Wyllys Ingersoll writes:
> James Carlson wrote:
> > That doesn't make sense to me. Why would the administrator _NOT_ want
> > to have access to the TPM in more than one zone?
>
> By "access" do you mean having the ability to use the TPM through the
> standard TSS interfaces or do you mean having the ability to actually
> open /dev/tpm directly?

Either. As a user of it, I shouldn't have to care how I get access,
should I? I assume "standard" TSS interfaces are better, though.

> The first case is possible now by accessing the TCS daemon over the
> network using standard TSS APIs.

That doesn't work. There's no network connection that's necessarily
available between global and non-global zones.

> The latter is prohibited by the TPM spec if another app is holding it
> open.

It sounds like the device is really an implementation detail, and not
something that needs to be discussed as architecture. I don't see why
assigning that internal device node (with its strange limitations) to
non-global zones would ever be a useful thing to do. If the limitations
can be removed, then there's a reason to do this, as it allows a TCS
daemon per zone. Otherwise, not so much.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
