_pages() {
1.301250 | 3) swapper-1 | 2.341 us | alloc_pages();
1.301253 | 3) swapper-1 | 2.754 us | } /* __get_free_pages */
1.301253 | 3) swapper-1 | | tpm_transmit_cmd() {
1.301253 | 3) swapper-1 | # 1163.840 us | tpm_transmit();
1.302418 | 3) swapper-1 | # 1164.639 us | } /* tpm_transmit_cmd */
1.302418 | 3) swapper-1 | | free_pages() {
1.302418 | 3) swapper-1 | 0.715 us | __free_pages();
1.302419 | 3) swapper-1 | 1.154 us | } /* free_pages */
1.302419 | 3) swapper-1 | # 1169.348 us | } /* tpm1_pcr_read */
1.302420 | 3) swapper-1 | | tpm_put_ops() {
1.302420 | 3) swapper-1 | | tpm_chip_stop() {
1.302420 | 3) swapper-1 | 0.331 us | tpm_relinquish_locality();
1.302420 | 3) swapper-1 | 0.185 us | tpm_tis_clkrun_enable();
1.302421 | 3) swapper-1 | 1.094 us | } /* tpm_chip_stop */
1.302421 | 3) swapper-1 | 0.180 us | mutex_unlock();
1.302421 | 3) swapper-1 | 0.159 us | up_read();
1.302422 | 3) swapper-1 | 0.177 us | put_device();
1.302422 | 3) swapper-1 | 2.493 us | } /* tpm_put_ops */
1.302422 | 3) swapper-1 | # 1182.716 us | } /* tpm_pcr_read */
1.302422 | 3) swapper-1 | | crypto_shash_update() {
1.302423 | 3) swapper-1 | 0.751 us | crypto_sha1_update();
1.302423 | 3) swapper-1 | 1.103 us | } /* crypto_shash_update */
1.302424 | 3) swapper-1 | | tpm_pcr_read() {
1.302424 | 3) swapper-1 | | tpm_find_get_ops() {
1.302424 | 3) swapper-1 | | tpm_try_get_ops() {
1.302424 | 3) swapper-1 | 0.178 us | get_device();
1.302425 | 3) swapper-1 | 0.250 us | down_read();
1.302425 | 3) swapper-1 | 0.232 us | mutex_lock();
1.302425 | 3) swapper-1 | 7.807 us | tpm_chip_start();
1.302433 | 3) swapper-1 | 9.333 us | } /* tpm_try_get_ops */
1.302433 | 3) swapper-1 | 9.656 us | } /* tpm_find_get_ops */
1.302434 | 3) swapper-1 | | tpm1_pcr_read() {
1.302434 | 3) swapper-1 | | __get_free_pages() {
1.302434 | 3) swapper-1 | 1.314 us | alloc_pages();
1.302436 | 3) swapper-1 | 1.672 us | } /* __get_free_pages */
1.302436 | 3) swapper-1 | | tpm_transmit_cmd() {
1.302436 | 3) swapper-1 | # 1185.055 us | tpm_transmit();
1.303622 | 3) swapper-1 | # 1186.412 us | } /* tpm_transmit_cmd */
1.303623 | 3) swapper-1 | | free_pages() {
1.303623 | 3) swapper-1 | 1.623 us | __free_pages();
1.303625 | 3) swapper-1 | 2.188 us | } /* free_pages */
1.303625 | 3) swapper-1 | # 1191.170 us | } /* tpm1_pcr_read */
1.303625 | 3) swapper-1 | | tpm_put_ops() {
1.303625 | 3) swapper-1 | | tpm_chip_stop() {
1.303626 | 3) swapper-1 | 0.391 us | tpm_relinquish_locality();
1.303626 | 3) swapper-1 | 0.263 us | tpm_tis_clkrun_enable();
1.303627 | 3) swapper-1 | 1.360 us | } /* tpm_chip_stop */
1.303627 | 3) swapper-1 | 0.172 us | mutex_unlock();
1.303627 | 3) swapper-1 | 0.159 us | up_read();
1.303628 | 3) swapper-1 | 0.228 us | put_device();
1.303628 | 3) swapper-1 | 2.958 us | } /* tpm_put_ops */
1.303628 | 3) swapper-1 | # 1204.582 us | } /* tpm_pcr_read */
1.303629 | 3) swapper-1 | | crypto_shash_update() {
1.303629 | 3) swapper-1 | 0.183 us | crypto_sha1_update();
1.303630 | 3) swapper-1 | 0.974 us | } /* crypto_shash_update */
1.303630 | 3) swapper-1 | | crypto_shash_final() {
1.303630 | 3) swapper-1 | 0.720 us | sha1_final();
1.303631 | 3) swapper-1 | 1.155 us | } /* crypto_shash_final */
1.303631 | 3) swapper-1 | * 24661.94 us | } /* ima_calc_boot_aggregate_tfm */
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: init_ima() adds 8 % to boot time
2022-02-19 9:44 init_ima() adds 8 % to boot time Paul Menzel
@ 2022-02-20 15:19 ` Mimi Zohar
2022-02-20 22:57 ` Jarkko Sakkinen
2022-02-22 6:25 ` Petr Vorel
0 siblings, 2 replies; 6+ messages in thread
From: Mimi Zohar @ 2022-02-20 15:19 UTC (permalink / raw)
To: Paul Menzel, Dmitry Kasatkin, Jarkko Sakkinen
Cc: linux-integrity, LKML, Petr Vorel
[Cc'ing Jarkko, Petr Vorel]
Hi Paul,
On Sat, 2022-02-19 at 10:44 +0100, Paul Menzel wrote:
> Dear Linux folks,
>
>
> Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
> 5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
> around 33 ms, adding 8 % to the boot time up to loading the initrd.
>
> [ 0.000000] Linux version 5.17.0-rc4-amd64
> (debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
> ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
> (2022-02-18)
> […]
> [ 0.238520] calling init_tis+0x0/0xde @ 1
> [ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
> [ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
> […]
> [ 0.301327] calling init_ima+0x0/0xb5 @ 1
> [ 0.301332] ima: Allocated hash algorithm: sha256
> [ 0.335502] ima: No architecture policies found
> [ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
> […]
> [ 0.447312] Run /init as init process
>
> Tracing `init_ima` with a depth of 5 shows
> `ima_calc_boot_aggregate_tfm()` takes 24 ms, and
> `ima_add_template_entry()` takes 10 ms.
>
> 1.282630 | 1) swapper-1 | |
> ima_add_boot_aggregate() {
> 1.282631 | 1) swapper-1 | |
> ima_calc_boot_agg:0regate() {
> 1.282631 | 1) swapper-1 | 0.153 us |
> ima_alloc_tfm();
> 1.282631 | 1) swapper-1 | * 24404.59 us |
> ima_calc_boot_aggregate_tfm();
> 1.307037 | 1) swapper-1 | 0.482 us |
> ima_free_tfm.part.0();
> 1.307038 | 1) swapper-1 | * 24407.06 us | } /*
> ima_calc_boot_aggregate */
> 1.307038 | 1) swapper-1 | |
> ima_alloc_init_template() {
> 1.307038 | 1) swapper-1 | 0.173 us |
> ima_template_desc_current();
> 1.307039 | 1) swapper-1 | 0.836 us |
> __kmalloc();
> 1.307040 | 1) swapper-1 | 0.580 us |
> __kmalloc();
> 1.307041 | 1) swapper-1 | 1.555 us |
> ima_eventdigest_ng_init();
> 1.307043 | 1) swapper-1 | 1.275 us |
> ima_eventname_ng_init();
> 1.307044 | 1) swapper-1 | 0.256 us |
> ima_eventsig_init();
> 1.307045 | 1) swapper-1 | 6.618 us | } /*
> ima_alloc_init_template */
> 1.307045 | 1) swapper-1 | |
> ima_store_template() {
> 1.307045 | 1) swapper-1 | 5.049 us |
> ima_calc_field_array_hash();
> 1.307051 | 1) swapper-1 | # 9316.953 us |
> ima_add_template_entry();
> 1.316369 | 1) swapper-1 | # 9323.728 us | } /*
> ima_store_template */
> 1.316369 | 1) swapper-1 | * 33738.54 us | } /*
> ima_add_boot_aggregate */
>
> Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
> `tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
> the TPM supposed to be that slow?
