[v4] tpm2: add longer timeout for verify signature command

Commit Message

Amir Mizinski May 25, 2021, 11:13 a.m. UTC

From: Amir Mizinski <amirmizi6@gmail.com>

While running a TPM2_CC_VERIFY_SIGNATURE operation with RSA 3072-bit
keys the TPM driver fails with the following error:

"kernel: [ 2416.187522] tpm tpm0: Operation Timed out"

Since the TPM PC Client specification does not specify a number for
verify signature operation timeout, and the duration of
TPM2_CC_VERIFY_SIGNATURE with RSA 3072-bit keys exceeds the current timeout
of TPM_LONG (2 seconds), it is preferable to pick the longest timeout
possible.

Therefore, set the duration for TPM2_CC_VERIFY_SIGNATUE to TPM_LONG_LONG
(5 minutes).

Link: https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>
---
 drivers/char/tpm/tpm2-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jarkko Sakkinen May 26, 2021, 4:50 a.m. UTC | #1

On Tue, May 25, 2021 at 02:13:25PM +0300, amirmizi6@gmail.com wrote:
> From: Amir Mizinski <amirmizi6@gmail.com>
> 
> While running a TPM2_CC_VERIFY_SIGNATURE operation with RSA 3072-bit
> keys the TPM driver fails with the following error:
> 
> "kernel: [ 2416.187522] tpm tpm0: Operation Timed out"
> 
> Since the TPM PC Client specification does not specify a number for
> verify signature operation timeout, and the duration of
> TPM2_CC_VERIFY_SIGNATURE with RSA 3072-bit keys exceeds the current timeout
> of TPM_LONG (2 seconds), it is preferable to pick the longest timeout
> possible.
> 
> Therefore, set the duration for TPM2_CC_VERIFY_SIGNATUE to TPM_LONG_LONG
> (5 minutes).
> 
> Link: https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
> Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>
> ---

Thank you.

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>

/Jarkko

Jarkko Sakkinen May 26, 2021, 4:56 a.m. UTC | #2

On Wed, May 26, 2021 at 07:50:43AM +0300, Jarkko Sakkinen wrote:
> On Tue, May 25, 2021 at 02:13:25PM +0300, amirmizi6@gmail.com wrote:
> > From: Amir Mizinski <amirmizi6@gmail.com>
> > 
> > While running a TPM2_CC_VERIFY_SIGNATURE operation with RSA 3072-bit
> > keys the TPM driver fails with the following error:
> > 
> > "kernel: [ 2416.187522] tpm tpm0: Operation Timed out"
> > 
> > Since the TPM PC Client specification does not specify a number for
> > verify signature operation timeout, and the duration of
> > TPM2_CC_VERIFY_SIGNATURE with RSA 3072-bit keys exceeds the current timeout
> > of TPM_LONG (2 seconds), it is preferable to pick the longest timeout
> > possible.
> > 
> > Therefore, set the duration for TPM2_CC_VERIFY_SIGNATUE to TPM_LONG_LONG
> > (5 minutes).
> > 
> > Link: https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
> > Signed-off-by: Amir Mizinski <amirmizi6@gmail.com>
> > ---
> 
> Thank you.
> 
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>

I mean @kernel.org.

I mangled the short summary as 

"tpm: add longer timeout for TPM2_CC_VERIFY_SIGNATURE"

given that 

1. The subsystem tag was wrong.
2. Always to talk about the *exact thing*. I.e. in this case it's
   preferable to just write the command name, as"verify time signature
   command" does not have any formal menaing.

It's now applied, thanks.

/Jarkko

Patch

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 7603295..e71154b 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -87,7 +87,7 @@  static u8 tpm2_ordinal_duration_index(u32 ordinal)
 		return TPM_MEDIUM;
 
 	case TPM2_CC_VERIFY_SIGNATURE:        /* 177 */
-		return TPM_LONG;
+		return TPM_LONG_LONG;
 
 	case TPM2_CC_PCR_EXTEND:              /* 182 */
 		return TPM_MEDIUM;