Commit | Line | Data |
---|---|---|
7e1dc002 SB |
1 | Virtual TPM Proxy Driver for Linux Containers |
2 | ||
3 | Authors: Stefan Berger (IBM) | |
4 | ||
5 | This document describes the virtual Trusted Platform Module (vTPM) | |
6 | proxy device driver for Linux containers. | |
7 | ||
8 | INTRODUCTION | |
9 | ------------ | |
10 | ||
11 | The goal of this work is to provide TPM functionality to each Linux | |
12 | container. This allows programs to interact with a TPM in a container | |
13 | the same way they interact with a TPM on the physical system. Each | |
14 | container gets its own unique, emulated, software TPM. | |
15 | ||
16 | ||
17 | DESIGN | |
18 | ------ | |
19 | ||
20 | To make an emulated software TPM available to each container, the container | |
21 | management stack needs to create a device pair consisting of a client TPM | |
22 | character device /dev/tpmX (with X=0,1,2...) and a 'server side' file | |
23 | descriptor. The former is moved into the container by creating a character | |
24 | device with the appropriate major and minor numbers while the file descriptor | |
25 | is passed to the TPM emulator. Software inside the container can then send | |
26 | TPM commands using the character device and the emulator will receive the | |
27 | commands via the file descriptor and use it for sending back responses. | |
28 | ||
29 | To support this, the virtual TPM proxy driver provides a device /dev/vtpmx | |
30 | that is used to create device pairs using an ioctl. The ioctl takes as | |
31 | an input flags for configuring the device. The flags for example indicate | |
32 | whether TPM 1.2 or TPM 2 functionality is supported by the TPM emulator. | |
33 | The result of the ioctl are the file descriptor for the 'server side' | |
34 | as well as the major and minor numbers of the character device that was created. | |
35 | Besides that the number of the TPM character device is return. If for | |
36 | example /dev/tpm10 was created, the number (dev_num) 10 is returned. | |
37 | ||
38 | The following is the data structure of the TPM_PROXY_IOC_NEW_DEV ioctl: | |
39 | ||
40 | struct vtpm_proxy_new_dev { | |
41 | __u32 flags; /* input */ | |
42 | __u32 tpm_num; /* output */ | |
43 | __u32 fd; /* output */ | |
44 | __u32 major; /* output */ | |
45 | __u32 minor; /* output */ | |
46 | }; | |
47 | ||
48 | Note that if unsupported flags are passed to the device driver, the ioctl will | |
49 | fail and errno will be set to EOPNOTSUPP. Similarly, if an unsupported ioctl is | |
50 | called on the device driver, the ioctl will fail and errno will be set to | |
51 | ENOTTY. | |
52 | ||
53 | See /usr/include/linux/vtpm_proxy.h for definitions related to the public interface | |
54 | of this vTPM device driver. | |
55 | ||
56 | Once the device has been created, the driver will immediately try to talk | |
57 | to the TPM. All commands from the driver can be read from the file descriptor | |
58 | returned by the ioctl. The commands should be responded to immediately. | |
59 | ||
60 | Depending on the version of TPM the following commands will be sent by the | |
61 | driver: | |
62 | ||
63 | - TPM 1.2: | |
64 | - the driver will send a TPM_Startup command to the TPM emulator | |
65 | - the driver will send commands to read the command durations and | |
66 | interface timeouts from the TPM emulator | |
67 | - TPM 2: | |
68 | - the driver will send a TPM2_Startup command to the TPM emulator | |
69 | ||
70 | The TPM device /dev/tpmX will only appear if all of the relevant commands | |
71 | were responded to properly. |