>
> In the last years, Linux decreased it’s boot time a lot, so do you see a
> way to move things out of the hot path and get `init_ima` well below 10
> ms? (As systems get faster and faster, having systems with standard
> distributions to be up below two seconds after pressing the power button
> should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
> Linux kernel + 1 s user space).
>
>
> [1]:
> https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
Thank you including the initial and other TPM delays. The main reason
for the "boot_aggregate" is to tie the pre-OS measurements to the post
OS measurement list. Without the TPM based 'boot_aggregate', any IMA
measurement list could be used to verify a TPM quote. The
'boot_aggregate' is calculated, originally, based on PCRs 0 - 7 and
more recently may include PCRs 8 & 9 as well. The 'boot_aggregate' is
the first record in the IMA measurement list and the first record after
a soft reboot (kexec). It is the one and only IMA measurement record
not dependent on policy.
There are TPM 1.2 & 2.0 standards' requirements, but there are also
buggy TPMs which don't adhere to them to such an extent that IMA goes
into 'TPM-bypass' mode. Perhaps for those not interested in extending
the concepts of trusted boot to the running OS, defining a new boot
command line option to force IMA into this 'TPM-bypass' mode would be
an acceptable alternative to the delay. The IMA measurement list would
still include a 'boot_aggregate' record, but one containing 0's.
thanks,
Mimi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: init_ima() adds 8 % to boot time
2022-02-20 15:19 ` Mimi Zohar
@ 2022-02-20 22:57 ` Jarkko Sakkinen
2022-02-20 23:19 ` Mimi Zohar
2022-02-22 6:25 ` Petr Vorel
1 sibling, 1 reply; 6+ messages in thread
From: Jarkko Sakkinen @ 2022-02-20 22:57 UTC (permalink / raw)
To: Mimi Zohar
Cc: Paul Menzel, Dmitry Kasatkin, linux-integrity, LKML, Petr Vorel
On Sun, Feb 20, 2022 at 10:19:37AM -0500, Mimi Zohar wrote:
> [Cc'ing Jarkko, Petr Vorel]
>
> Hi Paul,
>
> On Sat, 2022-02-19 at 10:44 +0100, Paul Menzel wrote:
> > Dear Linux folks,
> >
> >
> > Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
> > 5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
> > around 33 ms, adding 8 % to the boot time up to loading the initrd.
> >
> > [ 0.000000] Linux version 5.17.0-rc4-amd64
> > (debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
> > ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
> > (2022-02-18)
> > […]
> > [ 0.238520] calling init_tis+0x0/0xde @ 1
> > [ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
> > [ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
> > […]
> > [ 0.301327] calling init_ima+0x0/0xb5 @ 1
> > [ 0.301332] ima: Allocated hash algorithm: sha256
> > [ 0.335502] ima: No architecture policies found
> > [ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
> > […]
> > [ 0.447312] Run /init as init process
> >
> > Tracing `init_ima` with a depth of 5 shows
> > `ima_calc_boot_aggregate_tfm()` takes 24 ms, and
> > `ima_add_template_entry()` takes 10 ms.
