James Carlson wrote:
> Wyllys Ingersoll writes:
>
>>> I think this would be a good stop-gap measure. It would simplify the
>>> deployment of TSS-based applications in one non-global zone.
>>>
>>> As an implementation detail, you'll probably want to enhance zoneadm to
>>> detect when a zone is booting with a TPM device allocated to it, and have
>>> it verify that there are no other booted zones with TPM devices and that
>>> the TSS daemon is not running in the global zone. (This keeps things
>>> user-friendly, and zoneadm already does similar checks to verify that
>>> other required SMF services are running.)
>>>
>>> Ed
>>>
>> The TPM device itself will not allow multiple readers, so I'm not sure
>> if any external tool modification (zoneadm, etc.) is even necessary. The
>> device will respond to the first app to open it; no other apps can open
>> the device until it gets closed again.
>
> Is opening it and doing nothing an effective DoS?
The device should be 0600 root:sys to prevent just anyone from locking it up.
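The mitigation proposed in the reply above is a permission check, so here is one way to audit it on a host. This is an added example, not code from the thread or from any Solaris tool: it reads the mode, owner and group of a device node with `ls -ld` and reports any deviation from 0600 root:sys. The device path `/dev/tpm` is an assumption; the thread does not name the node. Note what this does and does not cover: it confirms that an unprivileged user cannot open (and so hold) the single-opener device, but a root-owned process such as the TSS daemon in the global zone could still keep it open, which is the situation the zoneadm boot-time check proposed earlier in the thread is meant to catch.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a TPM device node is
# mode 0600 and owned by root:sys, so that only root can open (and so hold)
# the single-opener device. The path /dev/tpm is an assumption.

# device_mode_owner PATH: print the symbolic mode, owner and group
# columns from `ls -ld`, e.g. "crw------- root sys".
device_mode_owner() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# mode_is_0600 MODESTRING: succeed only for rw------- (any file type).
# A trailing "+" or "." (ACL / security-label marker printed by some ls
# implementations) is tolerated; the base permission bits are what matter.
mode_is_0600() {
    case "$1" in
        ?rw-------|?rw-------[+.]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tpm_device PATH [OWNER] [GROUP]: succeed when PATH exists, is
# mode 0600 and is owned by OWNER:GROUP (default root:sys); otherwise
# print each deviation and fail. Returns 2 if PATH does not exist.
check_tpm_device() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-sys}
    [ -e "$path" ] || { echo "missing device node: $path"; return 2; }
    set -- $(device_mode_owner "$path")
    mode=$1 owner=$2 group=$3
    rc=0
    mode_is_0600 "$mode" || { echo "$path: mode $mode, want 0600 (rw-------)"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; rc=1; }
    return $rc
}

# Stand-alone usage:  sh check_tpm.sh --run [/dev/tpm]
if [ "${1:-}" = "--run" ]; then
    dev=${2:-/dev/tpm}
    check_tpm_device "$dev" && echo "ok: $dev is 0600 root:sys"
fi
```

Run it as root during provisioning or from a periodic compliance job; a non-zero exit with the printed deviation is the signal to fix the node's mode or ownership.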
