TPM Support [PSARC/2008/725 FastTrack timeout 11/27/2008]
Darren J Moffat
Darren.Moffat at sun.com
Tue Dec 2 08:57:59 PST 2008
Garrett D'Amore wrote:
> Note that making the interface Consolidation Private, while possibly
> confusing to external consumers, would primarily mean that others that
> wanted to use it outside of the consolidation would need to talk to
> you. I'm mostly concerned about whether or not there are "interesting"
> applications that have relevance in a non-global zone. I'm willing to
> concede this point, in the meantime.
That would be pointless though because the TSS 1.2 API won't change even
if we do virtualise access via a Zone or hypervisor.
If there is a change needed to the API to support virtualisation it will
be a new rev of the API from the TCG.
I'm very strongly against making the API any form of Private.
> Okay, that makes sense. Surely the problem of operation of TCS/TSS/TPM
> with Xen^WxVM is not unique to Solaris. It would be interesting to
> learn what other design approaches the upstream community is considering
> to deal with this problem.
It isn't. IBM has to my knowledge developed an experimental Xen driver
for virtualising the TPM for Xen. However as Wyllys has already
mentioned virtualisation of the TPM is the subject of an active TCG
working group and he has agreed to participate in that to make sure that
what is done works for Zones as well.
> Actually, I think what would be nice here would be some form of UNIX
> domain socket or named pipes that crossed zone boundaries.
Already discussed in other PSARC cases and already works in some
configurations.
For example in Trusted Extensions configuration there are doors and UNIX
domain sockets that the global zone helps set up to the local zones for
various services.
--
Darren J Moffat