> >
> > 1.282630 | 1) swapper-1 | |
> > ima_add_boot_aggregate() {
> > 1.282631 | 1) swapper-1 | |
> > ima_calc_boot_agg:0regate() {
> > 1.282631 | 1) swapper-1 | 0.153 us |
> > ima_alloc_tfm();
> > 1.282631 | 1) swapper-1 | * 24404.59 us |
> > ima_calc_boot_aggregate_tfm();
> > 1.307037 | 1) swapper-1 | 0.482 us |
> > ima_free_tfm.part.0();
> > 1.307038 | 1) swapper-1 | * 24407.06 us | } /*
> > ima_calc_boot_aggregate */
> > 1.307038 | 1) swapper-1 | |
> > ima_alloc_init_template() {
> > 1.307038 | 1) swapper-1 | 0.173 us |
> > ima_template_desc_current();
> > 1.307039 | 1) swapper-1 | 0.836 us |
> > __kmalloc();
> > 1.307040 | 1) swapper-1 | 0.580 us |
> > __kmalloc();
> > 1.307041 | 1) swapper-1 | 1.555 us |
> > ima_eventdigest_ng_init();
> > 1.307043 | 1) swapper-1 | 1.275 us |
> > ima_eventname_ng_init();
> > 1.307044 | 1) swapper-1 | 0.256 us |
> > ima_eventsig_init();
> > 1.307045 | 1) swapper-1 | 6.618 us | } /*
> > ima_alloc_init_template */
> > 1.307045 | 1) swapper-1 | |
> > ima_store_template() {
> > 1.307045 | 1) swapper-1 | 5.049 us |
> > ima_calc_field_array_hash();
> > 1.307051 | 1) swapper-1 | # 9316.953 us |
> > ima_add_template_entry();
> > 1.316369 | 1) swapper-1 | # 9323.728 us | } /*
> > ima_store_template */
> > 1.316369 | 1) swapper-1 | * 33738.54 us | } /*
> > ima_add_boot_aggregate */
> >
> > Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
> > `tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
> > the TPM supposed to be that slow?
> >
> > In the last years, Linux decreased it’s boot time a lot, so do you see a
> > way to move things out of the hot path and get `init_ima` well below 10
> > ms? (As systems get faster and faster, having systems with standard
> > distributions to be up below two seconds after pressing the power button
> > should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
> > Linux kernel + 1 s user space).
> >
> >
> > [1]:
> > https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
>
> Thank you including the initial and other TPM delays. The main reason
> for the "boot_aggregate" is to tie the pre-OS measurements to the post
> OS measurement list. Without the TPM based 'boot_aggregate', any IMA
> measurement list could be used to verify a TPM quote. The
> 'boot_aggregate' is calculated, originally, based on PCRs 0 - 7 and
> more recently may include PCRs 8 & 9 as well. The 'boot_aggregate' is
> the first record in the IMA measurement list and the first record after
> a soft reboot (kexec). It is the one and only IMA measurement record
> not dependent on policy.
>
> There are TPM 1.2 & 2.0 standards' requirements, but there are also
> buggy TPMs which don't adhere to them to such an extent that IMA goes
> into 'TPM-bypass' mode. Perhaps for those not interested in extending
> the concepts of trusted boot to the running OS, defining a new boot
> command line option to force IMA into this 'TPM-bypass' mode would be
> an acceptable alternative to the delay. The IMA measurement list would
> still include a 'boot_aggregate' record, but one containing 0's.
I support the opt-in boot option.
If the full hardware specifications are known for a device, you might want
to use this.
/Jarkko
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: init_ima() adds 8 % to boot time
2022-02-20 22:57 ` Jarkko Sakkinen
@ 2022-02-20 23:19 ` Mimi Zohar
2022-02-21 20:06 ` Jarkko Sakkinen
0 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2022-02-20 23:19 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Paul Menzel, Dmitry Kasatkin, linux-integrity, LKML, Petr Vorel
On Sun, 2022-02-20 at 23:57 +0100, Jarkko Sakkinen wrote:
> On Sun, Feb 20, 2022 at 10:19:37AM -0500, Mimi Zohar wrote:
> > [Cc'ing Jarkko, Petr Vorel]
> >
> > Hi Paul,
> >
> > On Sat, 2022-02-19 at 10:44 +0100, Paul Menzel wrote:
> > > Dear Linux folks,
> > >
> > >
> > > Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
> > > 5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
> > > around 33 ms, adding 8 % to the boot time up to loading the initrd.
> > >
> > > [ 0.000000] Linux version 5.17.0-rc4-amd64
> > > (debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
> > > ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
> > > (2022-02-18)
> > > […]
> > > [ 0.238520] calling init_tis+0x0/0xde @ 1
> > > [ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
> > > [ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
> > > […]
> > > [ 0.301327] calling init_ima+0x0/0xb5 @ 1
> > > [ 0.301332] ima: Allocated hash algorithm: sha256
> > > [ 0.335502] ima: No architecture policies found
> > > [ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
> > > […]
> > > [ 0.447312] Run /init as init process
> > >
> > > Tracing `init_ima` with a depth of 5 shows
> > > `ima_calc_boot_aggregate_tfm()` takes 24 ms, and
> > > `ima_add_template_entry()` takes 10 ms.
