Subject: Re: [tpmdd-devel] [RFC] tpm2-space: add handling for global session exhaustion
From: Ken Goldman
Date: Sun, 12 Feb 2017 15:29:45 -0500
Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Message-Id: <14cb6207-7591-e10a-2d73-b82ede467e40@linux.vnet.ibm.com>
In-Reply-To: <1486745163.2502.26.camel@HansenPartnership.com>
References: <201702101003.v1AA3plF029882@wind.enjellic.com> <1486745163.2502.26.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2/10/2017 11:46 AM, James Bottomley wrote:
> On Fri, 2017-02-10 at 04:03 -0600, Dr. Greg Wettstein wrote:
>> On Feb 9, 11:24am, James Bottomley wrote:
>> quote: 810 milliseconds
>> verify signature: 635 milliseconds
> ...
>
> Part of the way of reducing the latency is not to use the TPM for
> things that don't require secrecy: container signature verification is
> one such because the container is signed with a private key to which
> ...

Agreed. There are a few times one would verify a signature inside the TPM, but they're far from mainstream:

1 - Early in the boot cycle, when there's no crypto library.
2 - When the crypto library doesn't support the required algorithm.
3 - When a ticket is needed to prove to the TPM later that it verified the signature.
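The thread's point is that signature verification over public data (a container manifest, for instance) needs no secrecy and so belongs in the host crypto library rather than in the TPM, which the quoted measurements show is slow for that job. The following Go program is an added illustration of that software-side path; it is not code from the thread, from the tpm2-space patch, or from the kernel. It generates a throwaway RSA-2048 key, signs a constructed manifest (the JSON string is made up for the example), verifies it with Go's standard library while timing the check, and then shows the failure mode a verifier must handle: a manifest altered by one byte is rejected. All function names (signBlob, verifyInSoftware, Demo) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// VerifyResult records whether a software-side signature check passed
// and how long it took, so it can be set beside an in-TPM measurement.
type VerifyResult struct {
	Valid   bool
	Elapsed time.Duration
}

// signBlob produces an RSA PKCS#1 v1.5 signature over SHA-256(blob).
// In a real pipeline this runs on the signing host; only the public
// key travels with the artifact being verified.
func signBlob(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyInSoftware checks the signature with the host crypto library.
// Nothing here is secret (public key, public data, public signature),
// which is exactly why the thread says the TPM is not needed for it.
func verifyInSoftware(pub *rsa.PublicKey, blob, sig []byte) VerifyResult {
	start := time.Now()
	digest := sha256.Sum256(blob)
	err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	return VerifyResult{Valid: err == nil, Elapsed: time.Since(start)}
}

// Demo generates a key, signs a constructed manifest, verifies the
// genuine copy, then verifies a one-byte-altered copy. Both results
// are returned so a caller can assert on them.
func Demo() (good, tampered VerifyResult, err error) {
	// Example-only key; a real verifier would load a trusted public key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed manifest; the digest value is a placeholder, not real.
	manifest := []byte(`{"image":"example/app","digest":"sha256:PLACEHOLDER"}`)
	sig, err := signBlob(priv, manifest)
	if err != nil {
		return
	}
	good = verifyInSoftware(&priv.PublicKey, manifest, sig)

	// Flip one bit in the manifest; the signature must no longer verify.
	altered := append([]byte{}, manifest...)
	altered[len(altered)-2] ^= 0x01
	tampered = verifyInSoftware(&priv.PublicKey, altered, sig)
	return
}

func main() {
	good, tampered, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine manifest: valid=%v elapsed=%v\n", good.Valid, good.Elapsed)
	fmt.Printf("altered manifest: valid=%v elapsed=%v\n", tampered.Valid, tampered.Elapsed)
}
```

The elapsed figures printed are whatever the host's CPU delivers and are not the thread's numbers; the point of printing them is that a reader can place them next to the 635 ms in-TPM verify quoted above. The three cases Ken lists (no library yet at early boot, unsupported algorithm, or needing a TPM ticket) are the ones where this software path is not available or not sufficient.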