From: "Stefan Berger" <stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org
Subject: Re: [RFC PATCH 3/4] Implement driver for supporting multiple emulated TPMs
Date: Wed, 20 Jan 2016 22:56:21 -0500 [thread overview]
Message-ID: <201601210356.u0L3uQ0A002313@d03av03.boulder.ibm.com> (raw)
In-Reply-To: <20160121032115.GA26266-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
[-- Attachment #1.1: Type: text/plain, Size: 3972 bytes --]
Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> wrote on 01/20/2016
10:21:15 PM:
>
> On Wed, Jan 20, 2016 at 10:01:38PM -0500, Stefan Berger wrote:
> > > On Wed, Jan 20, 2016 at 09:39:09AM -0500, Stefan Berger wrote:
> > > > Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> wrote on
01/19/2016
> > > > 06:51:07 PM:
> > > > >
> > > > > On Thu, Jan 14, 2016 at 11:01:57AM -0500, Stefan Berger
wrote:
> > > > > > + pdev = platform_device_register_simple("tpm_vtpm",
> > > vtpm_dev->dev_num,
> > > > > > + NULL, 0);
> > > > >
> > > > > This seems strange, something like this should not be
creating
> > > > > platform_devices.
> > > > Should it be a misc_device then ?
> > >
> > > No. Check what other virtual devices are doing..
> >
> > register_chrdev maybe?
>
> ?? that doesn't replace a platform_device
>
> > > Except that isn't good enough - the IMA kernel side doesn't knowthat
this
> > > tpm is now acting as the 'main' 'default' TPM.
> >
> > Hooking the vTPM to IMA requires another patch that I haven't
> shown since IMA
> > namespacing isn't public yet. Basically we implement another ioctl
> () that is to
> > be called before the clone() in order to 'reserve' a vtpm device
> pair for the
> > calling process. During the clone() call IMA namespacing code can
query the
> > vTPM driver for a 'reserved' device pair. Hooking IMA up after the
> clone() may
> > also work but in case of docker/golang it's better to do this
> before since the
> > language libraries do a lot after the clone automatically.
>
> That sounds very complicated, wouldn't you just specify the TPM index to
use
> in the IMA namespace when it is created?
The IMA namespace is created as part of clone(). You cannot pass anything
via clone(). So you either have to do it before or immediately after. If
after is too later for whatever reason, you have to do it before.
>
> > So here things aren't so clear to me, either. Sysfs should really
> only show the
> > devices that are relevant to a container, but it seems to show a lot
> > more than
>
> I think what you are missing is that nobody uses mainline containers
> for the kind of strong isolation you are thinking about. Out-of-tree
> patches are used by those people and, as I understand it, they cover
> all these issues.
?? Out-of-tree patches?
>
> So, in mainline, the correct thing to do is nothing, and realize that
> people who would care about pcr isolation between containers won't run
> mainline anyhow. Work with the out-of-tree people to make sure things
> work properly until they get the other bits in mainline.
Now one just needs to find those poeple.
Basically you suggest to ignore the potential leaking between containers.
Just register with sysfs ?
>
> At least that is my impression of the state of affairs, someone more
> involved may know better.
>
> > > The huge downside to using a master side dev node is that these
things
> > > will leak. Killing the vtpm daemon will not clean up the slave
> > > interface and another command and sysadmin interaction will be
needed
> > > to sort out the inevitable mess.
> >
> > This is a scenario that works, though.
>
> So you already implemented the same semantics as I talked about, a clean
> up on close?
It's part of the existing patch, yes. A flag gives a choice to keep it
around, or if not set and the server close()s, the pair disappears.
>
> Then just return the fd like I said.
Any driver that can be used as an example ?
>
> auto-delete a master char dev on close is a very strange API, don't do
> that.
What I called cleanup can be trigger by the vTPM closing /dev/vtpms%d, so
the server-side. What is the master for you? /dev/vtpmx where we run the
ioctls on?
