James Carlson wrote:
>> The first case is possible now by accessing the TCS daemon over the
>> network using standard TSS APIs.
>
> That doesn't work. There's no network connection that's necessarily
> available between global and non-global zones.

Yes, obviously. One must have network access, unless we come up with a
different method for zones later.

>> The latter is prohibited by the TPM spec if another app is holding it open.
>
> It sounds like the device is really an implementation detail, and not
> something that needs to be discussed as architecture.
>
> I don't see why assigning that internal device node (with its strange
> limitations) to non-global zones would ever be a useful thing to do.
> If the limitations can be removed, then there's a reason to do this,
> as it allows a TCS daemon per zone. Otherwise, not so much.

OK, we'll leave it as a global-zone-only device then.

-Wyllys
