[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v5] tpm: Disable tpm verifier if tpm is not present

From: Daniel Kiper
Subject: Re: [PATCH v5] tpm: Disable tpm verifier if tpm is not present
Date: Tue, 28 Mar 2023 17:56:33 +0200
User-agent: NeoMutt/20170113 (1.7.2)

On Wed, Mar 22, 2023 at 12:25:43PM +0800, Michael Chang via Grub-devel wrote:
> When the TPM module is loaded, the verifier reads the entire file into
> memory, measures and extends the hash, and uses the verified content as
> a backing buffer for disk files. However, this process can result in a
> high memory utilization cost per file operation, sometimes causing the
> system to run out of memory, which can lead to boot failure. To address
> this issue, commit 887f98f0d (mm: Allow dynamically requesting
> additional memory regions), have optimized memory management by
> dynamically allocating heap space to maximize memory usage and reduce
> the threat of memory exhaustion. But in some cases, problems may still
> arise, such as when large ISO images are mounted using loopback or when
> dealing with embedded systems with limited memory resources.
> Unfortunately, the current implementation of the TPM module doesn't
> allow for the elimination of the back buffer once it is loaded, even if
> no TPM device is present or the device has been explicitly disabled.
> This can lead to wasted memory. To solve this issue, a patch has been
> developed to detect the TPM status at the time of loading and skip
> verifier registration if the device is missing or deactivated. This
> prevents the allocation of memory for a back buffer, avoiding wasted
> memory when no real measure boot functionality is performed. Disabling
> the TPM device in the system can reduce memory usage in grub, which is
> useful in scenarios where high memory utilization is a concern and
> measurements of loaded artifacts are not necessary.
> Signed-off-by: Michael Chang <>
> Signed-off-by: Stefan Berger <>

Reviewed-by: Daniel Kiper <>


reply via email to

[Prev in Thread] Current Thread [Next in Thread]