Jason Gunthorpe <[email protected]> wrote on 01/25/2016 10:46:32 PM:
>
> On Mon, Jan 25, 2016 at 08:05:14PM -0500, Stefan Berger wrote:
>
> > > And confused why there is a miscdev and a alloc_chrdev_region ?
> >
> > miscdev = /dev/vtpmx - that should be ok, no ?
>
> Yes
>
> > So, I just removed alloc_chrdev_region and with that the assignment of a
> > major+minor to the virtual device. This works fine on device creation but on
> > device destruction something odd happens in sysfs.
>
> > With two 'vtpmctrl' test programs running sysfs looks like this:
> >
> > # find /sys/devices/virtual/vtpm/
> > /sys/devices/virtual/vtpm/
> > /sys/devices/virtual/vtpm/vtpms0
> > /sys/devices/virtual/vtpm/vtpms0/dev
>
> Ugh.
I have to dig out the sysfs topic again because I think sysfs seems to be
the only remaining part that could be a problem.
The problem is information leakage between containers via sysfs due to
sysfs entries, at least for TPM 1.2. For TPM 1.2 we have a lot of sysfs
entries that show the current state of the TPM.
The good news is, there's the bind-mount trick that a container management
stack can apply to hide everything under /sys/devices/virtual/vtpm. To
achieve that it would do 'mount -o bind [...]/nulldir
/sys/device/virtual/vtpm' inside a container and container users wouldn't
be able to see those sysfs entries anymore. However, the bind mount trick
only works if /sys/devices/virtual/vtpm exists and it only exists if a
vTPM has been created, but the first started container won't necessarily
have a vtpm, so that directory will not exist, but it will appear in that
container once another container has a vtpm. Is there anything we can do
in the driver to help user space? Another trick would be that the
container management stack creates a 'dummy vtpm' device pair every time
and keeps it around just so it has that sysfs entry and can do the
bind-mounting.
[mkdir under sysfs doesn't work]
Stefan
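The bind-mount trick and its ordering problem, as an added example that is not part of the thread and not code from the vTPM driver or any container stack: a POSIX sh helper a container setup hook could call to hide /sys/devices/virtual/vtpm behind an empty directory. It returns a distinct status when the vtpm directory does not exist yet, which is exactly the case described above where the first container has no vTPM and the directory only appears later. The sysfs root argument, the nulldir path and the VTPM_HIDE_DRY_RUN switch are assumptions for illustration; with the dry-run default the script runs against a constructed fake tree without root.

```shell
#!/bin/sh
# Added example (not from the thread): hide the vTPM sysfs class directory
# inside a container with the bind-mount trick, making the ordering problem
# explicit: the mount can only be applied once the directory exists.
# SYSFS_ROOT, NULLDIR and VTPM_HIDE_DRY_RUN are illustrative assumptions.

# VTPM_HIDE_DRY_RUN=1 (default here) prints the mount command instead of
# running it, so the helper can be exercised without root or a real sysfs.
VTPM_HIDE_DRY_RUN=${VTPM_HIDE_DRY_RUN:-1}

# vtpm_sysfs_dir SYSFS_ROOT -> path of the vTPM class directory under that root
vtpm_sysfs_dir() {
    printf '%s/devices/virtual/vtpm\n' "$1"
}

# hide_vtpm_sysfs SYSFS_ROOT NULLDIR
#   0 - bind mount applied (or printed in dry-run mode)
#   1 - mount(8) itself failed
#   2 - the vtpm directory does not exist yet, so there is nothing to mount
#       over; if left this way, the directory appears later once another
#       container creates a vTPM and its entries become visible here
#   3 - NULLDIR is missing or not empty (it must be an empty directory)
hide_vtpm_sysfs() {
    sysfs_root=$1
    nulldir=$2
    target=$(vtpm_sysfs_dir "$sysfs_root")

    [ -d "$target" ] || return 2
    [ -d "$nulldir" ] || return 3
    [ -z "$(ls -A "$nulldir")" ] || return 3

    if [ "$VTPM_HIDE_DRY_RUN" = 1 ]; then
        echo "would run: mount -o bind $nulldir $target"
    else
        mount -o bind "$nulldir" "$target" || return 1
    fi
    return 0
}

# vtpm_entries_visible SYSFS_ROOT -> number of entries under the vtpm class dir
# (0 when the directory does not exist)
vtpm_entries_visible() {
    target=$(vtpm_sysfs_dir "$1")
    [ -d "$target" ] || { echo 0; return 0; }
    ls -A "$target" | wc -l | tr -d ' '
}

# Stand-alone demo against a constructed fake sysfs tree (no root needed):
# first call finds no vtpm directory, second call succeeds once one exists.
demo() {
    fake=$(mktemp -d)
    mkdir -p "$fake/nulldir"
    hide_vtpm_sysfs "$fake/sys" "$fake/nulldir" && rc=0 || rc=$?
    echo "before any vTPM exists: rc=$rc (2 = directory not present yet)"
    mkdir -p "$fake/sys/devices/virtual/vtpm/vtpms0"
    hide_vtpm_sysfs "$fake/sys" "$fake/nulldir" && rc=0 || rc=$?
    echo "after vtpms0 appeared: rc=$rc"
    rm -rf "$fake"
}

demo
```

A setup hook that treats status 2 as success would silently leave the sysfs entries exposed in the first container; the caller has to either retry after a vTPM exists or keep a placeholder device around, as the mail suggests, so the directory is always present when the mount is attempted.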
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel