From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org,
tpmdd-devel@lists.sourceforge.net,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [tpmdd-devel] [PATCH v2 6/7] tpm: expose spaces via a device link /dev/tpms<n>
Date: Fri, 24 Feb 2017 18:43:27 -0500
Message-ID: <1487979807.2190.24.camel@HansenPartnership.com>
In-Reply-To: <20170224232327.GA9126@obsidianresearch.com>

On Fri, 2017-02-24 at 16:23 -0700, Jason Gunthorpe wrote:
> On Fri, Feb 24, 2017 at 06:01:00PM -0500, James Bottomley wrote:
>
> > Well, as a glib answer, I'd say the TPM is a device, so the thing
> > which restricts device access to containers is the device cgroup
> > ... that's what we should be plugging into. I'd have to look, but
> > I suspect the device cgroup basically operates on device node
> > appearance, so it should "just work"(tm). I can explore when I'm
> > back home.
>
> Seems reasonable..
>
> It just seems confusing to call something a namespace that isn't also
> a CLONE_NEW* option..
Well, there's namespace behaviour and then there's how you enter them.
We have namespace behaviour with the /dev/tpms<n> but the namespace is
entered on opening the device, even if the same process opens the
device more than once. So we have namespace behaviour with a non-clone
entry mechanism. Since we're namespacing a device, that seems to me
to be the correct semantic.
> FWIW more background on the topic:
>
> Stefan was concerned about information leakage via sysfs of TPM data,
> e.g. that a container could still touch the host's TPM. I wonder if
> device cgroup could be extended to block access to the sysfs
> directories containing a disallowed 'dev' ?
It doesn't need to. The sysfs entries (those that ask the TPM
something) are surrounded by chip->tpm_mutex, so when it asks, we know
all the spaces are context saved (i.e. the only TPM visible state is
global not anything space local).
> I was also wondering about kernel use from within the container -
> all kernel consumers are locked to physical tpm0.. But maybe the
> kernel can consult the right device cgroup to find an allowed TPM?
I'd use the device cgroup to determine what's allowable per container
(i.e. what tpm you can see) then within the container I'd open the
tpms<n> device ... because the TPM volatile storage is so tiny it's not
inconceivable that multiple processes, even within a single container,
need access ... and they'd each need their own "namespace" (which they
get with the current model). However, this is opinion ... we should
try it out and see what works best.
James
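The message above argues that the device cgroup, which gates access to device nodes, is the right place to decide which TPM node a container may open. As an added illustration (not part of the thread and not kernel code), the following Python models the device-cgroup v1 whitelist check offline: it parses `devices.list`-style rules and reports whether a process in that cgroup could open a given character device with the requested access. The rule text, the `/dev/tpms0` major:minor pair, and the function names are constructed for the example; the only real convention used is the `devices.list` line format (`c 10:224 rwm`) and the kernel's rule that every requested access bit must be covered by a single matching exception.

```python
"""Offline model of device-cgroup (v1) whitelist matching for device nodes.

Added illustration, not kernel code. Major/minor numbers and the sample
``devices.list`` below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

ACCESS_BITS = {"r": 1, "w": 2, "m": 4}  # read, write, mknod


@dataclass(frozen=True)
class DevException:
    dev_type: str  # 'c' (char), 'b' (block) or 'a' (all types)
    major: str     # decimal digits or '*'
    minor: str     # decimal digits or '*'
    access: int    # bitmask built from ACCESS_BITS


def _access_mask(letters: str) -> int:
    mask = 0
    for ch in letters:
        if ch not in ACCESS_BITS:
            raise ValueError(f"unknown access letter: {ch!r}")
        mask |= ACCESS_BITS[ch]
    return mask


def parse_rule(line: str) -> DevException:
    """Parse one devices.list line such as 'c 10:224 rwm'."""
    dev_type, dev, acc = line.split()
    if dev_type not in ("a", "b", "c"):
        raise ValueError(f"bad device type: {dev_type!r}")
    major, minor = dev.split(":")
    return DevException(dev_type, major, minor, _access_mask(acc))


def parse_rules(text: str) -> list[DevException]:
    """Parse a whole devices.list, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def _num_matches(pattern: str, value: int) -> bool:
    return pattern == "*" or int(pattern) == value


def device_allowed(rules: list[DevException], dev_type: str,
                   major: int, minor: int, access: str) -> bool:
    """Whitelist semantics: allowed iff one exception matches the node and
    covers every requested access bit (no combining of partial matches)."""
    want = _access_mask(access)
    for ex in rules:
        if ex.dev_type != "a" and ex.dev_type != dev_type:
            continue
        if not _num_matches(ex.major, major) or not _num_matches(ex.minor, minor):
            continue
        if want & ~ex.access:  # some requested bit not granted by this rule
            continue
        return True
    return False


# Constructed sample: a container that is given /dev/null, /dev/zero and one
# TPM space node, but not the host's /dev/tpm0. Numbers are illustrative.
SAMPLE_DEVICES_LIST = """
c 1:3 rwm      # /dev/null
c 1:5 rwm      # /dev/zero
c 10:230 rw    # constructed /dev/tpms0 for this container (no mknod)
"""

# Constructed map of TPM device nodes to (type, major, minor).
TPM_NODES = {
    "/dev/tpm0": ("c", 10, 224),   # host TPM node (assumed value)
    "/dev/tpms0": ("c", 10, 230),  # constructed space node
}


def audit_tpm_access(devices_list: str, access: str = "rw") -> dict[str, bool]:
    """Report, per TPM node, whether the cgroup would permit opening it."""
    rules = parse_rules(devices_list)
    return {name: device_allowed(rules, t, maj, mi, access)
            for name, (t, maj, mi) in TPM_NODES.items()}


if __name__ == "__main__":
    for node, ok in audit_tpm_access(SAMPLE_DEVICES_LIST).items():
        print(f"{node}: {'allowed' if ok else 'denied'}")
```

The model covers only the device-node check the message relies on (the kernel enforces it when the node is opened or created); it says nothing about sysfs, which is exactly the gap the quoted question raises and the reply answers by pointing at the `tpm_mutex` serialization.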