> > >
> > > 1.282630 | 1) swapper-1 | |
> > > ima_add_boot_aggregate() {
> > > 1.282631 | 1) swapper-1 | |
> > > ima_calc_boot_agg:0regate() {
> > > 1.282631 | 1) swapper-1 | 0.153 us |
> > > ima_alloc_tfm();
> > > 1.282631 | 1) swapper-1 | * 24404.59 us |
> > > ima_calc_boot_aggregate_tfm();
> > > 1.307037 | 1) swapper-1 | 0.482 us |
> > > ima_free_tfm.part.0();
> > > 1.307038 | 1) swapper-1 | * 24407.06 us | } /*
> > > ima_calc_boot_aggregate */
> > > 1.307038 | 1) swapper-1 | |
> > > ima_alloc_init_template() {
> > > 1.307038 | 1) swapper-1 | 0.173 us |
> > > ima_template_desc_current();
> > > 1.307039 | 1) swapper-1 | 0.836 us |
> > > __kmalloc();
> > > 1.307040 | 1) swapper-1 | 0.580 us |
> > > __kmalloc();
> > > 1.307041 | 1) swapper-1 | 1.555 us |
> > > ima_eventdigest_ng_init();
> > > 1.307043 | 1) swapper-1 | 1.275 us |
> > > ima_eventname_ng_init();
> > > 1.307044 | 1) swapper-1 | 0.256 us |
> > > ima_eventsig_init();
> > > 1.307045 | 1) swapper-1 | 6.618 us | } /*
> > > ima_alloc_init_template */
> > > 1.307045 | 1) swapper-1 | |
> > > ima_store_template() {
> > > 1.307045 | 1) swapper-1 | 5.049 us |
> > > ima_calc_field_array_hash();
> > > 1.307051 | 1) swapper-1 | # 9316.953 us |
> > > ima_add_template_entry();
> > > 1.316369 | 1) swapper-1 | # 9323.728 us | } /*
> > > ima_store_template */
> > > 1.316369 | 1) swapper-1 | * 33738.54 us | } /*
> > > ima_add_boot_aggregate */
> > >
> > > Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
> > > `tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
> > > the TPM supposed to be that slow?
> > >
> > > In the last years, Linux decreased it’s boot time a lot, so do you see a
> > > way to move things out of the hot path and get `init_ima` well below 10
> > > ms? (As systems get faster and faster, having systems with standard
> > > distributions to be up below two seconds after pressing the power button
> > > should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
> > > Linux kernel + 1 s user space).
> > >
> > >
> > > [1]:
> > > https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
> >
> > Thank you including the initial and other TPM delays. The main reason
> > for the "boot_aggregate" is to tie the pre-OS measurements to the post
> > OS measurement list. Without the TPM based 'boot_aggregate', any IMA
> > measurement list could be used to verify a TPM quote. The
> > 'boot_aggregate' is calculated, originally, based on PCRs 0 - 7 and
> > more recently may include PCRs 8 & 9 as well. The 'boot_aggregate' is
> > the first record in the IMA measurement list and the first record after
> > a soft reboot (kexec). It is the one and only IMA measurement record
> > not dependent on policy.
> >
> > There are TPM 1.2 & 2.0 standards' requirements, but there are also
> > buggy TPMs which don't adhere to them to such an extent that IMA goes
> > into 'TPM-bypass' mode. Perhaps for those not interested in extending
> > the concepts of trusted boot to the running OS, defining a new boot
> > command line option to force IMA into this 'TPM-bypass' mode would be
> > an acceptable alternative to the delay. The IMA measurement list would
> > still include a 'boot_aggregate' record, but one containing 0's.
>
> I support the opt-in boot option.
>
> If the full hardware specifications are known for a device, you might want
> to use this.
The default would be to extend the TPM with the 'boot_aggregate', with
an option to opt-out of extending the TPM.
