Jason Gunthorpe <[email protected]> wrote on 01/19/2016 06:04:56 PM:

> From: Jason Gunthorpe <[email protected]>
> To: Stefan Berger/Watson/IBM@IBMUS
> Cc: [email protected], [email protected], Stefan Berger 
> <[email protected]>, [email protected]
> Date: 01/19/2016 06:05 PM
> Subject: Re: [tpmdd-devel] [RFC PATCH 0/4] Multi-instance vTPM driver
> 
> On Tue, Jan 19, 2016 at 01:18:08PM -0500, Stefan Berger wrote:
> >    Jason Gunthorpe <[email protected]> wrote on 01/19/2016 01:08:02 PM:
> >    >
> >    > On Tue, Jan 19, 2016 at 12:53:40PM -0500, Stefan Berger wrote:
> >    > >    This series has absolutely nothing to do with resource
> >    > >    management.
> >    >
> >    > Sure the patch doesn't, but the proposed application does.
> >    >
> >    > Linux namespaces is all about resource management.
> >    The resource manager that's been discussed on the list is something
> >    different, though, right?
> 
> No, I meant that discussion.
> 
> A completed TPM resource manager would be very close to supporting a
> 'tpm namespace'.
> 
> I.e. per-ns virtualizing of the SRK would be trivial.

If someone takes ownership of the TPM 1.2, a password is associated with 
the ownership and the SRK. How do you virtualize commands that need the 
SRK password when a user wants to create a key where the SRK is the 
parent? Does the resource manager now have to know the SRK password and 
inject it into commands where the SRK password seems necessary?

> 
> Access control would already be done out of the box as a consequence
> of the process-to-process isolation the resource manager would need to
> perform.

Would that be a single hardware TPM for possibly hundreds of containers on 
a system? How well does that scale?

Besides that, a namespaced IMA will want to maintain an isolated list of 
measurements per IMA namespace and ideally wants to extend measurements 
into PCR 10 of a vTPM that is associated with that namespace. Once that 
namespace goes away (container torn down), the list will go away as well 
and along with it the TPM emulator. So that speaks for spawning a vTPM for 
each container with an associated IMA namespace.

> 
> Not sure about PCRs, I guess that depends on how that could work. Not
> sure it makes a lot of sense in TPM 1.2 at least...

The challenges in terms of 'virtualizing the single TPM' are similar for 
TPM 2.

   Stefan

> 
> Jason
> 
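The per-container vTPM that Stefan describes, with an isolated IMA measurement list and its own PCR 10, as an added Python model that is not part of this thread or of the patch series; it uses the TPM 1.2 SHA-1 extend rule and the container names and file contents are constructed:

```python
import hashlib

# Added example (not from the thread): a toy model of one emulated TPM per
# IMA namespace (container). TPM 1.2 PCRs are 20-byte SHA-1 values and
# extend as PCR_new = SHA1(PCR_old || digest). All names/values constructed.

PCR_SIZE = 20
IMA_PCR = 10

class NamespaceVTPM:
    """One vTPM instance tied to one IMA namespace; dies with the container."""

    def __init__(self, ns_id: str):
        self.ns_id = ns_id
        self.pcrs = [bytes(PCR_SIZE) for _ in range(24)]
        self.measurements = []          # per-namespace IMA list: (path, digest)

    def extend(self, index: int, digest: bytes) -> bytes:
        if len(digest) != PCR_SIZE:
            raise ValueError("TPM 1.2 extend takes a 20-byte SHA-1 digest")
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def ima_measure(self, path: str, content: bytes) -> bytes:
        """Record a file measurement in this namespace's list and extend PCR 10."""
        digest = hashlib.sha1(content).digest()
        self.measurements.append((path, digest))
        return self.extend(IMA_PCR, digest)

def replay_ima_list(measurements) -> bytes:
    """Recompute PCR 10 from a measurement list, as a remote verifier would."""
    pcr = bytes(PCR_SIZE)
    for _path, digest in measurements:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr

def demo():
    # Two containers, two vTPMs: lists and PCR 10 values stay isolated, and
    # tearing a container down simply drops its vTPM instance and list.
    vtpms = {ns: NamespaceVTPM(ns) for ns in ("ctr-a", "ctr-b")}
    vtpms["ctr-a"].ima_measure("/bin/sh", b"constructed binary A")
    vtpms["ctr-b"].ima_measure("/bin/sh", b"constructed binary B")
    vtpms["ctr-a"].ima_measure("/etc/passwd", b"constructed config")
    # Each namespace's log must replay to its own PCR 10, not another's.
    ok = all(replay_ima_list(v.measurements) == v.pcrs[IMA_PCR]
             for v in vtpms.values())
    del vtpms["ctr-b"]          # container torn down: list and emulator go away
    return ok, sorted(vtpms)
```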


_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
