From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: tpmdd-devel@lists.sourceforge.net,
Leonidas Da Silva Barbosa <leosilva@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, Rajiv Andrade <mail@srajiv.net>,
Sirrix AG <tpmdd@sirrix.com>
Subject: Re: [tpmdd-devel] [PATCH 09/13] tpm: Pull everything related to sysfs into tpm-sysfs.c
Date: Mon, 30 Sep 2013 15:20:03 -0600
Message-ID: <20130930212003.GA10393@obsidianresearch.com>
In-Reply-To: <5249E0CB.2070106@tycho.nsa.gov>
On Mon, Sep 30, 2013 at 04:36:27PM -0400, Daniel De Graaf wrote:
> > I think using CONFIG_ options would make this feature unavailable to
> > distro kernel users...
>
> This just moves the problem - now you need a custom initrd instead of
> a custom kernel. Other TPM options like IMA's PCR selection also must
> be changed at CONFIG_ time, although that seems to be more justified
> since IMA in TCB mode is not usable on any distro kernel that makes
> the TPM driver a module (i.e. most or all of them).
A 'custom' initrd is something a distro can automate. Eg a distro's
initrd generation script could read /etc/tpm.cfg and generate an
initrd with the module load and correct sysfs writes. This is more
accessible than recompiling the kernel.
My comments would apply to IMA as well, it should work with standard
distros, meaning the initrd must be able to set it up. So, load the
module in the initrd, setup localities, select the PCR, then enable
IMA.
The bootloader should measure the kernel and initrd together.
IMHO, distros are not making it easy to enable TPM features, and
requiring a kernel recompile is not helping :)
> There is also the fact that the driver may not be able to tell if a
> locality is available without doing some kind of test command. The
> Xen
Makes sense.
> Or, for more flexibility (I actually like this one better):
>
> - CONFIG_TPM_KERNEL_DEFAULT_LOCALITY = [int]
> - CONFIG_TPM_KERNEL_LOCALITY_FIXED = [bool]
>
> And sysfs contains:
> - kernel_locality [0644, int; 0444 if FIXED=y or when locked(?)]
> - lock_kernel_locality [write-once; only exists if FIXED=n]
Yes, this looks simple and sane.
But if there isn't really a need to have a hardwired kernel, the
defaults can be DEFAULT_LOCALITY=0, LOCALITY_FIXED=n and we can
recommend distros rely on the initrd.
> So far, nobody I have talked to has offered any strong opinions on
> what locality should be used or how it should be set. I think finding
> a developer of trousers may be the most useful to talk about how the
> ioctl portion of this would need to be set up - if someone is actually
> needed.
It would be nice to have a user! As I said, we don't use it here.
Jason