--
thanks,
Mimi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: init_ima() adds 8 % to boot time
2022-02-20 23:19 ` Mimi Zohar
@ 2022-02-21 20:06 ` Jarkko Sakkinen
0 siblings, 0 replies; 6+ messages in thread
From: Jarkko Sakkinen @ 2022-02-21 20:06 UTC (permalink / raw)
To: Mimi Zohar
Cc: Paul Menzel, Dmitry Kasatkin, linux-integrity, LKML, Petr Vorel
On Sun, Feb 20, 2022 at 06:19:59PM -0500, Mimi Zohar wrote:
> On Sun, 2022-02-20 at 23:57 +0100, Jarkko Sakkinen wrote:
> > On Sun, Feb 20, 2022 at 10:19:37AM -0500, Mimi Zohar wrote:
> > > [Cc'ing Jarkko, Petr Vorel]
> > >
> > > Hi Paul,
> > >
> > > On Sat, 2022-02-19 at 10:44 +0100, Paul Menzel wrote:
> > > > Dear Linux folks,
> > > >
> > > >
> > > > Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
> > > > 5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
> > > > around 33 ms, adding 8 % to the boot time up to loading the initrd.
> > > >
> > > > [ 0.000000] Linux version 5.17.0-rc4-amd64
> > > > (debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
> > > > ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
> > > > (2022-02-18)
> > > > […]
> > > > [ 0.238520] calling init_tis+0x0/0xde @ 1
> > > > [ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
> > > > [ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
> > > > […]
> > > > [ 0.301327] calling init_ima+0x0/0xb5 @ 1
> > > > [ 0.301332] ima: Allocated hash algorithm: sha256
> > > > [ 0.335502] ima: No architecture policies found
> > > > [ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
> > > > […]
> > > > [ 0.447312] Run /init as init process
> > > >
> > > > Tracing `init_ima` with a depth of 5 shows
> > > > `ima_calc_boot_aggregate_tfm()` takes 24 ms, and
> > > > `ima_add_template_entry()` takes 10 ms.
> > > >
> > > > 1.282630 | 1) swapper-1 | |
> > > > ima_add_boot_aggregate() {
> > > > 1.282631 | 1) swapper-1 | |
> > > > ima_calc_boot_agg:0regate() {
> > > > 1.282631 | 1) swapper-1 | 0.153 us |
> > > > ima_alloc_tfm();
> > > > 1.282631 | 1) swapper-1 | * 24404.59 us |
> > > > ima_calc_boot_aggregate_tfm();
> > > > 1.307037 | 1) swapper-1 | 0.482 us |
> > > > ima_free_tfm.part.0();
> > > > 1.307038 | 1) swapper-1 | * 24407.06 us | } /*
> > > > ima_calc_boot_aggregate */
> > > > 1.307038 | 1) swapper-1 | |
> > > > ima_alloc_init_template() {
> > > > 1.307038 | 1) swapper-1 | 0.173 us |
> > > > ima_template_desc_current();
> > > > 1.307039 | 1) swapper-1 | 0.836 us |
> > > > __kmalloc();
> > > > 1.307040 | 1) swapper-1 | 0.580 us |
> > > > __kmalloc();
> > > > 1.307041 | 1) swapper-1 | 1.555 us |
> > > > ima_eventdigest_ng_init();
> > > > 1.307043 | 1) swapper-1 | 1.275 us |
> > > > ima_eventname_ng_init();
> > > > 1.307044 | 1) swapper-1 | 0.256 us |
> > > > ima_eventsig_init();
> > > > 1.307045 | 1) swapper-1 | 6.618 us | } /*
> > > > ima_alloc_init_template */
> > > > 1.307045 | 1) swapper-1 | |
> > > > ima_store_template() {
> > > > 1.307045 | 1) swapper-1 | 5.049 us |
> > > > ima_calc_field_array_hash();
> > > > 1.307051 | 1) swapper-1 | # 9316.953 us |
> > > > ima_add_template_entry();
> > > > 1.316369 | 1) swapper-1 | # 9323.728 us | } /*
> > > > ima_store_template */
> > > > 1.316369 | 1) swapper-1 | * 33738.54 us | } /*
> > > > ima_add_boot_aggregate */
> > > >
> > > > Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
> > > > `tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
> > > > the TPM supposed to be that slow?
