Jarkko Sakkinen <[email protected]> wrote on 01/26/2016
09:36:03 PM:
>
> On Wed, Jan 20, 2016 at 09:39:09AM -0500, Stefan Berger wrote:
> > > Presumably some namespace magic can be used to make them show up as
> > > tpm0 in a container?
> >
> > The magic is to have the container management stack create the device pair.
> > From the ioctl it learns the name of the devices that were created and it then
> > finds out about the major/minor number of the created device and has /dev/tpm0
> > with that major/minor created in the container's /dev directory.
>
> Is the device created before the container is launched? I would assume that
> this would work for user space accesses through /dev/tpm0.
Yes, the device would be created before the container is launched.
>
> I don't know how this would work for kernel clients.
For IMA we have these additional ioctls to either 'reserve' a vTPM for a
container before clone() or to hook the vTPM up to an IMA namespace after
clone() -- you may have read the discussions about these in other emails.
As for trusted and encrypted keys and the TPM based RNG, the kernel
determines the current IMA namespace a process that wants to use the
kernel service is associated with. It then uses the TPM associated with
the IMA namespace or returns an error if there is none.
Stefan
>
> /Jarkko
>
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel