On Wed, May 9, 2018 at 8:44 PM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
> On Tue, May 08, 2018 at 10:29:41AM -0500, David R. Bild wrote:
>> On Tue, May 8, 2018 at 10:25 AM, James Bottomley
>> <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> >
>> > > On Fri, May 04, 2018 at 02:56:25PM -0500, David R. Bild wrote:
>> > [...]
>> > > > In particular, it sets the credentials for the platform hierarchy.
>> > > > The platform hierarchy is essentially the "root" account of the
>> > > > TPM, so it's critical that those credentials be set before the TPM
>> > > > is exposed to user-space. (The platform credentials aren't
>> > > > persisted in the TPM and must be set by the platform on every
>> > > > boot.) If the driver registers the TPM before doing
>> > > > initialization, there's a chance that something else could access
>> > > > the TPM before the platform credentials get set.
>
> Who is able to test these changes if we even consider pulling them?

I can send you and the other maintainers cards to test with. That's dead
simple. (With a USB-A plug, not mini PCI-e, so you can plug it into any
computer.) They won't have the Xaptum credentials pre-provisioned, and
will just function as normal TPMs.

> I do not have such a card so it will be hard to accept also given
> that it is a more intrusive change than usual.

The current approach (the driver does all the initialization) requires
no changes to the TPM driver. Only someone who buys our card will ever
run that code, so it doesn't impact anyone else.

Best,
David
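The quoted paragraph says the driver "sets the credentials for the platform hierarchy" before exposing the TPM. At the wire level that is a TPM2_HierarchyChangeAuth command against TPM_RH_PLATFORM, authorized with the platform auth value that is empty after every TPM reset. The following is an added example, not part of this thread and not the Xaptum driver's code: it marshals that command with a password session and parses the response header, so a reader can see exactly what the platform has to send before /dev/tpm0 is registered. The constants are the values from the TCG TPM 2.0 Library specification; the function names and the sample response bytes are my own constructions.

```python
import struct

# TPM 2.0 constants (TCG TPM 2.0 Library, Part 2: Structures).
TPM_ST_SESSIONS = 0x8002              # command tag: an authorization area follows the handles
TPM_CC_HierarchyChangeAuth = 0x0129   # command code
TPM_RH_PLATFORM = 0x4000000C          # platform hierarchy handle (the TPM's "root" account)
TPM_RS_PW = 0x40000009                # password (non-HMAC) authorization session handle
TPM_RC_SUCCESS = 0x00000000


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B_* sized buffer: big-endian UINT16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def password_session(current_auth: bytes) -> bytes:
    """Marshal one TPMS_AUTH_COMMAND for a password session.

    Layout: sessionHandle (TPM_RS_PW), nonce (empty TPM2B), sessionAttributes (0),
    hmac (TPM2B carrying the *current* auth value in plaintext).
    """
    return struct.pack(">I", TPM_RS_PW) + tpm2b(b"") + b"\x00" + tpm2b(current_auth)


def build_hierarchy_change_auth(new_auth: bytes, current_auth: bytes = b"",
                                hierarchy: int = TPM_RH_PLATFORM) -> bytes:
    """Build TPM2_HierarchyChangeAuth, which replaces a hierarchy's auth value.

    After TPM reset the platform auth is the empty buffer, so current_auth
    defaults to b"" -- this is exactly why whoever talks to the TPM first can
    claim the platform hierarchy, and why the platform must send this command
    before user space can open the device.
    """
    if len(new_auth) > 64:  # TPM2B_AUTH is bounded by the largest digest size (sizeof(TPMU_HA))
        raise ValueError("new_auth longer than any supported digest")
    session = password_session(current_auth)
    body = (struct.pack(">I", hierarchy)                # authHandle
            + struct.pack(">I", len(session)) + session # authorizationSize + TPMS_AUTH_COMMAND
            + tpm2b(new_auth))                          # newAuth (TPM2B_AUTH)
    header = struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_CC_HierarchyChangeAuth)
    return header + body


def parse_response_code(resp: bytes) -> int:
    """Return the TPM_RC from a response: tag (UINT16), responseSize (UINT32), responseCode (UINT32)."""
    if len(resp) < 10:
        raise ValueError("truncated TPM response header")
    _tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):
        raise ValueError(f"responseSize {size} does not match {len(resp)} bytes received")
    return rc


if __name__ == "__main__":
    # Constructed sample: set a 4-byte platform auth from the empty post-reset auth.
    cmd = build_hierarchy_change_auth(b"\x11\x11\x11\x11")
    print("command:", cmd.hex())
    # Constructed sample success response: header, parameterSize=0, empty session response.
    ok = bytes.fromhex("80020000001300000000" "00000000" "0000" "00" "0000")
    print("rc:", hex(parse_response_code(ok)))
```

Running the script prints the 33-byte command (header, platform handle, a 9-byte password session with an empty hmac, then the new auth) and a response code of 0x0. A response whose code is non-zero means the hierarchy auth was not changed, which on a real platform is the condition a driver must treat as fatal before registering the chip.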