> > > >
> > > > In the last years, Linux decreased it’s boot time a lot, so do you see a
> > > > way to move things out of the hot path and get `init_ima` well below 10
> > > > ms? (As systems get faster and faster, having systems with standard
> > > > distributions to be up below two seconds after pressing the power button
> > > > should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
> > > > Linux kernel + 1 s user space).
> > > >
> > > >
> > > > [1]:
> > > > https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
> > >
> > > Thank you including the initial and other TPM delays. The main reason
> > > for the "boot_aggregate" is to tie the pre-OS measurements to the post
> > > OS measurement list. Without the TPM based 'boot_aggregate', any IMA
> > > measurement list could be used to verify a TPM quote. The
> > > 'boot_aggregate' is calculated, originally, based on PCRs 0 - 7 and
> > > more recently may include PCRs 8 & 9 as well. The 'boot_aggregate' is
> > > the first record in the IMA measurement list and the first record after
> > > a soft reboot (kexec). It is the one and only IMA measurement record
> > > not dependent on policy.
> > >
> > > There are TPM 1.2 & 2.0 standards' requirements, but there are also
> > > buggy TPMs which don't adhere to them to such an extent that IMA goes
> > > into 'TPM-bypass' mode. Perhaps for those not interested in extending
> > > the concepts of trusted boot to the running OS, defining a new boot
> > > command line option to force IMA into this 'TPM-bypass' mode would be
> > > an acceptable alternative to the delay. The IMA measurement list would
> > > still include a 'boot_aggregate' record, but one containing 0's.
> >
> > I support the opt-in boot option.
> >
> > If the full hardware specifications are known for a device, you might want
> > to use this.
>
> The default would be to extend the TPM with the 'boot_aggregate', with
> an option to opt-out of extending the TPM.
Ah, right, thanks for correction. By "opt-in" I meant "opt-out" :-)
BR, Jarkko
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: init_ima() adds 8 % to boot time
2022-02-20 15:19 ` Mimi Zohar
2022-02-20 22:57 ` Jarkko Sakkinen
@ 2022-02-22 6:25 ` Petr Vorel
1 sibling, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2022-02-22 6:25 UTC (permalink / raw)
To: Mimi Zohar
Cc: Paul Menzel, Dmitry Kasatkin, Jarkko Sakkinen, linux-integrity, LKML
Hi Mimi,
> [Cc'ing Jarkko, Petr Vorel]
Thanks!
> Hi Paul,
> On Sat, 2022-02-19 at 10:44 +0100, Paul Menzel wrote:
> > Dear Linux folks,
> > Debian builds its Linux kernel image with `CONFIG_IMA=y` since version
> > 5.13.9 [1]. Unfortunately, on the Dell Latitude E7250 `init_ima` takes
> > around 33 ms, adding 8 % to the boot time up to loading the initrd.
> > [ 0.000000] Linux version 5.17.0-rc4-amd64
> > (debian-kernel@lists.debian.org) (gcc-11 (Debian 11.2.0-16) 11.2.0, GNU
> > ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT Debian 5.17~rc4-1~exp1
> > (2022-02-18)
> > […]
> > [ 0.238520] calling init_tis+0x0/0xde @ 1
> > [ 0.254749] tpm_tis 00:08: 1.2 TPM (device-id 0x3205, rev-id 80)
> > [ 0.285665] initcall init_tis+0x0/0xde returned 0 after 46038 usecs
> > […]
> > [ 0.301327] calling init_ima+0x0/0xb5 @ 1
> > [ 0.301332] ima: Allocated hash algorithm: sha256
> > [ 0.335502] ima: No architecture policies found
> > [ 0.335520] initcall init_ima+0x0/0xb5 returned 0 after 33389 usecs
> > […]
> > [ 0.447312] Run /init as init process
> > Tracing `init_ima` with a depth of 5 shows
> > `ima_calc_boot_aggregate_tfm()` takes 24 ms, and
> > `ima_add_template_entry()` takes 10 ms.
