From: Andrey Pronin <apronin@chromium.org>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Peter Huewe <peterhuewe@gmx.de>,
Marcel Selhorst <tpmdd@selhorst.net>,
tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org,
Christophe Ricard <christophe.ricard@gmail.com>,
smbarber@chromium.org, dianders@chromium.org,
groeck@chromium.org
Subject: Re: [PATCH v2] tpm: add sysfs attributes for tpm2
Date: Wed, 20 Jul 2016 10:41:25 -0700 [thread overview]
Message-ID: <20160720174125.GA45696@apronin> (raw)
In-Reply-To: <20160720170553.GD21460@obsidianresearch.com>
On Wed, Jul 20, 2016 at 11:05:53AM -0600, Jason Gunthorpe wrote:
> On Tue, Jul 19, 2016 at 07:51:52PM -0700, Andrey Pronin wrote:
> > Add sysfs attributes in TPM2.0 case for:
> > - TPM_PT_PERMANENT flags
> > - TPM_PT_STARTUP_CLEAR flags
> > - lockout-related properties
>
> I'm not completely sure we need to have these sysfs attributes. Do you
> have a reason to expose them? Does udev do something based on them? Is
> it just for debugging?
>
> Otherwise it looks about right to me.
>
In practice, useful for scripts that monitor in what state
the system started, was there a lockout, can we use tpm for
attestation, can we rely on data stored in NVRAM, etc. And
then interact with the user accordingly.
I don't know of udev rules that do anything based on them,
but in a multi-tpm system, I can envision one that selects
the tpm that was actually used by firmware as the primary one,
or controls permissions for the device based on the state it's
in.
For TPM1.2 we expose some flags from TPM_PERMANENT_FLAGS and
TPM_CAP_PROP_OWNER, for example, to show if the tpm is owned,
enabled etc. A combination of ph/eh/shEnable and *AuthSet flags
from TPM2 provides info allowing to make similar decisions about
the tpm being 'owned' or 'enabled' for userland scripts.
Andrey
WARNING: multiple messages have this Message-ID (diff)
From: Andrey Pronin <apronin-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: Christophe Ricard
<christophe.ricard-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
dianders-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
smbarber-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
groeck-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org
Subject: Re: [PATCH v2] tpm: add sysfs attributes for tpm2
Date: Wed, 20 Jul 2016 10:41:25 -0700 [thread overview]
Message-ID: <20160720174125.GA45696@apronin> (raw)
In-Reply-To: <20160720170553.GD21460-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
On Wed, Jul 20, 2016 at 11:05:53AM -0600, Jason Gunthorpe wrote:
> On Tue, Jul 19, 2016 at 07:51:52PM -0700, Andrey Pronin wrote:
> > Add sysfs attributes in TPM2.0 case for:
> > - TPM_PT_PERMANENT flags
> > - TPM_PT_STARTUP_CLEAR flags
> > - lockout-related properties
>
> I'm not completely sure we need to have these sysfs attributes. Do you
> have a reason to expose them? Does udev do something based on them? Is
> it just for debugging?
>
> Otherwise it looks about right to me.
>
In practice, useful for scripts that monitor in what state
the system started, was there a lockout, can we use tpm for
attestation, can we rely on data stored in NVRAM, etc. And
then interact with the user accordingly.
I don't know of udev rules that do anything based on them,
but in a multi-tpm system, I can envision one that selects
the tpm that was actually used by firmware as the primary one,
or controls permissions for the device based on the state it's
in.
For TPM1.2 we expose some flags from TPM_PERMANENT_FLAGS and
TPM_CAP_PROP_OWNER, for example, to show if the tpm is owned,
enabled etc. A combination of ph/eh/shEnable and *AuthSet flags
from TPM2 provides info allowing to make similar decisions about
the tpm being 'owned' or 'enabled' for userland scripts.
Andrey
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
next prev parent reply other threads:[~2016-07-20 17:42 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-15 1:51 [PATCH 0/2] tpm: driver- and tpm2-specific sysfs attributes Andrey Pronin
2016-07-15 1:51 ` [PATCH 1/2] tpm: add sysfs attributes for tpm2 Andrey Pronin
2016-07-15 1:51 ` Andrey Pronin
2016-07-15 3:21 ` Jason Gunthorpe
2016-07-15 3:32 ` Andrey Pronin
2016-07-15 3:32 ` Andrey Pronin
2016-07-15 3:34 ` Jason Gunthorpe
2016-07-15 3:34 ` Jason Gunthorpe
2016-07-15 16:56 ` Andrey Pronin
2016-07-15 17:09 ` Jason Gunthorpe
2016-07-15 17:09 ` Jason Gunthorpe
2016-07-18 19:16 ` Jarkko Sakkinen
2016-07-18 19:16 ` Jarkko Sakkinen
2016-07-15 1:51 ` [PATCH 2/2] tpm: support driver-specific sysfs attrs in tpm_tis_core Andrey Pronin
2016-07-15 1:51 ` Andrey Pronin
2016-07-15 3:23 ` Jason Gunthorpe
2016-07-15 3:23 ` Jason Gunthorpe
2016-07-15 3:35 ` Andrey Pronin
2016-07-15 3:35 ` Andrey Pronin
2016-07-18 19:20 ` Jarkko Sakkinen
2016-07-18 19:20 ` Jarkko Sakkinen
2016-07-18 19:11 ` Jarkko Sakkinen
2016-07-18 19:11 ` Jarkko Sakkinen
2016-07-18 19:17 ` Andrey Pronin
2016-07-18 19:17 ` Andrey Pronin
2016-07-20 2:51 ` [PATCH v2] tpm: add sysfs attributes for tpm2 Andrey Pronin
2016-07-20 2:51 ` Andrey Pronin
2016-07-20 17:05 ` Jason Gunthorpe
2016-07-20 17:05 ` Jason Gunthorpe
2016-07-20 17:41 ` Andrey Pronin [this message]
2016-07-20 17:41 ` Andrey Pronin
2016-07-28 4:06 ` [PATCH v3] " Andrey Pronin
2016-07-28 4:06 ` Andrey Pronin
2016-08-09 10:25 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160720174125.GA45696@apronin \
--to=apronin@chromium.org \
--cc=christophe.ricard@gmail.com \
--cc=dianders@chromium.org \
--cc=groeck@chromium.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-kernel@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=smbarber@chromium.org \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.