TPM HMAC Encryption Being Pulled Back To x86_64 By Default For Linux 6.10
One of the new security features coming with Linux 6.10 is TPM bus encryption and integrity protection, intended to fend off a class of attacks such as sniffing the TPM bus to recover keys. This functionality was merged during the Linux 6.10 merge window, but its default-on setting is now being pulled back to x86_64 only, the architecture where it has been sufficiently tested.
Following that initial merge request, where the new TCG_TPM2_HMAC knob was enabled by default, it was suggested that it be disabled by default over concerns about the performance implications of this TPM encryption. It was then suggested to limit it to just the ARM64 and x86_64 architectures by default. Now, in pull request form, it's been pulled back to flipping on this security feature by default only for Linux x86_64 systems, where it has been sufficiently tested. Modern x86_64 AMD/Intel hardware is fast enough to cope with the encryption overhead.
This pull request today for Linux 6.10 is what limits TCG_TPM2_HMAC to being on by default for just x86_64 systems now. Those on other architectures can still manually opt in to this TPM encryption functionality for better security, and with time, after sufficient testing and analysis, it will likely be enabled by default on more CPU architectures.
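Since the default now depends on the architecture, the practical question for an administrator is whether the kernel they are actually running has TCG_TPM2_HMAC enabled. The script below is an added example, not part of the article or of the kernel tree: it reads a kernel `.config` text and reports whether the option is enabled, explicitly disabled, or absent (an older kernel without the option). The option name comes from the article; the config locations (`/proc/config.gz`, `/boot/config-<release>`) are the usual ones and are assumptions about the local system, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the kernel tree): report whether a
# kernel configuration enables CONFIG_TCG_TPM2_HMAC.

# tpm_hmac_state reads kernel .config text from stdin and prints one of:
#   enabled  -> "CONFIG_TCG_TPM2_HMAC=y"
#   disabled -> "# CONFIG_TCG_TPM2_HMAC is not set"
#   absent   -> the option does not appear at all (e.g. a kernel older than 6.10)
tpm_hmac_state() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_TCG_TPM2_HMAC=y$'; then
        echo enabled
    elif printf '%s\n' "$cfg" | grep -q '^# CONFIG_TCG_TPM2_HMAC is not set$'; then
        echo disabled
    else
        echo absent
    fi
}

# kernel_config prints the running kernel's configuration, trying the usual
# locations in order. Assumption: one of them exists and is readable here.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample configs for demonstration (not real kernel output).
SAMPLE_ON='CONFIG_TCG_TPM=y
CONFIG_TCG_TPM2_HMAC=y'
SAMPLE_OFF='CONFIG_TCG_TPM=y
# CONFIG_TCG_TPM2_HMAC is not set'
SAMPLE_OLD='CONFIG_TCG_TPM=y'

# Stand-alone run: check the samples, then the live kernel if its config is readable.
echo "sample (on):     $(printf '%s\n' "$SAMPLE_ON"  | tpm_hmac_state)"
echo "sample (off):    $(printf '%s\n' "$SAMPLE_OFF" | tpm_hmac_state)"
echo "sample (old):    $(printf '%s\n' "$SAMPLE_OLD" | tpm_hmac_state)"
if cfg=$(kernel_config); then
    echo "running kernel:  $(printf '%s\n' "$cfg" | tpm_hmac_state)"
else
    echo "running kernel:  config not readable on this system"
fi
```

On a non-x86_64 machine a result of `disabled` is the expected default after this pull request; opting in means setting `CONFIG_TCG_TPM2_HMAC=y` when building the kernel, with the performance cost the article mentions as the trade-off.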