Jason Gunthorpe wrote on 01/19/2016 05:48:51 PM:

> Date: 01/19/2016 05:49 PM
> Subject: Re: [tpmdd-devel] [RFC PATCH 0/4] Multi-instance vTPM driver
>
> On Tue, Jan 19, 2016 at 05:14:28PM -0500, Mimi Zohar wrote:
> > On Tue, 2016-01-19 at 11:08 -0700, Jason Gunthorpe wrote:
> > > On Tue, Jan 19, 2016 at 12:53:40PM -0500, Stefan Berger wrote:
> > > > This series has absolutely nothing to do with resource
> > > > management.
> > >
> > > Sure the patch doesn't, but the proposed application does.
> > >
> > > Linux namespaces is all about resource management.
> >
> > huh? namespacing is about isolation.
>
> isolation of what? Every namespace in linux has a defined set of
> kernel managed resources it contains.

- network namespace isolates a network namespace from all the other network namespaces through separate network interfaces and a separate network stack
- mount namespace isolates the mount points and filesystems from other mount namespaces
- PID namespace isolates the process IDs of one container from those of others
- IMA namespacing isolates the measurement lists between IMA namespaces; also, each IMA namespace will have its own IMA policy

The goal is that each IMA namespace can have its own attached vTPM into which IMA can do PCR extensions.

   Stefan

> > > This is an interesting way to make a software TPM,
> >
> > That's the intention, not namespacing the TPM.
>
> Did you read the patch?
>
> The primary goal of this series of patches is enabling vTPM for containers
> and hooking them up to a (future) namespaced IMA. However, the driver can
> also be used for simulating a hardware TPM on the host.
>
> Jason