Date:	Wed, 9 Mar 2016 18:57:04 -0800
From:	Andy Lutomirski <luto@...capital.net>
To:	Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:	Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
	Jason Gunthorpe <jgunthorpe@...idianresearch.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH v6 08/11] tpm: Driver for supporting multiple emulated TPMs

On Wed, Mar 9, 2016 at 6:34 PM, Stefan Berger
<stefanb@...ux.vnet.ibm.com> wrote:
> On 03/09/2016 01:01 PM, Andy Lutomirski wrote:
>>
>> On Wed, Mar 9, 2016 at 9:39 AM, Stefan Berger
>> <stefanb@...ux.vnet.ibm.com> wrote:
>>>
>>> This patch implements a driver for supporting multiple emulated TPMs in a
>>> system.
>>>
>>> The driver implements a device /dev/vtpmx that is used to create
>>> a client device pair /dev/tpmX (e.g., /dev/tpm10) and a server side that
>>> is accessed using a file descriptor returned by an ioctl.
>>> The device /dev/tpmX is the usual TPM device created by the core TPM
>>> driver. Applications or kernel subsystems can send TPM commands to it
>>> and the corresponding server-side file descriptor receives these
>>> commands and delivers them to an emulated TPM.
>>
>> Nifty!
>>
>> Is anyone considering writing a modification or replacement of
>> trousers that claims the real tpm and exposes a vtpm that
>> handles multiplexing internally?  Does the vtpm driver intelligently
>> support multiple simultaneous clients?
>
>
> The vtpm driver allows the use of an independent trousers instance in each
> container.
>
> Using the VTPM_NEW_DEV ioctl the container mgmt. stack can create a
> /dev/tpmX (X=0,1,2,...) device and a file descriptor. The file descriptor is
> passed to a vTPM instance, the /dev/tpmX is moved into the container,
> meaning a device with the same major/minor numbers is created in the
> container. This then allows each container to talk to an independent vTPM.
> The vTPM can either be 1.2 or 2.

What I meant was:

If two clients connect to the same vTPM slave node, can the master
program tell requests from the two clients apart?  If so, great!  If
not, then I'd consider that to be somewhat sad.

--Andy
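As an added example (not code from the patch or from anyone in the thread): the server side of the device pair described in the quoted patch text, i.e. the backend that reads raw TPM commands from the file descriptor returned by the VTPM_NEW_DEV ioctl and answers them. It shows the header validation such a backend needs before trusting anything a client wrote to /dev/tpmX; it assumes each read() yields one whole command, and the GetRandom command bytes are a constructed sample.

```c
/* Added example: minimal server-side framing for the fd that VTPM_NEW_DEV
 * hands to a vTPM backend. Not code from the patch. */
#include <stdint.h>
#include <stddef.h>
#include <unistd.h>

#define TPM_HDR 10                    /* tag(2) + size(4) + code(4) */
#define TPM_TAG_RQU_COMMAND 0x00C1u   /* TPM 1.2 request */
#define TPM_TAG_RSP_COMMAND 0x00C4u   /* TPM 1.2 response */
#define TPM2_ST_NO_SESSIONS 0x8001u   /* TPM 2.0 request and response */
#define TPM_BAD_ORDINAL 10u           /* TPM 1.2 "unknown command" */
#define TPM2_RC_COMMAND_CODE 0x143u   /* TPM 2.0 "unknown command" */

struct tpm_hdr { uint16_t tag; uint32_t size; uint32_t code; };

/* Constructed sample: TPM 2.0 GetRandom(8 bytes) as a client writes it. */
static const uint8_t sample_getrandom[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x01, 0x7B, 0x00, 0x08 };

static uint32_t be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Validate one command read from the fd. Returns 0 on success, -1 when the
 * buffer is too short, carries an unknown tag, or its length field does not
 * match what was actually read: the backend must never trust the header. */
int tpm_parse_hdr(const uint8_t *buf, size_t len, struct tpm_hdr *h)
{
    if (len < TPM_HDR) return -1;
    h->tag = (uint16_t)(buf[0] << 8 | buf[1]);
    h->size = be32(buf + 2);
    h->code = be32(buf + 6);
    if (h->tag != TPM_TAG_RQU_COMMAND && h->tag != TPM2_ST_NO_SESSIONS) return -1;
    return h->size == len ? 0 : -1;
}

/* Build a header-only error response in the same TPM family as the request. */
size_t tpm_build_error(uint16_t req_tag, uint8_t out[TPM_HDR])
{
    int tpm2 = req_tag == TPM2_ST_NO_SESSIONS;
    uint16_t tag = tpm2 ? TPM2_ST_NO_SESSIONS : TPM_TAG_RSP_COMMAND;
    out[0] = (uint8_t)(tag >> 8); out[1] = (uint8_t)tag;
    put32(out + 2, TPM_HDR);
    put32(out + 6, tpm2 ? TPM2_RC_COMMAND_CODE : TPM_BAD_ORDINAL);
    return TPM_HDR;
}

/* One backend iteration on the server fd (assumes each read() yields one
 * whole command). Malformed or unknown commands get an error response
 * instead of being dropped, so the client side never hangs waiting. */
ssize_t vtpm_serve_one(int fd)
{
    uint8_t cmd[4096], rsp[TPM_HDR];
    struct tpm_hdr h;
    ssize_t n = read(fd, cmd, sizeof cmd);
    if (n <= 0) return -1;
    uint16_t tag = tpm_parse_hdr(cmd, (size_t)n, &h) == 0 ? h.tag : TPM_TAG_RQU_COMMAND;
    /* a real backend would dispatch h.code to the emulator here */
    size_t len = tpm_build_error(tag, rsp);
    return write(fd, rsp, len);
}
```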
