On Fri, Aug 08, 2025 at 02:32:02PM -0400, Denis Aleksandrov wrote:
> Ping.
>
> Just checking in on this patch.
> It has received a "Reviewed-by" tag, and I was wondering if there is
> anything else needed from my side for it to be picked up.

"This bug is not seen on most machines. Reads on tpm/tpm0/ppi/*operations
can become very long on misconfigured systems. Reading the TPM is a blocking
operation, thus a user could effectively trigger a DOS.

Resolve this by restricting unprivileged user from reading the
above-mentioned device files."

OK I took some time to revisit this.

I think the symptom is correct but it should not be fixed the way it is
done here. I.e. the fix works as a bug report but not as a right type of
fix because it will also change uapi behavior w/o strong enough reasons
to do so.

What you should do instead would be to cache the result. I.e. first
declare this as static global:

static const char *tpm_ppi_info[] = {
	"Not implemented",
	"BIOS only",
	"Blocked for OS by BIOS",
	"User required",
	"User not required",
};

Then declare a spinlock:

static DEFINE_SPINLOCK(tpm_ppi_lock);

And finally static arrays that contain indexes to tpm_ppi_info e.g.,
tpm_ppi_tcg_operations and tpm_ppi_vs_operations.

Then on first request populate them and after that the results are
cached.

> Thanks,
> Denis

BR, Jarkko
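
Added example, not part of the original message and not kernel code: a user-space C model of the caching scheme described above, showing that the slow read happens once and later reads are served from the index table. slow_firmware_query, PPI_OPS, the constructed answers and the out-of-range fallback are assumptions of this sketch; a C11 atomic_flag stands in for the spinlock, and the slow query runs with the lock released.

```c
#include <stdatomic.h>
#include <string.h>

/* Status strings as listed in the message above. */
static const char *tpm_ppi_info[] = {
	"Not implemented", "BIOS only", "Blocked for OS by BIOS",
	"User required", "User not required",
};
#define PPI_INFO_MAX 5
#define PPI_OPS 8                         /* constructed table size */

static atomic_flag tpm_ppi_lock = ATOMIC_FLAG_INIT; /* spinlock stand-in */
static unsigned char tpm_ppi_ops[PPI_OPS]; /* indexes into tpm_ppi_info */
static int tpm_ppi_cached;                 /* set once the table is filled */
static int slow_queries;                   /* counts simulated firmware reads */

/* Hypothetical stand-in for the slow, blocking firmware query. */
static unsigned int slow_firmware_query(size_t op)
{
	slow_queries++;
	return (unsigned int)(op % PPI_INFO_MAX); /* constructed answer */
}

static void ppi_lock(void)   { while (atomic_flag_test_and_set(&tpm_ppi_lock)) ; }
static void ppi_unlock(void) { atomic_flag_clear(&tpm_ppi_lock); }

/* Return the cached status string; populate the cache on first request. */
const char *ppi_op_status(size_t op)
{
	unsigned char fresh[PPI_OPS];
	unsigned int idx;
	int ready;

	if (op >= PPI_OPS)
		return NULL;
	ppi_lock(); ready = tpm_ppi_cached; ppi_unlock();
	if (!ready) {
		for (size_t i = 0; i < PPI_OPS; i++) { /* slow part, lock not held */
			idx = slow_firmware_query(i);
			/* sketch's choice: unknown codes map to "Not implemented" */
			fresh[i] = (unsigned char)(idx < PPI_INFO_MAX ? idx : 0);
		}
		ppi_lock();
		memcpy(tpm_ppi_ops, fresh, sizeof(fresh));
		tpm_ppi_cached = 1;
		ppi_unlock();
	}
	ppi_lock(); idx = tpm_ppi_ops[op]; ppi_unlock();
	return tpm_ppi_info[idx];
}
```

After the first call, repeated reads by any user cost only a table lookup, so the read permissions on the files do not need to change.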