Re: [PATCH v3 09/11] tpm: Driver for supporting multiple emulated TPMs

["Stefan Berger" <stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>]

[-- Attachment #1.1: Type: text/plain, Size: 2872 bytes --]

Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> wrote on 02/25/2016 
12:39:56 PM:


> 
> On Thu, Feb 25, 2016 at 09:12:57AM -0500, Stefan Berger wrote:
> 
> >    > 3) Do not show any existing sysfs attributes for
> >    > containers. All but
> 
> >    A separate sysfs tree isn't built for every container, so sysfs is 
more
> >    or less global showing pretty much the same in every container 
except
> >    for networking namespace seems to have a way of not doing that.
> 
> TPM should be able to use the same techniques as net, the syfs.*ns set
> of APIs exists for this purpose. I've never looked at how to use them,
> but something should be workable there.

It looks like they some are being used on the kobject level. 

> 
> Once you figure out how to define what TPMs are in a namespace it
> should be doable to use the syfs_ns APIs to have sysfs follow that
> restriction just like net does.

Networking has its own namespace and it looks like all devices get created 
while in that namespace. So the kobject can have its association with that 
namespace right from the beginning. In the case of vtpm we need to create 
the device on the host since we run the TPM emulator on the host out of 
reach of signals from the container. We would only associate the vtpm 
device with the namespace after the clone(), a long time after current 
registration with sysfs. Another difference is that we don't have a device 
namespace, so all our device names and major / minor numbers need to be 
unique and that's also reflected in sysfs.


I have been experimenting with an ioctl that passes along a file 
descriptor to a user namespace (/proc/pid/ns/user) for the purpose of 
associating the vtpm with that user namespace. This is similar to what 
setns() does, except the ioctl associates a vTPM with a namespace. This 
works (once the child is in its final namespace, which the parent needs to 
sync with) and following the proposed filtering on the TPM sysfs attribute 
level, only read()s issued from the user namespace that the vTPM is 
associated with get data. That we can have up to 64k TPM entries in sysfs 
certainly isn't nice.

This 1st ioctl can be called basically at any time and is called on the 
file descriptor returned by the vtpm driver.

Another ioctl is the one we have been discussing previously for 
associating the chip with an IMA namespace (which would be a compile time 
option). Here we need to ensure that the child gets the chip hooked to the 
IMA namespace before the execve() triggers measurements by IMA. Here I 
pass the process Id of that child to then determine IMA namespace to hook 
the chip to and user namespace for vTPM sysfs association. I prefer the 
child's process id over passing two file descriptors in this case...

   Stefan



[-- Attachment #1.2: Type: text/html, Size: 3317 bytes --]

[-- Attachment #2: Type: text/plain, Size: 413 bytes --]

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

[-- Attachment #3: Type: text/plain, Size: 192 bytes --]

_______________________________________________
tpmdd-devel mailing list
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel