Jarkko Sakkinen <[email protected]> wrote on 01/26/2016 09:36:03 PM:

> 
> On Wed, Jan 20, 2016 at 09:39:09AM -0500, Stefan Berger wrote:
> > > Presumably some namespace magic can be used to make them show up as
> > > tpm0 in a container?
> > 
> > The magic is to have the container management stack create the device pair.
> > From the ioctl it learns the name of the devices that were created and it then
> > finds out about the major/minor number of the created device and has /dev/tpm0
> > with that major/minor created in the container's /dev directory.
> 
> Is the device created before the container is launched? I would assume that
> this would work for user space accesses through /dev/tpm0.

Yes, the device would be created before the container is launched.

> 
> I don't know how this would work for kernel clients.

For IMA we have these additional ioctls to either 'reserve' a vTPM for a
container before clone() or to hook the vTPM up to an IMA namespace after
clone() -- you may have read the discussions about these in other emails.
As for trusted and encrypted keys and the TPM-based RNG, the kernel
determines the current IMA namespace that a process wanting to use the
kernel service is associated with. It then uses the TPM associated with
that IMA namespace, or returns an error if there is none.

   Stefan

> 
> /Jarkko
> 

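The container-side half of the scheme Stefan describes above (look up the major/minor of the host-side device node, then create /dev/tpm0 with those numbers under the container's /dev), written out as an added example. This is not code from the thread or from the kernel vTPM work: the ioctl that creates the device pair and the way it reports the new device's name are not shown in the mail, so the example assumes that step has already run and that the caller passes the resulting host path (e.g. /dev/tpm1) on the command line. The helper names and the 0600 mode are this example's choices; it is Linux-specific (sys/sysmacros.h).

```c
/* Added example, not code from the tpmdd-devel thread or the kernel.
 * Assumes the vTPM device pair has already been created by the management
 * stack's ioctl (not reproduced here) and that we are told the host path. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major(), minor(): Linux-specific */
#include <sys/types.h>
#include <unistd.h>

/* Read the major/minor of the host-side node and insist that it really is a
 * character device. lstat() is used on purpose: a symlink dropped at the
 * path, or a stale name now pointing at a regular file, is rejected instead
 * of having its numbers copied into a device node inside the container. */
int host_device_numbers(const char *host_path, dev_t *out)
{
    struct stat st;
    if (lstat(host_path, &st) != 0)
        return -1;                       /* errno from lstat */
    if (!S_ISCHR(st.st_mode)) {
        errno = ENODEV;                  /* not a character device */
        return -1;
    }
    *out = st.st_rdev;
    return 0;
}

/* Build "<container_root>/dev/<name>" and fail instead of truncating. */
int container_node_path(const char *container_root, const char *name,
                        char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s/dev/%s", container_root, name);
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create the node the container will see as /dev/<name>, root-only 0600.
 * Requires CAP_MKNOD in the caller's user namespace. Note that a devices
 * cgroup on the container must also allow "c <major>:<minor> rwm", or the
 * node will exist but open() inside the container fails with EPERM. */
int create_container_tpm_node(const char *container_root, dev_t dev,
                              const char *name)
{
    char path[4096];
    struct stat st;

    if (container_node_path(container_root, name, path, sizeof path) != 0)
        return -1;
    /* mknod() never overwrites: an existing entry fails with EEXIST. */
    if (mknod(path, S_IFCHR | 0600, dev) != 0)
        return -1;
    /* Re-check what now sits at the path so a racing replacement is caught
     * rather than silently handed to the container. */
    if (lstat(path, &st) != 0 || !S_ISCHR(st.st_mode) || st.st_rdev != dev) {
        unlink(path);
        errno = EEXIST;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    dev_t dev;
    if (argc != 3) {
        fprintf(stderr, "usage: %s /dev/tpmN /path/to/container/rootfs\n",
                argv[0]);
        return 2;
    }
    if (host_device_numbers(argv[1], &dev) != 0) {
        perror(argv[1]);
        return 1;
    }
    printf("host %s is char device %u:%u\n", argv[1], major(dev), minor(dev));
    if (create_container_tpm_node(argv[2], dev, "tpm0") != 0) {
        perror("mknod in container /dev");
        return 1;
    }
    return 0;
}
```

Run as root (or with CAP_MKNOD in the target user namespace) as `./mknod-tpm /dev/tpm1 /var/lib/containers/<id>/rootfs`; the host name and container root are arguments precisely because the mail does not show how the creating ioctl reports them. The lstat-and-S_ISCHR check is the part worth keeping in any real implementation: the numbers copied into the container's /dev are only as trustworthy as the node they were read from.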

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel