linux-kernel.vger.kernel.org archive mirror
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Ken Goldman <kgoldman@us.ibm.com>
Cc: tpmdd-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [tpmdd-devel] [PATCH] tpm: add session handles to the save and restore of the tpm2 space manager
Date: Tue, 17 Jan 2017 18:21:01 +0200
Message-ID: <20170117162101.3usgfxlbug77zeew@intel.com>
In-Reply-To: <o5l849$el9$1@blaine.gmane.org>

On Tue, Jan 17, 2017 at 09:01:59AM -0500, Ken Goldman wrote:
> On 1/16/2017 6:18 PM, James Bottomley wrote:
> >
> > Basically this means that the advice to virtualize session handles
> > in the TCG RM document is wrong and we have to use physical handles.
> > I'll redo the implementation for this ... and now, since we'll have
> > nothing to use as an index, it probably does make sense to have
> > sessions in a separate array.  I can also separate isolation from
> > context switching ... although I really think this is less optimal:
> > my TPM only allows three active context handles, so if we don't
> > context switch them identically to transient objects (which it also
> > only allows three of) I'm going to run out.  I actually redid my
> > openssl_tpm_engine patches so they use session handles for parameter
> > encryption and HMAC based authority, so this may end up biting me
> > soon ...
> 
> I think you have to context save sessions, just as you do with transient 
> objects.  Otherwise, only one process at a time can connect.

Isolation is a self-contained step that can be tested and possible
regressions caught.

I could even consider landing isolation in one release and swapping in
a subsequent one in order to keep the release content more digestible for
upper layer maintainers and the risk of causing major regressions small.

/Jarkko

Thread overview: 8+ messages
2017-01-13 19:24 [PATCH] tpm: add session handles to the save and restore of the tpm2 space manager James Bottomley
2017-01-16 10:04 ` Jarkko Sakkinen
2017-01-16 10:05   ` Jarkko Sakkinen
2017-01-16 23:18   ` James Bottomley
2017-01-17  7:23     ` Jarkko Sakkinen
2017-01-17 14:18       ` James Bottomley
2017-01-17 16:29         ` Jarkko Sakkinen
     [not found]     ` <o5l849$el9$1@blaine.gmane.org>
2017-01-17 16:21       ` Jarkko Sakkinen [this message]
