On Mon, Jan 23, 2017 at 05:19:18PM -0700, Jason Gunthorpe wrote:
> On Tue, Jan 24, 2017 at 02:02:52AM +0200, Jarkko Sakkinen wrote:
> > This commit adds a command filter for whitelisting a set of commands in
> > a TPM space. When a TPM space is created through /dev/tpms0, no
> > commands are allowed. The user of the TPM space must explicitly define
> > the list of commands allowed before sending any commands. This ioctl is
> > a one shot call so that a resource manager daemon can call it before
> > sending the file descriptor to the client.
>
> I don't think it makes sense to have a daemon in user space that
> passes an open'd /dev/tpms0 FD directly to a client..
>
> It is trivial and more powerful to just proxy the messages. Can you
> see some reason why passing a FD through a daemon would make sense?
>
> The earlier discussion with James was to have some way to apply a
> global command filter to all tpms0 users with the idea that the
> 'right' restricted command set would enable a 0666 cdev node, and no
> daemon.
Is that a conflicting goal? Maybe the ioctl could be restricted by
CAP_MAC_ADMIN in that case?

How would you propose to change the code below? I guess the "core code"
is about right and this is more about API, am I right?

/Jarkko

> > Signed-off-by: Jarkko Sakkinen <[email protected]>
> >
> > 1. This patch applies on top of 'tabrm4' branch.
> > 2. Only compilation is tested (just drafted the idea)
> >
> >  drivers/char/tpm/tpm-interface.c | 12 +++++--
> >  drivers/char/tpm/tpm.h           |  1 +
> >  drivers/char/tpm/tpm2-space.c    |  7 ++++
> >  drivers/char/tpm/tpms-dev.c      | 75 ++++++++++++++++++++++++++++++++++++++++
> >  include/uapi/linux/tpms.h        | 29 ++++++++++++++++
>
> BTW, don't forget to update kbuild when you add uapi files... Applies
> to other patches..
>
> Jason

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
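The whitelist behaviour the thread describes (a fresh TPM space rejects every command, the list is installed exactly once, and each command is then matched against it) as an added C example; this is not code from the tabrm4 branch or from the patch under discussion, and it does in user space what the patch does in the driver, which is also the check a proxy daemon of the kind Jason suggests would run on every message before relaying it. It parses the 10-byte TPM 2.0 command header, compares the command code against the installed list, and answers anything else with a TPM error response. The struct and function names (tpm_filter, tpm_filter_set, tpm_command_code, tpm_filter_check, tpm_filter_error_response, tpm_filter_demo) and the sample command buffers are hypothetical; the header layout and the TPM_CC / TPM_RC values are from the TPM 2.0 Library specification.

```c
/*
 * Added example, not code from the tabrm4 branch or the patch quoted above.
 * User-space sketch of the whitelist described in the thread: a filter starts
 * empty (every command rejected), is installed exactly once, and each TPM 2.0
 * command is then matched against it before being forwarded. All tpm_filter*
 * and sample_* names are hypothetical; constants are from the TPM 2.0 spec.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TPM_HEADER_SIZE     10          /* tag(2) + commandSize(4) + commandCode(4) */
#define TPM_RC_SUCCESS      0x000
#define TPM_RC_COMMAND_SIZE 0x142       /* commandSize inconsistent with the buffer */
#define TPM_RC_COMMAND_CODE 0x143       /* command code not supported */
#define TPM2_CC_Clear       0x00000126u /* TPM_CC values, TPM 2.0 Library Part 2 */
#define TPM2_CC_GetRandom   0x0000017Bu
#define TPM2_CC_PCR_Read    0x0000017Eu
#define TPM_FILTER_MAX      64

struct tpm_filter {
	bool     set;                   /* one shot: true once a list is installed */
	size_t   count;
	uint32_t codes[TPM_FILTER_MAX];
};

static uint32_t get_be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Install the whitelist. Like the one-shot ioctl, a second call fails. */
int tpm_filter_set(struct tpm_filter *f, const uint32_t *codes, size_t n)
{
	if (f->set)
		return -EBUSY;
	if (n > TPM_FILTER_MAX)
		return -EINVAL;
	memcpy(f->codes, codes, n * sizeof(*codes));
	f->count = n;
	f->set = true;
	return 0;
}

/* Command code carried by a buffer, or 0 if it is too short for a header. */
uint32_t tpm_command_code(const uint8_t *cmd, size_t len)
{
	return len < TPM_HEADER_SIZE ? 0 : get_be32(cmd + 6);
}

/*
 * May this command be forwarded? TPM_RC_SUCCESS if so, otherwise the response
 * code to answer with. An unset filter (count == 0) allows nothing.
 */
uint32_t tpm_filter_check(const struct tpm_filter *f, const uint8_t *cmd, size_t len)
{
	if (len < TPM_HEADER_SIZE || get_be32(cmd + 2) != len)
		return TPM_RC_COMMAND_SIZE;
	uint32_t cc = get_be32(cmd + 6);
	for (size_t i = 0; i < f->count; i++)
		if (f->codes[i] == cc)
			return TPM_RC_SUCCESS;
	return TPM_RC_COMMAND_CODE;
}

/* The 10-byte error response (TPM_ST_NO_SESSIONS, size 10, rc) a rejected caller gets. */
size_t tpm_filter_error_response(uint8_t *resp, uint32_t rc)
{
	static const uint8_t hdr[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a };
	memcpy(resp, hdr, sizeof hdr);
	resp[6] = rc >> 24; resp[7] = rc >> 16; resp[8] = rc >> 8; resp[9] = rc;
	return TPM_HEADER_SIZE;
}

/* Constructed sample commands; only the header matters to the filter. */
static const uint8_t sample_getrandom[] = {
	0x80, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x01, 0x7b, 0x00, 0x10 };
static const uint8_t sample_clear[] = {  /* TPM2_Clear, cut after authHandle */
	0x80, 0x02, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x01, 0x26, 0x40, 0x00, 0x00, 0x0c };

/* Lifecycle walk-through: 0, or the number of the first step that misbehaved. */
int tpm_filter_demo(void)
{
	struct tpm_filter f = { 0 };
	const uint32_t allow[] = { TPM2_CC_GetRandom, TPM2_CC_PCR_Read };
	uint8_t resp[TPM_HEADER_SIZE];

	if (tpm_filter_check(&f, sample_getrandom, sizeof sample_getrandom) != TPM_RC_COMMAND_CODE)
		return 1;               /* fresh space: nothing allowed yet */
	if (tpm_filter_set(&f, allow, 2) != 0)
		return 2;               /* resource manager installs the list once */
	if (tpm_filter_set(&f, allow, 2) != -EBUSY)
		return 3;               /* ... and cannot widen it afterwards */
	if (tpm_filter_check(&f, sample_getrandom, sizeof sample_getrandom) != TPM_RC_SUCCESS)
		return 4;               /* whitelisted command passes */
	if (tpm_filter_error_response(resp, tpm_filter_check(&f, sample_clear, sizeof sample_clear))
	    != TPM_HEADER_SIZE || get_be32(resp + 6) != TPM_RC_COMMAND_CODE)
		return 5;               /* TPM2_Clear is answered with an error response */
	if (tpm_filter_check(&f, sample_getrandom, sizeof sample_getrandom - 1) != TPM_RC_COMMAND_SIZE)
		return 6;               /* commandSize must match the buffer */
	return 0;
}
```

Calling tpm_filter_demo() from a main() returns 0 when the filter behaves as the thread describes. Two points the walk-through makes explicit: the size field is checked against the buffer before the command code is read, so a truncated or padded header cannot slip a different code past the list, and the one-shot tpm_filter_set is what lets a resource manager install the list and then hand the descriptor (or, in a proxy, the connection) to a client that cannot widen it.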