> > 1.282630 | 1) swapper-1 | |
> > ima_add_boot_aggregate() {
> > 1.282631 | 1) swapper-1 | |
> > ima_calc_boot_agg:0regate() {
> > 1.282631 | 1) swapper-1 | 0.153 us |
> > ima_alloc_tfm();
> > 1.282631 | 1) swapper-1 | * 24404.59 us |
> > ima_calc_boot_aggregate_tfm();
> > 1.307037 | 1) swapper-1 | 0.482 us |
> > ima_free_tfm.part.0();
> > 1.307038 | 1) swapper-1 | * 24407.06 us | } /*
> > ima_calc_boot_aggregate */
> > 1.307038 | 1) swapper-1 | |
> > ima_alloc_init_template() {
> > 1.307038 | 1) swapper-1 | 0.173 us |
> > ima_template_desc_current();
> > 1.307039 | 1) swapper-1 | 0.836 us |
> > __kmalloc();
> > 1.307040 | 1) swapper-1 | 0.580 us |
> > __kmalloc();
> > 1.307041 | 1) swapper-1 | 1.555 us |
> > ima_eventdigest_ng_init();
> > 1.307043 | 1) swapper-1 | 1.275 us |
> > ima_eventname_ng_init();
> > 1.307044 | 1) swapper-1 | 0.256 us |
> > ima_eventsig_init();
> > 1.307045 | 1) swapper-1 | 6.618 us | } /*
> > ima_alloc_init_template */
> > 1.307045 | 1) swapper-1 | |
> > ima_store_template() {
> > 1.307045 | 1) swapper-1 | 5.049 us |
> > ima_calc_field_array_hash();
> > 1.307051 | 1) swapper-1 | # 9316.953 us |
> > ima_add_template_entry();
> > 1.316369 | 1) swapper-1 | # 9323.728 us | } /*
> > ima_store_template */
> > 1.316369 | 1) swapper-1 | * 33738.54 us | } /*
> > ima_add_boot_aggregate */
> > Tracing `ima_calc_boot_aggregate_tfm()` (attached) shows that the first
> > `tpm1_pcr_read()` takes 16 ms in `tpm_transmit()`. Is communicating with
> > the TPM supposed to be that slow?
> > In the last years, Linux decreased it’s boot time a lot, so do you see a
> > way to move things out of the hot path and get `init_ima` well below 10
> > ms? (As systems get faster and faster, having systems with standard
> > distributions to be up below two seconds after pressing the power button
> > should be a reasonable goal (500 ms firmware (like coreboot) + 500 ms
> > Linux kernel + 1 s user space).
> > [1]:
> > https://salsa.debian.org/kernel-team/linux/-/commit/6e679322d7d98d30b4a8a3d1b659c899a6e9d4df
> Thank you including the initial and other TPM delays. The main reason
> for the "boot_aggregate" is to tie the pre-OS measurements to the post
> OS measurement list. Without the TPM based 'boot_aggregate', any IMA
> measurement list could be used to verify a TPM quote. The
> 'boot_aggregate' is calculated, originally, based on PCRs 0 - 7 and
> more recently may include PCRs 8 & 9 as well. The 'boot_aggregate' is
> the first record in the IMA measurement list and the first record after
> a soft reboot (kexec). It is the one and only IMA measurement record
> not dependent on policy.
> There are TPM 1.2 & 2.0 standards' requirements, but there are also
> buggy TPMs which don't adhere to them to such an extent that IMA goes
> into 'TPM-bypass' mode. Perhaps for those not interested in extending
> the concepts of trusted boot to the running OS, defining a new boot
> command line option to force IMA into this 'TPM-bypass' mode would be
> an acceptable alternative to the delay. The IMA measurement list would
> still include a 'boot_aggregate' record, but one containing 0's.
This sounds reasonable.
Kind regards,
Petr
> thanks,
> Mimi
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-02-22 6:25 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-19 9:44 init_ima() adds 8 % to boot time Paul Menzel
2022-02-20 15:19 ` Mimi Zohar
2022-02-20 22:57 ` Jarkko Sakkinen
2022-02-20 23:19 ` Mimi Zohar
2022-02-21 20:06 ` Jarkko Sakkinen
2022-02-22 6:25 ` Petr Vorel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.