grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v4] tpm: Disable tpm verifier if tpm is not present

From: Michael Chang
Subject: Re: [PATCH v4] tpm: Disable tpm verifier if tpm is not present
Date: Wed, 22 Mar 2023 12:42:25 +0800 
On Tue, Mar 21, 2023 at 03:35:33PM +0100, Daniel Kiper wrote:
> On Mon, Mar 20, 2023 at 06:18:26PM +0800, Michael Chang via Grub-devel wrote:
> > When the TPM module is loaded, the verifier reads the entire file into
> > memory, measures and extends the hash, and uses the verified content as
> > a backing buffer for disk files. However, this process can result in a
> > high memory utilization cost per file operation, sometimes causing the
> > system to run out of memory, which can lead to boot failure. To address
> > this issue, previous patches have optimized memory management by
> 
> I would mention at least commit 887f98f0d (mm: Allow dynamically
> requesting additional memory regions) here.

OK. I will do it.

> 
> > dynamically allocating heap space to maximize memory usage and reduce
> > the threat of memory exhaustion. But in some cases, problems may still
> > arise, such as when large ISO images are mounted using loopback or when
> > dealing with embedded systems with limited memory resources.
> >
> > Unfortunately, the current implementation of the TPM module doesn't
> > allow for the elimination of the back buffer once it is loaded, even if
> > no TPM device is present or the device has been explicitly disabled.
> > This can lead to wasted memory. To solve this issue, a patch has been
> > developed to detect the TPM status at the time of loading and skip
> > verifier registration if the device is missing or deactivated. This
> > prevents the allocation of memory for a back buffer, avoiding wasted
> > memory when no real measure boot functionality is performed. This patch
> > also provides users with the option to disable the TPM device to free up
> > memory in scenarios where the system can't afford the high memory
> > utilization cost.
> 
> The last sentence is confusing because it gives an impression the patch
> adds an option to the GRUB to "disable the TPM device". Which of course
> is not true. I expect you wanted to say something like that: "disabling
> the TPM device in the system reduces memory usage in the GRUB. This can
> be useful in scenarios where the system can't afford the high memory
> utilization cost and nobody cares about the measurements of loaded
> artifacts."

Initially, I want to emphasize that after this proposed change,
disabling TPM will become an option to free up memory for others.
However, my previous expression may have been confusing, and I apologize
for that.

Thank you for your review, and I have updated the v5 patch to address
your comment.

Regards,
Michael

> 
> Otherwise patch LGTM...
> 
> Daniel
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
reply via email to
[Prev in Thread] Current Thread [Next in Thread]