Stefan
>
> Jason
>
[-- Attachment #1.2: Type: text/html, Size: 5247 bytes --]
[-- Attachment #2: Type: text/plain, Size: 413 bytes --]
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
[-- Attachment #3: Type: text/plain, Size: 192 bytes --]
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
next prev parent reply other threads:[~2016-01-21 3:56 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-14 16:01 [RFC PATCH 0/4] Multi-instance vTPM driver Stefan Berger
[not found] ` <1452787318-29610-1-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-14 16:01 ` [RFC PATCH 1/4] New flags for TPM chip avoiding filesystem registrations Stefan Berger
[not found] ` <1452787318-29610-2-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-21 8:07 ` Jarkko Sakkinen
2016-01-14 16:01 ` [RFC PATCH 2/4] Allow to provide a name pattern of the device Stefan Berger
2016-01-14 16:01 ` [RFC PATCH 3/4] Implement driver for supporting multiple emulated TPMs Stefan Berger
[not found] ` <1452787318-29610-4-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-19 23:51 ` Jason Gunthorpe
[not found] ` <20160119235107.GA4307-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-20 14:39 ` Stefan Berger
[not found] ` <201601201439.u0KEdGB9031710-YREtIfBy6dDImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-27 2:36 ` Jarkko Sakkinen
[not found] ` <20160127023603.GA23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:17 ` Stefan Berger
[not found] ` <201601271217.u0RCHQIX004914@d03av02.boulder.ibm.com>
[not found] ` <201601271217.u0RCHQIX004914-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 14:22 ` Jarkko Sakkinen
[not found] ` <20160127142239.GA3756-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 18:24 ` Jason Gunthorpe
[not found] ` <20160127182448.GA31680-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 21:13 ` Jarkko Sakkinen
2016-01-27 22:38 ` Stefan Berger
[not found] ` <201601271217.u0RCHQkf003637@d03av03.boulder.ibm.com>
[not found] ` <201601271217.u0RCHQkf003637-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 17:35 ` Jason Gunthorpe
[not found] ` <201601201439.u0KEdFao027907@d03av05.boulder.ibm.com>
[not found] ` <201601201439.u0KEdFao027907-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 1:17 ` Jason Gunthorpe
[not found] ` <20160121011701.GA20361-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 3:01 ` Stefan Berger
[not found] ` <201601210301.u0L31hLD018933-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 2:50 ` Jarkko Sakkinen
[not found] ` <20160127025057.GB23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:20 ` Stefan Berger
[not found] ` <201601271220.u0RCKpEG016626@d03av02.boulder.ibm.com>
[not found] ` <201601271220.u0RCKpEG016626-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 14:23 ` Jarkko Sakkinen
[not found] ` <201601210301.u0L31h5r012187@d03av03.boulder.ibm.com>
[not found] ` <201601210301.u0L31h5r012187-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 3:21 ` Jason Gunthorpe
[not found] ` <20160121032115.GA26266-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 3:56 ` Stefan Berger [this message]
[not found] ` <201601210356.u0L3uP1n029818@d03av05.boulder.ibm.com>
[not found] ` <201601210356.u0L3uP1n029818-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 17:42 ` Jason Gunthorpe
[not found] ` <20160121174243.GD3064-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 19:02 ` Stefan Berger
[not found] ` <201601211902.u0LJ2LbL001130@d03av01.boulder.ibm.com>
[not found] ` <201601211902.u0LJ2LbL001130-Rn83F4s8Lwc+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 19:30 ` Jason Gunthorpe
[not found] ` <20160121193049.GA31938-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 21:51 ` Stefan Berger
[not found] ` <201601212151.u0LLpC93021986@d03av03.boulder.ibm.com>
[not found] ` <201601212151.u0LLpC93021986-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 22:10 ` Jason Gunthorpe
[not found] ` <20160121221040.GA1630-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-22 12:01 ` Jarkko Sakkinen
2016-01-22 15:09 ` Stefan Berger
[not found] ` <56A2461C.7030607-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-01-25 18:10 ` Jason Gunthorpe
[not found] ` <20160125181046.GB28108-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 1:05 ` Stefan Berger
2016-01-26 1:46 ` Jarkko Sakkinen
[not found] ` <20160126014652.GB10732-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 3:19 ` Jason Gunthorpe
[not found] ` <20160126031919.GA24217-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 13:56 ` Jarkko Sakkinen
