Jarkko Sakkinen <[email protected]> wrote on 01/26/2016 09:50:57 PM:


> 
> On Wed, Jan 20, 2016 at 10:01:38PM -0500, Stefan Berger wrote:
> > > Except that isn't good enough - the IMA kernel side doesn't know that
> > > this tpm is now acting as the 'main' 'default' TPM.
> > 
> > Hooking the vTPM to IMA requires another patch that I haven't shown since
> > IMA namespacing isn't public yet. Basically we implement another ioctl()
> > that is to be called before the clone() in order to 'reserve' a vtpm
> > device pair for the calling process. During the clone() call IMA
> > namespacing code can query the vTPM driver for a 'reserved' device pair.
> > Hooking IMA up after the clone() may also work but in case of
> > docker/golang it's better to do this before since the language libraries
> > do a lot after the clone automatically.
> 
> Can we expect that "in the end" there will be a single patch set that
> contains both TPM and IMA changes? Otherwise, I see it very hard to make
> decision to apply TPM patches.

If this can be posted to the same lists, then 'yes'. I cannot set a 
timeframe for this, though. Nevertheless, the vTPM driver reviews were 
fruitful, I think.

The vTPM driver could be used standalone as well, though it may be more 
useful in conjunction with the namespacing of IMA.

Stefan

> 
> /Jarkko
> 


_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
