On Mon, Jan 02, 2017 at 09:26:58PM -0800, James Bottomley wrote: > OK, so I put a patch together that does this (see below). It all works > nicely (with a udev script that sets the resource manager device to > 0666): > > jejb@jarvis:~> ls -l /dev/tpm* > crw------- 1 root root 10, 224 Jan 2 20:54 /dev/tpm0 > crw-rw-rw- 1 root root 246, 65536 Jan 2 20:54 /dev/tpm0rm > > I've modified the tss to connect to /dev/tpm0rm by default and it all > seems to work. > > The patch applies on top of your tabrm branch, by the way.
If we are making a new /dev/ node we should think more carefully about the design. - Do we need a cdev node for every chip? What about just '/dev/tpm' and we encode the chip number in the message. Since the exclusive locking is gone this is very doable. - Should we get rid of the read/write protocol and use ioctl instead? As I understand it ioctl is more usable with seccomp and related schemes? I could see passing a TPM FD into a sandbox and wanting the sandbox only able to do do decrypt/encrypt operations, for instance. - Something to identify tpm chips and help match key data with the proper chip. Jason
