Jarkko Sakkinen <[email protected]> wrote on 01/26/2016
09:50:57 PM:
>
> On Wed, Jan 20, 2016 at 10:01:38PM -0500, Stefan Berger wrote:
> > > Except that isn't good enough - the IMA kernel side doesn't know that
> > > this tpm is now acting as the 'main' 'default' TPM.
> >
> > Hooking the vTPM to IMA requires another patch that I haven't shown since IMA
> > namespacing isn't public yet. Basically we implement another ioctl() that is to
> > be called before the clone() in order to 'reserve' a vtpm device pair for the
> > calling process. During the clone() call IMA namespacing code can query the
> > vTPM driver for a 'reserved' device pair. Hooking IMA up after the clone() may
> > also work but in case of docker/golang it's better to do this before since the
> > language libraries do a lot after the clone automatically.
>
> Can we expect that "in the end" there will be a single patch set that
> contains both TPM and IMA changes? Otherwise, I see it very hard to make
> decision to apply TPM patches.
If this can be posted to the same lists, then 'yes'. I cannot set a
timeframe for this, though. Nevertheless, the vTPM driver reviews were
fruitful, I think.
The vTPM driver could be used standalone as well, though it may be more
useful in conjunction with the namespacing of IMA.
Stefan
>
> /Jarkko
>
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel