Hello,
I have initiated the query of the TBOOT extpol option's usefulness which Pawel have broadcasted (thank you, Pawel and everybody who replied) and have received few questions below. > "No objections, but we would be interested in understanding the root > rationale for the change."< > "Why would you not just switch the default and leave the Agility as an > option?" < > "I'm also interested in the rationale. The change of default I can > understand. I think that most people using tboot use the "extpol" option. I > don't understand completely removing agility as an option." < Let me answer these questions and provide background of the query. ACM extend policy control was introduced many years ago during architectural adoption of TPM 2.0 family. It is traced back to Q2 of 2015. At that time there were no TPM samples, no clear understanding of TPM algorithm agility use cases, no fully supported cryptography in our code bases, nor potential consequences of PCR bank capping due to insufficient internal crypto support. In the presence of such uncertainty, introduction of such policy settings seemed to be prudent - allow Users get what they prefer as measurements regardless of TPM abilities at the expense of performance or get faster service at the expense of loosing of some of the PCR banks which might get capped. Lots of things changed for the past 6 years. - we have come up with converged BtG and TXT technologies and our Startup and SINIT ACMs share lots of code, crypto included. - we have full embedded crypto code supporting all hashing and signature algorithms we need. Situation when with Max Perf policy setting we might need to get PCR bank capped due to lack of internal support is unlikely. - Max Agility setting is unacceptable for Startup ACM and is deprecated in it. This is due to strong boot performance requirements. - SINIT execution time with Max Agility setting is essentially longer, but we have not received any such complaints or acceleration requests. This bears the innuendo that this setting is not used in practice. - Internally support of this policy engenders essential complexity, including set of supported TPM2 commands, way how we maintain event log, execution flow differences etc. This is burden which I would like to drop if possible, harmonize support between two ACMs, remove potentially unneeded externally visible knob, solidify ACM core. With all of the above reasoning I was not going to change the default setting. I understand that it is awkward to leave default == 1 which means Max Perf but changing it to 0 is onerous. (This default BTW expresses our vision 6 years ago that Max Agility is preferred selection ! Real life performance demands have changed it.) This is very inertial legacy as it is OS visible change and not only for Tboot but also for a Windows world and multiple other products. What I intend to do is simply formally defeature this policy setting and remain default to be == 1, which appears to be current practice. Most likely internally in SINIT I will simply ignore this setting and will not generate an error if it is all of a sudden set == 0. I do not want to multiply security unrelated error situations. Internally SINIT will invariantly use Max Perf regardless of this setting. As soon as there are no PCR bank capping this will not produce visible difference. In extreme case when capping occurs and is undesirable it will always be possible to enable missing crypto algorithm in SINIT code. All of them are build controlled. Thank you, -ae From: Randzio, Pawel <pawel.rand...@intel.com> Sent: Thursday, December 2, 2021 12:34 AM To: Eydelberg, Alex <alex.eydelb...@intel.com> Cc: Mowka, Mateusz <mateusz.mo...@intel.com> Subject: The rationale for defeaturing "Maximum Agility" option | PCR Extended Policy Support Hi Alex, I sent out a message through the TBOOT mailing list as you asked. There's some questions that came up in response to the announcement. Greg W. Wettstein g...@wind.enjellic.com<mailto:g...@wind.enjellic.com> > "No objections, but we would be interested in understanding the root > rationale for the change." Travis Gilbert travis.gilb...@dell.com<mailto:travis.gilb...@dell.com> > "Why would you not just switch the default and leave the Agility as an > option?" > "I'm also interested in the rationale. The change of default I can > understand. I think that most people using tboot use the "extpol" option. I > don't understand completely removing agility as an option." Could I ask you to respond to these questions? Best if you could send an e-mail with the answers straight to the mailing list tboot-devel@lists.sourceforge.net<mailto:tboot-devel@lists.sourceforge.net> and I'll get it through there. Thanks, --Paweł --------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------- MY ORIGINAL ANNOUNCEMENT FOR REFERENCE: > Hello, > > I would like to inform you that there are plans to defeature TBOOT extpol > option and fix it to the current default. > > The change affects TPM2.0 PCR Extended Policy Support. It has two options: > - "Maximum Agility" - hashes computed using TPM2.0 > - "Maximum Performance" - hashes computed using software, not TPM usage > > We want to defeature the "Maximum Agility" option and leave only "Maximum > Performance" (current default). > > If you have any objections, please inform me. > > Thanks, > --Paweł Randzio
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel