| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Jan 2017 14:54:45 -0700
From: Jason Gunthorpe <jgunthorpe@...idianresearch.com>
To: James Bottomley <jejb@...ux.vnet.ibm.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
linux-security-module@...r.kernel.org,
tpmdd-devel@...ts.sourceforge.net,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [tpmdd-devel] [PATCH RFC 0/4] RFC: in-kernel resource manager
On Mon, Jan 02, 2017 at 09:26:58PM -0800, James Bottomley wrote:
> OK, so I put a patch together that does this (see below). It all works
> nicely (with a udev script that sets the resource manager device to
> 0666):
>
> jejb@...vis:~> ls -l /dev/tpm*
> crw------- 1 root root 10, 224 Jan 2 20:54 /dev/tpm0
> crw-rw-rw- 1 root root 246, 65536 Jan 2 20:54 /dev/tpm0rm
>
> I've modified the tss to connect to /dev/tpm0rm by default and it all
> seems to work.
>
> The patch applies on top of your tabrm branch, by the way.
If we are making a new /dev/ node we should think more carefully about
the design.
- Do we need a cdev node for every chip? What about just '/dev/tpm' and
we encode the chip number in the message. Since the exclusive
locking is gone this is very doable.
- Should we get rid of the read/write protocol and use ioctl instead?
As I understand it ioctl is more usable with seccomp and related
schemes? I could see passing a TPM FD into a sandbox and wanting the
sandbox only able to do do decrypt/encrypt operations, for instance.
- Something to identify tpm chips and help match key data with the
proper chip.
Jason
Powered by blists - more mailing lists