[not found] ` <20160126135658.GA6813-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 17:58 ` Jason Gunthorpe
[not found] ` <20160126175816.GA17937-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 2:06 ` Jarkko Sakkinen
[not found] ` <20160127020617.GB22703-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 19:48 ` Jarkko Sakkinen
[not found] ` <201601260105.u0Q15IWW028777@d03av04.boulder.ibm.com>
[not found] ` <201601260105.u0Q15IWW028777-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-26 3:46 ` Jason Gunthorpe
[not found] ` <20160126034632.GB24217-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 14:21 ` Stefan Berger
2016-02-02 19:22 ` Stefan Berger
[not found] ` <201601261421.u0QELnI3002626@d01av02.pok.ibm.com>
[not found] ` <201601261421.u0QELnI3002626-prK0F/7GlgzImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-26 18:22 ` Jason Gunthorpe
[not found] ` <20160126182248.GB17937-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 23:22 ` Stefan Berger
[not found] ` <201601262322.u0QNMo1r022303@d03av03.boulder.ibm.com>
[not found] ` <201601262322.u0QNMo1r022303-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 18:21 ` Jason Gunthorpe
2016-01-27 3:13 ` Jarkko Sakkinen
[not found] ` <20160127031320.GC23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:42 ` Stefan Berger
[not found] ` <201601271242.u0RCgM0E031875@d03av05.boulder.ibm.com>
[not found] ` <201601271242.u0RCgM0E031875-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 17:58 ` Jason Gunthorpe
[not found] ` <20160127175839.GA31038-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 21:58 ` Stefan Berger
[not found] ` <201601272158.u0RLwvIK005533@d01av01.pok.ibm.com>
[not found] ` <201601272158.u0RLwvIK005533-4ZtxiNBBw+3ImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-27 22:25 ` Jason Gunthorpe
[not found] ` <20160127222534.GB5520-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 22:55 ` Stefan Berger
[not found] ` <201601272255.u0RMtuqY014120@d03av02.boulder.ibm.com>
[not found] ` <201601272255.u0RMtuqY014120-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 23:33 ` Jason Gunthorpe
2016-01-14 16:01 ` [RFC PATCH 4/4] A test program for vTPM device creation Stefan Berger
2016-01-15 10:11 ` [RFC PATCH 0/4] Multi-instance vTPM driver Jarkko Sakkinen
[not found] ` <20160115101146.GA11987-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-15 13:02 ` Stefan Berger
[not found] ` <201601151302.u0FD2wGG003518@d03av03.boulder.ibm.com>
[not found] ` <201601151302.u0FD2wGG003518-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-25 23:15 ` Jarkko Sakkinen
[not found] ` <20160125231532.GA10732-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 0:28 ` Stefan Berger
2016-01-26 0:29 ` Jarkko Sakkinen
[not found] ` <201601260029.u0Q0T7Ek004865@d03av04.boulder.ibm.com>
[not found] ` <201601260029.u0Q0T7Ek004865-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-26 1:48 ` Jarkko Sakkinen
2016-01-19 17:44 ` Jason Gunthorpe
[not found] ` <20160119174400.GA7616-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 17:53 ` Stefan Berger
2016-01-19 22:59 ` Jarkko Sakkinen
[not found] ` <201601191753.u0JHrku2031608@d01av01.pok.ibm.com>
[not found] ` <201601191753.u0JHrku2031608-4ZtxiNBBw+3ImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-19 18:08 ` Jason Gunthorpe
[not found] ` <20160119180802.GA8038-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 18:18 ` Stefan Berger
2016-01-19 22:14 ` Mimi Zohar
[not found] ` <1453241668.2673.31.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-01-19 22:48 ` Jason Gunthorpe
[not found] ` <20160119224851.GA31745-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 23:05 ` Stefan Berger
[not found] ` <201601191818.u0JIIExQ010843@d03av04.boulder.ibm.com>
[not found] ` <201601191818.u0JIIExQ010843-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-19 23:04 ` Jason Gunthorpe
[not found] ` <20160119230456.GB31745-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 23:15 ` Stefan Berger
[not found] ` <201601192315.u0JNFFG6030371-Rn83F4s8Lwc+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-20 15:40 ` Ken Goldman
[not found] ` <201601192315.u0JNFGkm029862@d01av04.pok.ibm.com>
[not found] ` <201601192315.u0JNFGkm029862-YREtIfBy6dDImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-19 23:42 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201601210356.u0L3uQ0A002313@d03av03.boulder.ibm.com \
--to=stefanb-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org \
--cc=tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).