
Re: [PATCH v4] tpm: Disable tpm verifier if tpm is not present


From: Daniel Kiper
Subject: Re: [PATCH v4] tpm: Disable tpm verifier if tpm is not present
Date: Tue, 21 Mar 2023 15:35:33 +0100
User-agent: NeoMutt/20170113 (1.7.2)

On Mon, Mar 20, 2023 at 06:18:26PM +0800, Michael Chang via Grub-devel wrote:
> When the TPM module is loaded, the verifier reads the entire file into
> memory, measures and extends the hash, and uses the verified content as
> a backing buffer for disk files. However, this process can result in a
> high memory utilization cost per file operation, sometimes causing the
> system to run out of memory, which can lead to boot failure. To address
> this issue, previous patches have optimized memory management by

I would mention at least commit 887f98f0d (mm: Allow dynamically
requesting additional memory regions) here.

> dynamically allocating heap space to maximize memory usage and reduce
> the threat of memory exhaustion. But in some cases, problems may still
> arise, such as when large ISO images are mounted using loopback or when
> dealing with embedded systems with limited memory resources.
>
> Unfortunately, the current implementation of the TPM module doesn't
> allow for the elimination of the back buffer once it is loaded, even if
> no TPM device is present or the device has been explicitly disabled.
> This can lead to wasted memory. To solve this issue, a patch has been
> developed to detect the TPM status at the time of loading and skip
> verifier registration if the device is missing or deactivated. This
> prevents the allocation of memory for a back buffer, avoiding wasted
> memory when no real measured boot functionality is performed. This patch
> also provides users with the option to disable the TPM device to free up
> memory in scenarios where the system can't afford the high memory
> utilization cost.

The last sentence is confusing because it gives an impression the patch
adds an option to the GRUB to "disable the TPM device". Which of course
is not true. I expect you wanted to say something like that: "disabling
the TPM device in the system reduces memory usage in the GRUB. This can
be useful in scenarios where the system can't afford the high memory
utilization cost and nobody cares about the measurements of loaded
artifacts."

Otherwise patch LGTM...

Daniel
