Jason Gunthorpe <[email protected]> wrote on 01/25/2016 
10:46:32 PM:

> 
> On Mon, Jan 25, 2016 at 08:05:14PM -0500, Stefan Berger wrote:
> 
> > > And confused why there is a miscdev and a alloc_chrdev_region ?
> > 
> > miscdev = /dev/vtpmx - that should be ok, no ?
> 
> Yes
> 
> > So, I just removed alloc_chrdev_region and with that the assignment of a
> > major+minor to the virtual device. This works fine on device creation but on
> > device destruction something odd happens in sysfs.
> 
> > With two 'vtpmctrl' test programs running sysfs looks like this:
> > 
> > # find /sys/devices/virtual/vtpm/
> > /sys/devices/virtual/vtpm/
> > /sys/devices/virtual/vtpm/vtpms0
> > /sys/devices/virtual/vtpm/vtpms0/dev
> 
> Ugh.


I have to dig out the sysfs topic again because I think sysfs seems to be 
the only remaining part that could be a problem.

The problem is information leakage between containers via sysfs due to 
sysfs entries, at least for TPM 1.2. For TPM 1.2 we have a lot of sysfs 
entries that show the current state of the TPM.

The good news is, there's the bind-mount trick that a container management 
stack can apply to hide everything under /sys/devices/virtual/vtpm. To 
achieve that it would do 'mount -o bind [...]/nulldir 
/sys/device/virtual/vtpm' inside a container and container users wouldn't 
be able to see those sysfs entries anymore. However, the bind mount trick 
only works if /sys/devices/virtual/vtpm exists and it only exists if a 
vTPM has been created, but the first started container won't necessarily 
have a vtpm, so that directory will not exist, but it will appear in that 
container once another container has a vtpm. Is there anything we can do 
in the driver to help user space? Another trick would be that the 
container management stack creates a 'dummy vtpm' device pair every time 
and keeps it around just so it has that sysfs entry and can do the 
bind-mounting.

[mkdir under sysfs doesn't work]

   Stefan
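The bind-mount trick described in the message above, as an added example that is not part of the thread or the vtpm driver: a container management stack would bind-mount an empty directory over /sys/devices/virtual/vtpm inside the container so its users cannot read the vTPM sysfs entries. The script handles the failure mode Stefan raises (the target directory only exists once some vTPM has been created, so the mount must be retried later) and refuses to bind-mount a directory that is not actually empty. The function names, the MOUNT override for dry runs and the /run/vtpm-nulldir default path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the vtpm driver.
# Hide the vtpm sysfs tree inside a container by bind-mounting an empty
# directory over it. MOUNT can be overridden (e.g. MOUNT=some_stub) for a
# dry run; the default is the real mount(8), which needs root.
: "${MOUNT:=mount}"

VTPM_SYSFS=/sys/devices/virtual/vtpm   # path from the thread

# Return 0 if the vtpm sysfs directory exists, i.e. some vTPM exists on
# the host. Until then there is nothing to mount over.
vtpm_sysfs_present() {
    [ -d "${1:-$VTPM_SYSFS}" ]
}

# Return 0 if the directory exists and shows no entries (the hide worked).
vtpm_sysfs_hidden() {
    dir=${1:-$VTPM_SYSFS}
    [ -d "$dir" ] && [ -z "$(ls -A "$dir" 2>/dev/null)" ]
}

# hide_vtpm_sysfs TARGET NULLDIR
#   returns 2: TARGET missing (no vTPM created yet; retry after one appears)
#   returns 1: NULLDIR could not be prepared, is not empty, or mount failed
#   returns 0: bind mount issued
hide_vtpm_sysfs() {
    target=$1
    nulldir=$2
    if ! vtpm_sysfs_present "$target"; then
        echo "hide_vtpm_sysfs: $target does not exist yet" >&2
        return 2
    fi
    mkdir -p "$nulldir" || return 1
    # Mounting a directory that carries content would expose that content
    # instead of hiding the sysfs entries, so insist on an empty one.
    if [ -n "$(ls -A "$nulldir")" ]; then
        echo "hide_vtpm_sysfs: $nulldir is not empty" >&2
        return 1
    fi
    $MOUNT -o bind "$nulldir" "$target" || return 1
}

# Stand-alone use inside the container (needs root and a real sysfs):
#   sh hide-vtpm.sh --run [/path/to/empty/dir]
if [ "${1:-}" = "--run" ]; then
    hide_vtpm_sysfs "$VTPM_SYSFS" "${2:-/run/vtpm-nulldir}"
    exit $?
fi
```

Return code 2 is the case the message is about: the container started before any vTPM existed, so the management stack has to poll or re-run the hide step once /sys/devices/virtual/vtpm shows up, or use the dummy-vtpm workaround Stefan mentions to force the directory into existence from the start.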


_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel