Jason Gunthorpe <[email protected]> wrote on 01/19/2016 06:04:56 PM:
> From: Jason Gunthorpe <[email protected]>
> To: Stefan Berger/Watson/IBM@IBMUS
> Cc: [email protected], [email protected], Stefan Berger
> <[email protected]>, [email protected]
> Date: 01/19/2016 06:05 PM
> Subject: Re: [tpmdd-devel] [RFC PATCH 0/4] Multi-instance vTPM driver
>
> On Tue, Jan 19, 2016 at 01:18:08PM -0500, Stefan Berger wrote:
> > Jason Gunthorpe <[email protected]> wrote on 01/19/2016 01:08:02 PM:
> > >
> > > On Tue, Jan 19, 2016 at 12:53:40PM -0500, Stefan Berger wrote:
> > > > This series has absolutely nothing to do with resource
> > > > management.
> > >
> > > Sure the patch doesn't, but the proposed application does.
> > >
> > > Linux namespaces is all about resource management.
> > The resource manager that's been discussed on the list is something
> > different, though, right?
>
> No, I meant that discussion.
>
> A completed TPM resource manager would be very close to supporting a
> 'tpm namespace'.
>
> I.e. per-ns virtualizing of the SRK would be trivial.
If someone takes ownership of the TPM 1.2, a password is associated with
the ownership and the SRK. How do you virtualize commands that need the
SRK password when a user wants to create a key where the SRK is the
parent? Does the resource manager now have to know the SRK password and
inject it into commands where the SRK password seems necessary?
>
> Access control would already be done out of the box as a consequence
> of the process-to-process isolation the resource manager would need to
> perform.
Would that be a single hardware TPM for possibly hundreds of containers on
a system? How well does that scale?
Besides that, a namespaced IMA will want to maintain an isolated list of
measurements per IMA namespace and ideally wants to extend measurements
into PCR 10 of a vTPM that is associated with that namespace. Once that
namespace goes away (container torn down), the list will go away as well
and along with it the TPM emulator. So that speaks for spawning a vTPM for
each container with an associated IMA namespace.
>
> Not sure about PCRs, I guess that depends on how that could work. Not
> sure it makes a lot of sense in TPM 1.2 at least...
The challenges in terms of 'virtualizing the single TPM' are similar for
TPM 2.
Stefan
>
> Jason
>
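The per-namespace model Stefan describes above (one vTPM per IMA namespace, each with its own measurement list and its own PCR 10, both discarded when the container is torn down) is sketched below as an added example. It is not code from this thread, from the vTPM driver series, or from the Linux kernel; the only TPM-faithful part is the PCR extend rule, PCR' = SHA-1(PCR || digest) on a 20-byte TPM 1.2 register starting at all zeros. The class names, the registry, the simplified IMA template hash (SHA-1 of file digest and path) and the sample file digests are assumptions of this example. The `replay_pcr` check is what a verifier would do with an attested measurement list: recompute PCR 10 from the list and compare it with the quoted value, so a list that was altered after the fact no longer matches.

```python
"""Toy model of per-namespace vTPMs for IMA (added example, not kernel code)."""
import hashlib

PCR_SIZE = 20   # TPM 1.2 PCRs are SHA-1 sized
IMA_PCR = 10    # the PCR IMA extends its measurements into


class VirtualTPM:
    """Minimal emulated TPM: only PCR extend and read are modelled."""

    def __init__(self, num_pcrs=24):
        self.pcrs = [bytes(PCR_SIZE) for _ in range(num_pcrs)]

    def extend(self, index, digest):
        # TPM 1.2 extend semantics: new = SHA-1(old || digest)
        if len(digest) != PCR_SIZE:
            raise ValueError("digest must be SHA-1 sized")
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def read(self, index):
        return self.pcrs[index]


class IMANamespace:
    """One IMA namespace with its own measurement list bound to its own vTPM."""

    def __init__(self, name):
        self.name = name
        self.vtpm = VirtualTPM()
        self.measurement_list = []  # entries of (pcr, template_hash, path)

    def measure(self, path, file_digest):
        # Assumed simplification of IMA's template hash: SHA-1(digest || path)
        template_hash = hashlib.sha1(file_digest + path.encode()).digest()
        self.measurement_list.append((IMA_PCR, template_hash, path))
        self.vtpm.extend(IMA_PCR, template_hash)
        return template_hash


def replay_pcr(measurement_list, pcr=IMA_PCR):
    """Recompute the PCR a verifier expects from a measurement list."""
    value = bytes(PCR_SIZE)
    for entry_pcr, template_hash, _path in measurement_list:
        if entry_pcr == pcr:
            value = hashlib.sha1(value + template_hash).digest()
    return value


class NamespaceRegistry:
    """Creates and tears down namespaces; teardown drops list and vTPM together."""

    def __init__(self):
        self._spaces = {}

    def create(self, name):
        ns = IMANamespace(name)
        self._spaces[name] = ns
        return ns

    def teardown(self, name):
        del self._spaces[name]

    def exists(self, name):
        return name in self._spaces


def demo():
    """Two containers measure files independently; results are returned for checking."""
    registry = NamespaceRegistry()
    a = registry.create("container-a")
    b = registry.create("container-b")
    # Constructed sample file digests, not real binaries.
    a.measure("/usr/bin/app", hashlib.sha1(b"app-v1").digest())
    a.measure("/etc/app.conf", hashlib.sha1(b"conf").digest())
    b.measure("/usr/bin/app", hashlib.sha1(b"app-v2").digest())

    # A list whose second entry was altered after the fact must not replay.
    tampered = list(a.measurement_list)
    tampered[1] = (IMA_PCR, hashlib.sha1(b"something-else").digest(), "/etc/app.conf")

    results = {
        "a_matches_replay": a.vtpm.read(IMA_PCR) == replay_pcr(a.measurement_list),
        "b_matches_replay": b.vtpm.read(IMA_PCR) == replay_pcr(b.measurement_list),
        "isolated": a.vtpm.read(IMA_PCR) != b.vtpm.read(IMA_PCR),
        "tamper_detected": a.vtpm.read(IMA_PCR) != replay_pcr(tampered),
        "a_entries": len(a.measurement_list),
    }
    registry.teardown("container-b")
    results["b_gone"] = not registry.exists("container-b")
    results["a_untouched"] = registry.exists("container-a") and len(a.measurement_list) == 2
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The isolation property falls out of the structure: each namespace extends only its own register, so one container's measurements never change what another container attests, and tearing a namespace down removes its list and emulator together rather than leaving state behind in a shared device.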
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel