Linux 6.10 introduced TPM bus encryption and integrity protection, implemented with HMAC sessions, to harden the kernel's Trusted Platform Module support against bus interposers and TPM sniffing attacks. An option is now being added to opt out of part of that protection after a performance bottleneck was discovered.
Merged yesterday, ahead of the Linux 6.12 stable release, is a change that allows PCR integrity protection to be disabled in the TPM driver. The opt-out exists because the protection caused a measurable performance hit with the Integrity Measurement Architecture (IMA), which extends PCRs heavily.
The commit to Linux 6.12 Git yesterday explains:
“The initial HMAC session feature added TPM bus encryption and/or integrity protection to various in-kernel TPM operations. This can cause performance bottlenecks with IMA, as it heavily utilizes PCR extend operations.
In order to mitigate this performance issue, introduce a kernel command-line parameter to the TPM driver for disabling the integrity protection for PCR extend operations (i.e. TPM2_PCR_Extend).”
The new tpm.disable_pcr_integrity= kernel command-line parameter disables the integrity protection only for PCR extend operations (TPM2_PCR_Extend); the HMAC session protection for other in-kernel TPM operations is not affected by it.
The default behavior leaves PCR integrity protection enabled on Linux x86_64 systems. Setting the parameter gives up the interposer protection for PCR extends, so it is a trade-off to make only on machines where IMA throughput matters and physical access to the TPM bus is guarded by other means.
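Because the opt-out is a boot parameter, the practical question for an operator is whether a given host has it set. The following is an added example, not code from the article or from the kernel tree: a small POSIX shell audit that parses a kernel command line and reports whether tpm.disable_pcr_integrity has been enabled. It assumes the usual parsing of kernel boolean parameters (a bare parameter name means true, and a value starting with 1, y, Y or "on" is true), which is an assumption of this example rather than something the article states; the /proc/cmdline read at the bottom is the live-system use.

```sh
#!/bin/sh
# Added example (not from the article or the kernel tree): check whether a
# Linux host has opted out of TPM PCR integrity protection via the
# tpm.disable_pcr_integrity kernel command-line parameter.

# pcr_integrity_disabled CMDLINE
# Returns 0 (shell true) when the command line enables the opt-out,
# 1 otherwise. Assumption: kernel bool parameters treat a bare name as
# true and accept values starting with 1/y/Y or "on" as true.
pcr_integrity_disabled() {
    cmdline="$1"
    for tok in $cmdline; do
        case "$tok" in
            tpm.disable_pcr_integrity) return 0 ;;
            tpm.disable_pcr_integrity=[1yY]*) return 0 ;;
            tpm.disable_pcr_integrity=[oO][nN]*) return 0 ;;
        esac
    done
    return 1
}

# audit_pcr_integrity CMDLINE
# Prints a one-line finding for a report; return code mirrors the check.
audit_pcr_integrity() {
    if pcr_integrity_disabled "$1"; then
        echo "WARN: TPM PCR integrity protection disabled (tpm.disable_pcr_integrity set)"
        return 0
    fi
    echo "OK: TPM PCR integrity protection left at the kernel default"
    return 1
}

# Live use on the running system (only when /proc/cmdline is readable).
if [ -r /proc/cmdline ]; then
    audit_pcr_integrity "$(cat /proc/cmdline)" || true
fi
```

A constructed command line such as `root=/dev/sda1 tpm.disable_pcr_integrity=1 ima_policy=tcb` is flagged, while one that only carries `ima_policy=tcb` is not; the check is deliberately limited to the parameter named in the commit and does not try to infer anything about the HMAC session state itself.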