* [tpm2] Re: Sharing TPM 2.0 between containers with access policy
@ 2020-06-05 17:16 Tadeusz Struk
From: Tadeusz Struk @ 2020-06-05 17:16 UTC
To: tpm2
On 6/5/20 12:52 AM, Oleksii Moisieiev wrote:
> Hello all,
>
> I have an embedded device with a Docker-container-based architecture.
> This device is operated by software installed in separate containers.
>
> I would like to share TPM 2.0 access between these containers with the
> following restrictions:
>
> 1) Forbid the Clear TPM command for the containers;
> 2) Each container should have access only to the set of keys it owns.
> 3) Each container can create keys, but not overwrite existing keys that
> are not related to this container.
>
> According to the "TCG TSS 2.0 TAB and Resource Manager Specification",
> the TPM Resource Manager doesn't implement access restrictions right now.
I think you could run a separate instance of the RM per container to get
2 & 3. As for 1, this would need to be prevented on a platform
configuration level, like in BIOS or equivalent.
Thanks,
--
Tadeusz
* [tpm2] Re: Sharing TPM 2.0 between containers with access policy
@ 2020-06-08 15:38 nicolasoliver03
From: nicolasoliver03 @ 2020-06-08 15:38 UTC
To: tpm2
Could you use tpm2_clearcontrol for 1)?
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_clearcontrol.1.md
tpm2_clearcontrol(1) - Allows user with knowledge of either lockout auth and or platform hierarchy auth to set disableClear which prevents the lockout authorization's capability to execute tpm2_clear. Only user with authorization knowledge of the platform hierarchy can clear the disableClear. By default it attempts to clear the disableClear bit.
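As an added, runnable illustration of the tpm2_clearcontrol suggestion above (example code written for this page, not code from the thread or from tpm2-tools), the script below sets disableClear with the lockout authorization and then verifies the bit through tpm2_getcap. It assumes tpm2-tools 4.x or 5.x command syntax and that the platform firmware disabled the platform hierarchy before handing over to the OS, which is what prevents anything in userspace from using platform auth to undo the setting; the parse_ph_enable check is there because that assumption has to be confirmed per device. The tpm2_getcap output embedded in the script is constructed sample text, not captured from a real device, so the parser can be exercised without a TPM.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from tpm2-tools.
# Goal: make TPM2_Clear unusable from containers that can open /dev/tpmrm0.
#
# TPM2_Clear can be authorised by the lockout or the platform hierarchy.
# Setting TPMA_PERMANENT.disableClear (TPM2_ClearControl) makes a lockout-
# authorised clear fail with TPM_RC_DISABLED, and only platform auth can reset
# the bit. Firmware normally disables the platform hierarchy before the OS
# boots, so no container can hold platform auth (assumption: true for this
# device; phEnable below tells you whether it is).
set -eu

# Constructed sample of `tpm2_getcap properties-variable` output (not captured
# from a real device) so the parsers below can be tested offline.
SAMPLE_GETCAP_UNLOCKED='TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1'

# Same sample with the bit set, as it should read after lock_clear succeeds.
SAMPLE_GETCAP_LOCKED=$(printf '%s\n' "$SAMPLE_GETCAP_UNLOCKED" \
    | sed 's/^\(  disableClear: *\)0$/\11/')

# Print the disableClear bit (0 or 1) from getcap output read on stdin.
# Only the TPM2_PT_PERMANENT block is inspected; other blocks reuse field names.
parse_disable_clear() {
    awk '/^TPM2_PT_PERMANENT:/ { in_perm = 1; next }
         /^[^ ]/               { in_perm = 0 }
         in_perm && $1 == "disableClear:" { print $2; exit }'
}

# Print phEnable from the TPM2_PT_STARTUP_CLEAR block: 1 means the platform
# hierarchy is still enabled and platform auth could undo disableClear.
parse_ph_enable() {
    awk '/^TPM2_PT_STARTUP_CLEAR:/ { in_sc = 1; next }
         /^[^ ]/                   { in_sc = 0 }
         in_sc && $1 == "phEnable:" { print $2; exit }'
}

# Live queries (need tpm2-tools and a TPM; TPM2TOOLS_TCTI selects the device).
read_disable_clear() { tpm2_getcap properties-variable | parse_disable_clear; }
read_ph_enable()     { tpm2_getcap properties-variable | parse_ph_enable; }

# Set disableClear via the lockout hierarchy. $1 is the lockout auth (empty if
# none is set). Run on the host, not in a container, and keep the lockout auth
# out of the containers: once the bit is set, lockout auth can neither clear
# the TPM nor reset the bit, but it is still a secret worth protecting.
lock_clear() {
    if [ -n "${1:-}" ]; then
        tpm2_clearcontrol -C l -P "$1" s
    else
        tpm2_clearcontrol -C l s
    fi
    [ "$(read_disable_clear)" = "1" ] || { echo "disableClear still 0" >&2; return 1; }
    if [ "$(read_ph_enable)" = "1" ]; then
        echo "warning: platform hierarchy enabled; platform auth can undo this" >&2
    fi
}

# Nothing touches the TPM unless explicitly requested.
if [ "${RUN_AGAINST_TPM:-0}" = "1" ]; then
    lock_clear "${LOCKOUT_AUTH:-}"
fi
```

Run it on the host as `RUN_AGAINST_TPM=1 LOCKOUT_AUTH=... sh lock_clear.sh`; the containers never need the lockout or platform auth, and afterwards a tpm2_clear from inside one of them fails rather than wiping every tenant's keys.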
* [tpm2] Re: Sharing TPM 2.0 between containers with access policy
@ 2020-06-18 18:20 Oleksii Moisieiev
From: Oleksii Moisieiev @ 2020-06-18 18:20 UTC
To: tpm2
Hello Tadeusz.
Thank you for the answer.
I've done some investigation and found that passing the device /dev/tpmrm0 to the containers will do the job. Also, the problem with tpm_clear can be solved by restricting owner access to the TPM. So each container can use keys in the TPM but has to talk to the owner if any changes are needed.
I have another question: according to the documentation, the TPM has a unique endorsement key embedded in the device during manufacturing, so each module can be identified by this key.
How can I retrieve this key embedded in the TPM module?
Best regards,
Oleksii.
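The split the message above relies on (containers use keys, the host keeps owner access) can be made concrete with tpm2-tools. What follows is an added example written for this page, not code from the thread or from tpm2-tools; it assumes tpm2-tools 4.x/5.x syntax, the kernel resource manager at /dev/tpmrm0, and a hypothetical per-tenant persistent-handle range starting at 0x81010001. The kernel RM virtualises transient handles and sessions per open file descriptor, but persistent handles, the owner hierarchy and NV are shared by every container that receives the device node, so the per-container boundary in requirements 2) and 3) comes from object authorisation: the host creates one primary per tenant with a tenant-specific auth, persists it using the owner auth, and hands only the tenant auth into that container. A sibling container can see the persistent handle but cannot create or load under it without the tenant auth, and cannot evict it without the owner auth.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from tpm2-tools.
# Host-side provisioning of one TPM parent key per container, plus the
# container-side usage, so each container can create and use its own keys but
# not another container's. Assumes tpm2-tools 4.x/5.x and /dev/tpmrm0.
set -eu

# Hypothetical handle range for tenant parents. Owner-hierarchy persistent
# handles are 0x81000000-0x817FFFFF on PC Client platforms; pick a base that
# does not collide with anything else the host persists.
TENANT_HANDLE_BASE=0x81010000
TENANT_ID_MAX=255

# Map a small integer tenant id to its persistent handle, e.g. 1 -> 0x81010001.
tenant_handle() {
    [ "$1" -ge 1 ] && [ "$1" -le "$TENANT_ID_MAX" ] || return 1
    printf '0x%08X\n' $((TENANT_HANDLE_BASE + $1))
}

# Arguments for `docker run` that expose only the resource manager device and
# tell tpm2-tools inside the container which handle is its parent. No owner or
# lockout auth goes in; the tenant's own parent auth is injected separately.
tenant_docker_args() {
    printf -- '--device /dev/tpmrm0 -e TPM2TOOLS_TCTI=device:/dev/tpmrm0 -e TENANT_PARENT=%s\n' \
        "$(tenant_handle "$1")"
}

# Host: create and persist a parent for tenant $1 with auth $2, using owner
# auth $3 (empty if the owner hierarchy has no auth). Requires a TPM.
provision_tenant_parent() {
    handle=$(tenant_handle "$1")
    tpm2_createprimary -C o -P "${3:-}" -G ecc -c "tenant$1.ctx" -p "$2"
    tpm2_evictcontrol -C o -P "${3:-}" -c "tenant$1.ctx" "$handle"
    rm -f "tenant$1.ctx"
    echo "$handle"
}

# Container: create and load a signing key under TENANT_PARENT. Both commands
# require the parent's auth, so a sibling without it is refused by the TPM;
# a sibling creating keys under its own parent never touches this one (3).
# The key gets its own auth too, so knowing the handle alone is not enough.
tenant_create_key() {
    tpm2_create -C "$TENANT_PARENT" -P "$TENANT_AUTH" -G rsa \
        -u tenant_key.pub -r tenant_key.priv -p "$TENANT_KEY_AUTH"
    tpm2_load -C "$TENANT_PARENT" -P "$TENANT_AUTH" \
        -u tenant_key.pub -r tenant_key.priv -c tenant_key.ctx
}

# Nothing touches the TPM unless explicitly requested.
if [ "${RUN_AGAINST_TPM:-0}" = "1" ]; then
    provision_tenant_parent "${TENANT_ID:-1}" "$TENANT_AUTH" "${OWNER_AUTH:-}"
fi
```

The owner auth stays on the host (set one with tpm2_changeauth -c o if the hierarchy still has an empty auth), so no container can evict or re-persist handles; combined with disableClear from the earlier message, a tenant is limited to its own subtree. One residual shared resource worth noting is dictionary-attack lockout: repeated wrong-auth attempts by one tenant against DA-protected objects count for the whole TPM.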
* [tpm2] Re: Sharing TPM 2.0 between containers with access policy
@ 2020-06-18 19:48 Roberts, William C
From: Roberts, William C @ 2020-06-18 19:48 UTC
To: tpm2
> -----Original Message-----
> From: Oleksii Moisieiev <Oleksii_Moisieiev(a)epam.com>
> Sent: Thursday, June 18, 2020 1:21 PM
> To: Struk, Tadeusz <tadeusz.struk(a)intel.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Sharing TPM 2.0 between containers with access policy
>
> Hello Tadeusz.
>
> Thank you for the answer.
> I've done some investigation and found that passing the device /dev/tpmrm0 to the
> containers will do the job. Also, the problem with tpm_clear can be solved by
> restricting owner access to the TPM. So each container can use keys in the TPM but
> has to talk to the owner if any changes are needed.
>
> I have another question: according to the documentation, the TPM has a unique
> endorsement key embedded in the device during manufacturing, so each
> module can be identified by this key.
> How can I retrieve this key embedded in the TPM module?
Only the endorsement hierarchy primary seed (EPS) is embedded at manufacturing time, so
calls to tpm2_createprimary with the proper inputs will yield the same key every time. Calls
to tpm2_createek should create this for you. The calls to tpm2_getekcertificate should give you
that manufacturer certificate.
Details on this process can be found in this spec:
- https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
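Putting the answer above into commands, as an added example written for this page rather than code from the thread or from tpm2-tools: regenerate the EK from the EPS with the default TCG template, export its public part, fetch the manufacturer's EK certificate, and check that the certificate actually certifies the key this TPM just produced before using either as the device identity. It assumes tpm2-tools 5.x (where tpm2_getekcertificate reads the certificate from the TCG-defined NV index when no web-service URL is given; on 4.x the vendor URL is required, so tpm2_nvread on that index is kept as the fallback) and openssl on the host. Identifying the module by a SHA-256 of the EK public key, as done here, is this example's choice, not something the thread specifies.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from tpm2-tools.
# Derive the Endorsement Key from the EPS, fetch the EK certificate and verify
# that the two belong together. Assumes tpm2-tools 5.x and openssl.
set -eu

# TCG EK Credential Profile 2.0: NV indices holding the manufacturer EK certs.
ek_cert_nv_index() {
    case "$1" in
        rsa) echo 0x01C00002 ;;
        ecc) echo 0x01C0000A ;;
        *)   return 1 ;;
    esac
}

# Recreate the EK (deterministic: same EPS + same template = same key) and
# export its public key as PEM. $1 is rsa or ecc and must match the cert.
derive_ek() {
    tpm2_createek -G "$1" -c ek.ctx -u ek.pub
    tpm2_readpublic -c ek.ctx -f pem -o ek.pem
}

# Read the EK certificate as stored in NV (DER). tpm2_getekcertificate with no
# URL reads NV on 5.x; tpm2_nvread on the index is the version-neutral route.
fetch_ek_cert() {
    tpm2_getekcertificate -o ek.crt \
        || tpm2_nvread "$(ek_cert_nv_index "$1")" -o ek.crt
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key ($1); used as
# the stable per-module identifier in this example.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | sha256sum | cut -d' ' -f1
}

# Public key of a certificate ($1): DER as stored in NV, PEM also accepted.
cert_pubkey_pem() {
    openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null \
        || openssl x509 -inform PEM -in "$1" -noout -pubkey
}

# The check to do before trusting the cert as a device identity: does the
# cert's public key equal the key the TPM derived? After that, validate the
# cert chain against the vendor's EK CA (not shown here; the issuing CA is
# usually reachable through the cert's Authority Information Access extension).
ek_matches_cert() {
    cert_pubkey_pem "$2" > ek_from_cert.pem
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint ek_from_cert.pem)" ]
}

# Nothing touches the TPM unless explicitly requested.
if [ "${RUN_AGAINST_TPM:-0}" = "1" ]; then
    alg=${EK_ALG:-rsa}
    derive_ek "$alg"
    fetch_ek_cert "$alg"
    ek_matches_cert ek.pem ek.crt && echo "device id: $(pubkey_fingerprint ek.pem)"
fi
```

If ek_matches_cert fails, the usual causes are a certificate for the other algorithm (RSA cert, ECC key or vice versa) or a TPM whose EPS was regenerated (tpm2GeneratedEPS set) after manufacturing, in which case the stored certificate no longer describes the current EK.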