>> That might work. Obviously, there is no problem delivering the daemon and
>> libraries in all zones. As long as there is only 1 instance of the TPM device
>> in the kernel, and one reader/writer of that device in userland (across all
>> zones), I see no problem having the tpm device be located in whatever zone the
>> admin prefers to install it.
>>
>
> i think this would be a good stop-gap measure. it would simplify the
> deployment of tss based applications in one non-global zone.
>
> as an implementation detail, you'll probably want to enhance zoneadm to detect
> when a zone is booting with a tpm device allocated to it, and have it verify
> that there are no other booted zones with tpm devices and that the tss daemon
> is not running in the global zone. (this keeps things user friendly, and
> zoneadm already does similar checks to verify that other required smf services
> are running.)
>
> ed
>
The tpm device itself will not allow multiple readers, so I'm not sure if any
external tool modification (zoneadm, etc) is even necessary. The device will
respond to the first app to open it; no other apps can open the device until it
gets closed again.

-Wyllys
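
A small probe for the single-opener behaviour described above, added here as an
example and not code from the thread or from the TPM driver. It holds one
descriptor on the device node and tries a second open, then checks that a fresh
open succeeds once the holder closes. The path /dev/tpm is an assumption (pass
the real node as the first argument), and the errno a driver returns for the
refused open is reported as whatever it is; EBUSY is the usual choice, but the
thread does not say. Run it as `probe /dev/tpm hold` in one zone and `probe
/dev/tpm` in another to check the cross-zone case rather than just the
same-process one.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result of opening the same path twice without an intervening close. */
enum open_probe {
    PROBE_ERROR = -1,   /* the first open itself failed (errno in *err_out) */
    PROBE_SHARED = 0,   /* the second open succeeded: no exclusive-open enforcement */
    PROBE_EXCLUSIVE = 1 /* the second open was refused while the first is still held */
};

/* Hold one descriptor on path and try to open it again.  A driver that serves
 * only its first opener refuses the second open; the errno it returns (EBUSY is
 * the usual choice, but that is an assumption here) is stored in *err_out so
 * the caller can report it. */
static enum open_probe probe_exclusive_open(const char *path, int *err_out)
{
    int first = open(path, O_RDWR);
    if (first < 0) {
        if (err_out) *err_out = errno;
        return PROBE_ERROR;
    }
    int second = open(path, O_RDWR);
    int saved = (second < 0) ? errno : 0;
    if (err_out) *err_out = saved;
    enum open_probe result = (second < 0) ? PROBE_EXCLUSIVE : PROBE_SHARED;
    if (second >= 0) close(second);
    close(first);
    return result;
}

/* The other half of the claim: once the holder closes, a new open must succeed
 * again.  Returns 1 on success, 0 if either open fails. */
static int reopen_after_close(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return 0;
    close(fd);
    fd = open(path, O_RDWR);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

int main(int argc, char **argv)
{
    /* /dev/tpm is assumed; pass the real device node as the first argument. */
    const char *path = (argc > 1) ? argv[1] : "/dev/tpm";
    int err = 0;

    /* "hold" mode: keep the device open so a second copy (in another process
     * or another zone) can probe against this holder. */
    if (argc > 2 && strcmp(argv[2], "hold") == 0) {
        int fd = open(path, O_RDWR);
        if (fd < 0) {
            fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
            return 2;
        }
        printf("holding %s open for 60 s; probe it from another process or zone\n", path);
        sleep(60);
        close(fd);
        return 0;
    }

    switch (probe_exclusive_open(path, &err)) {
    case PROBE_ERROR:
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(err));
        return 2;
    case PROBE_EXCLUSIVE:
        printf("%s: second open refused (%s): single-opener device\n",
               path, strerror(err));
        break;
    case PROBE_SHARED:
        printf("%s: second open succeeded: no exclusive-open enforcement\n", path);
        break;
    }
    printf("reopen after close: %s\n", reopen_after_close(path) ? "ok" : "failed");
    return 0;
}
```

A node without exclusive-open enforcement (for instance /dev/null) reports
PROBE_SHARED, which is the baseline to compare the TPM node against; if the
TPM node also reports PROBE_SHARED, the driver is not doing the gating the
reply relies on and a zoneadm-level check would be needed after all.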
