TPM Support [PSARC/2008/725 FastTrack timeout 11/27/2008]
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Dec 1 08:06:56 PST 2008
James Carlson wrote:
> Wyllys Ingersoll writes:
>
>>> I think this would be a good stop-gap measure. It would simplify the
>>> deployment of tss based applications in one non-global zone.
>>>
>>> as an implementation detail, you'll probably want to enhance zoneadm to detect
>>> when a zone is booting with a tpm device allocated to it, and have it verify
>>> that there are no other booted zones with tpm devices and that the tss daemon
>>> is not running in the global zone. (this keeps things user friendly, and
>>> zoneadm already does similar checks to verify that other required smf services
>>> are running.)
>>>
>>> ed
>>>
>>>
>> The tpm device itself will not allow multiple readers, so I'm not sure
>> if any external tool modification (zoneadm, etc.) is even necessary.
>> The device will respond to the first app to open it; no other apps can
>> open the device until it gets closed again.
>>
>
> Is opening it and doing nothing an effective DoS?
>
The device should be 0600 root:sys to prevent just anyone from locking
it up.