Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
([Linux Security] 5 Hours Ago)
- Reference: 0001505738
- News link: https://www.phoronix.com/news/Linux-TPM-Disable-PCR-Integrity
- Source link:
Linux 6.10 introduced [1]TPM bus encryption and integrity protection, strengthening the Trusted Platform Module support against interposers that sniff or tamper with traffic on the TPM bus. A new option is now being added to opt out of the integrity protection because of a performance bottleneck it causes.
Merged yesterday ahead of the Linux 6.12 stable kernel release is a change that allows disabling PCR integrity protection in the TPM driver. The opt-out was added because the protection was observed to impose a noticeable performance cost with the Integrity Measurement Architecture (IMA).
The [2]commit to Linux 6.12 Git yesterday explains:
"The initial HMAC session feature added TPM bus encryption and/or integrity protection to various in-kernel TPM operations. This can cause performance bottlenecks with IMA, as it heavily utilizes PCR extend operations.
In order to mitigate this performance issue, introduce a kernel command-line parameter to the TPM driver for disabling the integrity protection for PCR extend operations (i.e. TPM2_PCR_Extend)."
The tpm.disable_pcr_integrity= kernel command line parameter is the new switch for disabling PCR integrity protection.
By default, PCR integrity protection remains enabled on Linux x86_64 systems.
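Since the opt-out silently removes the HMAC-session protection for every TPM2_PCR_Extend that IMA issues, a defender auditing a fleet will want to know on which hosts it has been turned on. The following POSIX shell helper is an added example, not code from the kernel commit or the article; it parses the kernel command line with the same acceptance rules the kernel uses for bool module parameters, and additionally reads the parameter from sysfs, assuming the standard /sys/module/<module>/parameters layout for the tpm module.

```shell
#!/bin/sh
# Added audit helper (not from the kernel commit or the article): report whether
# tpm.disable_pcr_integrity has been set, i.e. whether IMA's PCR extend operations
# now run without the integrity protection introduced in Linux 6.10.

# Mirror the kernel's kstrtobool() rules for a bool module parameter:
# 1/y/Y/t/T/on -> true, 0/n/N/f/F/off -> false. The kernel substitutes "1"
# when the parameter is given without a value, so "" is treated as true too.
kernel_bool_is_true() {
    case "$1" in
        ''|1*|y*|Y*|t*|T*|on|ON|On|oN) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the given kernel command line disables PCR integrity protection.
# Parameters are applied in order, so a later occurrence overrides an earlier one.
# Assumes no quoted values containing spaces (unusual for this parameter).
pcr_integrity_disabled_in_cmdline() {
    result=1
    for arg in $1; do
        case "$arg" in
            tpm.disable_pcr_integrity) result=0 ;;
            tpm.disable_pcr_integrity=*)
                if kernel_bool_is_true "${arg#*=}"; then result=0; else result=1; fi ;;
        esac
    done
    return $result
}

# Check the running system: the command line covers a built-in tpm driver, while
# the sysfs parameter (assumed path) also reflects a modprobe.d option for tpm.ko.
audit_live_system() {
    status="enabled"
    if [ -r /proc/cmdline ] && pcr_integrity_disabled_in_cmdline "$(cat /proc/cmdline)"; then
        status="disabled (via kernel command line)"
    fi
    p=/sys/module/tpm/parameters/disable_pcr_integrity
    if [ -r "$p" ] && [ "$(cat "$p")" = "Y" ]; then
        status="disabled (reported by $p)"
    fi
    echo "TPM PCR extend integrity protection: $status"
}

audit_live_system
```

A host where the parameter is set should be treated as having the Linux 6.10 interposer protection for PCR measurements turned off, and the IMA measurement log from such a host carries correspondingly weaker assurance.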
[1] https://www.phoronix.com/news/Linux-610-TPM-Encrypt-Integrity
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=27184f8905ba680f22abf1707fbed24036a67119
jeisom